drizzle_state_field_read() can read past packet boundary
Bug #1150811 reported by
Wim Lewis
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| Drizzle Client & Protocol Library |
Fix Released
|
Medium
|
Wim Lewis | ||
Bug Description
drizzle_
if ((size_
{
con-
}
else
{
con-
}
However, if the field is broken across multiple packets, and the buffer contains the rest of this packet and the beginning of the next, this can read too much data into the field (including the packet header of the next packet). The field_size should be set to the smallest size among buffer_size, packet_size, and field_total.
Related branches
lp://staging/~wiml/libdrizzle/integer-sizes
- Andrew Hutchings: Approve
-
Diff: 618 lines (+134/-80)14 files modifiedlibdrizzle-5.1/constants.h (+15/-21)
libdrizzle-5.1/field_client.h (+17/-2)
libdrizzle/binlog.cc (+5/-5)
libdrizzle/conn.cc (+6/-0)
libdrizzle/field.cc (+36/-18)
libdrizzle/handshake.cc (+2/-2)
libdrizzle/pack.cc (+19/-7)
libdrizzle/pack.h (+2/-1)
libdrizzle/result.cc (+10/-8)
libdrizzle/result.h (+6/-6)
libdrizzle/statement.cc (+1/-1)
libdrizzle/statement_param.cc (+8/-2)
libdrizzle/structs.h (+6/-6)
tests/unit/statement.c (+1/-1)
| Changed in libdrizzle: | |
| status: | New → In Progress |
| importance: | Undecided → Medium |
| assignee: | nobody → Wim Lewis (wiml) |
| Changed in libdrizzle: | |
| status: | In Progress → Fix Released |
| Changed in libdrizzle: | |
| milestone: | none → 5.1.4 |
To post a comment you must log in.
