| Bug #16864 | strxmov in the code, possible buffer overruns | | |
|---|---|---|---|
| Submitted: | 28 Jan 2006 10:09 | Modified: | 26 Mar 2008 14:14 |
| Reporter: | Sergei Golubchik | Email Updates: | |
| Status: | Verified | Impact on me: | |
| Category: | MySQL Server: General | Severity: | S2 (Serious) |
| Version: | 5.0 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[28 Jan 2006 10:09]
Sergei Golubchik
[29 Aug 2006 17:28]
Ian Greenhoe
Patch for removing most instances of strxmov from the 5.0 tree
Attachment: strxmov.patch (text/x-patch), 48.56 KiB.
[29 Aug 2006 21:10]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/11036

ChangeSet@1.2255, 2006-08-29 14:10:26-07:00, igreenhoe@anubis.greendragongames.com +29 -0
Fix for bug #16864, (strxmov in code).

Problem: strxmov allows for a potential buffer overflow condition unless sizes of strings passed in are checked carefully prior to use.

Solution: Replace uses of strxmov with strxnmov, which checks to ensure that a buffer overrun does not occur.

Note: This is against the 5.0 tree. The 5.1 tree will require some additional changes.
[11 Dec 2006 21:19]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/16798

ChangeSet@1.2341, 2006-12-11 13:09:52-08:00, igreenhoe@ra.greendragongames.com +34 -0
Fix for Bug #16864 : strxmov in code

Updated code to not use strxmov. Instead it uses strxn0mov, which has the same behavior as strxnmov except that it has a guarantee of null termination. (The maximum number of non-null characters written to the string is at most size - 1.)

The update also includes several private functions which allowed the use of strxn0mov by adding a size parameter.

There are still several locations that cannot use strxn0mov. These locations are in functions which take a pointer to a buffer, do not specify a size constraint, and are possibly referenced by code outside of our code base.
[12 Dec 2006 0:42]
Chad MILLER
Approved for ChangeSet@1.2255 and ChangeSet@1.2341.
[24 Oct 2008 19:58]
Michael Widenius
Change patch to not use strxn0mov(). Instead change strxnmov() to always add an end 0 and fix all calls that are using strxnmov(). (No reason to have yet another string function, and after all, it's only we who are using strxnmov.)
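The change discussed in the 11 Dec 2006 and 24 Oct 2008 comments, shown as an added C illustration that is not MySQL's own code: a strxmov()-style concatenation that never checks the destination size, beside a bounded variant with the semantics the final comment settles on (at most size - 1 payload bytes, and the terminating 0 is always written). The function names demo_strxmov, demo_strxnmov and demo_join_path, the buffer size and the sample paths are assumptions made for the example; only the behaviour described in the comments is taken from the page.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration (not MySQL's code): an unbounded strxmov()-style
 * concatenation next to a bounded variant with the semantics the final
 * comment asks for (always write the terminating 0, at most len-1 bytes
 * of payload).  All names here are hypothetical.
 */

/* Unbounded: copies every source until the NULL sentinel.  The caller has
 * to prove in advance that dst is large enough; nothing here checks it,
 * which is exactly the hazard the bug report is about. */
static char *demo_strxmov(char *dst, const char *src, ...)
{
    va_list ap;
    va_start(ap, src);
    while (src) {
        while (*src)
            *dst++ = *src++;
        src = va_arg(ap, const char *);
    }
    va_end(ap);
    *dst = '\0';
    return dst;                 /* points at the terminating NUL */
}

/* Bounded: stops after len-1 payload bytes and always writes the NUL,
 * so the result is a valid C string no matter how long the inputs are.
 * Returns a pointer to the NUL, so (end - dst) is the payload length. */
static char *demo_strxnmov(char *dst, size_t len, const char *src, ...)
{
    va_list ap;
    char *end;

    if (len == 0)
        return dst;             /* no room even for the NUL: write nothing */
    end = dst + len - 1;        /* last byte is reserved for the NUL */
    va_start(ap, src);
    while (src && dst < end) {
        while (*src && dst < end)
            *dst++ = *src++;
        src = va_arg(ap, const char *);
    }
    va_end(ap);
    *dst = '\0';
    return dst;
}

/* Typical call site: join a directory and a file name into a fixed buffer.
 * Returns 1 if the bounded copy had to truncate, i.e. the unbounded
 * strxmov()-style call would have written past the end of buf. */
static int demo_join_path(char *buf, size_t buflen,
                          const char *dir, const char *name)
{
    char *end = demo_strxnmov(buf, buflen, dir, "/", name, (const char *)NULL);
    size_t wanted = strlen(dir) + 1 + strlen(name);
    return wanted > (size_t)(end - buf);
}

int main(void)
{
    char buf[16];               /* deliberately small fixed-size buffer */

    /* Constructed sample inputs: one that fits, one that does not. */
    if (!demo_join_path(buf, sizeof buf, "/tmp", "a.txt"))
        printf("fits:      \"%s\"\n", buf);

    if (demo_join_path(buf, sizeof buf, "/var/lib/mysql", "data.frm"))
        printf("truncated: \"%s\" (%zu bytes, NUL preserved)\n",
               buf, strlen(buf));

    /* Safe only because this buffer is provably large enough. */
    demo_strxmov(buf, "ok", "/", "x", (const char *)NULL);
    printf("unbounded: \"%s\"\n", buf);
    return 0;
}
```

The return value of the bounded variant is what makes the call site checkable: comparing the bytes actually written against the length the caller wanted reveals truncation, so a caller can fail or log instead of silently continuing with a shortened path. Without the guaranteed terminator, a caller that fills the buffer exactly would hand a non-terminated string to strlen() and the next unbounded read would run off the end, which is why the final comment folds the "always add an end 0" behaviour into strxnmov() itself rather than keeping a separate function.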