63 lines
1.8 KiB
Diff
63 lines
1.8 KiB
Diff
Fix CVE-2017-10788:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-10788
|
|
|
|
Patch written to match corrected documentation specifications:
|
|
|
|
Old: http://web.archive.org/web/20161220021610/https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html
|
|
New: https://dev.mysql.com/doc/refman/5.7/en/mysql-stmt-close.html
|
|
|
|
The patch itself is from https://github.com/perl5-dbi/DBD-mysql/issues/120#issuecomment-312420660.
|
|
|
|
From 9ce10cfae7138c37c3a0cb2ba2a1d682482943d0 Mon Sep 17 00:00:00 2001
|
|
From: Pali <pali@cpan.org>
|
|
Date: Sun, 25 Jun 2017 10:07:39 +0200
|
|
Subject: [PATCH] Fix use-after-free after calling mysql_stmt_close()
|
|
|
|
Ignore return value from mysql_stmt_close() and also its error message
|
|
because it points to freed memory after mysql_stmt_close() was called.
|
|
---
|
|
dbdimp.c | 8 ++------
|
|
mysql.xs | 7 ++-----
|
|
2 files changed, 4 insertions(+), 11 deletions(-)
|
|
|
|
diff --git a/dbdimp.c b/dbdimp.c
|
|
index c60a5f6..a6410e5 100644
|
|
--- a/dbdimp.c
|
|
+++ b/dbdimp.c
|
|
@@ -4894,12 +4894,8 @@ void dbd_st_destroy(SV *sth, imp_sth_t *imp_sth) {
|
|
|
|
if (imp_sth->stmt)
|
|
{
|
|
- if (mysql_stmt_close(imp_sth->stmt))
|
|
- {
|
|
- do_error(DBIc_PARENT_H(imp_sth), mysql_stmt_errno(imp_sth->stmt),
|
|
- mysql_stmt_error(imp_sth->stmt),
|
|
- mysql_stmt_sqlstate(imp_sth->stmt));
|
|
- }
|
|
+ mysql_stmt_close(imp_sth->stmt);
|
|
+ imp_sth->stmt= NULL;
|
|
}
|
|
#endif
|
|
|
|
diff --git a/mysql.xs b/mysql.xs
|
|
index 55376e1..affde59 100644
|
|
--- a/mysql.xs
|
|
+++ b/mysql.xs
|
|
@@ -434,11 +434,8 @@ do(dbh, statement, attr=Nullsv, ...)
|
|
if (bind)
|
|
Safefree(bind);
|
|
|
|
- if(mysql_stmt_close(stmt))
|
|
- {
|
|
- fprintf(stderr, "\n failed while closing the statement");
|
|
- fprintf(stderr, "\n %s", mysql_stmt_error(stmt));
|
|
- }
|
|
+ mysql_stmt_close(stmt);
|
|
+ stmt= NULL;
|
|
|
|
if (retval == -2) /* -2 means error */
|
|
{
|
|
--
|
|
1.7.9.5
|