Bug #2689 Server crash on InnoDB table rename with short db/tablename
Submitted: 9 Feb 2004 8:40    Modified: 9 Feb 2004 8:53
Reporter: Sergey Petrunya
Status: Closed
Category: MySQL Server: InnoDB storage engine    Severity: S3 (Non-critical)
Version: 5.0-bk    OS:
Assigned to:    CPU Architecture: Any

[9 Feb 2004 8:40] Sergey Petrunya
Description:
mysqld crashes if one tries to rename an InnoDB table with strlen("databasename/tablename") < 5.

How to repeat:
Run:
create database t2;
use t2;
create table t ( x int) engine=innodb;
alter table t rename othername;

and watch mysqld crash.

Suggested fix:
The problem is with row_is_mysql_tmp_table_name function code:
	ulint	i;
	for (i = 0; i <= ut_strlen(name) - 5; i++) {
		if (ut_memcmp(name + i, (char*)"/#sql", 5) == 0) {
		 ....
		 
For the case where (ut_strlen(name) - 5) < 0 the loop runs off the table name and eventually runs off valid memory as well.

Fix:
replace "ulint i" with "lint i"
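The following C program is an added example, not code from the bug report or from the InnoDB source. It reproduces the arithmetic behind the crash: with an unsigned index and an unsigned length, `ut_strlen(name) - 5` wraps to a huge value for a name shorter than 5 bytes, so `i <= ut_strlen(name) - 5` is true on the first iteration and the loop walks past the end of the string. It also shows a caveat a reviewer of the suggested fix would want to check: if `ut_strlen` returns `ulint`, changing only the index to `lint` does not change the comparison, because C's usual arithmetic conversions convert the signed `i` back to unsigned when it is compared against an unsigned right-hand side; the length must be treated as signed too, or the bound rewritten so it cannot underflow. The function names, the `ulint`/`lint` typedefs (modelled on InnoDB's `unsigned long int` / `long int`) and the sample names are assumptions made for this example; "t2/t" and "t2/othername" are the names from the stack trace.

```c
#include <stdio.h>
#include <string.h>

/* Assumed typedefs, matching InnoDB's ulint/lint on the reporter's build. */
typedef unsigned long ulint;
typedef long lint;

/* The upper bound the original loop compares i against: ut_strlen(name) - 5.
 * In unsigned arithmetic a name shorter than 5 bytes does not give a negative
 * bound; it wraps to ULONG_MAX minus a few, so i <= bound stays true. */
ulint original_loop_bound(const char *name)
{
    return (ulint)strlen(name) - 5;
}

/* First-iteration loop condition with the suggested change (lint i) but the
 * length still unsigned. The usual arithmetic conversions make this an
 * unsigned comparison, so for a short name it is still true. */
int first_iteration_runs_with_signed_index(const char *name)
{
    lint i = 0;
    return i <= (ulint)strlen(name) - 5;
}

/* Same condition once the length is cast to signed as well: a short name now
 * yields a negative bound and the loop body is never entered. */
int first_iteration_runs_with_signed_bound(const char *name)
{
    lint i = 0;
    return i <= (lint)strlen(name) - 5;
}

/* Hardened scan (example code): reject short names up front and use a bound
 * of the form i + 5 <= len, which cannot underflow. Every memcmp reads only
 * bytes inside the string, for any input. */
int is_mysql_tmp_table_name_fixed(const char *name)
{
    size_t len = strlen(name);
    size_t i;

    if (len < 5)
        return 0;
    for (i = 0; i + 5 <= len; i++) {
        if (memcmp(name + i, "/#sql", 5) == 0)
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample names: the two from the report plus a tmp-table name. */
    const char *names[] = { "t2/t", "t2/othername", "t2/#sql-1234" };
    size_t n;

    for (n = 0; n < sizeof(names) / sizeof(names[0]); n++) {
        printf("%-14s bound=%lu signed_index_runs=%d signed_bound_runs=%d tmp=%d\n",
               names[n],
               original_loop_bound(names[n]),
               first_iteration_runs_with_signed_index(names[n]),
               first_iteration_runs_with_signed_bound(names[n]),
               is_mysql_tmp_table_name_fixed(names[n]));
    }
    return 0;
}
```

The vulnerable loop itself is deliberately not executed on a short name here, since doing so is the out-of-bounds read the report describes; the bound computation and the first-iteration comparisons are enough to see why it happens and which change actually stops it.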
[9 Feb 2004 8:41] Sergey Petrunya
Here is the stack trace:

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 8192 (LWP 25710)]
0x0838a7a7 in ut_memcmp (str1=0xc0000000, str2=0x8473f5e, n=5) at ../../innobase/include/ut0mem.ic:27
27              return(memcmp(str1, str2, n));
Current language:  auto; currently c
(gdb) bt
#0  0x0838a7a7 in ut_memcmp (str1=0xc0000000, str2=0x8473f5e, n=5) at ../../innobase/include/ut0mem.ic:27
#1  0x08303223 in row_is_mysql_tmp_table_name (name=0xc0000000 <Address 0xc0000000 out of bounds>) at row0mysql.c:2473
#2  0x08303e1f in row_rename_table_for_mysql (old_name=0xbfffdcf0 "t2/t", new_name=0xbfffd900 "t2/othername",
    trx=0x40fe4468) at row0mysql.c:2731
#3  0x081fdf46 in ha_innobase::rename_table(char const*, char const*) (this=0x868c5f8, from=0xbfffe330 "./t2/t",
    to=0xbfffe130 "./t2/othername") at ha_innodb.cc:3874
#4  0x08204b2e in mysql_rename_table(db_type, char const*, char const*, char const*, char const*) (base=DB_TYPE_RMS_ISAM,
    old_db=0x5 <Address 0x5 out of bounds>, old_name=0x5 <Address 0x5 out of bounds>,
    new_db=0x5 <Address 0x5 out of bounds>, new_name=0x5 <Address 0x5 out of bounds>) at sql_table.cc:1119
#5  0x082076c4 in mysql_alter_table(THD*, char*, char*, st_ha_create_information*, st_table_list*, List<create_field>&, List<Key>&, List<Alter_drop>&, List<Alter_column>&, unsigned, st_order*, bool, enum_duplicates, enum_enable_or_disable, tablespace_op_type, bool) (thd=0x868a4a8, new_db=0x868c158 "t2", new_name=0x868c5d0 "othername", create_info=0x868a854,
    table_list=0x868c578, fields=@0x868a798, keys=@0x868a78c, drop_list=@0x868a750, alter_list=@0x868a75c, order_num=5,
    order=0x5, drop_primary=false, handle_duplicates=5, keys_onoff=LEAVE_AS_IS, tablespace_op=141084112, simple_alter=true)
    at sql_table.cc:2036
#6  0x08174ef9 in mysql_execute_command(THD*) (thd=0x868a4a8) at sql_parse.cc:2323
#7  0x08179664 in mysql_parse(THD*, char*, unsigned) (thd=0x868a4a8, inBuf=0x868a4b8 "\001", length=30) at sql_parse.cc:4149
#8  0x0817288f in dispatch_command(enum_server_command, THD*, char*, unsigned) (command=COM_QUERY, thd=0x868a4a8,
    packet=0x8680c91 "alter table t rename othername", packet_length=31) at sql_parse.cc:1396
#9  0x081721fa in do_command(THD*) (thd=0x868a4a8) at sql_parse.cc:1226
#10 0x08171703 in handle_one_connection (arg=0x5) at sql_parse.cc:991
#11 0x08161729 in create_new_thread (thd=0x868a4a8) at mysqld.cc:3002
#12 0x08161db9 in handle_connections_sockets (arg=0x0) at mysqld.cc:3275
#13 0x08161125 in main (argc=5, argv=0xbffff9d4) at mysqld.cc:2672
#14 0x420158d4 in __libc_start_main () from /lib/i686/libc.so.6
[9 Feb 2004 8:53] Heikki Tuuri
Sergey,

thank you for the bug report! I have now fixed this in the latest 4.0 tree.

Best regards,

Heikki