From: Davi Arnaut  Date: October 25 2007 7:10pm
Subject: bk commit into 5.1 tree (davi:1.2600) BUG#31850
Below is the list of changes that have just been committed into a local
5.1 repository of davi. When davi does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.
For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-10-25 16:09:59-03:00, davi@stripped +2 -0
  Bug#31850 Test crashes in "embedded" serve
  
  The mysql_change_user commit fails to properly update the database pointer
  when no database is selected, leading to "use after free" errors. The same
  happens on the user privilege pointer in the thread security context.
  
  The solution is to properly reset and update the database and the user pointer
  so that it doesn't point to freed memory.

  sql/sql_connect.cc@stripped, 2007-10-25 16:09:56-03:00, davi@stripped +6 -5
    Reset the selected database upon entrance. If no database was given, default to
    unselected, and if it fails, the database will be reset back by the caller.

  sql/sql_parse.cc@stripped, 2007-10-25 16:09:56-03:00, davi@stripped +2 -2
    Remove unneeded cast; the x_free macro casts the argument.

diff -Nrup a/sql/sql_connect.cc b/sql/sql_connect.cc
--- a/sql/sql_connect.cc	2007-10-19 18:20:35 -03:00
+++ b/sql/sql_connect.cc	2007-10-25 16:09:56 -03:00
@@ -318,15 +318,16 @@ int check_user(THD *thd, enum enum_serve
   LEX_STRING db_str= { (char *) db, db ? strlen(db) : 0 };
   
 #ifdef NO_EMBEDDED_ACCESS_CHECKS
+  /*
+    Default to 'no database selected'. In case of error, the caller will
+    restore the previous database.
+  */
+  thd->reset_db(NULL, 0);
   thd->main_security_ctx.master_access= GLOBAL_ACLS;       // Full rights
+  thd->security_ctx->priv_user= thd->security_ctx->user;
   /* Change database if necessary */
   if (db && db[0])
   {
-    /*
-      thd->db is saved in caller and needs to be freed by caller if this
-      function returns 0
-    */
-    thd->reset_db(NULL, 0);
     if (mysql_change_db(thd, &db_str, FALSE))
     {
       /* Send the error to the client */
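Review bot: the ownership contract documented by the removed comment ("thd->db is saved in caller and needs to be freed by caller if this function returns 0") is only half carried over by the new comment, which covers the error path but no longer says that the previous thd->db is the caller's to free on success. Since the whole point of moving `thd->reset_db(NULL, 0)` ahead of `if (db && db[0])` is that thd->db must not keep pointing at the caller-saved string when no database is given, keep a sentence stating that the saved value is freed by the caller after a successful return. Also, `thd->security_ctx->priv_user= thd->security_ctx->user;` makes priv_user alias the user buffer; a short comment noting that both point at the same allocation would help the next reader of the NO_EMBEDDED_ACCESS_CHECKS branch understand why freeing user elsewhere also invalidates priv_user.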
diff -Nrup a/sql/sql_parse.cc b/sql/sql_parse.cc
--- a/sql/sql_parse.cc	2007-10-18 15:47:18 -03:00
+++ b/sql/sql_parse.cc	2007-10-25 16:09:56 -03:00
@@ -933,8 +933,8 @@ bool dispatch_command(enum enum_server_c
       if (save_user_connect)
 	decrease_user_connections(save_user_connect);
 #endif /* NO_EMBEDDED_ACCESS_CHECKS */
-      x_free((uchar*) save_db);
-      x_free((uchar*)  save_security_ctx.user);
+      x_free(save_db);
+      x_free(save_security_ctx.user);
 
       if (cs_number)
       {
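Review bot: `x_free(save_security_ctx.user);` frees the buffer that, after the sql_connect.cc change, the saved context's priv_user also points to, so any use of save_security_ctx after this line would be a use after free of exactly the kind the commit message describes; please confirm nothing in dispatch_command reads save_security_ctx past these two frees. The cast removal itself is fine given that the x_free macro casts its argument, but it is unrelated cleanup and would be easier to bisect as its own changeset.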