Bug #4925 Crash in MySQL 4.0.20 in net_printf (str overflow ?)
Submitted: 6 Aug 2004 12:30 Modified: 17 Aug 2004 23:58
Reporter: jocelyn fournier (Silver Quality Contributor)
Status: Closed
Category: MySQL Server Severity: S2 (Serious)
Version: 4.0.20 OS: Linux (Linux)
Assigned to: Sergei Golubchik CPU Architecture: Any

[6 Aug 2004 12:30] jocelyn fournier
Description:
Hi,

I've just encountered the following crash with MySQL 4.0.20 (unfortunately I have no idea how to reproduce it):

0x8096995 handle_segfault + 645
0x827b78a __pthread_sighandler + 122
0x82a4a06 _IO_str_overflow + 230
0x82a3af0 _IO_default_xsputn + 128
0x82947f4 vfprintf + 324
0x829e23b vsprintf + 123
0x8091c57 net_printf(st_net*, unsigned, ...) + 119
0x80a205e handle_one_connection + 990
0x827728e pthread_start_thread + 206
0x82b0b0a clone + 106

It seems the text_pos string sent to vsprintf entails an overflow inside the function.

Regards,
  Jocelyn

How to repeat:
Hard to tell unfortunately :(

Suggested fix:
Perhaps use vsnprintf instead?
[6 Aug 2004 12:45] jocelyn fournier
Note also that some of my files could have a 4.1 FRM header.
[6 Aug 2004 18:38] Hartmut Holzgraefe
Although I can't reproduce this, I still agree that using vsnprintf instead of vsprintf is a valid request.
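The report above blames an unbounded vsprintf into the tail of the connection buffer, and the two comments agree that a bounded vsnprintf is the fix. The following is an added example, not code from this bug report or from the MySQL source: it reproduces the layout the patched net_printf computes (buff + head_length + offset + 1, bounded by buff_end) with a hypothetical cut-down `toy_net` struct and a `bounded_net_printf` function of my own naming, and adds the two checks a reviewer would want around the vsnprintf call: a guard for the case where the text position is already at or past buff_end, and truncation detection from vsnprintf's return value rather than from a later strlen. A canary region behind the buffer shows that an over-long message no longer escapes it.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, cut-down stand-in for the server's NET structure (not MySQL's
 * own definition): only the fields the patched net_printf code touches. */
typedef struct {
    unsigned char *buff;       /* start of the packet buffer */
    unsigned char *buff_end;   /* one past the last usable byte */
    size_t head_length;        /* bytes reserved for the packet header */
    int return_errno;          /* 1 => a 2-byte errno precedes the text */
} toy_net;

/* Format an error message at the position the patch computes
 * (buff + head_length + offset + 1), bounded by the space left before
 * buff_end.  Returns the number of characters stored (excluding the NUL),
 * or -1 if not even a terminating NUL fits.  *truncated is set when the
 * message had to be cut.  The unpatched code called vsprintf here with no
 * bound at all, which is what lets a long message run past buff_end. */
int bounded_net_printf(toy_net *net, int *truncated, const char *format, ...)
{
    size_t offset = net->return_errno ? 2 : 0;
    size_t start = net->head_length + offset + 1;
    size_t total = (size_t)(net->buff_end - net->buff);
    char *text_pos;
    size_t avail;
    va_list args;
    int needed;

    *truncated = 0;
    /* The patch passes (int)(buff_end - text_pos) to vsnprintf.  If text_pos
     * is already at or beyond buff_end that value is <= 0 and, converted to
     * size_t, becomes enormous, so check the offsets first. */
    if (start >= total)
        return -1;
    text_pos = (char *)net->buff + start;
    avail = total - start;

    va_start(args, format);
    needed = vsnprintf(text_pos, avail, format, args);
    va_end(args);
    if (needed < 0)
        return -1;   /* encoding error, or a pre-C99 libc signalling truncation */

    /* C99 vsnprintf returns the length the full message would have had, so
     * truncation is detectable without strlen. */
    if ((size_t)needed >= avail) {
        *truncated = 1;
        text_pos[avail - 1] = '\0';   /* defensive: some old libcs don't terminate on truncation */
        return (int)(avail - 1);
    }
    return needed;
}

/* Demonstration harness: a 32-byte packet buffer followed by an 8-byte guard
 * region filled with a canary.  Formats "Error: <msg>" with the given header
 * length and the errno prefix on, copies the stored text to out, and reports
 * whether it was truncated and whether the guard bytes survived untouched. */
#define DEMO_BUF_SIZE 32
#define DEMO_GUARD    8

int demo_run(const char *msg, size_t head_length, char *out, size_t out_size,
             int *truncated, int *guard_intact)
{
    unsigned char buf[DEMO_BUF_SIZE + DEMO_GUARD];
    toy_net net;
    int n, i;

    memset(buf, 0xAA, sizeof buf);            /* canary everywhere */
    net.buff = buf;
    net.buff_end = buf + DEMO_BUF_SIZE;
    net.head_length = head_length;
    net.return_errno = 1;

    n = bounded_net_printf(&net, truncated, "Error: %s", msg);

    *guard_intact = 1;
    for (i = 0; i < DEMO_GUARD; i++)
        if (buf[DEMO_BUF_SIZE + i] != 0xAA)
            *guard_intact = 0;

    if (n >= 0)
        snprintf(out, out_size, "%s", (char *)buf + head_length + 2 + 1);
    else if (out_size > 0)
        out[0] = '\0';
    return n;
}

int main(void)
{
    char out[64];
    int truncated, guard_intact;
    int n = demo_run("This message is far too long for the buffer", 4,
                     out, sizeof out, &truncated, &guard_intact);
    printf("stored %d chars, truncated=%d, guard_intact=%d: \"%s\"\n",
           n, truncated, guard_intact, out);
    return 0;
}
```

With a 4-byte header and the errno prefix the text area starts at byte 7 and holds 24 characters plus the NUL; a 50-character message is cut to 24, the guard bytes stay intact, and a header length that leaves no room at all is refused up front instead of being turned into a huge size_t.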
[12 Aug 2004 0:28] Antony Curtis
Patch for bug: 
 
===== net_pkg.cc 1.31 vs edited ===== 
--- 1.31/sql/net_pkg.cc 2003-02-17 00:14:34 +00:00 
+++ edited/net_pkg.cc   2004-08-11 23:03:13 +01:00 
@@ -124,7 +124,7 @@ 
   } 
   offset= net->return_errno ? 2 : 0; 
   text_pos=(char*) net->buff+head_length+offset+1; 
-  (void) vsprintf(my_const_cast(char*) (text_pos),format,args); 
+  (void) vsnprintf(my_const_cast(char*) (text_pos), (int)
(net->buff_end-text_pos),format,args); 
   length=(uint) strlen((char*) text_pos); 
   if (length >= sizeof(net->last_error)) 
     length=sizeof(net->last_error)-1;          /* purecov: inspected */
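Review bot: The added call is split across two physical lines and the second half `(net->buff_end-text_pos),format,args);` has no leading `+`, so the hunk as posted does not match its `@@ -124,7 +124,7 @@` counts and will not apply cleanly; on top of that `net->buff_end-text_pos` subtracts pointers of different types (text_pos is a char*, and the revised patch below has to cast both sides to char*), which is why this version does not compile. Independently of the compile problem, the size should not be cast to `int`: vsnprintf takes a size_t, and if text_pos ever lands at or past buff_end the difference is zero or negative and converts to a huge unsigned value, which restores the original overflow. Suggest checking `text_pos < (char*) net->buff_end` before the call and passing the remaining space as a size_t.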
[12 Aug 2004 0:34] Antony Curtis
Actually, this patch will compile better ;) 
 
===== net_pkg.cc 1.31 vs edited ===== 
--- 1.31/sql/net_pkg.cc 2003-02-17 00:14:34 +00:00 
+++ edited/net_pkg.cc   2004-08-11 23:33:28 +01:00 
@@ -124,7 +124,8 @@ 
   } 
   offset= net->return_errno ? 2 : 0; 
   text_pos=(char*) net->buff+head_length+offset+1; 
-  (void) vsprintf(my_const_cast(char*) (text_pos),format,args); 
+  (void) vsnprintf(my_const_cast(char*) (text_pos), 
+        (int)((char *)net->buff_end-(char *)text_pos),format,args); 
   length=(uint) strlen((char*) text_pos); 
   if (length >= sizeof(net->last_error)) 
     length=sizeof(net->last_error)-1;          /* purecov: inspected */
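Review bot: The remaining-space argument is still cast to `(int)` although vsnprintf takes a size_t; when `head_length+offset+1` reaches or exceeds the buffer size the difference `(char *)net->buff_end-(char *)text_pos` is zero or negative, becomes a very large size_t, and the bound no longer bounds anything, so a check that `(char *)net->buff_end > (char *)text_pos` belongs before the call. The return value is also discarded with `(void)`: a C99 vsnprintf reports the length the full message would have had, which is a cheaper and more reliable truncation check than the `strlen((char*) text_pos)` on the next line. Finally, on libcs whose vsnprintf does not NUL-terminate on truncation that `strlen` can still read past `buff_end`, so it is worth storing a `0` at the last byte of the range explicitly after the call, or going through a wrapper with guaranteed termination semantics.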
[17 Aug 2004 23:58] Sergei Golubchik
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html

Additional info:

fixed in 4.1.21