From b9380f0e76b34af223c4ef0b4fe648ddca47a59c Mon Sep 17 00:00:00 2001
From: Davi Arnaut <Davi.Arnaut@Sun.COM>
Date: Thu, 17 Dec 2009 15:58:38 -0200
Subject: Bug#48983: Bad strmake calls (length one too long)

The problem is a somewhat common misusage of the strmake function.
The strmake(dst, src, len) function writes at most /len/ bytes to
the string pointed to by src, not including the trailing null byte.
Hence, if /len/ is the exact length of the destination buffer, a
one byte buffer overflow can occur if the length of the source
string is equal to or greater than /len/.
---
 sql/sql_acl.cc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'sql/sql_acl.cc')

diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index f29baad9a84..bf117874552 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -914,7 +914,7 @@ int acl_getroot(THD *thd, USER_RESOURCES  *mqh,
     *mqh= acl_user->user_resource;
 
     if (acl_user->host.hostname)
-      strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME);
+      strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME - 1);
     else
       *sctx->priv_host= 0;
   }
@@ -1015,7 +1015,7 @@ bool acl_getroot_no_password(Security_context *sctx, char *user, char *host,
     sctx->priv_user= acl_user->user ? user : (char *) "";
 
     if (acl_user->host.hostname)
-      strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME);
+      strmake(sctx->priv_host, acl_user->host.hostname, MAX_HOSTNAME - 1);
     else
       *sctx->priv_host= 0;
   }
-- 
cgit v1.2.1