Bug #31669 Buffer overflow in mysql_change_user()
Submitted: 17 Oct 2007 15:54 Modified: 9 Nov 2007 0:11
Reporter: Davi Arnaut (OCA)
Status: Closed
Category: MySQL Server: C API (client library)  Severity: S2 (Serious)
Version: 5.0+  OS: Any
Assigned to: Davi Arnaut  CPU Architecture: Any
Tags: mysql_change_user

[17 Oct 2007 15:54] Davi Arnaut
Description:
During the review of Bug#31608, Magnus Svensson spotted a somewhat serious
buffer overflow in the mysql_change_user function:

mysql_change_user(MYSQL *mysql, const char *user,
                                   const char *passwd, const char *db)
{
  char buff[512],*end=buff;
  ...
  /* Store user into the buffer */
  end=strmov(end,user)+1;
  ...
  end= strmov(end, db ? db : "") + 1;
}

The problem is that when copying the supplied username and database, no bounds
checking is performed on the fixed-length buffer. A sufficiently large (> 512) user
string can easily cause stack corruption.

Since this API can be used from PHP and other programs, this is a serious problem.

How to repeat:
Call mysql_change_user() with a username string larger than 512 bytes.

Suggested fix:
Perform bounds checking when copying the username and database.
[19 Oct 2007 14:33] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/35927

ChangeSet@1.2543, 2007-10-19 12:32:33-03:00, davi@moksha.com.br +2 -0
  Bug#31669 Buffer overflow in mysql_change_user()
  
  The problem is that when copying the supplied username and
  database, no bounds checking is performed on the fixed-length
  buffer. A sufficiently large (> 512) user string can easily
  cause stack corruption. Since this API can be used from PHP
  and other programs, this is a serious problem.
  
  The solution is to increase the buffer size to the accepted
  size in similar functions and perform bounds checking when
  copying the username and database.
[22 Oct 2007 9:48] Magnus Blåudd
Review mail sent, some comments to fix or think about.
[23 Oct 2007 11:06] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/36116

ChangeSet@1.2543, 2007-10-23 09:05:39-03:00, davi@moksha.local +2 -0
  Bug#31669 Buffer overflow in mysql_change_user()
  
  The problem is that when copying the supplied username and
  database, no bounds checking is performed on the fixed-length
  buffer. A sufficiently large (> 512) user string can easily
  cause stack corruption. Since this API can be used from PHP
  and other programs, this is a serious problem.
  
  The solution is to increase the buffer size to the accepted
  size in similar functions and perform bounds checking when
  copying the username and database.
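A bounds-checked version of the copy that the description and the changeset above describe, as an added example that is not part of the report or of the MySQL patch; the function names pack_user_db, change_user_args_fit, user_of_length_fits and packed_layout_ok are assumptions, and the 512-byte buffer is the one the report quotes.

```c
#include <string.h>

/* Constructed example, not MySQL's code: packs user and db into a fixed
   buffer in the reported layout (user, NUL, db or "", NUL) but refuses the
   copy when it would not fit, instead of running past the buffer end as
   the unchecked strmov() calls do. Returns bytes written, 0 if rejected;
   nothing is written on failure. */
size_t pack_user_db(char *buff, size_t size, const char *user, const char *db)
{
    const char *d = db ? db : "";
    size_t ulen = strlen(user), dlen = strlen(d);

    /* Need ulen + 1 + dlen + 1 bytes; the first test also keeps the
       subtraction in the second from wrapping. */
    if (ulen >= size || dlen >= size - ulen - 1)
        return 0;
    memcpy(buff, user, ulen + 1);
    memcpy(buff + ulen + 1, d, dlen + 1);
    return ulen + dlen + 2;
}

/* The report's 512-byte stack buffer: 1 if accepted, 0 if it would overflow. */
int change_user_args_fit(const char *user, const char *db)
{
    char buff[512];
    return pack_user_db(buff, sizeof buff, user, db) != 0;
}

/* Constructed input: a user name of `len` 'a' bytes with db "db".
   Returns change_user_args_fit()'s result, or -1 if len exceeds the
   local scratch buffer. */
int user_of_length_fits(size_t len)
{
    char user[1024];
    if (len >= sizeof user) return -1;
    memset(user, 'a', len);
    user[len] = '\0';
    return change_user_args_fit(user, "db");
}

/* Layout check for "bob"/"db": expect "bob\0db\0", 7 bytes. */
int packed_layout_ok(void)
{
    char out[16];
    size_t n = pack_user_db(out, sizeof out, "bob", "db");
    return n == 7 && memcmp(out, "bob\0db\0", 7) == 0;
}
```

With the 512-byte buffer, a 508-byte user name plus "db" is the largest combination that still fits; one byte more is rejected before anything is written.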
[30 Oct 2007 12:43] Davi Arnaut
Pushed in 5.0-runtime
[7 Nov 2007 21:59] Bugs System
Pushed into 6.0.4-alpha
[7 Nov 2007 22:01] Bugs System
Pushed into 5.1.23-rc
[7 Nov 2007 22:02] Bugs System
Pushed into 5.0.52
[9 Nov 2007 0:11] Paul DuBois
Noted in 5.0.52, 5.1.23, 6.0.4 changelogs.

The mysql_change_user() C API function was subject to buffer overflow.