List: Bugs
From: sasha  Date: November 7 2000 2:44am
Subject: Re: mysqld segfaults on bad CONCAT_WS() syntax
"Jeffrey D. Wheelhouse" wrote:
> 
> I first reported this in 3.23.25-beta, but I think mysqlbug sent it to the
> wrong place.
> 
> The following code segfaults mysqld from the command line client:
> 
> DROP TABLE IF EXISTS tblCrash;
> CREATE TABLE tblCrash (
> pkCrash INTEGER PRIMARY KEY,
> strCrash VARCHAR(255)
> );
> INSERT INTO tblCrash ( pkCrash, strCrash ) VALUES ( 1, '1');
> SELECT CONCAT_WS(pkCrash, strCrash) FROM tblCrash;
> 
> If the separator parameter to CONCAT_WS() is omitted and a table field
> appears as the first parameter, mysqld segfaults.  This is primarily
> interesting as a DOS attack since it implies that anyone with SELECT
> permission on any table can bring down the server.
> 
> This was on SPARC Solaris 2.7 using SunPro/Forte WS6.0 compilers with
> current patches.
> 
> Thanks,
> Jeff

Thanks for reporting the bug. Fix:

--- PARENT/sql/item_strfunc.h   Wed Aug 30 13:42:21 2000
+++ NEW/sql/item_strfunc.h      Mon Nov  6 19:39:12 2000
@@ -69,7 +69,13 @@
   ~Item_func_concat_ws() { delete separator; }
   String *val_str(String *);
   void fix_length_and_dec();
-  const char *func_name() const { return "concat_ws"; }
+  void update_used_tables();
+  bool fix_fields(THD *thd,struct st_table_list *tlist)
+  {
+    return (separator->fix_fields(thd,tlist)
+           || Item_func::fix_fields(thd,tlist));
+  }
+ const char *func_name() const { return "concat_ws"; }
 };

 class Item_func_reverse :public Item_str_func
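Review bot: the moved `+ const char *func_name() const { return "concat_ws"; }` line at the end of this hunk is indented with one space while the rest of the class body uses two; realign it so it matches its neighbours. A one-line comment above the new `fix_fields()` saying why `separator` needs its own `fix_fields()` call before `Item_func::fix_fields()` (the skipped separator is what caused the crash) would also keep the next reader from "simplifying" it away.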

--- PARENT/sql/item_strfunc.cc  Fri Nov  3 07:04:33 2000
+++ NEW/sql/item_strfunc.cc     Mon Nov  6 19:39:12 2000
@@ -309,6 +309,16 @@
     max_length=MAX_BLOB_WIDTH;
     maybe_null=1;
   }
+  used_tables_cache|=separator->used_tables();
+  const_item_cache&=separator->const_item();
+}
+
+void Item_func_concat_ws::update_used_tables()
+{
+  Item_func::update_used_tables();
+  separator->update_used_tables();
+  used_tables_cache|=separator->used_tables();
+  const_item_cache&=separator->const_item();
 }
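Review bot: the pair `used_tables_cache|=separator->used_tables();` / `const_item_cache&=separator->const_item();` now appears twice, at the end of `fix_length_and_dec()` and again in the new `update_used_tables()`; a small private helper would keep the two sites from drifting apart. In `update_used_tables()` the separator's contribution is merged only after `Item_func::update_used_tables()` has run, so it is not lost to the base-class refresh; a short comment that the order matters would protect that.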

Monty, I've pushed this one, since the fix is to conform to the pattern of ELT()
and MAKE_SET(). The reason for the coredump was ignoring something with the separator,
the same way ELT() and MAKE_SET() were ignoring item.



-- 
MySQL Development Team
   __  ___     ___ ____  __ 
  /  |/  /_ __/ __/ __ \/ /   Sasha Pachev <sasha@stripped>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Provo, Utah, USA
       <___/
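Added here as a regression check for the bug and fix discussed in this thread (example code, not the thread's own or MySQL's test suite); it reuses the reporter's tblCrash, assumes a build carrying the patch above, and the extra columns, rows and expected values are constructed by hand:

```sql
-- Regression script for the CONCAT_WS() separator fix.
-- Added example: not part of the thread or of the MySQL test suite.
-- The table name comes from the report; the extra columns, rows and
-- expected values are constructed by hand.
DROP TABLE IF EXISTS tblCrash;
CREATE TABLE tblCrash (
  pkCrash    INTEGER PRIMARY KEY,
  strCrash   VARCHAR(255),
  strOther   VARCHAR(255),
  expColSep  VARCHAR(255),  -- expected CONCAT_WS(pkCrash, strCrash, strOther)
  expNullSep VARCHAR(255)   -- expected CONCAT_WS(strCrash, pkCrash, strOther)
);
INSERT INTO tblCrash VALUES
  (1, 'a',  'b',  'a1b', '1ab'),  -- both pieces present
  (2, 'c',  NULL, 'c',   '2'),    -- NULL piece is skipped, separator still used
  (3, NULL, 'd',  'd',   NULL);   -- NULL separator (case 2) makes the result NULL

-- Case 1: the exact shape from the report, a column as the first parameter.
-- Only rows whose result differs from the hand-computed value are returned.
SELECT pkCrash,
       CONCAT_WS(pkCrash, strCrash, strOther) AS got,
       expColSep                              AS want
  FROM tblCrash
 WHERE NOT (CONCAT_WS(pkCrash, strCrash, strOther) <=> expColSep);

-- Case 2: a column separator that is NULL on some rows.
SELECT pkCrash,
       CONCAT_WS(strCrash, pkCrash, strOther) AS got,
       expNullSep                             AS want
  FROM tblCrash
 WHERE NOT (CONCAT_WS(strCrash, pkCrash, strOther) <=> expNullSep);

-- Case 3: separator taken from a second table in a join, so the separator's
-- own used-tables bookkeeping (the update_used_tables() part of the fix) is
-- exercised rather than just fix_fields().
SELECT a.pkCrash,
       CONCAT_WS(b.pkCrash, a.strCrash, a.strOther) AS got,
       a.expColSep                                   AS want
  FROM tblCrash a, tblCrash b
 WHERE b.pkCrash = a.pkCrash
   AND NOT (CONCAT_WS(b.pkCrash, a.strCrash, a.strOther) <=> a.expColSep);
```

Each query is written to list only mismatching rows, so a run that produces three empty result sets with the server still up is a pass; before the patch, the first query is the one the report says took the server down.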