Bug #40778 thd_security_context has bad architecture; allocates on unprotected memroot
Submitted: 17 Nov 2008 9:46 Modified: 9 Jan 2009 17:27
Reporter: Kristofer Pettersson
Status: Closed
Category:MySQL Server: Storage Engine API Severity:S3 (Non-critical)
Version:5.0 OS:Any
Assigned to: Kristofer Pettersson CPU Architecture:Any

[17 Nov 2008 9:46] Kristofer Pettersson
Description:
The function thd_security_context allocates memory on an unprotected MEM_ROOT if the message length becomes longer than requested and the initial buffer memory needs to be reallocated.

1. Writing more bytes than requested seems wrong even if we grow the buffer dynamically.
2. If the MEM_ROOT is invalidated this will lead to a crash.

How to repeat:
A crash caused by using memory on an invalid MEM_ROOT has not yet been discovered, but it is clear that the design is not what you expect from this function.

Other crashes have been discovered related to this function, see Bug#38883.
[17 Nov 2008 13:40] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58950

2687 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot
            
      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.
            
      This patch fixes the design error by copying parts of the reallocated buffer 
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
[17 Nov 2008 14:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58955

2687 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot
                  
      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.
                  
      This patch fixes the design error by copying parts of the reallocated buffer 
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
[17 Nov 2008 14:00] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58956

2688 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot
                  
      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.
                  
      This patch fixes the design error by copying parts of the reallocated buffer 
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
[17 Nov 2008 14:08] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/58957

2687 Kristofer Pettersson	2008-11-17
      Bug#40778 thd_security_context has bad architecture; allocates on unprotected memroot
                        
      The function thd_security_context allocates memory on an unprotected MEM_ROOT if the
      message length becomes longer than requested and the initial buffer memory needs to
      be reallocated.
                        
      This patch fixes the design error by copying parts of the reallocated buffer 
      to the destination buffer. This works because the destination buffer isn't
      owned by the String object and thus isn't freed when a new buffer is allocated.
      Any new memory allocated by the String object is reclaimed when the object
      is destroyed at the end of the function call.
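The copy-back design the commit message describes, as an added illustration that is not the server's code: `gstr` is a small stand-in for the String object (caller-owned initial buffer, private heap block after growth, initial buffer never freed) and `format_context` stands in for thd_security_context; both names and the message layout are invented for the example. The point to check is that a caller-supplied buffer is the only thing the function ever returns, even when the String had to reallocate.

```c
#include <stdlib.h>
#include <string.h>

/* Stand-in for the server's String object: starts on a caller-owned buffer
   and moves to a private heap block once the content outgrows it. */
typedef struct {
    char *ptr; size_t len, cap;   /* storage, bytes used, bytes available */
    int owned;                    /* 1 once ptr is heap memory we allocated */
} gstr;
static void gstr_init(gstr *s, char *buf, size_t cap) {
    s->ptr = buf; s->len = 0; s->cap = cap; s->owned = 0;
}

/* Append text, growing onto the heap if needed; on malloc failure nothing is written. */
static int gstr_append(gstr *s, const char *text) {
    size_t n = strlen(text);
    if (s->len + n + 1 > s->cap) {
        size_t ncap = (s->len + n + 1) * 2;
        char *p = malloc(ncap);
        if (!p) return -1;
        memcpy(p, s->ptr, s->len);
        if (s->owned) free(s->ptr);   /* the caller's buffer is never freed */
        s->ptr = p; s->cap = ncap; s->owned = 1;
    }
    memcpy(s->ptr + s->len, text, n);
    s->len += n;
    s->ptr[s->len] = '\0';
    return 0;
}

static void gstr_free(gstr *s) { if (s->owned) free(s->ptr); s->ptr = NULL; }

/* Build the context into the caller's `length`-byte buffer. As in the fix, the result
   always lives in `buffer`, truncated and NUL-terminated; nothing freed on return escapes. */
char *format_context(char *buffer, size_t length, const char *user,
                     const char *host, const char *query) {
    gstr s;
    if (length == 0) return buffer;
    gstr_init(&s, buffer, length);
    gstr_append(&s, "user: ");   gstr_append(&s, user);
    gstr_append(&s, " host: ");  gstr_append(&s, host);
    gstr_append(&s, " query: "); gstr_append(&s, query);
    if (s.ptr != buffer) {                    /* grew past the caller's buffer */
        size_t n = s.len < length - 1 ? s.len : length - 1;
        memcpy(buffer, s.ptr, n);
        buffer[n] = '\0';
    }
    gstr_free(&s);                            /* reclaim the heap copy only */
    return buffer;
}
```

With a 16-byte buffer the 42-byte message is cut to "user: root host" plus the terminator; with a 64-byte buffer it fits and the String never leaves the caller's memory.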
[8 Dec 2008 10:20] Bugs System
Pushed into 5.1.31  (revid:kristofer.pettersson@sun.com-20081117141721-x8jrq5vhnhwotxtu) (version source revid:patrick.crews@sun.com-20081126180318-v685u61mpgoc176x) (pib:5)
[8 Dec 2008 11:31] Bugs System
Pushed into 6.0.9-alpha  (revid:kristofer.pettersson@sun.com-20081117141721-x8jrq5vhnhwotxtu) (version source revid:ingo.struewing@sun.com-20081121151447-dtf2ofz2ys0zqed1) (pib:5)
[9 Jan 2009 17:27] MC Brown
Internal only. No documentation needed.
[19 Jan 2009 11:32] Bugs System
Pushed into 5.1.31-ndb-6.2.17 (revid:tomas.ulin@sun.com-20090119095303-uwwvxiibtr38djii) (version source revid:tomas.ulin@sun.com-20090108105244-8opp3i85jw0uj5ib) (merge vers: 5.1.31-ndb-6.2.17) (pib:6)
[19 Jan 2009 13:09] Bugs System
Pushed into 5.1.31-ndb-6.3.21 (revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (version source revid:tomas.ulin@sun.com-20090119104956-guxz190n2kh31fxl) (merge vers: 5.1.31-ndb-6.3.21) (pib:6)
[19 Jan 2009 16:14] Bugs System
Pushed into 5.1.31-ndb-6.4.1 (revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (version source revid:tomas.ulin@sun.com-20090119144033-4aylstx5czzz88i5) (merge vers: 5.1.31-ndb-6.4.1) (pib:6)