Bug #36275 SQLTables buffer overrun
Submitted: 23 Apr 2008 8:08 Modified: 15 Jul 2008 12:33
Reporter: Patrick Frants Email Updates:
Status: Closed Impact on me:
None 
Category:Connector / ODBC Severity:S2 (Serious)
Version:3.51.25.00 OS:Windows (XP)
Assigned to: Jim Winstead CPU Architecture:Any
Tags: buffer overrun, SQLTables

[23 Apr 2008 8:08] Patrick Frants
Description:
Can't pass value longer than 67 as TableType parameter to SQLTables.

SQLTables (http://msdn2.microsoft.com/en-us/library//ms711831.aspx)

overrun(length 69): 'TABLE','VIEW','SYNONYM','ALIAS','GLOBAL TEMPORARY','LOCAL TEMPORARY'
overrun(length 68): 'TABLE','VIEW','SYNONYM','ALIAS','GLOBAL TEMPORARY','LOCAL TEMPORAR'
ok(length 67): 'TABLE','VIEW','SYNONYM','ALIAS','GLOBAL TEMPORARY','LOCAL TEMPORA'

How to repeat:
Microsoft ODBC test tool odbcte32
- Full connect (odbc 3.0, use odbc)
- Catalog|SQLTables, only fill in TableType with:
'TABLE','VIEW','SYNONYM','ALIAS','GLOBAL TEMPORARY','LOCAL TEMPORARY'
- Press Ok, wait a minute, BOEM!

Suggested fix:
No buffer overrun.
[23 Apr 2008 13:43] Tonci Grgin
Hi Patrick and thanks for your report.

I don't see us posing this limitation in our code... Can you please use "SQL_ALL_TABLE_TYPES" instead of long strings while I consult whether this is our bug or not.

In any case, odbcte32.exe bombs just like described.
[23 Apr 2008 14:23] Tonci Grgin
I stand corrected... Our fault:
static my_bool check_table_type(const char *TableType, 
                                const char *req_type, 
                                uint       len)
{
    char    req_type_quoted[NAME_LEN+2], req_type_quoted1[NAME_LEN+2];
...
Type_buff[NAME_LEN+1],

Verified as described by reporter. Maybe we should increase MYSQL_NAME_LEN.
[28 Apr 2008 17:10] Lawrenty Novitsky
Made buffer allocation dynamic for the one, described in bug, and for the rest I found can be overrun.

Attachment: bug36275.diff (application/octet-stream, text), 14.20 KiB.

[7 May 2008 15:07] Jim Winstead
Remove buggy helper functions in catalog.c and fix treatment of identifiers as wildcards

Attachment: bug36275.patch (text/plain), 27.70 KiB.

[10 Jul 2008 17:43] Jim Winstead
Updated patch including test case and removing handling of  SQL_ALL_* as strings

Attachment: bug36275.patch (text/plain), 30.60 KiB.

[10 Jul 2008 21:05] Lawrenty Novitsky
ok to push.
[14 Jul 2008 22:06] Jim Winstead
Fixed in the upcoming 5.1.5 release.
[15 Jul 2008 12:33] Tony Bedford
An entry has been added to the 5.1.5 changelog:

Assigning a string longer than 67 characters to the TableType parameter resulted in a buffer overrun when the SQLTables() function was called.