hcq/MaxScale
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added protection for buffer overrun in COM_BINLOG_DUMP.

Browse Source
This commit is contained in:
Mark Riddoch
2015-02-05 09:37:56 +00:00
parent c6de1ff821
commit c611d63e94
1 changed files with 16 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
server/modules/routing/binlog/blr_slave.c
View File

@ -1079,8 +1079,15 @@ uint32_t chksum;
ptr = GWBUF_DATA(queue); ptr = GWBUF_DATA(queue);
len = extract_field(ptr, 24); len = extract_field(ptr, 24);
binlognamelen = len - 11; binlognamelen = len - 11;
if (! slave->nocrc) if (binlognamelen > BINLOG_FNAMELEN)
binlognamelen -= 4; {
LOGIF(LE, (skygw_log_write(
LOGFILE_ERROR,
"blr_slave_binlog_dump truncating binlog filename "
"from %d to %d",
binlognamelen, BINLOG_FNAMELEN)));
binlognamelen = BINLOG_FNAMELEN;
}
ptr += 4; // Skip length and sequence number ptr += 4; // Skip length and sequence number
if (*ptr++ != COM_BINLOG_DUMP) if (*ptr++ != COM_BINLOG_DUMP)
{ {
@ -1100,6 +1107,13 @@ uint32_t chksum;
strncpy(slave->binlogfile, (char *)ptr, binlognamelen); strncpy(slave->binlogfile, (char *)ptr, binlognamelen);
slave->binlogfile[binlognamelen] = 0; slave->binlogfile[binlognamelen] = 0;
LOGIF(LD, (skygw_log_write(
LOGFILE_DEBUG,
"%s: COM_BINLOG_DUMP: binlog name '%s', length %d, "
"from position %d.", router->service->name,
slave->binlogfile, binlognamelen,
slave->binlog_pos)));
slave->seqno = 1; slave->seqno = 1;