    Bug #23152979: CLUSTER: POSSIBLE BUFFER OVERFLOW ISSUES · 3e1c876f
    Sanjana DS authored
    DESCRIPTION
    ===========
    Buffer overflow is reported in a lot of code sections spanning
    across ndb code.
    If not handled properly, they can cause abnormal behaviour.
    
    ANALYSIS
    ========
    The reported cases are the ones which are likely to cause
    SEGFAULT, MEMORY LEAK etc.
    The function readDataPrivate has a memcpy() that could lead
    to buffer overflow.
    Possible buffer overflow due to strcat() in get_prefix_buf().
    ndb_end() not called in many places due to which memory leaks
    could happen.
    
    FIX
    ===
    1) Made modifications in code paths leading to readDataPrivate
    to prevent buffer overflow:
    
     (i) sql/ha_ndbcluster_binlog.cc: Passed size of buf instead of
     passing UINT_MAX as the "bytes" arg.
     (ii) Added a require() in storage/ndb/tools/ndb_lib_move_data.cpp,
     to make sure "length1" is less than or equal to the buffer
     size.
    
    2) Added a require() in get_prefix_buf().
    
    3) Added an inline function ndb_end_exit() that calls ndb_end() and
    then exits from the program. Substituted return/exit() with ndb_end_exit()
    in places where ndb_end() was missing.
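The pattern behind fixes 1 and 2, as an added illustration that is not the MySQL Cluster code: a copy helper is only safe when its "bytes" argument is the destination's real capacity (not UINT_MAX), the caller enforces length1 <= buffer size up front, and a prefix builder checks remaining space before strcat(). All function names below are hypothetical stand-ins.

```c
#include <limits.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a readDataPrivate-style helper: copies at most
 * "bytes" bytes of the source into the caller's buffer. The bound only
 * protects the destination if the caller passes the buffer's true size;
 * passing UINT_MAX (the pre-fix pattern in the commit) disables it. */
static size_t read_data_private(char *dst, unsigned bytes,
                                const char *src, size_t src_len)
{
    size_t n = src_len < bytes ? src_len : bytes;
    memcpy(dst, src, n);
    return n;
}

/* Fixed caller (fix 1): the copy is bounded by sizeof(buf), and a
 * require()-style check rejects a length1 larger than the buffer. */
static int read_into_buf(char *buf, size_t buf_size,
                         const char *src, size_t length1)
{
    if (length1 > buf_size)                 /* require(length1 <= buf_size) */
        return -1;
    return (int)read_data_private(buf, (unsigned)buf_size, src, length1);
}

/* Hypothetical bounded prefix builder (fix 2): refuse to append when the
 * concatenation plus NUL would not fit, instead of letting strcat() run
 * past the end of "out". */
static int build_prefix_buf(char *out, size_t out_size,
                            const char *a, const char *b)
{
    size_t need = strlen(a) + strlen(b) + 1;
    if (need > out_size)                    /* require(need <= out_size) */
        return -1;
    strcpy(out, a);
    strcat(out, b);
    return 0;
}
```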