From:Marc Alff Date:October 7 2010 9:17pm
Subject:bzr commit into mysql-next-mr-bugfixing branch (marc.alff:3321) Bug#57106
#At file:///Users/malff/BZR_TREE/mysql-next-mr-bugfixing-57106/ based on revid:luis.soares@stripped

 3321 Marc Alff	2010-10-07
      Bug#57106 Robustness of memcpy calls in the performance schema
      
      Before this fix:
      - SELECT * from SETUP_ACTORS
      - SELECT * from THREADS
      could lead to crashes inside a memcpy,
      because the length of the memory to copy was not checked.
      
      This fix makes these tables more robust to invalid data, which can be produced with edge conditions when the record read is changing.

    modified:
      storage/perfschema/table_setup_actors.cc
      storage/perfschema/table_threads.cc
=== modified file 'storage/perfschema/table_setup_actors.cc'
--- a/storage/perfschema/table_setup_actors.cc	2010-07-02 16:15:37 +0000
+++ b/storage/perfschema/table_setup_actors.cc	2010-10-07 21:16:41 +0000
@@ -174,12 +174,23 @@ void table_setup_actors::make_row(PFS_se
 
   pfs->m_lock.begin_optimistic_lock(&lock);
 
-  memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
   m_row.m_hostname_length= pfs->m_hostname_length;
-  memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+  if (unlikely((m_row.m_hostname_length == 0) ||
+               (m_row.m_hostname_length > sizeof(m_row.m_hostname))))
+    return;
+  memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
   m_row.m_username_length= pfs->m_username_length;
-  memcpy(m_row.m_rolename, pfs->m_rolename, pfs->m_rolename_length);
+  if (unlikely((m_row.m_username_length == 0) ||
+               (m_row.m_username_length > sizeof(m_row.m_username))))
+    return;
+  memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
   m_row.m_rolename_length= pfs->m_rolename_length;
+  if (unlikely((m_row.m_rolename_length == 0) ||
+               (m_row.m_rolename_length > sizeof(m_row.m_rolename))))
+    return;
+  memcpy(m_row.m_rolename, pfs->m_rolename, m_row.m_rolename_length);
 
   if (pfs->m_lock.end_optimistic_lock(&lock))
     m_row_exists= true;
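Review bot: The three early returns leave `m_row_exists` untouched, so a rejected record is only dropped if make_row resets `m_row_exists= false` before the optimistic lock is taken; that prologue lies above this hunk (the function starts outside it), and the same question applies to the three returns in table_threads.cc. If it does not, the previous row's contents would be served in place of the corrupt record. Reading each length once into `m_row` and bounding the memcpy on that copy is the right shape, since the `pfs` fields may be changing under the optimistic lock. The bound is the destination size only; a compile-time assertion that source and destination arrays match, e.g. `compile_time_assert(sizeof(m_row.m_hostname) == sizeof(pfs->m_hostname));` (or `static_assert` if available), would keep the check honest if either array is resized.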

=== modified file 'storage/perfschema/table_threads.cc'
--- a/storage/perfschema/table_threads.cc	2010-07-21 19:06:21 +0000
+++ b/storage/perfschema/table_threads.cc	2010-10-07 21:16:41 +0000
@@ -187,12 +187,25 @@ void table_threads::make_row(PFS_thread 
   m_row.m_thread_id= pfs->m_thread_id;
   m_row.m_name= safe_class->m_name;
   m_row.m_name_length= safe_class->m_name_length;
-  memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+
   m_row.m_username_length= pfs->m_username_length;
-  memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
+  if (unlikely(m_row.m_username_length > sizeof(m_row.m_username)))
+    return;
+  if (m_row.m_username_length != 0)
+    memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
   m_row.m_hostname_length= pfs->m_hostname_length;
-  memcpy(m_row.m_dbname, pfs->m_dbname, pfs->m_dbname_length);
+  if (unlikely(m_row.m_hostname_length > sizeof(m_row.m_hostname)))
+    return;
+  if (m_row.m_hostname_length != 0)
+    memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
   m_row.m_dbname_length= pfs->m_dbname_length;
+  if (unlikely(m_row.m_dbname_length > sizeof(m_row.m_dbname)))
+    return;
+  if (m_row.m_dbname_length != 0)
+    memcpy(m_row.m_dbname, pfs->m_dbname, m_row.m_dbname_length);
+
   m_row.m_command= pfs->m_command;
   m_row.m_start_time= pfs->m_start_time;
   /* FIXME: need to copy it ? */
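Review bot: A zero length is treated as valid here (the memcpy is simply skipped) but as corrupt data in table_setup_actors.cc, where the same condition returns without publishing the row; the two tables should agree on what an empty field means, or the setup_actors variant should document why an empty value cannot occur there. A short comment on the first guard, such as `/* length is read from a record that may be changing; bound it before copying */`, would tell the next reader why the copy in `m_row` is tested rather than `pfs->m_username_length`. make_row continues outside this hunk on both ends.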


Attachment: [text/bzr-bundle] bzr/marc.alff@oracle.com-20101007211641-tq8ozhwefl5dkzq2.bundle