Thread: 3 messages in com.mysql.lists.bugs
Thimble Smith, 25 Oct 2000 18:47
Polly Powledge, 30 Oct 2000 11:51
Michael Widenius, 04 Nov 2000 12:30

Subject: Re: bug report: segfaults on large host,username,password,db fields
From: Polly Powledge (ppow@internap.com)
Date: 10/30/2000 11:51:10 AM
List: com.mysql.lists.bugs

Tim, Monty --

Wow, I can't believe how fast you two responded to my fairly minor bug report. I really appreciate the effort you've put into this, and into MySQL itself and all the great documentation too.

Thank you,

Polly Powledge ppow@internap.com

Michael Widenius wrote:

Hi!

"Thimble" == Thimble Smith <ti@mysql.com> writes:

Thimble> On Wed, Oct 25, 2000 at 04:53:20PM -0700, ppow@internap.com wrote:

Description:

I get segfaults when I use large-ish values for hosts, username, passwords, and db's in connects. I have not checked this with unix_socket.

How-To-Repeat:

At terminal window, type "mysql -u root -p <X>" where <X> is about 300 characters long. Enter password, then segfault. I have also encountered this with mysql_real_connect(), and can send you sample code if you want.

Fix:

The workaround is simple: don't do it. :^) But what I'm really worried about here is a DOS attack from a remote user.

Thimble> Since it's the client that's dumping core, there's no worry about a
Thimble> remote user (who must be running the client on her own machine)
Thimble> crashing the server through this problem.

Thimble> Still, it'd be nice to have this fixed. Note: this still happens on
Thimble> the latest 3.23.

Thimble> Thanks for the report,

Thimble> Tim

Here is a patch for this:

===== libmysql/libmysql.c 1.41 vs edited ===== *** libmysql/libmysql.c-1.41 Mon Oct 9 23:10:40 2000 --- edited/libmysql/libmysql.c Fri Oct 27 23:30:34 2000 *************** *** 1140,1146 **** const char *passwd, const char *db, uint port, const char *unix_socket,uint client_flag) { ! char buff[100],charset_name_buff[16],*end,*host_info,
*charset_name; my_socket sock; uint32 ip_addr; struct sockaddr_in sock_addr; --- 1140,1147 ---- const char *passwd, const char *db, uint port, const char *unix_socket,uint client_flag) { ! char
buff[NAME_LEN+100],charset_name_buff[16],*end,*host_info, ! *charset_name; my_socket sock; uint32 ip_addr; struct sockaddr_in sock_addr; *************** *** 1496,1502 ****

int3store(buff+2,max_allowed_packet); if (user && user[0]) ! strmake(buff+5,user,32); else read_user_name((char*) buff+5); #ifdef _CUSTOMCONFIG_ --- 1497,1503 ----

int3store(buff+2,max_allowed_packet); if (user && user[0]) ! strmake(buff+5,user,32); /* Max user name */ else read_user_name((char*) buff+5); #ifdef _CUSTOMCONFIG_ *************** *** 1507,1513 **** (my_bool) (mysql->protocol_version == 9)); if (db && (mysql->server_capabilities & CLIENT_CONNECT_WITH_DB)) { ! end=strmov(end+1,db); mysql->db=my_strdup(db,MYF(MY_WME)); db=0; } --- 1508,1514 ---- (my_bool) (mysql->protocol_version == 9)); if (db && (mysql->server_capabilities & CLIENT_CONNECT_WITH_DB)) { ! end=strmake(end+1,db,NAME_LEN); mysql->db=my_strdup(db,MYF(MY_WME)); db=0; }
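Review bot: the first hunk grows the buffer to `char buff[NAME_LEN+100]` without documenting why 100 extra bytes cover everything else written into it (the 5-byte header, the 32-byte user name copied in the second hunk, the terminating NULs and whatever follows); a comment stating that size arithmetic next to the declaration would let the next reader re-check the bound when a field is added. The report also names host and password values of about 300 characters, and the hunk does not show how those reach buff, so confirm those copies are bounded as well.

Review bot: in the second hunk the old and new lines both read `strmake(buff+5,user,32)`, so only the comment `/* Max user name */` changes and this hunk is not part of the fix; the bare `32` should become a named constant in the same spirit as the NAME_LEN used for the db copy, so the two client-side limits stay in step with the server's.

Review bot: the third hunk replaces `end=strmov(end+1,db)` with `end=strmake(end+1,db,NAME_LEN)`, which bounds the copy but truncates silently; the following `mysql->db=my_strdup(db,MYF(MY_WME))` still stores the full name, so for a db longer than NAME_LEN the client records one name while sending a different, shortened one to the server. Rejecting an over-long db with an error before the copy would keep the two consistent.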

Regards, Monty
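The bounded-copy pattern from Monty's patch, as an added example written for this page (not libmysql code): a simplified connect-packet builder using the patched buffer size and a strmake-like copy, plus a stricter variant that refuses over-long values instead of truncating them. NAME_LEN's value, bounded_copy, build_connect_packet and build_connect_packet_strict are assumptions; the real NAME_LEN is not given in the thread.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for MySQL's NAME_LEN; the real value lives in the MySQL headers
   and is not stated in the thread, so 64 is an assumption for this demo. */
#define NAME_LEN 64
#define USER_LEN 32                 /* the 32 the patch uses for user names */
#define BUFF_SIZE (NAME_LEN + 100)  /* the buffer size the patch switches to */

/* Bounded copy with the shape of MySQL's strmake(): copy at most `length`
   characters, always NUL-terminate, return a pointer to the NUL written
   (assumed semantics, not MySQL's own code). */
static char *bounded_copy(char *dst, const char *src, size_t length)
{
    size_t n = 0;
    while (n < length && src[n])
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return dst + n;
}

/* Packet layout after the patch: 5 header bytes, user (at most USER_LEN),
   NUL, db (at most NAME_LEN), NUL. Returns the packet length. Like the
   patch, over-long values are silently truncated; the worst case is
   5 + 32 + 1 + 64 + 1 = 103 bytes, which stays inside BUFF_SIZE. */
int build_connect_packet(char buff[BUFF_SIZE], const char *user, const char *db)
{
    char *end;
    memset(buff, 0, 5);                          /* header placeholder */
    end = bounded_copy(buff + 5, user, USER_LEN);
    end = bounded_copy(end + 1, db, NAME_LEN);
    return (int)(end + 1 - buff);
}

/* Stricter variant: refuse values the bounded copy would truncate, so the
   client never sends a shortened db name while mysql->db keeps the full one
   (the patch's strmake() followed by my_strdup(db) allows that mismatch). */
int build_connect_packet_strict(char buff[BUFF_SIZE], const char *user,
                                const char *db)
{
    if (strlen(user) > USER_LEN || strlen(db) > NAME_LEN)
        return -1;                               /* reject, don't truncate */
    return build_connect_packet(buff, user, db);
}
```

With a constructed 300-character db name (the size from the report) the truncating builder returns a 75-byte packet holding exactly NAME_LEN db characters, while the strict builder returns -1.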