From:Tatjana A Nuernberg Date:June 21 2007 2:30am
Subject:bk commit into 5.0 tree (tnurnberg:1.2497) BUG#24924
Below is the list of changes that have just been committed into a local
5.0 repository of tnurnberg. When tnurnberg does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-06-21 04:30:10+02:00, tnurnberg@stripped +2 -0
  Bug#24924: shared-memory-base-name that is too long causes buffer overflow
  
  long shared-memory-base-names could overflow a static internal buffer
  and thus crash mysqld and various clients.  change both to dynamic
  buffers, show everything but overflowing those buffers still works.
  
  The test case for this would pretty much amount to
  mysqld --shared-memory-base-name=HeyMrBaseNameXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX --shared-memory=1 &
  mysqladmin --no-defaults --shared-memory-base-name=HeyMrBaseNameXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX shutdown
  
  Unfortunately, we can't just use an .opt file for the
  server. The .opt file is used at start-up, before any
  include in the actual test can tell mysqltest to skip
  this one on non-Windows. As a result, such a test would
  break on unices.
  
  Fixing mysql-test-run.pl to export full path for master
  and slave would enable us to start a server from within
  the test which is ugly and, what's more, doesn't work as
  the server blocks (mysqltest offers no fire-and-forget
  fork-and-exec), and mysqladmin never gets run.
  
  Making the test rpl_windows_shm or some such so we can
  is beyond ugly. As is introducing another file-name based
  special case (run "win*.test" only when on Windows). As is
  (yuck) coding half the test into mtr (as in, having it
  hand out a customized environment conducive to the shm-
  thing on Win only).
  
  Situation is exacerbated by the fact that .sh is not
  necessarily run as expected on Win.
  
  In short, it's just not worth it. No test-case until we
  have a new-and-improved test framework.

  sql-common/client.c@stripped, 2007-06-21 04:30:08+02:00, tnurnberg@stripped +9 -1
    Bug#24924: shared-memory-base-name that is too long causes buffer overflow
    
    compose shared memory name in dynamic rather than static buffer to prevent
    overflows (clients)

  sql/mysqld.cc@stripped, 2007-06-21 04:30:08+02:00, tnurnberg@stripped +10 -1
    Bug#24924: shared-memory-base-name that is too long causes buffer overflow
    
    compose shared memory name in dynamic rather than static buffer to prevent
    overflows (server)
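An added example, not code from the MySQL tree, contrasting the pre-fix fixed-buffer pattern with one way to size the name buffer from the actual suffix table instead of a hand-kept `+ 32`. The suffix strings and the function names `shm_name_would_overflow` / `shm_name_alloc` are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed suffix table mirroring the "base-name + '_' + suffix" scheme
   the commit message describes; the real set lives in client.c/mysqld.cc. */
static const char *const shm_suffixes[] = {
    "CONNECT_REQUEST", "CONNECT_ANSWER", "CONNECT_DATA",
    "CONNECTION_CLOSED", "SERVER_WROTE", "SERVER_READ", NULL
};

/* Longest suffix, derived from the table so it cannot drift from it. */
static size_t shm_longest_suffix(void)
{
    size_t longest = 0;
    for (const char *const *s = shm_suffixes; *s; s++)
        if (strlen(*s) > longest)
            longest = strlen(*s);
    return longest;
}

/* Pre-fix pattern: a fixed 63-byte stack buffer written without a length
   check. Returns 1 when base + '_' + suffix + NUL would not fit, i.e. when
   the unchecked copy would have run past the end of tmp[63]. */
int shm_name_would_overflow(const char *base, const char *suffix)
{
    char tmp[63];
    return strlen(base) + 1 + strlen(suffix) + 1 > sizeof tmp;
}

/* Hardened version: allocate exactly what the longest composed name needs,
   write with snprintf and reject truncation instead of trusting the size.
   Caller frees the result. */
char *shm_name_alloc(const char *base, const char *suffix)
{
    if (!base || !suffix)
        return NULL;
    size_t need = strlen(base) + 1 + shm_longest_suffix() + 1;
    char *name = malloc(need);
    if (!name)
        return NULL;
    int n = snprintf(name, need, "%s_%s", base, suffix);
    if (n < 0 || (size_t)n >= need) {   /* suffix longer than the table allows */
        free(name);
        return NULL;
    }
    return name;
}
```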

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	tnurnberg
# Host:	sin.intern.azundris.com
# Root:	/home/tnurnberg/24924/50-24924

--- 1.616/sql/mysqld.cc	2007-06-16 11:34:16 +02:00
+++ 1.617/sql/mysqld.cc	2007-06-21 04:30:08 +02:00
@@ -4420,7 +4420,7 @@ pthread_handler_t handle_connections_sha
   HANDLE event_connect_answer= 0;
   ulong smem_buffer_length= shared_memory_buffer_length + 4;
   ulong connect_number= 1;
-  char tmp[63];
+  char *tmp= NULL;
   char *suffix_pos;
   char connect_number_char[22], *p;
   const char *errmsg= 0;
@@ -4429,6 +4429,12 @@ pthread_handler_t handle_connections_sha
   DBUG_ENTER("handle_connections_shared_memorys");
   DBUG_PRINT("general",("Waiting for allocated shared memory."));
 
+  /*
+     get enough space base-name + '_' + longest suffix we might ever send
+   */
+  if (!(tmp= (char *)my_malloc(strlen(shared_memory_base_name) + 32L, MYF(MY_FAE))))
+    goto error;
+
   if (my_security_attr_create(&sa_event, &errmsg,
                               GENERIC_ALL, SYNCHRONIZE | EVENT_MODIFY_STATE))
     goto error;
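Review bot: the `if (!(tmp= (char *)my_malloc(..., MYF(MY_FAE))))` check is dead code, because `MY_FAE` makes `my_malloc` abort the process on allocation failure instead of returning NULL; either drop the flag so the `goto error` path is reachable, or drop the check. If the check stays, set `errmsg` before the `goto` so the `if (errmsg)` block at `error:` reports the failure rather than leaving the thread to exit silently. The `+ 32L` is also a magic number: the comment says "base-name + '_' + longest suffix", so derive it from the suffix literals (or a `#define` placed next to them) so the two stay in sync when a suffix is added.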
@@ -4616,6 +4622,9 @@ errorconn:
 
   /* End shared memory handling */
 error:
+  if (tmp)
+    my_free(tmp, MYF(0));
+
   if (errmsg)
   {
     char buff[180];

--- 1.114/sql-common/client.c	2007-06-07 14:27:07 +02:00
+++ 1.115/sql-common/client.c	2007-06-21 04:30:08 +02:00
@@ -402,7 +402,7 @@ HANDLE create_shared_memory(MYSQL *mysql
   HANDLE handle_file_map = NULL;
   ulong connect_number;
   char connect_number_char[22], *p;
-  char tmp[64];
+  char *tmp= NULL;
   char *suffix_pos;
   DWORD error_allow = 0;
   DWORD error_code = 0;
@@ -410,6 +410,12 @@ HANDLE create_shared_memory(MYSQL *mysql
   char *shared_memory_base_name = mysql->options.shared_memory_base_name;
 
   /*
+     get enough space base-name + '_' + longest suffix we might ever send
+   */
+  if (!(tmp= (char *)my_malloc(strlen(shared_memory_base_name) + 32L, MYF(MY_FAE))))
+    goto err;
+
+  /*
     The name of event and file-mapping events create agree next rule:
     shared_memory_base_name+unique_part
     Where:
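Review bot: same `MY_FAE` problem as in mysqld.cc, and it matters more here: with that flag `my_malloc` aborts the whole client process rather than returning NULL, so `goto err` never runs; library code should return NULL and let `err:` report the failure. Also `strlen(shared_memory_base_name)` now executes before any of the function's existing checks; if `mysql->options.shared_memory_base_name` can still be NULL at this point (the visible lines do not show a default being applied), this faults where the old fixed buffer did not. Consider sharing the `+ 32L` sizing between client.c and mysqld.cc through one constant so the two copies cannot drift.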
@@ -551,6 +557,8 @@ err2:
       CloseHandle(handle_file_map);
   }
 err:
+  if (tmp)
+    my_free(tmp, MYF(0));
   if (error_allow)
     error_code = GetLastError();
   if (event_connect_request)
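Review bot: `my_free(tmp, MYF(0))` now runs between the failing Win32 call and `error_code = GetLastError();`; anything executed in between can clobber the thread's last-error value, so move the free below the `GetLastError()` capture (or to the end of the `err:` cleanup) so the reported error stays the original one.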