Details
-
Bug
-
Status: Closed (View Workflow)
-
Minor
-
Resolution: Fixed
-
10.6.25, 10.11.16, 11.8.6, 12.3.1
-
Can result in hang or crash
Description
The .cfg metadata file parser in storage/innobase/row/row0import.cc (used by ALTER TABLE ... IMPORT TABLESPACE) uses overly permissive or missing length limits when reading identifier strings from .cfg files.
String lengths are read as 4-byte integers via mach_read_from_4(), meaning a crafted .cfg file can specify lengths up to 2^32 bytes. Without proper bounds, this causes excessive memory allocation via UT_NEW_ARRAY_NOKEY() before the
string content is even validated.
Current state on main:
- Field names: no length validation at all
- Index names: limited to OS_FILE_MAX_PATH (4000), no check for zero
- Column names: limited to 128 with a FIXME: What is the maximum column name length? comment
- Hostname: no length validation at all
- Table name: no length validation at all
Correct limits (all lengths include the NUL terminator):
- Field/index/column names: NAME_LEN + 1 (193), the maximum identifier length
- Hostname: HOSTNAME_LENGTH + 1 (256), consistent with MariaDB's own hostname limit. Note: RFC 1035 defines the textual DNS name limit as 253 characters (253+1=254 with NUL), but MariaDB's HOSTNAME_LENGTH (255) is based on the RFC 1034
wire-format limit of 255 octets. Using HOSTNAME_LENGTH avoids rejecting .cfg files exported from servers with hostnames between 254-255 characters, which MariaDB itself permits. - Table name: MAX_FULL_NAME_LEN + 1 (655), since the .cfg file stores the full db/table name (written by row0quiesce.cc as table->name.m_name)
The existing row_import_cfg_read_string() function already validates that the NUL byte appears at exactly position len - 1, which prevents embedded NUL bytes and ensures proper termination.
—