Sergei Golubchik wrote:

> Ok, I took a look at this.
> (btw, this was not a diff at all, but rather tarball of new and old
> files. Having a real unified diff would make your changes MUCH easier to
> understand).

Hi, I did not want to force a particular diff format on the reader; having the original and the new sources, one can run "diff" with any options desired...

> Though your changes looked innocent - that is they most probably could
> do no harm - I failed to understand when they'll do any good.
> You replaced a set of checks for buffer overflow by some other set of
> checks, which looked equivalent to the old one.
>
> Please, show at least one single test case where old code gets buffer
> overflow.

First of all I must _apologize_ that in my bug report I _mixed_ remarks about the behavior of MySQL with those for MyODBC: it is in fact MyODBC which evidently does not do any overflow checks for error messages!

MyODBC version 3.51.06 uses a buffer twice the original size, which in
practice probably is enough to avoid the problem, though it _still_
does not do explicit checks (I have reported that).

MySQL _does_ check for overflows, but _not_ 100% correctly...

I will try to reproduce the problem that I observed a few weeks ago,
but I will show you one problem right now.  Look in mysys/my_error.c:

---------------------------------------------------------------------
  char          ebuff[ERRMSGSIZE+20];
  /* ... */
  olen=(uint) strlen(tpos=my_errmsg[nr / ERRMOD][nr % ERRMOD]);
  endpos=ebuff;

  while (*tpos)
  {
    if (tpos[0] != '%')
    {
      *endpos++= *tpos++;       /* Copy ordinary char */
      olen++;
      continue;
    }
---------------------------------------------------------------------

Now what if "olen >= ERRMSGSIZE+20" i.e. "olen >= 276"?
Then the above code could overflow the buffer.
It would be ridiculous if an error message were that long, right?
Well, the longest message in sql/share/romanian/errmsg.txt is _318_
characters long...
Regards,
                Maarten
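A bounded rewrite of the copy loop quoted above, added here as an example (not MySQL's own code). It assumes ERRMSGSIZE is 256, so that ERRMSGSIZE+20 is the 276 mentioned in the message, and only covers the literal-character path shown in the excerpt (the '%' argument-substitution branch is not reproduced). Instead of overrunning ebuff, it stops at the buffer limit and reports how many characters were dropped, which lets a caller detect exactly the 318-character case from errmsg.txt.

```c
#include <stddef.h>
#include <string.h>

/* Assumed value: the page only states that ERRMSGSIZE+20 equals 276. */
#define ERRMSGSIZE 256
#define EBUFF_SIZE (ERRMSGSIZE + 20)

/* Copy fmt into ebuff like the loop in my_error.c, but never past
   ebuff_size-1 characters (one byte is kept for the terminating NUL).
   '%' is copied literally here; the real code substitutes arguments.
   Returns the number of characters that did not fit (0 = message fit). */
size_t copy_errmsg_bounded(char *ebuff, size_t ebuff_size, const char *fmt)
{
    char *endpos = ebuff;
    char *limit = ebuff + ebuff_size - 1;   /* last writable char + 1 */
    const char *tpos = fmt;
    size_t dropped = 0;

    while (*tpos)
    {
        if (endpos < limit)
            *endpos++ = *tpos;              /* Copy ordinary char */
        else
            dropped++;                      /* would have overflowed */
        tpos++;
    }
    *endpos = '\0';
    return dropped;
}

/* Global buffer sized exactly like ebuff in my_error.c, for the demo. */
char g_ebuff[EBUFF_SIZE];

size_t format_into_global(const char *fmt)
{
    return copy_errmsg_bounded(g_ebuff, sizeof(g_ebuff), fmt);
}

/* Constructed sample: a message of len 'a' characters (len < 512),
   standing in for the 318-character Romanian message from errmsg.txt. */
const char *build_sample(size_t len)
{
    static char sample[512];
    if (len >= sizeof(sample))
        len = sizeof(sample) - 1;
    memset(sample, 'a', len);
    sample[len] = '\0';
    return sample;
}
```

With the 318-character sample, the old loop would have written 42 bytes past the end of ebuff (plus the NUL); the bounded version instead returns 43 dropped characters and leaves a NUL-terminated 275-character string.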