From:He Zhenxing Date:June 1 2010 9:00am
Subject:bzr commit into mysql-trunk-bugfixing branch (zhenxing.he:3077) Bug#52748
#At file:///media/sdb2/hezx/work/mysql/bzr/b52748/trunk-bugfixing/ based on revid:davi.arnaut@stripped

 3077 He Zhenxing	2010-06-01 [merge]
      BUG#52748 Semi-Sync ACK packet isn't check for length
      
      Check the length and use strncpy to make the code safer.

    modified:
      mysql-test/suite/rpl/t/rpl_semi_sync.test
      plugin/semisync/semisync_master.cc
=== modified file 'mysql-test/suite/rpl/t/rpl_semi_sync.test'
--- a/mysql-test/suite/rpl/t/rpl_semi_sync.test	2010-04-28 12:47:49 +0000
+++ b/mysql-test/suite/rpl/t/rpl_semi_sync.test	2010-06-01 08:59:48 +0000
@@ -602,7 +602,11 @@ source include/stop_slave.inc;
 UNINSTALL PLUGIN rpl_semi_sync_slave;
 
 connection master;
+# The dump thread may still be running on the master, and so the following
+# UNINSTALL could generate a warning about the plugin is busy.
+disable_warnings;
 UNINSTALL PLUGIN rpl_semi_sync_master;
+enable_warnings;
 
 connection slave;
 source include/start_slave.inc;

=== modified file 'plugin/semisync/semisync_master.cc'
--- a/plugin/semisync/semisync_master.cc	2010-03-11 02:22:18 +0000
+++ b/plugin/semisync/semisync_master.cc	2010-06-01 08:59:48 +0000
@@ -147,7 +147,8 @@ int ActiveTranx::insert_tranx_node(const
   }
 
   /* insert the binlog position in the active transaction list. */
-  strcpy(ins_node->log_name_, log_file_name);
+  strncpy(ins_node->log_name_, log_file_name, FN_REFLEN-1);
+  ins_node->log_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
   ins_node->log_pos_ = log_file_pos;
 
   if (!trx_front_)
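Review bot: The strncpy-plus-terminator pair on the two added lines is repeated verbatim at both sites of the writeTranxInBinlog hunk below, and all three silently truncate a name longer than FN_REFLEN-1, which presumably leaves a stored name that no longer matches the file it came from. Hoisting the pair into one helper such as `static void copy_log_name(char *dst, const char *src)` keeps the three sites identical, and a comment at the helper should state whether truncation is considered impossible for internally generated binlog names or should be reported. Note that strncpy also zero-fills the remainder of the FN_REFLEN-1 bytes on every call, a small cost on this path. Both enclosing functions, insert_tranx_node and writeTranxInBinlog, start outside their hunks.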
@@ -1009,13 +1010,15 @@ int ReplSemiSyncMaster::writeTranxInBinl
     if (cmp > 0)
     {
       /* This is a larger position, let's update the maximum info. */
-      strcpy(commit_file_name_, log_file_name);
+      strncpy(commit_file_name_, log_file_name, FN_REFLEN-1);
+      commit_file_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
       commit_file_pos_ = log_file_pos;
     }
   }
   else
   {
-    strcpy(commit_file_name_, log_file_name);
+    strncpy(commit_file_name_, log_file_name, FN_REFLEN-1);
+    commit_file_name_[FN_REFLEN-1] = 0; /* make sure it ends properly */
     commit_file_pos_ = log_file_pos;
     commit_file_name_inited_ = true;
   }
@@ -1048,6 +1051,7 @@ int ReplSemiSyncMaster::readSlaveReply(N
   const unsigned char *packet;
   char     log_file_name[FN_REFLEN];
   my_off_t log_file_pos;
+  ulong    log_file_len = 0;
   ulong    packet_len;
   int      result = -1;
 
@@ -1123,7 +1127,13 @@ int ReplSemiSyncMaster::readSlaveReply(N
   }
 
   log_file_pos = uint8korr(packet + REPLY_BINLOG_POS_OFFSET);
-  strcpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET);
+  log_file_len = packet_len - REPLY_BINLOG_NAME_OFFSET;
+  if (log_file_len > FN_REFLEN)
+  {
+    sql_print_error("Read semi-sync reply binlog file length too large");
+    goto l_end;
+  }
+  strncpy(log_file_name, (const char*)packet + REPLY_BINLOG_NAME_OFFSET, log_file_len);
 
   if (trc_level & kTraceDetail)
     sql_print_information("%s: Got reply (%s, %lu)",
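Review bot: The copy at the end of the hunk can leave log_file_name without a NUL terminator: strncpy writes none when the source holds no NUL within log_file_len bytes, and the new guard admits log_file_len == FN_REFLEN, which fills the whole FN_REFLEN-byte buffer, so the `%s` trace two lines later (and anything else that reads log_file_name) may run past the array. Reject lengths that leave no room for the terminator and terminate explicitly: `if (log_file_len >= FN_REFLEN)` for the check, and `log_file_name[log_file_len] = 0;` after the strncpy. When packet_len is smaller than REPLY_BINLOG_NAME_OFFSET the ulong subtraction wraps to a large value that the same check rejects, which works but deserves a comment, e.g. `/* a short packet wraps log_file_len; the length check rejects it */`. readSlaveReply's body continues outside the hunk, and packet_len is assigned earlier, outside this view.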


Attachment: [text/bzr-bundle] bzr/zhenxing.he@sun.com-20100601085948-jll7bqx0d88q99ei.bundle