From:Marc Alff Date:October 8 2010 3:06pm
Subject:bzr push into mysql-next-mr-bugfixing branch (marc.alff:3320 to 3321)
Bug#57106
 3321 Marc Alff	2010-10-07
      Bug#57106 Robustness of memcpy calls in the performance schema
      
      Before this fix:
      - SELECT * from SETUP_ACTORS
      - SELECT * from THREADS
      could lead to crashes inside a memcpy,
      because the length of the memory to copy was not checked.
      
      This fix makes these tables more robust to invalid data, which can be produced under edge conditions when the record being read is concurrently changing.

    modified:
      storage/perfschema/table_setup_actors.cc
      storage/perfschema/table_threads.cc
 3320 Luis Soares	2010-10-06 [merge]
      BUG 46110: automerged bzr bundle from bug report.

    added:
      mysql-test/suite/rpl/r/rpl_filter_database.result
      mysql-test/suite/rpl/t/rpl_filter_database-slave.opt
      mysql-test/suite/rpl/t/rpl_filter_database.test
    modified:
      sql/sql_parse.cc
=== modified file 'storage/perfschema/table_setup_actors.cc'
--- a/storage/perfschema/table_setup_actors.cc	2010-07-02 16:15:37 +0000
+++ b/storage/perfschema/table_setup_actors.cc	2010-10-07 21:16:41 +0000
@@ -174,12 +174,23 @@ void table_setup_actors::make_row(PFS_se
 
   pfs->m_lock.begin_optimistic_lock(&lock);
 
-  memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
   m_row.m_hostname_length= pfs->m_hostname_length;
-  memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+  if (unlikely((m_row.m_hostname_length == 0) ||
+               (m_row.m_hostname_length > sizeof(m_row.m_hostname))))
+    return;
+  memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
   m_row.m_username_length= pfs->m_username_length;
-  memcpy(m_row.m_rolename, pfs->m_rolename, pfs->m_rolename_length);
+  if (unlikely((m_row.m_username_length == 0) ||
+               (m_row.m_username_length > sizeof(m_row.m_username))))
+    return;
+  memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
   m_row.m_rolename_length= pfs->m_rolename_length;
+  if (unlikely((m_row.m_rolename_length == 0) ||
+               (m_row.m_rolename_length > sizeof(m_row.m_rolename))))
+    return;
+  memcpy(m_row.m_rolename, pfs->m_rolename, m_row.m_rolename_length);
 
   if (pfs->m_lock.end_optimistic_lock(&lock))
     m_row_exists= true;
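Review bot: The three new early returns leave make_row between begin_optimistic_lock and end_optimistic_lock without touching m_row_exists, so a row with an out-of-range length is only discarded if m_row_exists was reset to false earlier in make_row, which starts outside this hunk and is not visible here. A comment at the first return would make that contract explicit, e.g. `/* Length out of range: the record is being rewritten concurrently; leave m_row_exists false and abandon the row. */`. The bound also assumes `m_row.m_hostname`, `m_row.m_username` and `m_row.m_rolename` are fixed-size char arrays (sizeof of a pointer member would silently compare against the pointer size), and it bounds only the destination: the read from `pfs->m_hostname` is within bounds only if that field is at least as large, which the hunk does not show. Both remarks apply equally to the table_threads hunk below.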

=== modified file 'storage/perfschema/table_threads.cc'
--- a/storage/perfschema/table_threads.cc	2010-07-21 19:06:21 +0000
+++ b/storage/perfschema/table_threads.cc	2010-10-07 21:16:41 +0000
@@ -187,12 +187,25 @@ void table_threads::make_row(PFS_thread 
   m_row.m_thread_id= pfs->m_thread_id;
   m_row.m_name= safe_class->m_name;
   m_row.m_name_length= safe_class->m_name_length;
-  memcpy(m_row.m_username, pfs->m_username, pfs->m_username_length);
+
   m_row.m_username_length= pfs->m_username_length;
-  memcpy(m_row.m_hostname, pfs->m_hostname, pfs->m_hostname_length);
+  if (unlikely(m_row.m_username_length > sizeof(m_row.m_username)))
+    return;
+  if (m_row.m_username_length != 0)
+    memcpy(m_row.m_username, pfs->m_username, m_row.m_username_length);
+
   m_row.m_hostname_length= pfs->m_hostname_length;
-  memcpy(m_row.m_dbname, pfs->m_dbname, pfs->m_dbname_length);
+  if (unlikely(m_row.m_hostname_length > sizeof(m_row.m_hostname)))
+    return;
+  if (m_row.m_hostname_length != 0)
+    memcpy(m_row.m_hostname, pfs->m_hostname, m_row.m_hostname_length);
+
   m_row.m_dbname_length= pfs->m_dbname_length;
+  if (unlikely(m_row.m_dbname_length > sizeof(m_row.m_dbname)))
+    return;
+  if (m_row.m_dbname_length != 0)
+    memcpy(m_row.m_dbname, pfs->m_dbname, m_row.m_dbname_length);
+
   m_row.m_command= pfs->m_command;
   m_row.m_start_time= pfs->m_start_time;
   /* FIXME: need to copy it ? */
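Review bot: Zero-length values are handled differently from table_setup_actors: here a length of 0 is accepted and only the memcpy is skipped, while the setup_actors hunk treats a zero length as invalid and returns. If an empty username, hostname or dbname is a legitimate state for a thread row (a thread with no session attached presumably has none, but that is not shown here), a one-line comment should say so, e.g. `/* Empty user/host/db is valid for a thread; a length past the buffer is not. */`; otherwise the two tables should share one convention so a reader does not mistake the difference for a bug. The remainder of make_row, including the end of the optimistic lock, lies outside the hunk.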


Attachment: [text/bzr-bundle] bzr/marc.alff@oracle.com-20101007211641-tq8ozhwefl5dkzq2.bundle