Bug #32707 misdimensioned buffer in protocol layer
Submitted: 26 Nov 2007 8:32 Modified: 14 Jan 2008 19:47
Reporter: Tatjana A. Nuernberg
Status: Closed
Category: Server: General    Severity: S2 (Serious)
Version:    OS: Any
Assigned to: Tatjana A. Nuernberg    Target Version:
Triage: D2 (Serious)

[26 Nov 2007 8:32] Tatjana A. Nuernberg
Description:
protocol.cc: send_error()

formula is incorrect for pos != buff

length= (uint) (strmake(pos, err, MYSQL_ERRMSG_SIZE-1) - buff);

How to repeat:
see code

Suggested fix:
length= (uint) (strmake(pos, err, MYSQL_ERRMSG_SIZE - (pos - buff) +1) - buff);
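The point of the report is that the copy bound passed to strmake() must be derived from the space left after `pos`, not from the total size of `buff`. The following is an added example (not code from the bug report or from the MySQL source tree) that models that arithmetic: it reimplements strmake() semantics, keeps a fixed, report-style layout (header first, message after), and shows that the old constant bound lets a long message run past the end of the buffer while a bound computed from the remaining space does not. The buffer size, the 8-byte header length, the message text and the small ERRMSG_SIZE are all constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for MYSQL_ERRMSG_SIZE, kept small so the arithmetic
 * can be followed by hand. The value is an assumption, not MySQL's. */
#define ERRMSG_SIZE 16

/* strmake() semantics as used in the report: copy at most `length` bytes of
 * src into dst, always NUL-terminate, return a pointer to the terminating
 * NUL. It therefore touches at most length+1 bytes starting at dst. */
static char *my_strmake(char *dst, const char *src, size_t length)
{
    while (length-- && (*dst = *src) != '\0') {
        dst++;
        src++;
    }
    *dst = '\0';
    return dst;
}

/* Bytes strmake() will touch (characters copied plus the NUL) for a given
 * source and bound, computed without writing anything. */
static size_t bytes_written(const char *src, size_t bound)
{
    size_t n = strlen(src);
    return (n < bound ? n : bound) + 1;
}

/* Old bound from the report: a constant that ignores how far `pos` already
 * sits past the start of `buff`. */
static size_t old_bound(void)
{
    return ERRMSG_SIZE - 1;
}

/* Bound derived from the space actually left: the buffer holds buf_size
 * bytes, prefix_len of them are already used by the header, and one byte
 * must stay free for the NUL that strmake() always writes. */
static size_t remaining_bound(size_t buf_size, size_t prefix_len)
{
    return buf_size - prefix_len - 1;
}

/* Returns 1 if copying `err` at offset prefix_len with `bound` stays inside
 * a buffer of buf_size bytes, 0 if it would write past the end. */
static int fits(size_t buf_size, size_t prefix_len, size_t bound, const char *err)
{
    return prefix_len + bytes_written(err, bound) <= buf_size;
}

/* Assemble a packet the way the reported code does (header, then message)
 * but refuse to write at all if the bound would overflow the buffer. On
 * success stores the same length the report computes: end-of-message - buff. */
static int build_packet(char *buff, size_t buf_size, size_t prefix_len,
                        size_t bound, const char *err, size_t *out_len)
{
    if (!fits(buf_size, prefix_len, bound, err))
        return 0;
    memset(buff, 'H', prefix_len);       /* constructed stand-in for the header bytes */
    char *pos = buff + prefix_len;
    *out_len = (size_t)(my_strmake(pos, err, bound) - buff);
    return 1;
}

int main(void)
{
    enum { BUF_SIZE = ERRMSG_SIZE + 2 };  /* assumed declared size of buff */
    char buff[BUF_SIZE];
    const size_t prefix = 8;              /* assumed header length ahead of pos */
    const char *err = "this error message is longer than the buffer can hold";
    size_t len;

    printf("constant bound fits:  %d\n", fits(BUF_SIZE, prefix, old_bound(), err));
    printf("remaining bound fits: %d\n",
           fits(BUF_SIZE, prefix, remaining_bound(BUF_SIZE, prefix), err));
    if (build_packet(buff, BUF_SIZE, prefix, remaining_bound(BUF_SIZE, prefix), err, &len))
        printf("packet length %zu, message truncated to \"%s\"\n", len, buff + prefix);
    return 0;
}
```

With the constructed sizes (18-byte buffer, 8-byte header) the constant bound of 15 would have strmake() touch 16 bytes from offset 8, six past the end, whereas the remaining-space bound of 9 touches exactly 10 and ends on the last byte. Short messages fit under either bound, which is why the defect only shows up when an attacker-controlled or unusually long message reaches this path.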
[27 Nov 2007 18:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38642

ChangeSet@1.2699, 2007-11-27 18:24:24+01:00, tnurnberg@mysql.com +1 -0
  Bug#32707: misdimensioned buffer in protocol layer
  
  Miscalculation in protocol-layer: size buffer correctly so
  even really long error messages cannot overflow our buffer.
[28 Nov 2007 9:08] Sergey Gluhov
ok to push
[1 Dec 2007 13:36] Tatjana A. Nuernberg
4.1.24, 5.0.52, 5.1.23, 6.2.8 in opt
[14 Dec 2007 9:13] Bugs System
Pushed into 4.1.24
[14 Dec 2007 9:15] Bugs System
Pushed into 5.0.54
[14 Dec 2007 9:18] Bugs System
Pushed into 5.1.23-rc
[14 Dec 2007 9:21] Bugs System
Pushed into 6.0.5-alpha
[14 Jan 2008 19:47] Jon Stephens
Documented bugfix as follows in the 4.1.24, 5.0.54, 5.1.23, and 6.0.5 changelogs:

        It was possible to force an error message of excessive length
        which could lead to a buffer overflow. This has been made no
        longer possible as a security precaution.