Details
- Bug
- Status: Closed
- Major
- Resolution: Duplicate
- 5.5.42, 10.0.17
- None
- Linux
Description
If mysqladmin is called purely with options (e.g. mysqladmin -u root), mask_password (the process list password scrubber) gets called with empty argv and zero argc. This causes an OOB write to temp_argv (line 1218 below) that results in a segmentation fault crash of mysqladmin.
Attached patch against MariaDB 5.5.42 fixes (similar can be applied to other affected branches).
--mancha
mariadb-5.5.42/client/mysqladmin.cc:
1198 static char **mask_password(int argc, char ***argv)
1199 {
1200   char **temp_argv;
1201   temp_argv= (char **)(my_malloc(sizeof(char *) * argc, MYF(MY_WME)));
1202   argc--;
1203   while (argc > 0)
1204   {
1205     temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
1206     if (find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_PASSWORD ||
1207         find_type((*argv)[argc - 1],&command_typelib, FIND_TYPE_BASIC) == ADMIN_OLD_PASSWORD)
1208     {
1209       char *start= (*argv)[argc];
1210       while (*start)
1211         *start++= 'x';
1212       start= (*argv)[argc];
1213       if (*start)
1214         start[1]= 0; /* Cut length of argument */
1215     }
1216     argc--;
1217   }
1218   temp_argv[argc]= my_strdup((*argv)[argc], MYF(MY_FAE));
1219   return(temp_argv);
1220 }
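A stand-alone sketch of the missing bounds check, added here as an example; it is not the attached patch and not MariaDB code. It swaps my_malloc/my_strdup for libc calls and the find_type()/command_typelib lookup for a hypothetical is_password_command(), and it assumes callers accept NULL for an empty command list.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the find_type()/command_typelib lookup. */
static int is_password_command(const char *s)
{
  return strcmp(s, "password") == 0 || strcmp(s, "old-password") == 0;
}

static void free_copies(char **copy, int argc)
{
  while (argc-- > 0)
    free(copy[argc]);
  free(copy);
}

/* Copy argv[0..argc-1], then scrub in place each argument that follows a
   password command. Returns NULL when there is nothing to copy. */
static char **mask_password_checked(int argc, char **argv)
{
  char **copy;
  int i;
  if (argc <= 0 || argv == NULL)   /* the reported case: no index is valid */
    return NULL;
  if (!(copy = calloc((size_t) argc, sizeof(char *))))
    return NULL;
  for (i = argc - 1; i >= 0; i--)  /* same order as the original loop */
  {
    size_t len = strlen(argv[i]) + 1;
    if (!(copy[i] = malloc(len))) { free_copies(copy, argc); return NULL; }
    memcpy(copy[i], argv[i], len); /* private, unmasked copy */
    if (i > 0 && is_password_command(argv[i - 1]))
    {
      memset(argv[i], 'x', len - 1);
      if (len > 1)
        argv[i][1] = '\0';         /* cut length of argument */
    }
  }
  return copy;
}

int main(void)
{
  char cmd[] = "password", secret[] = "s3cret";  /* constructed sample */
  char *args[] = { cmd, secret };
  char **copy = mask_password_checked(2, args);
  int ok = copy && !strcmp(args[1], "x") && !strcmp(copy[1], "s3cret");
  return !(ok && mask_password_checked(0, args) == NULL);
}
```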
Attachments
Issue Links
- is duplicated by
  - MDEV-7883 Segmentation failure when running mysqladmin -u root -p (Closed)