Bugtraq mailing list archives
Re: mSQL vulnerabilities
From: blkadder () VALUE NET (Black Adder)
Date: Tue, 29 Jul 1997 17:04:17 -0700
On Tue, 29 Jul 1997, David Sacerdote wrote:
All mysql string are (own coded) C++ strings and the String class includes a length so this problem doesn't exists.No. At least a few are on the stack. Look at mysql_rm_table() in 3.20.24a for example: int mysql_rm_table(THD *thd,tname_t *tables) { char path[FN_REFLEN]; ... (void) sprintf(path,"%s/%s/%s%s",mysql_data_home,thd->db,table->real_name, reg_ext); I've not traced the functions which call mysql_rm_table to see if they do bounds checking, but what I see it doing is the kind of thing which makes me feel nervous, and suspect a hole, as my initial post to the bugtraq mailing list indicated. I have not *confirmed* or *exploited* any holes in MySQL as of this afternoon.
I sent Monty(the author of MySQL) a note after I saw the mSQL problems, and taking a quick look and seeing the implicit declaration of FN_REFLEN which is equivelant to MAXPATHLENGTH, and calls like the one you show above. He stated that there are bounds checking (33 characters) so this is not a problem.
Current thread:
- mSQL vulnerabilities Secure Networks Inc. (Jul 27)
- Re: mSQL vulnerabilities Stacey Son (Jul 28)
- <Possible follow-ups>
- Re: mSQL vulnerabilities David Sacerdote (Jul 28)
- Re: mSQL vulnerabilities David Sacerdote (Jul 29)
- Re: mSQL vulnerabilities Black Adder (Jul 29)