| Bug #81626 | A buffer overflow occurs when an attacker sends large data to the split() function | | |
|---|---|---|---|
| Submitted: | 27 May 2016 12:03 | Modified: | 17 Jun 2016 18:07 |
| Reporter: | Emin Ghuliev | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Command-line Clients | Severity: | S2 (Serious) |
| Version: | 5.7.11 | OS: | Linux |
| Assigned to: | | CPU Architecture: | Any |
[28 May 2016 8:43]
Emin Ghuliev
This bug is related to the "strcpy" function in the regex/split.c file; its second parameter doesn't have valid checks.
    if (argc > 4)
        for (n = atoi(argv[3]); n > 0; n--) {
            (void) strcpy(buf, argv[1]); //<==== argv[1] copied into fixed-size buf, no length check
        }
[30 May 2016 14:57]
Emin Ghuliev
subject changed
[17 Jun 2016 18:07]
Paul DuBois
Posted by developer: Noted in 5.5.31, 5.6.32, 5.7.14 changelogs. A buffer overflow in the regex library was fixed.

Description:
Buffer overflows can be triggered when an attacker writes a payload to the argv[1] value larger than 512 bytes.
- mysql-server/regex/split.c:
    if (argc > 4)
        for (n = atoi(argv[3]); n > 0; n--) {
            (void) strcpy(buf, argv[1]); //<==== buffer overflow
        }
    else if (argc > 3)
        for (n = atoi(argv[3]); n > 0; n--) {
            (void) strcpy(buf, argv[1]); //<==== buffer overflow
            (void) split(buf, fields, MNF, argv[2]);
        }
How to repeat:
pgm $(python -c "print 'A'*20000") a 1
Suggested fix:
https://github.com/mysql/mysql-server/pull/78
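As an added example, not code from the bug report or from the MySQL tree: the unbounded strcpy pattern described above beside a bounded replacement that refuses arguments which do not fit. The 512-byte buffer size follows the report; the function names (copy_unbounded, copy_bounded, try_payload) are this example's own, and try_payload reproduces the report's 20000-byte 'A' argument against the bounded copy only, since calling the unbounded version with it would corrupt the stack.

```c
/*
 * Added example, not from the bug report or the MySQL sources.
 * Shows the strcpy pattern from regex/split.c beside a length-checked
 * copy. BUFSZ follows the report's 512-byte buffer; all names here are
 * this example's own.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUFSZ 512

/* Pattern reported in the bug: argv[1] is copied into a fixed
 * 512-byte buffer with no length check. Any argument of 512 bytes or
 * more (counting the terminating NUL) writes past the end of buf. */
static void copy_unbounded(char *buf, const char *arg)
{
    (void) strcpy(buf, arg);   /* vulnerable: no bound on arg length */
}

/* Hardened replacement: measure first, copy only if it fits.
 * Returns 0 on success, -1 when arg plus its NUL exceeds bufsz. */
static int copy_bounded(char *buf, size_t bufsz, const char *arg)
{
    size_t len = strlen(arg);
    if (bufsz == 0 || len >= bufsz)
        return -1;
    memcpy(buf, arg, len + 1);   /* len + 1 includes the NUL */
    return 0;
}

/* Mirrors the report's reproduction step: build a constructed argument
 * of n 'A' bytes (the report uses 20000) and try the bounded copy into
 * a 512-byte buffer. Returns the copy result, -2 on allocation failure. */
static int try_payload(size_t n)
{
    char buf[BUFSZ];
    char *payload = malloc(n + 1);
    int rc;
    if (payload == NULL)
        return -2;
    memset(payload, 'A', n);
    payload[n] = '\0';
    rc = copy_bounded(buf, sizeof buf, payload);
    free(payload);
    return rc;
}

int main(void)
{
    char buf[BUFSZ];
    printf("bounded copy of 20000 bytes: %d\n", try_payload(20000));
    printf("bounded copy of 512 bytes:   %d\n", try_payload(512));
    printf("bounded copy of 511 bytes:   %d\n", try_payload(511));
    copy_unbounded(buf, "short");   /* safe only because the input is short */
    printf("unbounded copy of short arg: %s\n", buf);
    return 0;
}
```

The check is `len >= bufsz` rather than `len > bufsz` because the terminating NUL needs its own byte; a 512-byte argument into a 512-byte buffer is already one byte too many, which is the boundary the report's "larger than 512 byte" wording is describing.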