MariaDB Server / MDEV-3289

LP:698132 - valgrind error "Invalid write of size 1" in client.c send_change_user_packet()

Details

    • Bug
    • Status: Closed
    • Major
    • Resolution: Fixed

    Description

      I'm not sure that mysql_client_test is run under valgrind normally, but the
      issue can be repeated like this on latest lp:maria/5.2
      (revid:<email address hidden>):

      (cd mysql-test && ./mtr main.mysql_client_test --start)

      valgrind tests/mysql_client_test --defaults-file=mysql-test/var/my.cnf --vardir=mysql-test/var test_bug31669

      #####################################
      1 of (1/1): test_bug31669
      #####################################
      ==18293== Invalid write of size 1
      ==18293== at 0x4AD084: strmake (strmake.c:55)
      ==18293== by 0x4D822C: send_change_user_packet (client.c:2016)
      ==18293== by 0x4D8D64: client_mpvio_write_packet (client.c:2306)
      ==18293== by 0x4DCB05: native_password_auth_client (client.c:3878)
      ==18293== by 0x4D9100: run_plugin_auth (client.c:2441)
      ==18293== by 0x48BE91: mysql_change_user (libmysql.c:695)
      ==18293== by 0x485BBC: test_bug31669 (mysql_client_test.c:17346)
      ==18293== by 0x48A8B2: main (mysql_client_test.c:18917)
      ==18293== Address 0x6ae4fa8 is 1 bytes after a block of size 455 alloc'd
      ==18293== at 0x4C22FAB: malloc (vg_replace_malloc.c:207)
      ==18293== by 0x496528: my_malloc (my_malloc.c:38)
      ==18293== by 0x4D806F: send_change_user_packet (client.c:1981)
      ==18293== by 0x4D8D64: client_mpvio_write_packet (client.c:2306)
      ==18293== by 0x4DCB05: native_password_auth_client (client.c:3878)
      ==18293== by 0x4D9100: run_plugin_auth (client.c:2441)
      ==18293== by 0x48BE91: mysql_change_user (libmysql.c:695)
      ==18293== by 0x485BBC: test_bug31669 (mysql_client_test.c:17346)
      ==18293== by 0x48A8B2: main (mysql_client_test.c:18917)

      It looks to me like this buffer in send_change_user_packet() is allocated a
      couple bytes too short:

      buff= my_alloca(USERNAME_LENGTH + data_len + 1 + NAME_LEN + 2 + NAME_LEN);

      The buffer size seems to be missing space for zero terminators of the
      username, database, and plugin name?
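
The sizing gap described above, as an added example that is not part of the original report or MariaDB's code: a bounds-checked packet builder that compares the quoted allocation with one that reserves a byte for each terminator. The values of `USERNAME_LENGTH` and `NAME_LEN`, the field order, and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define USERNAME_LENGTH 48  /* assumed; with a 20-byte response the quoted   */
#define NAME_LEN 192        /* formula then gives 455, the block size above  */

/* Allocation size exactly as quoted in the report. */
size_t reported_alloc(size_t data_len) {
    return USERNAME_LENGTH + data_len + 1 + NAME_LEN + 2 + NAME_LEN;
}
/* Same fields, with one extra byte per NUL-terminated string. */
size_t required_alloc(size_t data_len) {
    return (USERNAME_LENGTH + 1) + (1 + data_len) + (NAME_LEN + 1) + 2 + (NAME_LEN + 1);
}
/* Append n raw bytes, refusing to write past cap (invariant: *off <= cap). */
static int put_bytes(unsigned char *b, size_t cap, size_t *off, const void *p, size_t n) {
    if (n > cap - *off) return -1;
    memcpy(b + *off, p, n);
    *off += n;
    return 0;
}
/* Append at most max bytes of s, then its NUL terminator. */
static int put_cstr(unsigned char *b, size_t cap, size_t *off, const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n]) n++;
    return put_bytes(b, cap, off, s, n) ? -1 : put_bytes(b, cap, off, "", 1);
}
/* Assumed layout: user\0, length byte, response, db\0, 2-byte charset, plugin\0.
   Returns the number of bytes written, or -1 if the packet does not fit in cap. */
long build_change_user(unsigned char *b, size_t cap, const char *user,
                       const unsigned char *auth, unsigned char auth_len,
                       const char *db, const char *plugin) {
    size_t off = 0;
    const unsigned char charset[2] = {0, 0};  /* constructed placeholder value */
    if (put_cstr(b, cap, &off, user, USERNAME_LENGTH) || put_bytes(b, cap, &off, &auth_len, 1) ||
        put_bytes(b, cap, &off, auth, auth_len) || put_cstr(b, cap, &off, db, NAME_LEN) ||
        put_bytes(b, cap, &off, charset, 2) || put_cstr(b, cap, &off, plugin, NAME_LEN))
        return -1;
    return (long)off;
}
/* Build a packet with every string at maximum length, limited to cap bytes. */
long worst_case_build(size_t cap) {
    char user[USERNAME_LENGTH + 1] = {0}, name[NAME_LEN + 1] = {0};
    unsigned char auth[20] = {0}, b[512];     /* constructed sample input */
    if (cap > sizeof b) return -2;
    memset(user, 'u', USERNAME_LENGTH);
    memset(name, 'n', NAME_LEN);
    return build_change_user(b, cap, user, auth, sizeof auth, name, name);
}
```

Calling `worst_case_build(reported_alloc(20))` fails the bounds check, while `worst_case_build(required_alloc(20))` fits exactly.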

          People

            knielsen Kristian Nielsen