Bug #31836 insufficient space reserved for the suffix of relay log file name
Submitted: 25 Oct 2007 8:13 Modified: 28 Nov 2007 18:51
Reporter: Andrei Elkin
Status: Closed
Category:MySQL Server: Replication Severity:S2 (Serious)
Version:5.0,5.1 OS:Any
Assigned to: Andrei Elkin CPU Architecture:Any

[25 Oct 2007 8:13] Andrei Elkin
Description:
if the global `char pidfile_name[FN_REFLEN]' value occupies
more than FN_REFLEN - strlen("relay-bin") - 1 == FN_REFLEN - 10
then in generating the relay log file name in
init_relay_log_info() -> MYSQL_LOG::generate_name()
the buffer relay_log_info:char buf[FN_REFLEN] overruns.

Look at the calling line
  rli->relay_log.generate_name(opt_relay_logname, "-relay-bin", 1, buf)

if opt_relay_logname is NULL, the two lines of MYSQL_LOG::generate_name()

  strmake(buff, pidfile_name, FN_REFLEN - 5); // buff is buf of caller
  strmov(fn_ext(buff), suffix);

will store in buf[FN_REFLEN] FN_REFLEN + 10 - 5 i.e. 5 bytes over the size.

How to repeat:
Look at the code, or create a setup where pidfile_name is more than 512 - 10 == 502 bytes.
Start mysqld without --relay-log. Overrun can be noticed by different means including a crash.

Practically I did:
1. set pidfile_name to a string with strlen 502 i.e. to occupy 503.
2. checked at return from MYSQL_LOG::generate_name() the length of the string
 (gdb) p strlen(buff)
 $9 = 512

however, sizeof(init_relay_log_info:buf) == 512

which means 1 byte overrun in buf.

Suggested fix:
fixing along bug#28597 with reserving the max bytes among all possible suffixes
appendable to the `pidfile_name' root.
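The arithmetic in the report, as an added example that is not code from the MySQL source: the block below models the mysys strmake()/fn_ext() semantics the two quoted lines rely on (the real functions live in mysys; these are assumed-equivalent reimplementations), runs the original "root cut to FN_REFLEN - 5, then append suffix" pattern into a deliberately oversized scratch buffer so the model itself never overruns, and reports how many bytes the caller's buf[FN_REFLEN] would actually need. A bounded variant that reserves strlen(suffix) + 1 bytes is included to illustrate the "reserve the suffix" idea; it is an illustration, not the patch that was pushed.

```c
#include <stdio.h>
#include <string.h>

#define FN_REFLEN 512              /* mysys file-name buffer size, as in the report */
#define SCRATCH   (FN_REFLEN + 64) /* oversized so this model never overruns itself  */

/* Model of mysys strmake(): copy at most n chars, always NUL-terminate.
 * Writes up to n + 1 bytes, which is the detail the original caller relies on. */
static char *my_strmake(char *dst, const char *src, size_t n)
{
    size_t i;
    for (i = 0; i < n && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return dst + i;
}

/* Model of mysys fn_ext(): pointer to the '.' of the extension in the last
 * path component, or to the terminating NUL when there is no extension. */
static char *my_fn_ext(char *name)
{
    char *slash = strrchr(name, '/');
    char *base  = slash ? slash + 1 : name;
    char *dot   = strrchr(base, '.');
    return dot ? dot : name + strlen(name);
}

/* The pattern quoted in the report: the root is limited to FN_REFLEN - 5 bytes,
 * then the suffix is appended with no regard to its own length.
 * Returns strlen() of the result; the caller's buffer needs strlen() + 1 bytes. */
static size_t generate_name_original(char *buff, const char *pidfile, const char *suffix)
{
    my_strmake(buff, pidfile, FN_REFLEN - 5);
    strcpy(my_fn_ext(buff), suffix);
    return strlen(buff);
}

/* Bounded variant (illustration only, not the project's fix): cut the root to
 * FN_REFLEN - strlen(suffix) - 1 so root + suffix + NUL always fit in FN_REFLEN. */
static size_t generate_name_bounded(char *buff, const char *pidfile, const char *suffix)
{
    size_t reserve = strlen(suffix) + 1;
    my_strmake(buff, pidfile, FN_REFLEN - reserve);
    strcpy(my_fn_ext(buff), suffix);
    return strlen(buff);
}

/* Does a string of this strlen() fit, with its NUL, in a char[FN_REFLEN]? */
static int fits(size_t len)
{
    return len + 1 <= FN_REFLEN;
}

/* Constructed input: a dot-free root of root_len bytes, like the gdb experiment. */
static void make_root(char *out, size_t root_len)
{
    if (root_len >= SCRATCH)
        root_len = SCRATCH - 1;
    memset(out, 'a', root_len);
    out[root_len] = '\0';
}

/* Resulting strlen() for each variant, given a dot-free root of root_len bytes. */
static size_t original_len_for(size_t root_len, const char *suffix)
{
    char root[SCRATCH], buff[SCRATCH];
    make_root(root, root_len);
    return generate_name_original(buff, root, suffix);
}

static size_t bounded_len_for(size_t root_len, const char *suffix)
{
    char root[SCRATCH], buff[SCRATCH];
    make_root(root, root_len);
    return generate_name_bounded(buff, root, suffix);
}

int main(void)
{
    const char *suffix = "-relay-bin";
    size_t lens[] = { 100, 502, 600 };
    size_t i;
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t o = original_len_for(lens[i], suffix);
        size_t b = bounded_len_for(lens[i], suffix);
        printf("root %3zu bytes: original strlen=%zu needs %zu bytes (%s), "
               "bounded strlen=%zu (%s)\n",
               lens[i], o, o + 1, fits(o) ? "fits" : "OVERRUN",
               b, fits(b) ? "fits" : "OVERRUN");
    }
    return 0;
}
```

With a 502-byte root the original pattern yields strlen 512, exactly the gdb value in the report, so the NUL lands at buf[512], one byte past a char[512]; with any root of 507 bytes or more it yields 517, the FN_REFLEN + 10 - 5 figure. The bounded variant never exceeds 511.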
[27 Nov 2007 10:49] Bugs System
Pushed into 5.0.54
[27 Nov 2007 10:50] Bugs System
Pushed into 5.1.23-rc
[27 Nov 2007 10:53] Bugs System
Pushed into 6.0.4-alpha
[28 Nov 2007 18:51] Jon Stephens
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html

Documented in 5.0.54, 5.1.23, and 6.0.4 changelogs as:

        It was possible for the name of the relay log file to exceed
        the amount of memory reserved for it, possibly leading to a
        crash of the server.