List: Commits
From:He Zhenxing Date:May 24 2010 2:53am
Subject:bzr commit into mysql-trunk-bugfixing branch (zhenxing.he:3057) Bug#52748
#At file:///media/sdb2/hezx/work/mysql/bzr/b52748/trunk-bugfixing/ based on revid:jon.hauglid@stripped

 3057 He Zhenxing	2010-05-24
      BUG#52748 Semi-Sync ACK packet isn't checked for length
      
      Check the length and use strncpy to make the code safer.

    modified:
      plugin/semisync/semisync_master.cc
=== modified file 'plugin/semisync/semisync_master.cc'
--- a/plugin/semisync/semisync_master.cc	2010-03-11 02:22:18 +0000
+++ b/plugin/semisync/semisync_master.cc	2010-05-24 02:53:14 +0000
@@ -1048,6 +1048,7 @@ int ReplSemiSyncMaster::readSlaveReply(N
   const unsigned char *packet;
   char     log_file_name[FN_REFLEN];
   my_off_t log_file_pos;
+  ulong    log_file_len = 0;
   ulong    packet_len;
   int      result = -1;
 
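Review bot: The new local `log_file_len` is named as if it held the length of the log file, but in the next hunk it is used as the length of the binlog file name carried in the reply packet. A name such as `log_file_name_len` would make the bounds check easier to read. Its `ulong` type also differs from the `my_off_t log_file_pos` it is later computed from, so the width of that subtraction should be considered explicitly.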
@@ -1123,7 +1124,13 @@ int ReplSemiSyncMaster::readSlaveReply(N
   }
 
   log_file_pos = uint8korr(packet + REPLY_BINLOG_POS_OFFSET);
-  strcpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET);
+  log_file_len = packet_len - log_file_pos;
+  if (log_file_len > FN_REFLEN)
+  {
+    sql_print_error("Read semi-sync reply binlog file length too large");
+    goto l_end;
+  }
+  strncpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET, log_file_len);
 
   if (trc_level & kTraceDetail)
     sql_print_information("%s: Got reply (%s, %lu)",
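Review bot: The length computation `log_file_len = packet_len - log_file_pos;` subtracts the wrong quantity. `log_file_pos` is the binlog position decoded from the packet by `uint8korr(packet + REPLY_BINLOG_POS_OFFSET)`, not an offset into the packet. The result is therefore unrelated to the name length, and because the arithmetic is unsigned it can wrap or land on an arbitrary small value that passes the check. Since the name starts at `packet + REPLY_BINLOG_NAME_OFFSET`, the length should be `packet_len - REPLY_BINLOG_NAME_OFFSET`. Before that subtraction there should be a check that `packet_len` is at least `REPLY_BINLOG_NAME_OFFSET`, unless an earlier check not visible in this hunk already guarantees it. The bound is also off by one: `log_file_name` is `char[FN_REFLEN]`, so `log_file_len > FN_REFLEN` accepts a length equal to `FN_REFLEN`, and `strncpy` then fills the buffer without writing a terminator. Use `>=` and set `log_file_name[log_file_len] = 0` after the copy, because `strncpy` does not terminate when the source has no NUL within the given length and the buffer is printed with `%s` just below.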


Attachment: [text/bzr-bundle] bzr/zhenxing.he@sun.com-20100524025314-3cpqy9xwxqale46n.bundle