#At file:///Users/malff/BZR_TREE/mysql-next-mr-bugfixing-57106/ based on revid:luis.soares@stripped
3321 Marc Alff 2010-10-07
Bug#57106 Robustness of memcpy calls in the performance schema
Before this fix:
- SELECT * from SETUP_ACTORS
- SELECT * from THREADS
could lead to crashes inside a memcpy,
because the length of the memory to copy was not checked.
This fix makes these tables more robust to invalid data, which can be produced under edge conditions when the record being read is changing.
modified:
storage/perfschema/table_setup_actors.cc
storage/perfschema/table_threads.cc
=== modified file 'storage/perfschema/table_setup_actors.cc'
--- a/storage/perfschema/table_setup_actors.cc 2010-07-02 16:15:37 +0000
+++ b/storage/perfschema/table_setup_actors.cc 2010-10-07 21:16:41 +0000
@@ -174,12 +174,23 @@ void table_setup_actors::make_row(PFS_se
pfs->m_lock.begin_optimistic_lock(&lock);
- memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
m_row.m_hostname_length= pfs->m_hostname_length;
- memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+ if (unlikely((m_row.m_hostname_length == 0) ||
+ (m_row.m_hostname_length > sizeof(m_row.m_hostname))))
+ return;
+ memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
m_row.m_username_length= pfs->m_username_length;
- memcpy(m_row.m_rolename, pfs->m_rolename, pfs->m_rolename_length);
+ if (unlikely((m_row.m_username_length == 0) ||
+ (m_row.m_username_length > sizeof(m_row.m_username))))
+ return;
+ memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
m_row.m_rolename_length= pfs->m_rolename_length;
+ if (unlikely((m_row.m_rolename_length == 0) ||
+ (m_row.m_rolename_length > sizeof(m_row.m_rolename))))
+ return;
+ memcpy(m_row.m_rolename, pfs->m_rolename, m_row.m_rolename_length);
if (pfs->m_lock.end_optimistic_lock(&lock))
m_row_exists= true;
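Review bot: The three new guards treat a zero length as invalid, whereas the matching guards added to table_threads.cc in the second hunk let a zero length through and merely skip the memcpy; a one-line comment at the first guard saying why an empty hostname/username/rolename cannot occur in a setup_actors record would stop a later reader from "harmonizing" the two files the wrong way. It is also worth recording that the bound is checked against the snapshotted `m_row.m_hostname_length` rather than `pfs->m_hostname_length`, since the record may be changing underneath the optimistic lock and re-reading the source length would reopen the check-then-copy gap, e.g. `/* compare and copy using the snapshot; re-reading pfs->m_hostname_length here could race */`. The early returns presumably rely on m_row_exists having been reset before the hunk starts, which I cannot confirm from here; make_row begins outside the hunk.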
=== modified file 'storage/perfschema/table_threads.cc'
--- a/storage/perfschema/table_threads.cc 2010-07-21 19:06:21 +0000
+++ b/storage/perfschema/table_threads.cc 2010-10-07 21:16:41 +0000
@@ -187,12 +187,25 @@ void table_threads::make_row(PFS_thread
m_row.m_thread_id= pfs->m_thread_id;
m_row.m_name= safe_class->m_name;
m_row.m_name_length= safe_class->m_name_length;
- memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+
m_row.m_username_length= pfs->m_username_length;
- memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
+ if (unlikely(m_row.m_username_length > sizeof(m_row.m_username)))
+ return;
+ if (m_row.m_username_length != 0)
+ memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
m_row.m_hostname_length= pfs->m_hostname_length;
- memcpy(m_row.m_dbname, pfs->m_dbname, pfs->m_dbname_length);
+ if (unlikely(m_row.m_hostname_length > sizeof(m_row.m_hostname)))
+ return;
+ if (m_row.m_hostname_length != 0)
+ memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
m_row.m_dbname_length= pfs->m_dbname_length;
+ if (unlikely(m_row.m_dbname_length > sizeof(m_row.m_dbname)))
+ return;
+ if (m_row.m_dbname_length != 0)
+ memcpy(m_row.m_dbname, pfs->m_dbname, m_row.m_dbname_length);
+
m_row.m_command= pfs->m_command;
m_row.m_start_time= pfs->m_start_time;
/* FIXME: need to copy it ? */
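Review bot: After an oversized `m_username_length` the function returns before `m_row.m_hostname_length` and `m_row.m_dbname_length` are refreshed, so those fields keep whatever the previous row left in them; that is harmless only if every consumer is gated on `m_row_exists`, which presumably is reset at the top of make_row outside this hunk. A short comment at the first `return`, e.g. `/* inconsistent record: leave m_row_exists false, partial m_row is never read */`, would make that contract explicit for the next maintainer. The `sizeof(m_row.m_username)` bound is only meaningful if these row members are inline character arrays rather than pointers; I believe they are, but the declarations are not in the hunk. make_row continues past the end of the hunk.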