From bce5627ee3a856fa4806cae4cd3ae1a4391198e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Fri, 16 Feb 2018 11:00:18 +0200
Subject: [PATCH] Fix out-of-bounds read on invalid query message

When the parsing of a query failed, the message would treat the parameter as a string as the printf format was `%*s` instead of `%.*s`. The manpage of printf states the following about the precision specifier: ... or the maximum number of characters to be printed from a string for `s` and `S` conversions. This means that the field length specifier is somewhat meaningless for strings.
---
 query_classifier/qc_sqlite/qc_sqlite.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/query_classifier/qc_sqlite/qc_sqlite.cc b/query_classifier/qc_sqlite/qc_sqlite.cc
index ef46a0902..ad0b10bac 100644
--- a/query_classifier/qc_sqlite/qc_sqlite.cc
+++ b/query_classifier/qc_sqlite/qc_sqlite.cc
@@ -3603,7 +3603,7 @@ static void log_invalid_data(GWBUF* query, const char* message)
 length = (int)GWBUF_LENGTH(query) - MYSQL_HEADER_LEN - 1;
 }
- MXS_INFO("Parsing the query failed, %s: %*s", message, length, sql);
+ MXS_INFO("Parsing the query failed, %s: %.*s", message, length, sql);
 }
 }
 }
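Review bot: With `%.*s` a negative precision is treated as if it had been omitted, so printing runs to the first NUL again; `length` is computed just above the changed line as `(int)GWBUF_LENGTH(query) - MYSQL_HEADER_LEN - 1` and goes negative whenever the buffer holds fewer than MYSQL_HEADER_LEN + 1 bytes, unless a guard outside the hunk already excludes that case. If `sql` points into the packet payload rather than at a NUL-terminated string, that would reintroduce the out-of-bounds read this commit fixes for precisely the malformed inputs the function exists to log. Clamping before the call, `if (length < 0) { length = 0; }`, closes the gap regardless of what the earlier branch does. log_invalid_data's header and the branch that computes `length` start outside the hunk, so whether such a guard already exists cannot be confirmed here.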