Commit 1e2d3c9b authored by unknown's avatar unknown

fix potential security hole, pointed out by Sergei. Also simplify code per Sergei's suggestion.


sql/ha_federated.cc:
  If the string returned by mysql_error(mysql) contained any %-format specifiers, my_snprintf would try to interpret them. The fix essentially replaces printf(str) with printf("%s", str);
sql/ha_federated.h:
  removed unused remote_error_len variable
parent 3b7c799f
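--- a/sql/ha_federated.cc
+++ b/sql/ha_federated.cc
@@ -2616,10 +2616,8 @@ int ha_federated::stash_remote_error()
   DBUG_ENTER("ha_federated::stash_remote_error()");
   remote_error_number= mysql_errno(mysql);
   const char *remote_error= mysql_error(mysql);
-  remote_error_len= strlen(remote_error);
-  if(remote_error_len > (sizeof(remote_error_buf) - 1))
-    remote_error_len= (sizeof(remote_error_buf) - 1);
-  my_snprintf(remote_error_buf, remote_error_len + 1, remote_error);
+  my_snprintf(remote_error_buf, sizeof(remote_error_buf), "%s",
+              mysql_error(mysql));
   DBUG_RETURN(HA_FEDERATED_ERROR_WITH_REMOTE_SYSTEM);
 }
 
@@ -2633,11 +2631,10 @@ bool ha_federated::get_error_message(int error, String* buf)
     buf->append("Error on remote system: ");
     buf->qs_append(remote_error_number);
     buf->append(": ");
-    buf->append(remote_error_buf, remote_error_len);
+    buf->append(remote_error_buf);
 
     remote_error_number= 0;
     remote_error_buf[0]= '\0';
-    remote_error_len= 0;
   }
   DBUG_PRINT("exit", ("message: %s", buf->ptr()));
   DBUG_RETURN(FALSE);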
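Review bot: In get_error_message(), the new `buf->append(remote_error_buf);` locates the end of the message by its NUL terminator, where the old call used the stored length, so it is only safe if remote_error_buf is terminated on every path that reaches it. my_snprintf (assuming it always terminates its output) and the `remote_error_buf[0]= '\0';` reset cover the paths after stash_remote_error(), but the constructor and the condition guarding this branch are outside the hunk; if the buffer is not initialised there, add `remote_error_buf[0]= '\0';` to the constructor. Separately, in stash_remote_error() the local `remote_error` is left unused while mysql_error(mysql) is called a second time; either pass `remote_error` as the "%s" argument or drop the local.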
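--- a/sql/ha_federated.h
+++ b/sql/ha_federated.h
@@ -159,7 +159,6 @@ class ha_federated: public handler
   MYSQL_ROW_OFFSET current_position;  // Current position used by ::position()
   int remote_error_number;
   char remote_error_buf[FEDERATED_QUERY_BUFFER_SIZE];
-  uint remote_error_len;
 
 private:
   /*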