Bug #16899 | Possible buffer overflow in handling of DEFINER-clause | ||
---|---|---|---|
Submitted: | 30 Jan 2006 12:38 | Modified: | 31 Aug 2006 18:24 |
Reporter: | Alexander Nozdrin | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Stored Routines | Severity: | S3 (Non-critical) |
Version: | 5.0.18/5.0.19 BK | OS: | Any (all) |
Assigned to: | Alexander Nozdrin | CPU Architecture: | Any |
[30 Jan 2006 12:38]
Alexander Nozdrin
[28 Jun 2006 14:07]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/8419
[30 Jun 2006 19:46]
Konstantin Osipov
Reviewed by email; asked for another patch.
[26 Jul 2006 16:08]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/9607
[28 Jul 2006 16:02]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/9725
[29 Jul 2006 14:13]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/9761

ChangeSet@1.2244, 2006-07-29 18:11:53+04:00, anozdrin@booka. +35 -0
Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

User name (host name) has a limit on length. The server code relies on these limits when storing the names. The problem was that sometimes these limits were not checked properly, so that could lead to buffer overflow.

The fix is to:
1. Introduce User_name and Host_name classes, which encapsulate user name and host name respectively. These classes check for limits. If the limit is exceeded, the string should be trimmed and a warning should be thrown.
2. Transform LEX_USER to class Lex_user, which contains User_name and Host_name instances.
3. Change trigger-handling code so that the statement query is produced once for the replication log and the trigger file.
[21 Aug 2006 22:08]
Konstantin Osipov
Reviewed over email with a few comments.
[22 Aug 2006 15:24]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/10732

ChangeSet@1.2240, 2006-08-22 19:25:09+04:00, anozdrin@alik. +36 -0
Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

User name (host name) has a limit on length. The server code relies on these limits when storing the names. The problem was that sometimes these limits were not checked properly, so that could lead to buffer overflow.

The fix is to:
1. Introduce User_name and Host_name classes, which encapsulate user name and host name respectively. These classes check for limits. If the limit is exceeded, the string should be trimmed and a warning should be thrown.
2. Transform LEX_USER to class Lex_user, which contains User_name and Host_name instances.
3. Change trigger-handling code so that the statement query is produced once for the replication log and the trigger file.
[23 Aug 2006 5:49]
Michael Widenius
Patch not approved because:
- Too big and complex (for a stable release)
- Introduces classes that are not needed and not well thought out
- Adds several error messages, when only one is needed
- It's possible to do a smaller, better-defined patch to fix the original problem.
- I seriously dislike the idea of doing 'error correction' early in the program and then later checking if we had an error, instead of stopping as soon as we find the error. The approach should be that we check for wrong arguments early and then functions should be able to trust their arguments.
[23 Aug 2006 16:40]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/10780

ChangeSet@1.2242, 2006-08-23 20:40:42+04:00, anozdrin@alik. +13 -0
Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

User name (host name) has a limit on length. The server code relies on these limits when storing the names. The problem was that sometimes these limits were not checked properly, so that could lead to buffer overflow.

The fix is to check the length of the user/host name in the parser and, if the string is too long, throw an error.
[23 Aug 2006 17:30]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/10784

ChangeSet@1.2242, 2006-08-23 21:31:00+04:00, anozdrin@alik. +14 -0
Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

User name (host name) has a limit on length. The server code relies on these limits when storing the names. The problem was that sometimes these limits were not checked properly, so that could lead to buffer overflow.

The fix is to check the length of the user/host name in the parser and, if the string is too long, throw an error.
[23 Aug 2006 20:02]
Konstantin Osipov
Approved on IRC the version based on Monty's patch.
[24 Aug 2006 12:28]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/10825

ChangeSet@1.2238, 2006-08-24 16:29:24+04:00, anozdrin@alik. +13 -0
Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

User name (host name) has a limit on length. The server code relies on these limits when storing the names. The problem was that sometimes these limits were not checked properly, so that could lead to buffer overflow.

The fix is to check the length of the user/host name in the parser and, if the string is too long, throw an error.
[24 Aug 2006 14:31]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/10836

ChangeSet@1.2244, 2006-08-24 18:32:11+04:00, anozdrin@alik. +2 -0
Polishing (was part of the original patch for BUG#16899): Changed trigger-handling code so that there is one place to generate the statement string for the replication log and for the trigger file.
[24 Aug 2006 14:47]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/10838

ChangeSet@1.2244, 2006-08-24 18:48:26+04:00, anozdrin@alik. +2 -0
Polishing (was part of the original patch for BUG#16899): Changed trigger-handling code so that there is one place to generate the statement string for the replication log and for the trigger file.
[25 Aug 2006 18:02]
Alexander Nozdrin
Pushed into 5.0-release tree for 5.0.24a.
[28 Aug 2006 18:42]
Paul DuBois
Noted in 5.0.24a changelog.
[29 Aug 2006 11:53]
Alexander Nozdrin
Moved back to 'Patch queued', since there is a patch for this bug in the 5.0-rt tree that needs to be merged into the main 5.0 tree.
[29 Aug 2006 21:49]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from: http://lists.mysql.com/commits/11038

ChangeSet@1.2255, 2006-08-30 01:48:15+04:00, kostja@bodhi.local +3 -0
Remove the fix for Bug#10668 "CREATE USER does not enforce username length limit", it's superseded by the fix for Bug#16899 "Possible buffer overflow in handling of DEFINER-clause". Update test results.
[31 Aug 2006 9:54]
Alexander Nozdrin
Merged into 5.0 tree, currently tagged 5.0.25; merged into 5.1 tree, currently tagged 5.1.12-beta.
[31 Aug 2006 18:24]
Paul DuBois
Noted in 5.1.12 changelog.
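Added example, not the MySQL server's code and not taken from any of the patches linked above: the shape of the parser-side check the final commit messages describe, and the design point raised in review. A DEFINER's user and host name are measured once, at parse time, against fixed limits, and an over-long name is rejected with an error before anything copies it into the fixed-size storage that trusts those limits; the earlier approach of trimming and warning is not used. The limits are the MySQL 5.0-era USERNAME_LENGTH (16) and HOSTNAME_LENGTH (60) from include/mysql_com.h, assumed here as byte lengths since the page does not quote them; `parse_definer`, `struct definer` and the `definer_status` names are hypothetical, and the sample inputs are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Limits the server relies on when it stores a DEFINER's user and host
 * name.  These are the MySQL 5.0-era values of USERNAME_LENGTH and
 * HOSTNAME_LENGTH from include/mysql_com.h, assumed here (in bytes); the
 * bug page itself does not quote them. */
#define USERNAME_LENGTH 16
#define HOSTNAME_LENGTH 60

/* Storage sized exactly to the limits, the way code that trusts them
 * would size it.  Copying an unchecked name in here is the kind of
 * overflow the bug title describes. */
struct definer {
    char user[USERNAME_LENGTH + 1];
    char host[HOSTNAME_LENGTH + 1];
};

enum definer_status {
    DEFINER_OK = 0,
    DEFINER_MALFORMED,       /* no '@' separator at all */
    DEFINER_USER_TOO_LONG,   /* rejected with an error, not trimmed */
    DEFINER_HOST_TOO_LONG
};

/* Parse "user@host" and fill *out.  Hypothetical helper standing in for
 * the parser-side check of the final patch: lengths are measured once,
 * here, and an over-long name is rejected instead of being trimmed and
 * copied.  On any non-OK status *out is left untouched, so a caller
 * that receives DEFINER_OK can trust the stored lengths.  The split is
 * on the last '@' because a host name cannot contain '@'. */
enum definer_status parse_definer(const char *spec, struct definer *out)
{
    const char *at = strrchr(spec, '@');
    if (at == NULL)
        return DEFINER_MALFORMED;

    size_t ulen = (size_t)(at - spec);
    size_t hlen = strlen(at + 1);

    /* Check before any copy: the fixed buffers above are only safe if
     * nothing longer than the limit ever reaches them. */
    if (ulen > USERNAME_LENGTH)
        return DEFINER_USER_TOO_LONG;
    if (hlen > HOSTNAME_LENGTH)
        return DEFINER_HOST_TOO_LONG;

    memcpy(out->user, spec, ulen);
    out->user[ulen] = '\0';
    memcpy(out->host, at + 1, hlen);
    out->host[hlen] = '\0';
    return DEFINER_OK;
}

const char *definer_status_name(enum definer_status st)
{
    switch (st) {
    case DEFINER_OK:            return "ok";
    case DEFINER_MALFORMED:     return "malformed (no '@')";
    case DEFINER_USER_TOO_LONG: return "user name too long";
    case DEFINER_HOST_TOO_LONG: return "host name too long";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed inputs: a normal definer, a 17-byte user name (one
     * over the limit), a 61-byte host name (one over its limit), and a
     * string with no '@' at all. */
    const char *samples[] = {
        "root@localhost",
        "abcdefghijklmnopq@localhost",
        "u@" "hhhhhhhhhh" "hhhhhhhhhh" "hhhhhhhhhh"
             "hhhhhhhhhh" "hhhhhhhhhh" "hhhhhhhhhh" "h",
        "nohost",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct definer d;
        enum definer_status st = parse_definer(samples[i], &d);
        printf("%-30.30s -> %s\n", samples[i], definer_status_name(st));
    }
    return 0;
}
```

The point of rejecting in `parse_definer` rather than trimming is the one made in the review above: once the parser has refused anything over the limit, every later consumer of `struct definer` can rely on the lengths and needs no second check or "did we trim earlier" bookkeeping.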