MariaDB Server: MDEV-22824

Buffer overflow in dict_table_t::parse_name()


    Details

      Description

      The test parts.longname that I extended for MDEV-22817 revealed another error that was introduced in MDEV-16678:

      10.5 0e69f601aaafb920a9305c4ab5d380de2b43e917

      ==113772==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f8718ff4b21 at pc 0x7f872870157d bp 0x7f8718ff47f0 sp 0x7f8718ff3f98
      WRITE of size 394 at 0x7f8718ff4b21 thread T15
          #0 0x7f872870157c  (/lib/x86_64-linux-gnu/libasan.so.5+0x9b57c)
          #1 0x558391fc45d0 in bool dict_table_t::parse_name<true>(char (&) [193], char (&) [193], unsigned long*, unsigned long*) const /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:751
          #2 0x558391fc49c2 in dict_table_t* dict_acquire_mdl_shared<false>(dict_table_t*, THD*, MDL_ticket**, dict_table_op_t) /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:819
          #3 0x558391faff5a in dict_table_open_on_id(unsigned long, bool, dict_table_op_t, THD*, MDL_ticket**) /home/buildbot/buildbot/build/mariadb-10.5.4/storage/innobase/dict/dict0dict.cc:955
      

      The problem is that we are copying the entire table name (with partition and subpartition names) to the buffer, and only then stripping the partition and subpartition components.
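The following C program is an added illustration of the ordering problem described above; it is not MariaDB's code. `unsafe_copy_len()` shows how many bytes the "copy everything, strip afterwards" approach writes into the destination before any stripping happens, while `parse_name_bounded()` measures the bare `db/table` prefix first and bounds every copy by the caller's capacity, rejecting names that do not fit instead of truncating them. The 193-byte size is taken from the `char (&)[193]` parameters in the stack trace; the `#P#` and `#SP#` separators follow InnoDB's on-disk naming for partitions and subpartitions; all function names and the sample name are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Assumption for this added example: the buffer size comes from the
 * char (&)[193] parameters in the stack trace. */
#define NAME_BUF 193

/* Bytes written by the unsafe ordering: the whole name, including the
 * "#P#part#SP#sub" suffix, plus the terminating NUL, lands in the
 * destination before anything is stripped. */
size_t unsafe_copy_len(const char *name)
{
    return strlen(name) + 1;
}

/* Length of the "db/table" prefix, i.e. everything before the first "#P#". */
size_t bare_name_len(const char *name)
{
    const char *p = strstr(name, "#P#");
    return p ? (size_t)(p - name) : strlen(name);
}

/* Split "db/table[#P#part[#SP#sub]]" into db and table. The partition
 * suffix is measured and dropped before a single byte is copied, and each
 * copy is bounded by the caller's capacity. Returns 0 on success, -1 when
 * there is no '/' or when a component (plus its NUL) would not fit. */
int parse_name_bounded(const char *name, char *db, size_t db_cap,
                       char *tbl, size_t tbl_cap)
{
    size_t n = bare_name_len(name);
    const char *slash = memchr(name, '/', n);
    if (!slash)
        return -1;
    size_t db_len = (size_t)(slash - name);
    size_t tbl_len = n - db_len - 1;
    if (db_len >= db_cap || tbl_len >= tbl_cap)
        return -1;                      /* would overflow: refuse, don't truncate */
    memcpy(db, name, db_len);
    db[db_len] = '\0';
    memcpy(tbl, slash + 1, tbl_len);
    tbl[tbl_len] = '\0';
    return 0;
}

/* Small builders for the constructed sample names. */
static size_t append_run(char *out, size_t pos, char c, size_t n)
{
    memset(out + pos, c, n);
    return pos + n;
}

static size_t append_str(char *out, size_t pos, const char *s)
{
    size_t n = strlen(s);
    memcpy(out + pos, s, n);
    return pos + n;
}

/* Constructed input: 64-byte db, table, partition and subpartition names
 * (64 is the identifier length limit), 264 bytes in total. Returns 1 when
 * the unsafe ordering would overflow NAME_BUF and the bounded parser still
 * recovers the right db/table pair. */
int demo_partitioned_name(void)
{
    char name[512];
    size_t pos = 0;
    pos = append_run(name, pos, 'd', 64);
    pos = append_str(name, pos, "/");
    pos = append_run(name, pos, 't', 64);
    pos = append_str(name, pos, "#P#");
    pos = append_run(name, pos, 'p', 64);
    pos = append_str(name, pos, "#SP#");
    pos = append_run(name, pos, 's', 64);
    name[pos] = '\0';

    char db[NAME_BUF], tbl[NAME_BUF];
    if (unsafe_copy_len(name) <= NAME_BUF)          /* 265 bytes > 193 */
        return 0;
    if (parse_name_bounded(name, db, sizeof db, tbl, sizeof tbl) != 0)
        return 0;
    return strlen(db) == 64 && strlen(tbl) == 64 && db[0] == 'd' && tbl[0] == 't';
}

/* A table name that is itself too long for the buffer must be rejected
 * even without any partition suffix: 193 bytes leave no room for the NUL. */
int demo_oversized_table_name(void)
{
    char name[512];
    size_t pos = 0;
    pos = append_run(name, pos, 'd', 10);
    pos = append_str(name, pos, "/");
    pos = append_run(name, pos, 't', NAME_BUF);
    name[pos] = '\0';
    char db[NAME_BUF], tbl[NAME_BUF];
    return parse_name_bounded(name, db, sizeof db, tbl, sizeof tbl);
}

int main(void)
{
    printf("partitioned name parsed safely: %s\n",
           demo_partitioned_name() ? "yes" : "no");
    printf("oversized table name rejected: %s\n",
           demo_oversized_table_name() == -1 ? "yes" : "no");
    return 0;
}
```

The point of the bounded version is the order of operations: the length that matters for the copy is the length after the partition components are removed, so that length has to be known before the copy, and a name that still does not fit is an error rather than something to truncate silently.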


              People

              Assignee: Marko Mäkelä (marko)
              Reporter: Marko Mäkelä (marko)