Bug #16864 strxmov in the code, possible buffer overruns
Submitted: 28 Jan 2006 10:09 Modified: 26 Mar 2008 14:14
Reporter: Sergei Golubchik
Status: Verified
Category: MySQL Server: General Severity: S2 (Serious)
Version: 5.0 OS: Any
Assigned to: (none) CPU Architecture: Any

[28 Jan 2006 10:09] Sergei Golubchik
Description:
We have quite a few strxmov in the code.
I've just fixed

    strxmov(definer, thd->security_ctx->priv_user, "@",
            thd->security_ctx->priv_host, NullS);

in db_create_routine(). This would be a classical (exploitable?) buffer overflow.
Other occurrences should be examined and fixed as necessary.

At least 5.0 and 5.1 should be examined and fixed.

How to repeat:
[29 Aug 2006 17:28] Ian Greenhoe
Patch for removing most instances of strxmov from the 5.0 tree

Attachment: strxmov.patch (text/x-patch), 48.56 KiB.

[29 Aug 2006 21:10] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11036

ChangeSet@1.2255, 2006-08-29 14:10:26-07:00, igreenhoe@anubis.greendragongames.com +29 -0
  Fix for bug #16864, (strxmov in code).
  
  Problem:  strxmov allows for a potential buffer overflow condition
  unless sizes of strings passed in are checked carefully prior to use.
  
  Solution:  Replace uses of strxmov with strxnmov, which checks to
  ensure that a buffer overrun does not occur.
  
  Note:  This is against the 5.0 tree.  The 5.1 tree will require
  some additional changes.
[11 Dec 2006 21:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/16798

ChangeSet@1.2341, 2006-12-11 13:09:52-08:00, igreenhoe@ra.greendragongames.com +34 -0
  Fix for Bug #16864 : strxmov in code
  
  Updated code to not use strxmov.  Instead it uses strxn0mov, which has the same behavior
  as strxnmov except that it has a guarantee of null termination.  (The maximum number of
  non-null characters written to the string is at most size - 1.)
  
  Update also includes several private functions which allowed the use of strxn0mov by
  adding a size parameter.
  
  There are still several locations that cannot use strxn0mov.  These locations are in
  functions which take a pointer to a buffer, do not specify a size constraint, and
  are possibly referenced by code outside of our code base.
[12 Dec 2006 0:42] Chad MILLER
Approved for ChangeSet@1.2255 and ChangeSet@1.2341.
[24 Oct 2008 19:58] Michael Widenius
Change patch to not use strxn0mov()

Instead change strxnmov() to always add an end 0 and fix all calls that are using strxnmov()

(No reason to have yet another string function and after all, it's only we who are using strxnmov)
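A bounded, always NUL-terminated join in the spirit of the strxnmov/strxn0mov change discussed in this thread, written here as an added example and not taken from the MySQL tree; the names bounded_strxmov and build_definer are hypothetical, and the user@host construction mirrors the db_create_routine() call quoted in the report.

```c
#include <stdarg.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical bounded replacement for strxmov (not MySQL's code).
 * Concatenates the NULL-terminated argument list into dst, never writes
 * more than size bytes, and always leaves dst NUL-terminated, so at most
 * size - 1 payload bytes are stored.  Returns the length the complete
 * result would have needed (excluding the NUL); a caller detects
 * truncation by checking that this is < size. */
size_t bounded_strxmov(char *dst, size_t size, const char *src, ...)
{
    size_t needed = 0;   /* total length of all pieces */
    size_t written = 0;  /* payload bytes stored in dst so far */
    va_list ap;
    va_start(ap, src);
    for (const char *p = src; p != NULL; p = va_arg(ap, const char *)) {
        size_t n = strlen(p);
        needed += n;
        if (size > 0 && written < size - 1) {
            size_t room = size - 1 - written;   /* keep one byte for NUL */
            size_t take = n < room ? n : room;
            memcpy(dst + written, p, take);
            written += take;
        }
    }
    va_end(ap);
    if (size > 0)
        dst[written] = '\0';   /* unconditional termination */
    return needed;
}

/* Builds "user@host" the way db_create_routine() did, but bounded.
 * Returns 1 if the full definer fit, 0 if it was truncated. */
int build_definer(char *out, size_t out_size, const char *user, const char *host)
{
    size_t needed = bounded_strxmov(out, out_size, user, "@", host,
                                    (const char *)NULL);
    return needed < out_size;
}
```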