From b2047aaa80e0893424750819ebdf81279025d830 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?= Date: Tue, 28 Aug 2018 16:40:00 +0300 Subject: [PATCH] Fix heap buffer overflow in blr The name printing wrote past the end of the buffer. --- server/modules/routing/binlogrouter/blr_master.cc | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/server/modules/routing/binlogrouter/blr_master.cc b/server/modules/routing/binlogrouter/blr_master.cc index 748f73196..043357521 100644 --- a/server/modules/routing/binlogrouter/blr_master.cc +++ b/server/modules/routing/binlogrouter/blr_master.cc @@ -392,11 +392,12 @@ blr_restart_master(ROUTER_INSTANCE *router) /* Set reconnection task */ static const char master[] = "Master"; - char *name = (char *)MXS_MALLOC(strlen(router->service->name) + sizeof(master)); + size_t sz = strlen(router->service->name) + sizeof(master) + 2; + char *name = (char *)MXS_MALLOC(sz); if (name) { - sprintf(name, "%s %s", router->service->name, master); + snprintf(name, sz, "%s %s", router->service->name, master); hktask_add(name, blr_start_master_in_main, router,