From cba71f3e253fbe654bb570e60b43fd089faaddb1 Mon Sep 17 00:00:00 2001 From: unknown Date: Thu, 1 Nov 2007 17:29:20 -0200 Subject: Bug#31850 Test crashes in "embedded" server The mysql_change_user command fails to properly update the database pointer when no database is selected, leading to "use after free" errors. The same happens on the user privilege pointer in the thread security context. The solution is to properly reset and update the database name. Also update the user_priv pointer so that it doesn't point to freed memory. sql/sql_connect.cc: After a successful call to check_user() without specifying a new database name, the previous database thd->db) is freed but the pointer is not updated to NULL. sql/sql_parse.cc: Update the security_ctx->priv_user pointer as it is a alias for the user security_ctx->user pointer. Also remove unneeded cast, the x_free macro casts the argument. --- sql/sql_parse.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) (limited to 'sql/sql_parse.cc') diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 85457fea41b..b2f2e74999b 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -911,6 +911,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd, /* Clear variables that are allocated */ thd->user_connect= 0; + thd->security_ctx->priv_user= thd->security_ctx->user; res= check_user(thd, COM_CHANGE_USER, passwd, passwd_len, db, FALSE); if (res) @@ -933,8 +934,8 @@ bool dispatch_command(enum enum_server_command command, THD *thd, if (save_user_connect) decrease_user_connections(save_user_connect); #endif /* NO_EMBEDDED_ACCESS_CHECKS */ - x_free((uchar*) save_db); - x_free((uchar*) save_security_ctx.user); + x_free(save_db); + x_free(save_security_ctx.user); if (cs_number) { -- cgit v1.2.1