| Bug #572 | Off-by-one error in sql_parse.cc | | |
|---|---|---|---|
| Submitted: | 3 Jun 2003 6:37 | Modified: | 3 Jun 2003 8:15 |
| Reporter: | John Cartwright | | |
| Status: | Closed | | |
| Category: | MySQL Server: Compiling | Severity: | S3 (Non-critical) |
| Version: | 4.0.13 | OS: | Solaris (Solaris 8 (sparc)) |
| Assigned to: | | CPU Architecture: | Any |
[3 Jun 2003 8:15] MySQL Verification Team

Thank you very much for your bug report. It was truly a bug, and your fix is correct. We have now applied it to our source tree and it will come in the next release of 4.0.


Description:

There appears to be an off-by-one error in the function check_user (sql_parse.cc):

```c
char tmp_passwd[SCRAMBLE_LENGTH];
if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
  return 1;
/* Move password to temporary buffer as it may be stored in communication buffer */
strmov(tmp_passwd, passwd);
```

How to repeat:

Whilst the strlen check is correct, SCRAMBLE_LENGTH is defined as 8, so therefore tmp_passwd is overflowed by 1 byte, as the strmov function also copies the NULL byte into the buffer tmp_passwd. Whilst this does not appear to be exploitable, it can interfere with stack protection algorithms. I found this at runtime using my ProPolice/SSP patch for Solaris (available at http://www.netsys.com/cgi-bin/display_article.cgi?1266).

To repeat:

- compile for Solaris using my patched compiler;
- test rpl000017 will fail due to a detected stack-smashing attack.

Suggested fix:

Simply define tmp_passwd as:

```c
char tmp_passwd[SCRAMBLE_LENGTH + 1];
```

The testcase passes when this trivial modification is applied.
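The arithmetic behind the report, as an added example that is not part of the bug report or of MySQL's source: a password that passes the `strlen(passwd) == SCRAMBLE_LENGTH` check occupies SCRAMBLE_LENGTH + 1 bytes once its terminator is counted, so a buffer of exactly SCRAMBLE_LENGTH bytes is one byte short. The `copy_with_nul` helper is an assumed stand-in for MySQL's `strmov` (modelling only that the terminator is written), `reject_password`, `copy_overflows`, `stage_password_fixed` and `staged_matches` are hypothetical names, and the sample password is constructed. `copy_overflows` is the explicit bound check the original code relied on implicitly; `stage_password_fixed` uses the corrected buffer size from the suggested fix.

```c
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LENGTH 8   /* value stated in the report */

/* Assumed stand-in for MySQL's strmov(): copies src into dst, NUL
   included, and returns a pointer to the copied terminator. */
static char *copy_with_nul(char *dst, const char *src)
{
    while ((*dst = *src) != '\0') {
        dst++;
        src++;
    }
    return dst;
}

/* The length check from the report, unchanged: a non-empty password must
   be exactly SCRAMBLE_LENGTH characters. Returns 1 = reject, 0 = accept. */
static int reject_password(const char *passwd)
{
    return passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH;
}

/* Number of bytes a NUL-terminated copy of passwd actually writes. */
static size_t bytes_copied(const char *passwd)
{
    return strlen(passwd) + 1;
}

/* 1 if copying passwd into a buffer of buf_size bytes would write past
   its end, 0 otherwise. This is the bound the original code never checked. */
static int copy_overflows(size_t buf_size, const char *passwd)
{
    return bytes_copied(passwd) > buf_size;
}

/* Corrected sizing from the suggested fix: room for the terminator.
   Returns 1 if rejected, 0 if the password was staged and copied to out. */
static int stage_password_fixed(const char *passwd, char *out, size_t out_size)
{
    char tmp_passwd[SCRAMBLE_LENGTH + 1];

    if (reject_password(passwd))
        return 1;
    /* After the length check this cannot fire; it records the invariant
       that made the original SCRAMBLE_LENGTH-byte buffer too small. */
    if (copy_overflows(sizeof tmp_passwd, passwd))
        return 1;
    copy_with_nul(tmp_passwd, passwd);
    if (out_size < sizeof tmp_passwd)
        return 1;
    memcpy(out, tmp_passwd, sizeof tmp_passwd);
    return 0;
}

/* 1 if the fixed path accepts passwd and the staged copy equals it. */
static int staged_matches(const char *passwd)
{
    char out[SCRAMBLE_LENGTH + 1] = "";
    return stage_password_fixed(passwd, out, sizeof out) == 0
        && strcmp(out, passwd) == 0;
}

int main(void)
{
    const char *pw = "abcdefgh";   /* constructed 8-character sample */

    printf("bytes written by the copy: %zu\n", bytes_copied(pw));
    printf("overflows a %d-byte buffer: %d\n", SCRAMBLE_LENGTH,
           copy_overflows(SCRAMBLE_LENGTH, pw));
    printf("overflows a %d-byte buffer: %d\n", SCRAMBLE_LENGTH + 1,
           copy_overflows(SCRAMBLE_LENGTH + 1, pw));
    printf("fixed path stages \"%s\": %d\n", pw, staged_matches(pw));
    return 0;
}
```

The pattern generalises beyond this function: whenever a length check enforces `strlen(s) == N` and the copy routine writes the terminator, the destination must hold `N + 1` bytes. Making the bound explicit with `sizeof` on the destination, as `copy_overflows` does, is what turns an overflow into a rejected request, which is also why the stack protector in the report could only detect the bug after the fact rather than prevent it.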