Sergei Golubchik wrote:

On Mar 12, Maarten LITMAATH wrote:

Description:

MySQL (e.g. version 4.0.10-gamma) does not check for buffer overflows when formatting error messages: the code just assumes that no message will ever be larger than SC_MAXWIDTH (256), ERRMSGSIZE (SC_MAXWIDTH) or MYSQL_ERRMSG_SIZE (200). This has been observed to lead to memory corruption when the client e.g. tries to redefine a key with a name whose length is of order 200 (yes, that _is_ a realistic use case for computer-handled keys).


How-To-Repeat:

Define a key with a length of ~200 or more (the longer, the better) and then try to redefine it; observe the client getting an error message that is truncated and/or has trailing garbage. The client and/or the server may then have corrupted their own memories to such an extent that they become unusable and/or crash (both have been observed at least in a client application).


Nope. Fails for me.

mysql> create table aa (bb int, key cccccccccccccccccccccccccccccccccccc
> ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc(bb));
ERROR 1059: Identifier name 'ccccccccccccccccccccccccccccccccccccccccccc
> cccccccccccccccccccccccccccccccccccccccccccccccccccccccc' is too long
mysql> create table aa (bb int, key cccccccccccccccccccccccccccccccccccc
> cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
> cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
> ccccccccccccccccc(bb));
ERROR 1059: Identifier name 'ccccccccccccccccccccccccccccccccccccccccccc
> cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc
> ccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc

Error message gets truncated, no overflow.

OK, let me give a bit more information. I am using MySQL through a server (the Globus RLS, if you care about that), which does all the SQL statements. I did some stress testing of that server, trying to break it, e.g. by supplying "ridiculously" long names for keys, which caused it to corrupt its own memory and/or crash. Debugging that, I ultimately came to the MySQL client code that it uses, and found that it _evidently_ does not check for overflows in error messages. In the debugger I clearly saw the code scribbling beyond the end of an error message buffer, overwriting adjacent fields in some struct. I then patched various routines dealing with error messages (also in MyODBC) and my problem went away.

I got truncated error messages too, but _after_ they had overflowed...
Furthermore, whenever such overflow happens, the damage depends on the
layout of the data segment or stack, so your program may survive,
or _seem_ to survive, having corrupted its own memory.

Please download the diffs and have a look at them:

http://litmaath.home.cern.ch/litmaath/MyODBC-MySQL-patches/
mysql-4.0.10-gamma-ml-diffs.tgz

You will see that the problems can easily be fixed once and for all,
by using functions like my_snprintf() instead of plain sprintf().

Best regards,
                Maarten


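The fix Maarten describes, bounded formatting in place of plain sprintf(), as an added illustration that is not part of the thread and not taken from his patch. It assumes a 200-byte error buffer (the MYSQL_ERRMSG_SIZE value quoted in the report), uses standard snprintf() where the patch uses my_snprintf(), and puts a constructed field right after the buffer to stand in for the "adjacent fields in some struct" that an unchecked write would clobber. The unchecked variant is shown for comparison only and is never called with a long identifier, since that write would be undefined behaviour.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Stands in for MYSQL_ERRMSG_SIZE from the report. */
#define ERRMSG_SIZE 200

/* Constructed layout: the message buffer followed by a field that an
   overflow of errmsg would overwrite. The field name is an assumption
   for the example, not a MySQL structure. */
struct conn_state {
    char errmsg[ERRMSG_SIZE];
    unsigned int sentinel; /* observed after formatting to confirm no spill-over */
};

/* Before: the pattern the thread complains about. sprintf() writes as
   many bytes as the format produces, regardless of the buffer size.
   Kept uncalled here; invoking it with a ~200-char identifier would
   write past errmsg into sentinel. */
static void format_error_unchecked(struct conn_state *c, const char *ident)
{
    sprintf(c->errmsg, "Identifier name '%s' is too long", ident);
}

/* After: bounded formatting. snprintf() never writes more than
   sizeof errmsg bytes (including the NUL) and returns the length the
   full message would have needed, so truncation can be detected.
   Returns true when the whole message fit, false when it was cut. */
static bool format_error_bounded(struct conn_state *c, const char *ident)
{
    int needed = snprintf(c->errmsg, sizeof c->errmsg,
                          "Identifier name '%s' is too long", ident);
    return needed >= 0 && (size_t)needed < sizeof c->errmsg;
}

/* Worked check: format with an identifier far longer than the buffer
   and confirm that (a) the result is NUL-terminated and at most
   ERRMSG_SIZE-1 characters, and (b) the field after the buffer is
   untouched. Returns true when both hold. */
static bool long_identifier_is_contained(void)
{
    struct conn_state c;
    char ident[300];

    memset(ident, 'c', sizeof ident - 1);   /* constructed 299-char key name */
    ident[sizeof ident - 1] = '\0';
    c.sentinel = 0xC0FFEEu;

    bool fit = format_error_bounded(&c, ident);

    return !fit
        && strlen(c.errmsg) == ERRMSG_SIZE - 1
        && c.sentinel == 0xC0FFEEu;
}

int main(void)
{
    struct conn_state c;

    c.sentinel = 0;
    if (format_error_bounded(&c, "idx_user_email"))
        printf("short name: %s\n", c.errmsg);

    printf("long name contained: %s\n",
           long_identifier_is_contained() ? "yes" : "no");
    (void)format_error_unchecked; /* referenced only so the comparison compiles */
    return 0;
}
```

The return value of snprintf() is the part worth keeping: a caller that only looks at the buffer sees a truncated message, which is what the thread reports, while a caller that checks `needed >= sizeof buf` can log that the message was cut rather than silently shipping a partial string.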