From a162adad6005c12ab27a8e18023d90bb928d6f2d Mon Sep 17 00:00:00 2001 From: Dmitry Lenev Date: Tue, 11 Dec 2012 22:00:51 +0400 Subject: Bug #15954872 "MAKE MDL SUBSYSTEM AND TABLE DEFINITION CACHE ROBUST AGAINST BUGS IN CALLERS". Both MDL subsystems and Table Definition Cache code assume that callers ensure that names of objects passed to them are not longer than NAME_LEN bytes. Unfortunately due to bugs in callers this assumption might be broken in some cases. As result we get nasty bugs causing buffer overruns when we construct MDL key or TDC key from object names. This patch makes TDC code more robust against such bugs by ensuring that we always checking size of result buffer when constructing TDC keys. This doesn't free its callers from ensuring that both db and table names are shorter than NAME_LEN bytes. But at least this steps prevents buffer overruns in case of bug in caller, replacing them with less harmful behavior. This is 5.1-only version of patch. This patch introduces new version of create_table_def_key() helper function which constructs TDC key without risk of result buffer overrun. Places in code that construct TDC keys were changed to use this function. Also changed rm_temporary_table() and open_new_frm() functions to avoid use of "unsafe" strmov() and strxmov() functions and use safer strnxmov() instead. --- sql/sql_trigger.cc | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) (limited to 'sql/sql_trigger.cc') diff --git a/sql/sql_trigger.cc b/sql/sql_trigger.cc index 4e056739d96..3ad956cb3fe 100644 --- a/sql/sql_trigger.cc +++ b/sql/sql_trigger.cc @@ -1988,9 +1988,7 @@ bool Table_triggers_list::change_table_name(THD *thd, const char *db, */ #ifndef DBUG_OFF uchar key[MAX_DBKEY_LENGTH]; - uint key_length= (uint) (strmov(strmov((char*)&key[0], db)+1, - old_table)-(char*)&key[0])+1; - + uint key_length= create_table_def_key((char *)key, db, old_table); if (!is_table_name_exclusively_locked_by_this_thread(thd, key, key_length)) safe_mutex_assert_owner(&LOCK_open); #endif -- cgit v1.2.1