Bug #27036 show create table <federated> crashes server
Submitted: 11 Mar 2007 18:57 Modified: 31 Mar 2007 23:14
Reporter: Shane Bester (Platinum Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Federated storage engine Severity:S1 (Critical)
Version:5.1.17BK OS:Any (*)
Assigned to: Antony Curtis CPU Architecture:Any
Tags: crash, federated

[11 Mar 2007 18:57] Shane Bester 
Description:
show create table aaaaaaa.bbbbbbbbbbbbbbbbbbbbbb; 

causes the server to crash when using a predefined server and
federated table!!

here's a stack trace.
Stack range sanity check OK, backtrace follows:
0x8221499 handle_segfault + 541
0xffffe410 _end + -143106752
0x400edb75 _end + 931615909
0x401207aa _end + 931823834
0x40126007 _end + 931846455
0x40127d18 _end + 931853896
0x401295b4 _end + 931860196
0x85976d1 my_malloc + 129
0x839a1b1 mysql_init + 35
0x83e402c _ZN12ha_federated4openEPKcij + 186
0x8303547 _ZN7handler7ha_openEP8st_tablePKcii + 261
0x8273df7 _Z21open_table_from_shareP3THDP14st_table_sharePKcjjjP8st_tableb + 2009
0x8269baa _Z17open_unireg_entryP3THDP8st_tableP13st_table_listPKcPcjP11st_mem_rootj + 1502
0x82682e7 _Z10open_tableP3THDP13st_table_listP11st_mem_rootPbj + 2471
0x8269fa5 _Z11open_tablesP3THDPP13st_table_listPjj + 559
0x826a7d8 _Z30open_normal_and_derived_tablesP3THDP13st_table_listj + 174
0x8361718 _Z18mysqld_show_createP3THDP13st_table_list + 230
0x822fcd8 _Z21mysql_execute_commandP3THD + 7622
0x823729b _Z11mysql_parseP3THDPcj + 299
0x822c8d5 _Z16dispatch_command19enum_server_commandP3THDPcj + 1965
0x822c11c _Z10do_commandP3THD + 612
0x822acf7 handle_one_connection + 253
0x4004daa7 _end + 930960343
0x4017ec2e _end + 932210014

How to repeat:
on remote server (5.0.38 in my case):
-----------------------------

drop database if exists aaaaaaa;
create database aaaaaaa;
use aaaaaaa;

CREATE TABLE `bbbbbbbbbbbbbbbbbbbbbb` (
`year` smallint(6) NOT NULL,
`month` tinyint(2) unsigned NOT NULL,
`week` tinyint(2) unsigned NOT NULL,
`day` tinyint(2) unsigned NOT NULL,
`hour` tinyint(2) unsigned NOT NULL,
`min` tinyint(2) unsigned NOT NULL,
`count` int(10) unsigned NOT NULL DEFAULT '0',
`timestamp` datetime NOT NULL,
UNIQUE KEY `min` (`year`,`month`,`day`,`hour`,`min`),
KEY `timestamp` (`timestamp`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci;

on 5.1.17BK with federated engine
-----------------------------------

drop database if exists aaaaaaa;
create database aaaaaaa;
use aaaaaaa;

create server aaaaaaa foreign data wrapper mysql options (
user 'aaaaaaa', host '192.168.250.4', password 'aaaaaaa', database
'aaaaaaa', port 3306, socket '', owner 'root');

CREATE TABLE `bbbbbbbbbbbbbbbbbbbbbb` (
`year` smallint(6) NOT NULL,
`month` tinyint(2) unsigned NOT NULL,
`week` tinyint(2) unsigned NOT NULL,
`day` tinyint(2) unsigned NOT NULL,
`hour` tinyint(2) unsigned NOT NULL,
`min` tinyint(2) unsigned NOT NULL,
`count` int(10) unsigned NOT NULL DEFAULT '0',
`timestamp` datetime NOT NULL,
UNIQUE KEY `min` (`year`,`month`,`day`,`hour`,`min`),
KEY `timestamp` (`timestamp`)
) ENGINE="FEDERATED" CONNECTION="aaaaaaa";

show create table aaaaaaa.bbbbbbbbbbbbbbbbbbbbbb;

Suggested fix:
don't crash
[11 Mar 2007 19:00] MySQL Verification Team 
full error log from 5.1.17BK

Attachment: bug27036_error_log_5.1.17bk.txt (text/plain), 2.96 KiB.
[11 Mar 2007 20:20] MySQL Verification Team 
stack trace from windows debug 5.1.17BK

Attachment: bug27036_5.1.17_windows_debug_stack.txt (text/plain), 3.83 KiB.
[15 Mar 2007 11:56] Antony Curtis 
Doesn't appear to be reproducable after applying patch for Bug#26257
I will compare by building from unpatched tree to verify.
[16 Mar 2007 0:01] Antony Curtis 
Bug is caused by buffer overflow currupting the data structures used to manage the heap. The amount of memory allocated at ha_federated.cc:1416 is too small.

    if (!(share= (FEDERATED_SHARE *)
          my_multi_malloc(MYF(MY_WME),
                          &share, sizeof(*share),
                          &select_query,
                          query.length()+table->s->connect_string.length+1,
                          NullS)))
      goto error;

The query string later has the table name and a closing quotation mark appended to it, which is not taken into account - so an adequately long table name will result in catastrophic crash.

In any case, any patch to this will be obsoleted by the patch in Bug#26257 as it uses a very different mechanism for allocating memory.
[25 Mar 2007 4:13] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/22885

ChangeSet@1.2491, 2007-03-24 20:13:13-07:00, acurtis@xiphis.org +2 -0
  Bug#27036
    "show create table <federated> crashes server"
    Buffer allocated for string was inadequate in the case where table name length
    is longer than the connection name length.
    This bug fix is obsoleted by the patch for Bug 26257
[30 Mar 2007 18:12] Antony Curtis 
Patch for Bug#26257 which was pushed into 5.1.18-beta fixed this bug
[31 Mar 2007 23:14] Paul DuBois 
Noted in 5.1.18 changelog.

For FEDERATED tables, SHOW CREATE TABLE could fail when the table
name was longer than the connection name.