Bug #32707 misdimensioned buffer in protocol layer
Submitted: 26 Nov 2007 7:32 Modified: 14 Jan 2008 18:47
Reporter: Tatiana Azundris Nuernberg
Status: Closed
Category: MySQL Server: General Severity: S2 (Serious)
Version: OS: Any
Assigned to: Tatiana Azundris Nuernberg
Triage: D2 (Serious)

[26 Nov 2007 7:32] Tatiana Azundris Nuernberg
Description:
protocol.cc: send_error()

The formula is incorrect for pos != buff:

length= (uint) (strmake(pos, err, MYSQL_ERRMSG_SIZE-1) - buff);

How to repeat:
see code

Suggested fix:
length= (uint) (strmake(pos, err, MYSQL_ERRMSG_SIZE - (pos - buff) +1) - buff);
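The arithmetic behind the report, as an added example that is not the MySQL source or the reporter's code. It models send_error()'s buffer with a local stand-in for strmake() (copies at most `length` characters, then always writes a NUL, so it touches `length + 1` bytes) and compares the original bound against the suggested one. The value 512 for MYSQL_ERRMSG_SIZE, the buffer size of MYSQL_ERRMSG_SIZE + 2, and the 8-byte prefix length are assumptions made for this demonstration, not facts taken from the report.

```c
/* Added example for Bug#32707 (not the server's code). Constants below are
 * assumptions for the demonstration; the real ones live in the server headers. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MYSQL_ERRMSG_SIZE 512                /* assumed value of the constant */
#define BUFF_SIZE (MYSQL_ERRMSG_SIZE + 2)    /* assumed size of buff in send_error() */

/* Stand-in for strmake(): copy at most `length` chars, always NUL-terminate,
 * return a pointer to the NUL. Worst case it writes length + 1 bytes to dst. */
static char *strmake_local(char *dst, const char *src, size_t length)
{
    size_t i;
    for (i = 0; i < length && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return dst + i;
}

/* Original bound: ignores how far pos already sits past buff. */
static size_t buggy_limit(size_t prefix_len)
{
    (void)prefix_len;
    return MYSQL_ERRMSG_SIZE - 1;
}

/* Bound from the suggested fix: MYSQL_ERRMSG_SIZE - (pos - buff) + 1,
 * with pos - buff expressed as prefix_len. Guarded against underflow. */
static size_t fixed_limit(size_t prefix_len)
{
    if (prefix_len > (size_t)MYSQL_ERRMSG_SIZE + 1)
        return 0;
    return MYSQL_ERRMSG_SIZE - prefix_len + 1;
}

/* Worst-case index one past the NUL: prefix + min(limit, msg_len) + 1.
 * Pure arithmetic, so no out-of-bounds write is ever performed here. */
static size_t worst_case_end(size_t prefix_len, size_t limit, size_t msg_len)
{
    size_t copied = msg_len < limit ? msg_len : limit;
    return prefix_len + copied + 1;
}

/* 1 if a message of msg_len bytes stays inside BUFF_SIZE under `limit`. */
static int fits(size_t prefix_len, size_t limit, size_t msg_len)
{
    return worst_case_end(prefix_len, limit, msg_len) <= BUFF_SIZE;
}

/* Perform the copy with the fixed bound on a constructed over-long message
 * and return the same `length` send_error() computes (NUL offset from buff).
 * Returns (size_t)-1 if the NUL would land outside the buffer. */
static size_t fixed_copy_length(size_t prefix_len, size_t msg_len)
{
    char buff[BUFF_SIZE];
    char *err = malloc(msg_len + 1);
    char *pos, *end;
    size_t length;

    if (err == NULL || prefix_len >= BUFF_SIZE)
        return (size_t)-1;
    memset(err, 'A', msg_len);          /* constructed over-long error text */
    err[msg_len] = '\0';
    memset(buff, 'P', prefix_len);      /* stands in for the length/SQLSTATE prefix */
    pos = buff + prefix_len;

    if (!fits(prefix_len, fixed_limit(prefix_len), msg_len)) {
        free(err);
        return (size_t)-1;
    }
    end = strmake_local(pos, err, fixed_limit(prefix_len));
    length = (size_t)(end - buff);
    free(err);
    return length < BUFF_SIZE ? length : (size_t)-1;
}

int main(void)
{
    size_t prefix = 8;   /* assumed: 2-byte length slot + '#' + 5-char SQLSTATE */
    size_t msg = 1000;   /* constructed message far longer than the buffer */
    printf("buggy bound: end=%zu fits=%d\n",
           worst_case_end(prefix, buggy_limit(prefix), msg),
           fits(prefix, buggy_limit(prefix), msg));
    printf("fixed bound: end=%zu fits=%d length=%zu\n",
           worst_case_end(prefix, fixed_limit(prefix), msg),
           fits(prefix, fixed_limit(prefix), msg),
           fixed_copy_length(prefix, msg));
    return 0;
}
```

With pos == buff both bounds keep the NUL inside the buffer, which is why the report limits the defect to pos != buff; with an 8-byte prefix the original bound lets strmake() run 6 bytes past the end, while the suggested bound places the NUL exactly on the last byte.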
[27 Nov 2007 17:24] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/38642

ChangeSet@1.2699, 2007-11-27 18:24:24+01:00, tnurnberg@mysql.com +1 -0
  Bug#32707: misdimensioned buffer in protocol layer
  
  Miscalculation in protocol-layer: size buffer correctly so
  even really long error messages cannot overflow our buffer.
[28 Nov 2007 8:08] Sergey Glukhov
ok to push
[1 Dec 2007 12:36] Tatiana Azundris Nuernberg
4.1.24, 5.0.52, 5.1.23, 6.2.8 in opt
[14 Dec 2007 8:13] Bugs System
Pushed into 4.1.24
[14 Dec 2007 8:15] Bugs System
Pushed into 5.0.54
[14 Dec 2007 8:18] Bugs System
Pushed into 5.1.23-rc
[14 Dec 2007 8:21] Bugs System
Pushed into 6.0.5-alpha
[14 Jan 2008 18:47] Jon Stephens
Documented bugfix as follows in the 4.1.24, 5.0.54, 5.1.23, and 6.0.5 changelogs:

        It was possible to force an error message of excessive length
        which could lead to a buffer overflow. This has been made no
        longer possible as a security precaution.