From: Michael Widenius
Date: October 27 2000 8:37pm
Subject: Re: bug report: segfaults on large host,username,password,db fields
List-Archive: http://lists.mysql.com/mysql/55400
Message-Id: <14841.59244.709958.801056@tik.mysql.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Hi!

>>>>> "Thimble" == Thimble Smith writes:

Thimble> On Wed, Oct 25, 2000 at 04:53:20PM -0700, ppowledge@stripped wrote:
>> >Description:
>> I get segfaults when I use large-ish values for hosts, username,
>> passwords, and db's in connects. I have not checked this with unix_socket.
>> >How-To-Repeat:
>> At terminal window, type "mysql -u root -p " where is about
>> 300 characters long. Enter password, then segfault.
>> I have also encountered this with mysql_real_connect(), and can
>> send you sample code if you want.
>> >Fix:
>> The workaround is simple: don't do it. :^) But what I'm really worried
>> about here is a DOS attack from a remote user.

Thimble> Since it's the client that's dumping core, there's no worry about a
Thimble> remote user (who must be running the client on her own machine)
Thimble> crashing the server through this problem.

Thimble> Still, it'd be nice to have this fixed. Note: this still happens on
Thimble> the latest 3.23.

Thimble> Thanks for the report,
Thimble> Tim

Here is a patch for this:

===== libmysql/libmysql.c 1.41 vs edited ===== *** libmysql/libmysql.c-1.41 Mon Oct 9 23:10:40 2000 --- edited/libmysql/libmysql.c Fri Oct 27 23:30:34 2000 *************** *** 1140,1146 **** const char *passwd, const char *db, uint port, const char *unix_socket,uint client_flag) { ! char buff[100],charset_name_buff[16],*end,*host_info, *charset_name; my_socket sock; uint32 ip_addr; struct sockaddr_in sock_addr; --- 1140,1147 ---- const char *passwd, const char *db, uint port, const char *unix_socket,uint client_flag) { ! char buff[NAME_LEN+100],charset_name_buff[16],*end,*host_info, ! 
*charset_name; my_socket sock; uint32 ip_addr; struct sockaddr_in sock_addr; *************** *** 1496,1502 **** int3store(buff+2,max_allowed_packet); if (user && user[0]) ! strmake(buff+5,user,32); else read_user_name((char*) buff+5); #ifdef _CUSTOMCONFIG_ --- 1497,1503 ---- int3store(buff+2,max_allowed_packet); if (user && user[0]) ! strmake(buff+5,user,32); /* Max user name */ else read_user_name((char*) buff+5); #ifdef _CUSTOMCONFIG_ *************** *** 1507,1513 **** (my_bool) (mysql->protocol_version == 9)); if (db && (mysql->server_capabilities & CLIENT_CONNECT_WITH_DB)) { ! end=strmov(end+1,db); mysql->db=my_strdup(db,MYF(MY_WME)); db=0; } --- 1508,1514 ---- (my_bool) (mysql->protocol_version == 9)); if (db && (mysql->server_capabilities & CLIENT_CONNECT_WITH_DB)) { ! end=strmake(end+1,db,NAME_LEN); mysql->db=my_strdup(db,MYF(MY_WME)); db=0; }

Regards,
Monty
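Review bot: the new bound `char buff[NAME_LEN+100]` in the first hunk (the declaration at old lines 1140-1146) leaves the `100` unexplained; the later hunks cap user at 32 and db at NAME_LEN, so please add a comment deriving the 100 from the fixed parts of the connect packet (the 5 bytes before the user field, the 32-byte user field, and whatever is written between there and the db name) so the next change to this packet knows how much slack remains. The bug report also names large host values as a trigger, and nothing in these hunks shows where host is written, so it is worth confirming that host never lands in buff.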
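Review bot: the second hunk (old lines 1496-1502) only annotates `strmake(buff+5,user,32)` with `/* Max user name */`; a bare 32 sitting next to a NAME_LEN-sized buffer is easy to desynchronize, so a named constant shared with the buffer declaration would be safer than a comment. Also note that strmake truncates silently, so an over-long user name is sent as a different, shorter name rather than being rejected; a length check that returns an error to the caller would be the stricter fix.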
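Review bot: in the third hunk (old lines 1507-1513), `end=strmake(end+1,db,NAME_LEN)` stops the overflow but truncates silently, while the following `mysql->db=my_strdup(db,MYF(MY_WME))` keeps the full, untruncated name; for a db longer than NAME_LEN the client will record one database name and the server will select another. Consider checking `strlen(db) > NAME_LEN` before building the packet and returning an error to the caller instead of sending a truncated name, so that mysql->db and the server-side default database always agree.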