Bug#25510805 - MYSQL CRASHES WHEN TRYING TO CONNECT FROM

Anushree Prakash B · Anushree Prakash B · commit 6d86d29c8557 · 2017-08-23T13:58:51.000+05:30
A HOST WITH AHOSTNAME OF 69 CHARACTERS

DESCRIPTION:
===========
When a connection is made from a host with a hostname
length of more than HOSTNAME_LENGTH characters,
MySQL crashes with a buffer overflow.

ANALYSIS:
========
If the hostname of the connecting host is greater than
HOSTNAME_LENGTH (60 chars), copying the hostname to the
performance schema table field which is limited to
HOSTNAME_LENGTH characters results in a crash.

FIX:
===
The fix is to truncate the hostname to HOSTNAME_LENGTH
number of characters before adding them to the performance
schema tables which record host information and details.
This makes sure that the client connection is established
successfully.
diff --git a/sql/hostname.cc b/sql/hostname.cc
@@ -33,6 +33,7 @@
                                                 // sql_print_information
 #include "violite.h"                            // vio_getnameinfo,
                                                 // vio_get_normalized_ip_string
+#include <string>
 #ifdef	__cplusplus
 extern "C" {					// Because of SCO 3.2V4.2
 #endif
@@ -551,6 +552,14 @@ int ip_to_hostname(struct sockaddr_storage *ip_storage,
                   }
                   );
 
+  DBUG_EXECUTE_IF ("getnameinfo_fake_max_length",
+                  {
+                    std::string s(NI_MAXHOST-1, 'a');
+                    strcpy(hostname_buffer, s.c_str());
+                    err_code= 0;
+                  }
+                  );
+
   /*
   ===========================================================================
   DEBUG code only (end)
diff --git a/storage/perfschema/pfs.cc b/storage/perfschema/pfs.cc
@@ -41,6 +41,7 @@
 #include "sp_head.h"
 #include "pfs_digest.h"
 
+using std::min;
 /**
   @page PAGE_PERFORMANCE_SCHEMA The Performance Schema main page
   MySQL PERFORMANCE_SCHEMA implementation.
@@ -2018,7 +2019,8 @@ static void set_thread_account_v1(const char *user, int user_len,
   DBUG_ASSERT((uint) user_len <= sizeof(pfs->m_username));
   DBUG_ASSERT((host != NULL) || (host_len == 0));
   DBUG_ASSERT(host_len >= 0);
-  DBUG_ASSERT((uint) host_len <= sizeof(pfs->m_hostname));
+
+  host_len= min<size_t>(host_len, sizeof(pfs->m_hostname));
 
   if (unlikely(pfs == NULL))
     return;
