
Commit c492c34

MDEV-33434 spider direct sql: Check length before memcpy
similar to MDEV-30981
1 parent d510f80 commit c492c34


3 files changed

+80
-82
lines changed

Lines changed: 12 additions & 0 deletions
@@ -0,0 +1,12 @@
1+
#
2+
# MDEV-33434 MDEV-33434 UBSAN null pointer passed as argument 2, which is declared to never be null in spider_udf_direct_sql_create_conn
3+
#
4+
INSTALL SONAME 'ha_spider';
5+
SET character_set_connection=ucs2;
6+
SELECT SPIDER_DIRECT_SQL('SELECT SLEEP(1)', '', 'srv "dummy", port "3307"');
7+
ERROR HY000: Unable to connect to foreign data source: localhost
8+
Warnings:
9+
Warning 1620 Plugin is busy and will be uninstalled on shutdown
10+
#
11+
# end of test mdev_33434
12+
#
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,15 @@
1+
--echo #
2+
--echo # MDEV-33434 MDEV-33434 UBSAN null pointer passed as argument 2, which is declared to never be null in spider_udf_direct_sql_create_conn
3+
--echo #
4+
5+
INSTALL SONAME 'ha_spider';
6+
SET character_set_connection=ucs2;
7+
--error ER_CONNECT_TO_FOREIGN_DATA_SOURCE
8+
SELECT SPIDER_DIRECT_SQL('SELECT SLEEP(1)', '', 'srv "dummy", port "3307"');
9+
--disable_query_log
10+
--source ../../include/clean_up_spider.inc
11+
--enable_query_log
12+
13+
--echo #
14+
--echo # end of test mdev_33434
15+
--echo #
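Review bot: The header comment on new line 2 repeats the ticket id (`MDEV-33434 MDEV-33434 UBSAN null pointer ...`), and the same text is recorded in the result file; one id is enough: `--echo # MDEV-33434 UBSAN null pointer passed as argument 2, which is declared to never be null in spider_udf_direct_sql_create_conn`. The test would also be easier to maintain with a one-line comment saying why `SET character_set_connection=ucs2` is needed to reach the zero-length copy, since that link is not evident from the statements themselves.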

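--- a/storage/spider/spd_direct_sql.cc
+++ b/storage/spider/spd_direct_sql.cc
@@ -413,6 +413,23 @@ int spider_udf_direct_sql_create_conn_key(
 DBUG_RETURN(0);
 }
 
+static inline void spider_maybe_memcpy_string(
+char **dest,
+char *src,
+char *tmp,
+uint *dest_len,
+uint src_len)
+{
+*dest_len= src_len;
+if (src_len)
+{
+*dest= tmp;
+memcpy(*dest, src, src_len);
+} else
+*dest= NULL;
+}
+
+
 SPIDER_CONN *spider_udf_direct_sql_create_conn(
 const SPIDER_DIRECT_SQL *direct_sql,
 int *error_num
@@ -504,89 +521,43 @@ SPIDER_CONN *spider_udf_direct_sql_create_conn(
 {
 #endif
 conn->tgt_port = direct_sql->tgt_port;
-conn->tgt_socket_length = direct_sql->tgt_socket_length;
-conn->tgt_socket = tmp_socket;
-memcpy(conn->tgt_socket, direct_sql->tgt_socket,
-direct_sql->tgt_socket_length);
+spider_maybe_memcpy_string(
+&conn->tgt_socket, direct_sql->tgt_socket, tmp_socket,
+&conn->tgt_socket_length, direct_sql->tgt_socket_length);
 if (!tables_on_different_db_are_joinable)
-{
-conn->tgt_db_length = direct_sql->tgt_default_db_name_length;
-conn->tgt_db = tmp_db;
-memcpy(conn->tgt_db, direct_sql->tgt_default_db_name,
-direct_sql->tgt_default_db_name_length);
-}
-conn->tgt_username_length = direct_sql->tgt_username_length;
-conn->tgt_username = tmp_username;
-memcpy(conn->tgt_username, direct_sql->tgt_username,
-direct_sql->tgt_username_length);
-conn->tgt_password_length = direct_sql->tgt_password_length;
-conn->tgt_password = tmp_password;
-memcpy(conn->tgt_password, direct_sql->tgt_password,
-direct_sql->tgt_password_length);
-conn->tgt_ssl_ca_length = direct_sql->tgt_ssl_ca_length;
-if (conn->tgt_ssl_ca_length)
-{
-conn->tgt_ssl_ca = tmp_ssl_ca;
-memcpy(conn->tgt_ssl_ca, direct_sql->tgt_ssl_ca,
-direct_sql->tgt_ssl_ca_length);
-} else
-conn->tgt_ssl_ca = NULL;
-conn->tgt_ssl_capath_length = direct_sql->tgt_ssl_capath_length;
-if (conn->tgt_ssl_capath_length)
-{
-conn->tgt_ssl_capath = tmp_ssl_capath;
-memcpy(conn->tgt_ssl_capath, direct_sql->tgt_ssl_capath,
-direct_sql->tgt_ssl_capath_length);
-} else
-conn->tgt_ssl_capath = NULL;
-conn->tgt_ssl_cert_length = direct_sql->tgt_ssl_cert_length;
-if (conn->tgt_ssl_cert_length)
-{
-conn->tgt_ssl_cert = tmp_ssl_cert;
-memcpy(conn->tgt_ssl_cert, direct_sql->tgt_ssl_cert,
-direct_sql->tgt_ssl_cert_length);
-} else
-conn->tgt_ssl_cert = NULL;
-conn->tgt_ssl_cipher_length = direct_sql->tgt_ssl_cipher_length;
-if (conn->tgt_ssl_cipher_length)
-{
-conn->tgt_ssl_cipher = tmp_ssl_cipher;
-memcpy(conn->tgt_ssl_cipher, direct_sql->tgt_ssl_cipher,
-direct_sql->tgt_ssl_cipher_length);
-} else
-conn->tgt_ssl_cipher = NULL;
-conn->tgt_ssl_key_length = direct_sql->tgt_ssl_key_length;
-if (conn->tgt_ssl_key_length)
-{
-conn->tgt_ssl_key = tmp_ssl_key;
-memcpy(conn->tgt_ssl_key, direct_sql->tgt_ssl_key,
-direct_sql->tgt_ssl_key_length);
-} else
-conn->tgt_ssl_key = NULL;
-conn->tgt_default_file_length = direct_sql->tgt_default_file_length;
-if (conn->tgt_default_file_length)
-{
-conn->tgt_default_file = tmp_default_file;
-memcpy(conn->tgt_default_file, direct_sql->tgt_default_file,
-direct_sql->tgt_default_file_length);
-} else
-conn->tgt_default_file = NULL;
-conn->tgt_default_group_length = direct_sql->tgt_default_group_length;
-if (conn->tgt_default_group_length)
-{
-conn->tgt_default_group = tmp_default_group;
-memcpy(conn->tgt_default_group, direct_sql->tgt_default_group,
-direct_sql->tgt_default_group_length);
-} else
-conn->tgt_default_group = NULL;
-conn->tgt_dsn_length = direct_sql->tgt_dsn_length;
-if (conn->tgt_dsn_length)
-{
-conn->tgt_dsn = tmp_dsn;
-memcpy(conn->tgt_dsn, direct_sql->tgt_dsn,
-direct_sql->tgt_dsn_length);
-} else
-conn->tgt_dsn = NULL;
+spider_maybe_memcpy_string(
+&conn->tgt_db, direct_sql->tgt_default_db_name, tmp_db,
+&conn->tgt_db_length, direct_sql->tgt_default_db_name_length);
+spider_maybe_memcpy_string(
+&conn->tgt_username, direct_sql->tgt_username, tmp_username,
+&conn->tgt_username_length, direct_sql->tgt_username_length);
+spider_maybe_memcpy_string(
+&conn->tgt_password, direct_sql->tgt_password, tmp_password,
+&conn->tgt_password_length, direct_sql->tgt_password_length);
+spider_maybe_memcpy_string(
+&conn->tgt_ssl_ca, direct_sql->tgt_ssl_ca, tmp_ssl_ca,
+&conn->tgt_ssl_ca_length, direct_sql->tgt_ssl_ca_length);
+spider_maybe_memcpy_string(
+&conn->tgt_ssl_capath, direct_sql->tgt_ssl_capath, tmp_ssl_capath,
+&conn->tgt_ssl_capath_length, direct_sql->tgt_ssl_capath_length);
+spider_maybe_memcpy_string(
+&conn->tgt_ssl_cert, direct_sql->tgt_ssl_cert, tmp_ssl_cert,
+&conn->tgt_ssl_cert_length, direct_sql->tgt_ssl_cert_length);
+spider_maybe_memcpy_string(
+&conn->tgt_ssl_cipher, direct_sql->tgt_ssl_cipher, tmp_ssl_cipher,
+&conn->tgt_ssl_cipher_length, direct_sql->tgt_ssl_cipher_length);
+spider_maybe_memcpy_string(
+&conn->tgt_ssl_key, direct_sql->tgt_ssl_key, tmp_ssl_key,
+&conn->tgt_ssl_key_length, direct_sql->tgt_ssl_key_length);
+spider_maybe_memcpy_string(
+&conn->tgt_default_file, direct_sql->tgt_default_file, tmp_default_file,
+&conn->tgt_default_file_length, direct_sql->tgt_default_file_length);
+spider_maybe_memcpy_string(
+&conn->tgt_default_group, direct_sql->tgt_default_group, tmp_default_group,
+&conn->tgt_default_group_length, direct_sql->tgt_default_group_length);
+spider_maybe_memcpy_string(
+&conn->tgt_dsn, direct_sql->tgt_dsn, tmp_dsn,
+&conn->tgt_dsn_length, direct_sql->tgt_dsn_length);
 conn->tgt_ssl_vsc = direct_sql->tgt_ssl_vsc;
 #if defined(HS_HAS_SQLCOM) && defined(HAVE_HANDLERSOCKET)
 } else {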
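Review bot: The four fields that the removed code always pointed at their `tmp_*` buffers (`tgt_socket`, `tgt_db`, `tgt_username`, `tgt_password`, new lines 524-536) are now set to NULL when the source length is 0, so any later reader that treats them as always-valid C strings would dereference NULL; those readers are outside this diff and should be checked. The helper at new lines 416-430 guards only on `src_len`, so a NULL `src` with a non-zero length would still reach `memcpy`; `DBUG_ASSERT(!src_len || src);` at the top would make that contract explicit, and `src` can be declared `const char *`. A short comment on the helper should state that it writes no terminator and that `tmp` must hold at least `src_len` bytes (presumably `src_len + 1`, pre-zeroed by an allocation that is not visible here). The body of spider_udf_direct_sql_create_conn starts and ends outside the second hunk.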
