From:He Zhenxing Date:May 31 2010 8:59am
Subject:bzr commit into mysql-trunk-bugfixing branch (zhenxing.he:3057) Bug#52748
#At file:///media/sdb2/hezx/work/mysql/bzr/b52748/trunk-bugfixing/ based on revid:jon.hauglid@stripped

 3057 He Zhenxing	2010-05-31
      BUG#52748 Semi-Sync ACK packet isn't checked for length
      
      Check the length and use strncpy to make the code safer.

    modified:
      plugin/semisync/semisync_master.cc
=== modified file 'plugin/semisync/semisync_master.cc'
--- a/plugin/semisync/semisync_master.cc	2010-03-11 02:22:18 +0000
+++ b/plugin/semisync/semisync_master.cc	2010-05-31 08:59:32 +0000
@@ -147,7 +147,8 @@ int ActiveTranx::insert_tranx_node(const
   }
 
   /* insert the binlog position in the active transaction list. */
-  strcpy(ins_node->log_name_, log_file_name);
+  strncpy(ins_node->log_name_, log_file_name, FN_REFLEN-1);
+  ins_node->log_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
   ins_node->log_pos_ = log_file_pos;
 
   if (!trx_front_)
@@ -1009,13 +1010,15 @@ int ReplSemiSyncMaster::writeTranxInBinl
     if (cmp > 0)
     {
       /* This is a larger position, let's update the maximum info. */
-      strcpy(commit_file_name_, log_file_name);
+      strncpy(commit_file_name_, log_file_name, FN_REFLEN-1);
+      commit_file_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
       commit_file_pos_ = log_file_pos;
     }
   }
   else
   {
-    strcpy(commit_file_name_, log_file_name);
+    strncpy(commit_file_name_, log_file_name, FN_REFLEN-1);
+    commit_file_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
     commit_file_pos_ = log_file_pos;
     commit_file_name_inited_ = true;
   }
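Review bot: The strncpy-plus-forced-terminator pair is now written out three times in this file (this hunk at the two commit_file_name_ sites, and once more in insert_tranx_node), and each copy hard-codes FN_REFLEN-1 twice, so a future change to one site is easy to miss at the others. A one-line local helper such as `static inline void copy_log_name(char *dst, const char *src) { strncpy(dst, src, FN_REFLEN-1); dst[FN_REFLEN-1] = 0; }` (or the server's own bounded-copy routine, if the plugin already links against it) would keep the bound in one place. Note also that both copies now silently truncate a name longer than FN_REFLEN-1 rather than rejecting it; if callers can never pass such a name that is fine, but a comment saying so, e.g. `/* log_file_name is a server-generated binlog name and always fits in FN_REFLEN; truncation here is only a safety net */`, would document the assumption. writeTranxInBinlog's body continues outside the hunk.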
@@ -1048,6 +1051,7 @@ int ReplSemiSyncMaster::readSlaveReply(N
   const unsigned char *packet;
   char     log_file_name[FN_REFLEN];
   my_off_t log_file_pos;
+  ulong    log_file_len = 0;
   ulong    packet_len;
   int      result = -1;
 
@@ -1123,7 +1127,13 @@ int ReplSemiSyncMaster::readSlaveReply(N
   }
 
   log_file_pos = uint8korr(packet + REPLY_BINLOG_POS_OFFSET);
-  strcpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET);
+  log_file_len = packet_len - REPLY_BINLOG_NAME_OFFSET;
+  if (log_file_len > FN_REFLEN)
+  {
+    sql_print_error("Read semi-sync reply binlog file length too large");
+    goto l_end;
+  }
+  strncpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET, log_file_len);
 
   if (trc_level & kTraceDetail)
     sql_print_information("%s: Got reply (%s, %lu)",
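Review bot: The length check is off by one: `log_file_len > FN_REFLEN` lets a name of exactly FN_REFLEN bytes through, and strncpy with n == FN_REFLEN into `char log_file_name[FN_REFLEN]` leaves the buffer unterminated when the packet carries no NUL within those bytes, so the `%s` trace print below and any later use of log_file_name read past the array. Change the guard to `if (log_file_len >= FN_REFLEN)` and force the terminator after the copy with `log_file_name[log_file_len] = '\0';`, which is in bounds once the guard holds. The subtraction `packet_len - REPLY_BINLOG_NAME_OFFSET` wraps if packet_len is smaller than the offset; the resulting huge value is rejected by the same guard, but an explicit `packet_len < REPLY_BINLOG_NAME_OFFSET` check earlier in readSlaveReply (whose body starts and ends outside this hunk) would make the intent clear rather than relying on unsigned wrap-around.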

