Bug #572 Off-by-one error in sql_parse.cc
Submitted: 3 Jun 2003 6:37    Modified: 3 Jun 2003 8:15
Reporter: John Cartwright
Status: Closed
Category: MySQL Server: Compiling    Severity: S3 (Non-critical)
Version: 4.0.13    OS: Solaris (Solaris 8 (sparc))
Assigned to:    CPU Architecture: Any

[3 Jun 2003 6:37] John Cartwright
Description:
There appears to be an off-by-one error in the function check_user (sql_parse.cc):

  char tmp_passwd[SCRAMBLE_LENGTH];
 
  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
    return 1;
  /*
    Move password to temporary buffer as it may be stored in communication
    buffer
  */
  strmov(tmp_passwd, passwd);

How to repeat:
Whilst the strlen check is correct, SCRAMBLE_LENGTH is defined as 8, so tmp_passwd is overflowed by 1 byte, as the strmov function also copies the NULL byte into the buffer tmp_passwd.

Whilst this does not appear to be exploitable, it can interfere with stack protection algorithms. I found this at runtime using my ProPolice/SSP patch for Solaris (available at http://www.netsys.com/cgi-bin/display_article.cgi?1266).

To repeat: compile for Solaris using my patched compiler; test rpl000017 will fail due to a detected stack-smashing attack.

Suggested fix:
Simply define tmp_passwd as:

char tmp_passwd[SCRAMBLE_LENGTH + 1];

The testcase passes when this trivial modification is applied.
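
The arithmetic behind the report, as an added example that is not part of the bug report or of the MySQL source: a port of the check_user() fragment that takes the destination size explicitly, so the copy is refused instead of overflowing when the buffer is SCRAMBLE_LENGTH bytes and succeeds with the suggested SCRAMBLE_LENGTH + 1. The my_strmov() stand-in assumes MySQL's strmov() semantics (copy through the terminating NUL, return a pointer to it); SCRAMBLE_LENGTH is 8 as stated in the report.

```c
#include <stddef.h>
#include <string.h>

/* Value stated in the report for MySQL 4.0.13. */
#define SCRAMBLE_LENGTH 8

/* Stand-in for MySQL's strmov(): copies src including its terminating NUL
   and returns a pointer to that terminator in dst. Like the original it
   has no bound on the destination, which is why the caller must size it. */
static char *my_strmov(char *dst, const char *src)
{
    while ((*dst++ = *src++) != '\0')
        ;
    return dst - 1;
}

/* Number of bytes strmov() writes for a password: characters plus NUL.
   For an 8-character scramble this is 9, one more than SCRAMBLE_LENGTH. */
size_t bytes_written_by_strmov(const char *passwd)
{
    return strlen(passwd) + 1;
}

/* Port of the check_user() fragment with an explicit destination size.
   Returns 1 if the password has the wrong length (as the original does)
   or if the copy would not fit in dst, 0 on success. */
int check_user_copy(char *dst, size_t dst_size, const char *passwd)
{
    if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
        return 1;
    if (bytes_written_by_strmov(passwd) > dst_size)
        return 1;   /* the original code would overflow dst here */
    my_strmov(dst, passwd);
    return 0;
}

/* The buffer declaration from the report: SCRAMBLE_LENGTH bytes. */
int copy_into_original_buffer(const char *passwd)
{
    char tmp_passwd[SCRAMBLE_LENGTH];
    return check_user_copy(tmp_passwd, sizeof tmp_passwd, passwd);
}

/* The suggested fix: SCRAMBLE_LENGTH + 1 bytes, room for the NUL. */
int copy_into_fixed_buffer(const char *passwd)
{
    char tmp_passwd[SCRAMBLE_LENGTH + 1];
    return check_user_copy(tmp_passwd, sizeof tmp_passwd, passwd);
}
```

An 8-character scramble passes the strlen check but needs 9 bytes, so only the enlarged buffer accepts it; an empty password fits either buffer.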
[3 Jun 2003 8:15] MySQL Verification Team
Thank you very much for your bug report.

It was truly a bug, and your fix is correct.

We have now applied it to our source tree and it will come in the next release of 4.0.