>Description:

MySQL (e.g. version 4.0.10-gamma) does not check for buffer overflows
when formatting error messages: the code just assumes that no message
will ever be larger than SC_MAXWIDTH (256), ERRMSGSIZE (SC_MAXWIDTH)
or MYSQL_ERRMSG_SIZE (200).  This has been observed to lead to memory
corruption when the client e.g. tries to redefine a key with a name
whose length is of order 200 (yes, that _is_ a realistic use case for
computer-handled keys).

>How-To-Repeat:

Define a key with a length of ~200 or more (the longer, the better)
and then try to redefine it; observe the client getting an error message
that is truncated and/or has trailing garbage.  The client and/or the
server may then have corrupted their own memories to such an extent
that they become unusable and/or crash (both have been observed at
least in a client application).

>Fix:

In general, functions like my_vsnprintf() and my_snprintf() should be
used instead of their counterparts vsprintf() and sprintf().

Please find suggested changes for various source files here:

http://litmaath.home.cern.ch/litmaath/MyODBC-MySQL-patches.html

In particular the file "mysql-4.0.10-gamma-ml-diffs.tgz" contains the
differences between the original and the patched versions.

These fixes appeared to be sufficient to prevent memory corruption in
my use cases.
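As an added illustration (not code from this report or from the patches linked above), here is the bounded formatting the Fix recommends, written with the C library's vsnprintf() in place of MySQL's my_vsnprintf(); the buffer size constant and the "Duplicate key name" wording are assumptions for the example:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed for this example: the buffer size named in the report. */
#define MYSQL_ERRMSG_SIZE 200

/* Bounded replacement for a vsprintf()-style error formatter: never writes
   past buf[size-1], always NUL-terminates, and reports truncation so the
   caller can notice it instead of trusting a silently cut-off message.
   Returns the number of characters stored (excluding the NUL). */
size_t format_errmsg(char *buf, size_t size, int *truncated, const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(buf, size, fmt, ap);   /* stores at most size-1 chars */
    va_end(ap);
    if (needed < 0) {                          /* encoding error: empty message */
        buf[0] = '\0';
        *truncated = 1;
        return 0;
    }
    *truncated = ((size_t)needed >= size);
    return *truncated ? size - 1 : (size_t)needed;
}

/* Constructed input: a 250-character key name, the length the report
   describes. sprintf() would write ~270 bytes into the 200-byte buffer;
   returns the stored length when truncation was flagged, else -1. */
long demo_long_key(void)
{
    char msg[MYSQL_ERRMSG_SIZE], keyname[251];
    int truncated = 0;
    size_t n;
    memset(keyname, 'k', 250);
    keyname[250] = '\0';
    n = format_errmsg(msg, sizeof msg, &truncated, "Duplicate key name '%s'", keyname);
    return truncated ? (long)n : -1L;
}

/* A short message must pass through unchanged and unflagged. */
int demo_short_key_intact(void)
{
    char msg[MYSQL_ERRMSG_SIZE];
    int truncated = 0;
    format_errmsg(msg, sizeof msg, &truncated, "Duplicate key name '%s'", "id");
    return !truncated && strcmp(msg, "Duplicate key name 'id'") == 0;
}
```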

>Submitter-Id:       unknown
>Originator: Maarten LITMAATH
>Organization:       CERN - European Laboratory for Particle Physics
>MySQL support: none
>Synopsis:   error message formatting may cause buffer overflows
>Severity:   serious
>Priority:   high
>Category:   mysql
>Class:              sw-bug
>Release:    mysql-4.0.10-gamma (Source distribution)
>Server: lt-mysqladmin  Ver 8.40 Distrib 4.0.10-gamma, for intel-linux on i686

Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version          4.0.10-gamma
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /tmp/mysql.sock
Uptime:                 16 days 11 hours 50 min 3 sec

Threads: 1 Questions: 5523 Slow queries: 0 Opens: 13 Flush tables: 1 Open tables: 7 Queries per second avg: 0.004

>C compiler:    2.95.2
>C++ compiler:  2.95.2
>Environment:


System: Linux lxshare0270 2.4.18-18.7.x.cernsmp #1 SMP Mon Nov 18 15:44:49 CET 2002 i686 unknown
Architecture: i686


Some paths: /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 20000731 (Red Hat Linux 7.3 2.96-113) (not used)
Compilation info: CC='gcc' CFLAGS='' CXX='g++' CXXFLAGS='' LDFLAGS='' ASFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 13 Feb 20 13:27 /lib/libc.so.6 -> libc-2.2.5.so
-rwxr-xr-x 1 root root 1260480 Oct 10 17:16 /lib/libc-2.2.5.so
-rw-r--r-- 1 root root 2312442 Oct 10 16:51 /usr/lib/libc.a
-rw-r--r-- 1 root root 178 Oct 10 16:46 /usr/lib/libc.so
Configure command: ./configure '--prefix=/var/lib/mysql' '--with-thread-safe-client' '--enable-thread-safe-client'
