Bug #41041 Obsolete debug code can be used to crash server
Submitted: 26 Nov 2008 2:09 Modified: 19 Feb 2009 19:21
Reporter: Tatiana Azundris Nuernberg Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: DDL Severity:S3 (Non-critical)
Version:5.0,5.1 (with EXTRA_DEBUG) OS:Any
Assigned to: Tatiana Azundris Nuernberg
Triage: Triaged: D1 (Critical)

[26 Nov 2008 2:09] Tatiana Azundris Nuernberg
Description:
Debug-builds contain code conditional on "EXTRA_DEBUG".
One such helper in strmake() initializes any unused bytes behind payload in target-buffer to catch mis-dimensioned buffers. For easier identification, it doesn't write \0 bytes (which would make off-by-one buffer sizes hard to identify), but an ASCII character instead.

This caused trouble in the .frm file handling, as the buffer with the funny filler characters would be written in toto. To prevent this, additional code caught this special case and set the canary characters back to \0 for better .frm files.

The .frm buffer is in a defined state now though (the entirety of it is bzero'd first, then strmake() is called with the length of the string, not the buffer, so there can never be extra bytes to canarify after the payload). This means that the "put the bytes back to \0" code no longer serves a purpose.

Thanks to changes between 5.1 and 6.0 (different maxima for TABLE..COMMENT, different UTF-8s (6.0 supports 4-byte characters), optional extra-segment for comments in 6.0) and under-documentation of the code, the obsolete rezero code can be used to crash the server (cf. Bug#39591). This definitely needs fixing at least, but since the line in question no longer serves a useful purpose, it should go away altogether. Provided changeset removes the code-gone-bad, and adds comment instead to prevent future misunderstandings.

How to repeat:
In 5.0 or 5.1, use a maximum length UTF-8 TABLE..COMMENT (60 characters).
6.0 unaffected.

CREATE TABLE t3 (f1 INT) COMMENT
'כקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכקבהחןכק�
�החןכקבהחןכקבהחן';

(EXTRA_DEBUG builds only)

Suggested fix:
http://lists.mysql.com/commits/59390
[5 Jan 2009 8:56] Tatiana Azundris Nuernberg
pushed 2008/12/30 to 5.0.76, 5.1.31, 6.0.9 in -bugteam
[6 Jan 2009 14:57] Georgi Kodinov
Pushed into 5.0.76 (revid:joro@sun.com-20090105160414-8q9j4bi1klkfwiup) (version source
revid:azundris@mysql.com-20081120143939-2ra1c8iuslx17j0v) (merge vers: 5.0.74) (pib:6)
[7 Jan 2009 20:42] Paul Dubois
Noted in 5.0.76 changelog.

In debug builds, obsolete debug code could be used to crash the server.

Setting report to NDI pending push into 5.1.x/6.0.x.
[19 Feb 2009 19:21] Paul Dubois
Noted in 5.1.31, 6.0.10 changelog.