database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-07-29 05:21:33 +03:00
Code Activity

Bug#31669 Buffer overflow in mysql_change_user()

Browse Source 
The problem is that when copying the supplied username and
database, no bounds checking is performed on the fixed-length
buffer. A sufficiently large (> 512) user string can easily
cause stack corruption. Since this API can be used from PHP
and other programs, this is a serious problem.

The solution is to increase the buffer size to the accepted
size in similar functions and perform bounds checking when
copying the username and database.
This commit is contained in:
davi@moksha.local/moksha.com.br
2007-10-23 09:05:39 -03:00
parent 6fa35a5d3b
commit dac55f09f0
2 changed files with 98 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
libmysql/libmysql.c
View File

@ -706,7 +706,8 @@ int cli_read_change_user_result(MYSQL *mysql, char *buff, const char *passwd)
my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
const char *passwd, const char *db)
{
char buff[512],*end=buff;
char buff[USERNAME_LENGTH+SCRAMBLED_PASSWORD_CHAR_LENGTH+NAME_LEN+2];
char *end= buff;
int rc;
DBUG_ENTER("mysql_change_user");
@ -716,7 +717,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
passwd="";
/* Store user into the buffer */
end=strmov(end,user)+1;
end= strmake(end, user, USERNAME_LENGTH) + 1;
/* write scrambled password according to server capabilities */
if (passwd[0])
@ -736,7 +737,7 @@ my_bool STDCALL mysql_change_user(MYSQL *mysql, const char *user,
else
*end++= '\0'; /* empty password */
/* Add database if needed */
end= strmov(end, db ? db : "") + 1;
end= strmake(end, db ? db : "", NAME_LEN) + 1;
/* Write authentication package */
simple_command(mysql,COM_CHANGE_USER, buff,(ulong) (end-buff),1);