hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix error packet stringification function

Browse Source 
The code read past the stack buffer.
This commit is contained in:
Markus Mäkelä
2019-01-14 13:39:02 +02:00
parent 021d48f94c
commit 57fe5ff56a
1 changed files with 8 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
server/modules/routing/readwritesplit/rwsplit_session_cmd.cc
View File

@ -35,13 +35,18 @@ std::string extract_error(GWBUF* buffer)
if (MYSQL_IS_ERROR_PACKET(((uint8_t*)GWBUF_DATA(buffer)))) if (MYSQL_IS_ERROR_PACKET(((uint8_t*)GWBUF_DATA(buffer))))
{ {
size_t replylen = MYSQL_GET_PAYLOAD_LEN(GWBUF_DATA(buffer)); size_t replylen = MYSQL_GET_PAYLOAD_LEN(GWBUF_DATA(buffer)) + MYSQL_HEADER_LEN;
char replybuf[replylen]; char replybuf[replylen];
gwbuf_copy_data(buffer, 0, sizeof(replybuf), (uint8_t*)replybuf); gwbuf_copy_data(buffer, 0, sizeof(replybuf), (uint8_t*)replybuf);
std::string err; std::string err;
std::string msg; std::string msg;
err.append(replybuf + 8, 5);
msg.append(replybuf + 13, replylen - 4 - 5); /**
* The payload starts with a one byte command followed by a two byte error code, a six byte state and
* a human-readable string that spans the rest of the packet.
*/
err.append(replybuf + MYSQL_HEADER_LEN + 3, 6);
msg.append(replybuf + MYSQL_HEADER_LEN + 3 + 6, replylen - MYSQL_HEADER_LEN - 3 - 6);
rval = err + ": " + msg; rval = err + ": " + msg;
} }