Added protection for buffer overrun in COM_BINLOG_DUMP.

2015-02-05 09:37:56 +00:00
parent c6de1ff821
commit c611d63e94
1 changed files with 16 additions and 2 deletions
--- a/server/modules/routing/binlog/blr_slave.c
+++ b/server/modules/routing/binlog/blr_slave.c
@ -1079,8 +1079,15 @@ uint32_t	chksum;
 	ptr = GWBUF_DATA(queue);
 	len = extract_field(ptr, 24);
 	binlognamelen = len - 11;
-	if (! slave->nocrc)
-		binlognamelen -= 4;
+	if (binlognamelen > BINLOG_FNAMELEN)
+	{
+        	LOGIF(LE, (skygw_log_write(
+			LOGFILE_ERROR,
+			"blr_slave_binlog_dump truncating binlog filename "
+			"from %d to %d",
+			binlognamelen, BINLOG_FNAMELEN)));
+		binlognamelen = BINLOG_FNAMELEN;
+	}
 	ptr += 4;		// Skip length and sequence number
 	if (*ptr++ != COM_BINLOG_DUMP)
 	{
@ -1100,6 +1107,13 @@ uint32_t	chksum;
 	strncpy(slave->binlogfile, (char *)ptr, binlognamelen);
 	slave->binlogfile[binlognamelen] = 0;

+       	LOGIF(LD, (skygw_log_write(
+		LOGFILE_DEBUG,
+		"%s: COM_BINLOG_DUMP: binlog name '%s', length %d, "
+		"from position %d.", router->service->name,
+			slave->binlogfile, binlognamelen, 
+			slave->binlog_pos)));
+
 	slave->seqno = 1;