[5058] in bugtraq
Re: mSQL vulnerabilities
daemon@ATHENA.MIT.EDU (Black Adder)
Wed Jul 30 17:00:12 1997
Date: Tue, 29 Jul 1997 17:04:17 -0700
Reply-To: blkadder@VALUE.NET
From: Black Adder <blkadder@VALUE.NET>
X-To: David Sacerdote <davids@silence.secnet.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Pine.BSI.3.96.970729140317.17463A-100000@silence.secnet.com>
On Tue, 29 Jul 1997, David Sacerdote wrote:
> > All mysql string are (own coded) C++ strings and the String class includes a
> > length so this problem doesn't exists.
>
> No. At least a few are on the stack. Look at mysql_rm_table() in
> 3.20.24a for example:
>
> int mysql_rm_table(THD *thd,tname_t *tables)
> {
> char path[FN_REFLEN];
> ...
> (void) sprintf(path,"%s/%s/%s%s",mysql_data_home,thd->db,table->real_name,
> reg_ext);
>
> I've not traced the functions which call mysql_rm_table to see if they do
> bounds checking, but what I see it doing is the kind of thing which makes
> me feel nervous, and suspect a hole, as my initial post to the bugtraq
> mailing list indicated. I have not *confirmed* or *exploited* any holes
> in MySQL as of this afternoon.
I sent Monty(the author of MySQL) a note after I saw the mSQL problems,
and taking a quick look and seeing the implicit declaration of FN_REFLEN
which is equivelant to MAXPATHLENGTH, and calls like the one you show
above. He stated that there are bounds checking (33 characters) so this is
not a problem.
