Commit 21e6836b authored by unknown's avatar unknown

Fix for BUG#16899: Possible buffer overflow in handling of DEFINER-clause

    
User names and host names have length limits. The server code relies on these
limits when storing the names. The problem was that these limits were sometimes
not checked properly, which could lead to a buffer overflow.
  
The fix is to check length of user/host name in parser and if string is too
long, throw an error.


mysql-test/r/grant.result:
  Updated result file.
mysql-test/r/sp.result:
  Updated result file.
mysql-test/r/trigger.result:
  Updated result file.
mysql-test/r/view.result:
  Updated result file.
mysql-test/t/grant.test:
  Added test for BUG#16899.
mysql-test/t/sp.test:
  Added test for BUG#16899.
mysql-test/t/trigger.test:
  Added test for BUG#16899.
mysql-test/t/view.test:
  Added test for BUG#16899.
sql/mysql_priv.h:
  Added prototype for new function.
sql/sql_acl.cc:
  Remove outdated checks.
sql/sql_parse.cc:
  Add a new function for checking string length.
sql/share/errmsg.txt:
  Added new resources.
sql/sql_yacc.yy:
  Check length of user/host name.
parent 70ad92dc
+24 −0
@@ -867,3 +867,27 @@ insert into mysql.user select * from t2;
flush privileges;
drop table t2;
drop table t1;
GRANT CREATE ON mysqltest.* TO 1234567890abcdefGHIKL@localhost;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
GRANT CREATE ON mysqltest.* TO some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
REVOKE CREATE ON mysqltest.* FROM 1234567890abcdefGHIKL@localhost;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
REVOKE CREATE ON mysqltest.* FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
GRANT CREATE ON t1 TO 1234567890abcdefGHIKL@localhost;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
GRANT CREATE ON t1 TO some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
REVOKE CREATE ON t1 FROM 1234567890abcdefGHIKL@localhost;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
REVOKE CREATE ON t1 FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
GRANT EXECUTE ON PROCEDURE p1 TO 1234567890abcdefGHIKL@localhost;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
GRANT EXECUTE ON PROCEDURE p1 TO some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
REVOKE EXECUTE ON PROCEDURE p1 FROM 1234567890abcdefGHIKL@localhost;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
REVOKE EXECUTE ON PROCEDURE t1 FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
+13 −0
@@ -5072,4 +5072,17 @@ a
1
use test|
drop table t3|
DROP PROCEDURE IF EXISTS bug16899_p1|
DROP FUNCTION IF EXISTS bug16899_f1|
CREATE DEFINER=1234567890abcdefGHIKL@localhost PROCEDURE bug16899_p1()
BEGIN
SET @a = 1;
END|
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
CREATE DEFINER=some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY
FUNCTION bug16899_f1() RETURNS INT
BEGIN
RETURN 1;
END|
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
drop table t1,t2;
+13 −0
@@ -1089,4 +1089,17 @@ begin
set @a:= 1;
end|
ERROR HY000: Triggers can not be created on system tables
use test|
DROP TABLE IF EXISTS t1;
DROP TABLE IF EXISTS t2;
CREATE TABLE t1(c INT);
CREATE TABLE t2(c INT);
CREATE DEFINER=1234567890abcdefGHIKL@localhost
TRIGGER t1_bi BEFORE INSERT ON t1 FOR EACH ROW SET @a = 1;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
CREATE DEFINER=some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY
TRIGGER t2_bi BEFORE INSERT ON t2 FOR EACH ROW SET @a = 2;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
DROP TABLE t1;
DROP TABLE t2;
End of 5.0 tests
+11 −0
@@ -2736,3 +2736,14 @@ m e
1	b
DROP VIEW v1;
DROP TABLE IF EXISTS t1,t2;
DROP TABLE IF EXISTS t1;
DROP VIEW IF EXISTS v1;
DROP VIEW IF EXISTS v2;
CREATE TABLE t1(a INT, b INT);
CREATE DEFINER=1234567890abcdefGHIKL@localhost
VIEW v1 AS SELECT a FROM t1;
ERROR HY000: String '1234567890abcdefGHIKL' is too long for user name (should be no longer than 16)
CREATE DEFINER=some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY
VIEW v2 AS SELECT b FROM t1;
ERROR HY000: String '1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY' is too long for host name (should be no longer than 60)
DROP TABLE t1;
+49 −0
@@ -681,3 +681,52 @@ drop table t2;
drop table t1;


#
# Test for BUG#16899: Possible buffer overflow in handling of DEFINER-clause.
#
# These checks are intended to ensure that appropriate errors are risen when
# illegal user name or hostname is specified in user-clause of GRANT/REVOKE
# statements.
#

# Working with database-level privileges.

--error ER_WRONG_STRING_LENGTH
GRANT CREATE ON mysqltest.* TO 1234567890abcdefGHIKL@localhost;

--error ER_WRONG_STRING_LENGTH
GRANT CREATE ON mysqltest.* TO some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;

--error ER_WRONG_STRING_LENGTH
REVOKE CREATE ON mysqltest.* FROM 1234567890abcdefGHIKL@localhost;

--error ER_WRONG_STRING_LENGTH
REVOKE CREATE ON mysqltest.* FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;

# Working with table-level privileges.

--error ER_WRONG_STRING_LENGTH
GRANT CREATE ON t1 TO 1234567890abcdefGHIKL@localhost;

--error ER_WRONG_STRING_LENGTH
GRANT CREATE ON t1 TO some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;

--error ER_WRONG_STRING_LENGTH
REVOKE CREATE ON t1 FROM 1234567890abcdefGHIKL@localhost;

--error ER_WRONG_STRING_LENGTH
REVOKE CREATE ON t1 FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;

# Working with routine-level privileges.

--error ER_WRONG_STRING_LENGTH
GRANT EXECUTE ON PROCEDURE p1 TO 1234567890abcdefGHIKL@localhost;

--error ER_WRONG_STRING_LENGTH
GRANT EXECUTE ON PROCEDURE p1 TO some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;

--error ER_WRONG_STRING_LENGTH
REVOKE EXECUTE ON PROCEDURE p1 FROM 1234567890abcdefGHIKL@localhost;

--error ER_WRONG_STRING_LENGTH
REVOKE EXECUTE ON PROCEDURE t1 FROM some_user_name@1234567890abcdefghij1234567890abcdefghij1234567890abcdefghijQWERTY;
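Review bot: The added cases only use names far past the limits (a 21-character user name against 16, a 66-character host name against 60), so nothing in this section pins the exact boundary the new parser check enforces; the DEFINER cases recorded in the sp, trigger and view result sections reuse the same two strings. Since the check guards fixed-size name storage, the off-by-one inputs are the ones worth locking in: a 17-character user name and a 61-character host name expecting `--error ER_WRONG_STRING_LENGTH`, plus names of exactly 16 and 60 characters that must not produce that error. Quoted forms (`'user'@'host'`) are not exercised here either, and whether they reach the same check cannot be told from this section. Separately, the last statement says `PROCEDURE t1` where the three routine-level cases above it use `p1`; it presumably should read `REVOKE EXECUTE ON PROCEDURE p1 FROM some_user_name@<66-character host>;`, with the same change in the recorded result.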