CVE-2004-2149

Vulnerability

A buffer overflow vulnerability exists in the prepared statements API (libmysqlclient) in MySQL versions 4.1.3 beta and 4.1.4. When a prepared statement uses a large number of placeholders (parameters), the internal buffer handling can overflow, leading to memory corruption. The issue was reported as MySQL bug #5194 [1]. Affected versions are MySQL 4.1.3 beta and 4.1.4; later versions are not affected.

Exploitation

An attacker can trigger the overflow by sending a crafted prepared SQL statement containing an excessive number of placeholder parameters (e.g., more than 65536 placeholders) [1]. The attack is performed remotely over the MySQL protocol; the attacker must be able to issue PREPARE statements. No special privileges beyond network access to the MySQL server are required. The overflow occurs during the mysql_stmt_prepare or mysql_stmt_execute call on the client side, but the server also processes the statement and can be affected. The exact sequence: connect to the MySQL server, prepare a statement with an extremely high placeholder count, and execute it. This causes the buffer overflow and likely crashes the client or server process.

Impact

Successful exploitation leads to a denial of service (DoS) condition. The MySQL server process (or client) may crash due to memory corruption. No arbitrary code execution is described in the references; the primary impact is service interruption [1]. The crash is caused by an unaligned address error or segmentation fault.

Mitigation

MySQL released a fix in version 4.1.5, with the release date around November 2004 (shortly after the bug was reported). Users should upgrade to MySQL 4.1.5 or later. As a workaround, restrict network access to the MySQL server to trusted hosts only, and ensure that prepared statements with excessive placeholders are not allowed. The bug is not on the CISA KEV list.