mirror of
https://github.com/MariaDB/server.git
synced 2025-08-07 00:04:31 +03:00
BUG#24437124: POSSIBLE BUFFER OVERFLOW ON CREATE TABLE
ANALYSIS:
=========
'CREATE TABLE' query with a large value for 'CONNECTION' string reports an incorrect error.

The length of connection string is stored in .frm in two bytes (max value = 65535). When the string length exceeds the max value, the length is truncated to fit the two bytes limit. Further processing leads to reading only a part of the string as the length stored is incorrect. The remaining part of the string is treated as engine type and hence results in an error.

FIX:
====
We are now restricting the connection string length to 1024. An appropriate error is reported if the length crosses this limit.

NOTE:
=====
The 'PASSWORD' table option is documented as unused and processed within dead code. Hence it will not cause a similar issue with large strings.
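The truncation described in the commit message, as an added example (not code from this commit or from the server). It assumes a simplified, constructed record of a two-byte length, the string, then trailing data in place of the real .frm layout; `write_record`, `tail_offset` and `misread_bytes` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONNECT_STRING_MAXLEN 1024 /* limit introduced by the commit */

/* Constructed, simplified record (assumption, not the real .frm layout):
   [2-byte little-endian length][connection string][trailing data]. */

/* Hypothetical writer. Returns bytes written, or 0 when the limit check rejects. */
size_t write_record(uint8_t *out, const char *conn, size_t conn_len,
                    const char *tail, size_t tail_len, int enforce_limit)
{
    if (enforce_limit && conn_len > CONNECT_STRING_MAXLEN)
        return 0; /* fixed behaviour: refuse before anything is stored */
    uint16_t stored = (uint16_t)conn_len; /* wraps once conn_len > 65535 */
    out[0] = (uint8_t)(stored & 0xff);
    out[1] = (uint8_t)(stored >> 8);
    memcpy(out + 2, conn, conn_len);
    memcpy(out + 2 + conn_len, tail, tail_len);
    return 2 + conn_len + tail_len;
}

/* Hypothetical reader: trusts the stored length to find the trailing data. */
size_t tail_offset(const uint8_t *rec)
{
    return 2 + (size_t)(rec[0] | (rec[1] << 8));
}

/* Bytes of the connection string the reader would misread as trailing data;
   -1 when the write was rejected. */
long misread_bytes(size_t conn_len, int enforce_limit)
{
    static char conn[70000];
    static uint8_t rec[70016];
    if (conn_len > sizeof conn)
        return -1;
    memset(conn, 'A', conn_len); /* constructed sample input */
    if (!write_record(rec, conn, conn_len, "ENGINE", 6, enforce_limit))
        return -1;
    return (long)(2 + conn_len - tail_offset(rec));
}

int main(void)
{
    printf("len 100:   %ld\n", misread_bytes(100, 0));
    printf("len 65540: %ld\n", misread_bytes(65540, 0));
    printf("len 65540, limit on: %ld\n", misread_bytes(65540, 1));
    return 0;
}
```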
@@ -1,4 +1,4 @@
|
||||
/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.
|
||||
/* Copyright (c) 2000, 2016, Oracle and/or its affiliates. All rights reserved.
|
||||
|
||||
This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of the GNU General Public License as published by
|
||||
@@ -26,6 +26,7 @@
|
||||
#define USERNAME_CHAR_LENGTH 16
|
||||
#define NAME_LEN (NAME_CHAR_LEN*SYSTEM_CHARSET_MBMAXLEN)
|
||||
#define USERNAME_LENGTH (USERNAME_CHAR_LENGTH*SYSTEM_CHARSET_MBMAXLEN)
|
||||
#define CONNECT_STRING_MAXLEN 1024
|
||||
|
||||
#define MYSQL_AUTODETECT_CHARSET_NAME "auto"
|
||||
|
||||
|
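Review bot: The CONNECT_STRING_MAXLEN define in this hunk carries no comment and no unit, while the two defines directly above it (NAME_LEN, USERNAME_LENGTH) are written as a character count multiplied by SYSTEM_CHARSET_MBMAXLEN. Please state on the define whether 1024 is bytes or characters and note that it exists to keep the stored connection string length within the two-byte field the commit message describes. The check that compares the string length against this limit and raises the error is not among the visible hunks, so it cannot be confirmed from this page that the comparison uses the same unit or that it runs before the length is written.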