Bug #41041 Obsolete debug code can be used to crash server
Submitted: 26 Nov 2008 3:09 Modified: 19 Feb 20:21
Reporter: Tatjana A. Nuernberg
Status: Closed
Category: Server: DDL    Severity: S3 (Non-critical)
Version: 5.0, 5.1 (with EXTRA_DEBUG)    OS: Any
Assigned to: Tatjana A. Nuernberg    Target Version: 5.1+
Triage: Triaged: D1 (Critical)

[26 Nov 2008 3:09] Tatjana A. Nuernberg
Description:
Debug-builds contain code conditional on "EXTRA_DEBUG".
One such helper in strmake() initializes any unused bytes behind the payload in the target
buffer to catch mis-dimensioned buffers. For easier identification, it doesn't write \0 bytes
(which would make off-by-one buffer sizes hard to identify), but an ASCII character
instead.

This caused trouble in the .frm file handling, as the buffer with the funny filler
characters would be written in toto. To prevent this, additional code caught this special
case and set the canary characters back to \0 for better .frm files.

The .frm buffer is in a defined state now though (the entirety of it is bzero'd first,
then strmake() is called with the length of the string, not the buffer, so there can
never be extra bytes to canarify after the payload). This means that the "put the bytes
back to \0" code no longer serves a purpose.

Thanks to changes between 5.1 and 6.0 (different maxima for TABLE..COMMENT, different
UTF-8s (6.0 supports 4-byte characters), optional extra-segment for comments in 6.0) and
under-documentation of the code, the obsolete rezero code can be used to crash the server
(cf. Bug#39591). This definitely needs fixing at least, but since the line in question no
longer serves a useful purpose, it should go away altogether. The provided changeset removes
the code-gone-bad and adds a comment instead to prevent future misunderstandings.

How to repeat:
In 5.0 or 5.1, use a maximum-length UTF-8 TABLE..COMMENT (60 characters).
6.0 unaffected.

CREATE TABLE t3 (f1 INT) COMMENT
'כקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכקבהחן';

(EXTRA_DEBUG builds only)

Suggested fix:
http://lists.mysql.com/commits/59390
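Added illustration (not code from this report or from MySQL): a small C model of the mechanism the description relies on, showing why the rezero pass became dead code. When the buffer is zeroed first and strmake() is called with the string length rather than the buffer capacity, the debug filler never lands behind the payload, so there is nothing to put back to \0. The filler byte, the helper names and the sample comment are assumptions.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

#define FILLER 'Z'   /* assumed canary byte; the report only says "an ASCII character" */

/* Hypothetical model of strmake() under EXTRA_DEBUG: copy at most `length`
   bytes, NUL-terminate, and paint the unused tail dst[n+1..length] with a
   visible filler instead of '\0'.  Caller must provide length + 1 bytes. */
static char *debug_strmake(char *dst, const char *src, size_t length)
{
    size_t n = strlen(src);
    if (n > length)
        n = length;
    memcpy(dst, src, n);
    dst[n] = '\0';
    if (length > n)
        memset(dst + n + 1, FILLER, length - n);
    return dst + n;
}

/* Count filler bytes sitting behind the terminating NUL within bufsize. */
static size_t filler_bytes(const char *buf, size_t bufsize)
{
    size_t count = 0;
    for (size_t i = strlen(buf) + 1; i < bufsize; i++)
        count += (buf[i] == FILLER);
    return count;
}

/* Mimic the .frm path from the report: bzero the buffer, then strmake() with
   `copy_len` as the length.  Returns the filler bytes a rezero pass would
   still find, i.e. 0 when copy_len is the string length, not the capacity. */
size_t filler_left_after_copy(const char *comment, size_t copy_len)
{
    char buf[128];
    assert(copy_len < sizeof(buf));
    memset(buf, 0, sizeof(buf));
    debug_strmake(buf, comment, copy_len);
    return filler_bytes(buf, copy_len + 1);
}

int main(void)
{
    const char *c = "table comment";   /* constructed sample */
    printf("length = strlen(): %zu filler bytes\n", filler_left_after_copy(c, strlen(c)));
    printf("length = capacity: %zu filler bytes\n", filler_left_after_copy(c, 60));
    return 0;
}
```

The second call shows the situation the rezero loop was originally written for (filler behind the payload); the first shows the state the .frm code is in after the bzero-then-strmake(strlen) change, where the loop has nothing to do.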
[5 Jan 9:56] Tatjana A. Nuernberg
Pushed 2008/12/30 to 5.0.76, 5.1.31, 6.0.9 in -bugteam
[6 Jan 15:57] Georgi Kodinov
Pushed into 5.0.76 (revid:joro@sun.com-20090105160414-8q9j4bi1klkfwiup) (version source
revid:azundris@mysql.com-20081120143939-2ra1c8iuslx17j0v) (merge vers: 5.0.74) (pib:6)
[7 Jan 21:42] Paul DuBois
Noted in 5.0.76 changelog.

In debug builds, obsolete debug code could be used to crash the server.

Setting report to NDI pending push into 5.1.x/6.0.x.
[19 Feb 20:21] Paul DuBois
Noted in 5.1.31, 6.0.10 changelog.