Commit 3a364d51 authored by unknown's avatar unknown

Bug#28984: crasher on connect with out of range password length in \

	protocol

Fixed duplicated code, same as last commit.

One could send a malformed packet that caused the server to SEGV.  In 
recent versions of the password protocol, the client tells the server 
what length the ciphertext is (almost always 20).  If that length was
large enough to overflow a signed char, then the number would jump to 
very large after being casted to unsigned int.

Instead, cast the *passwd char to uchar.


sql/sql_parse.cc:
  Additional location of signed-char casted to uint.
parent 606927f7
...@@ -1445,11 +1445,14 @@ bool dispatch_command(enum enum_server_command command, THD *thd, ...@@ -1445,11 +1445,14 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
Old clients send null-terminated string ('\0' for empty string) for Old clients send null-terminated string ('\0' for empty string) for
password. New clients send the size (1 byte) + string (not null password. New clients send the size (1 byte) + string (not null
terminated, so also '\0' for empty string). terminated, so also '\0' for empty string).
Cast *passwd to an unsigned char, so that it doesn't extend the sign
for *passwd > 127 and become 2**32-127 after casting to uint.
*/ */
char db_buff[NAME_LEN+1]; // buffer to store db in utf8 char db_buff[NAME_LEN+1]; // buffer to store db in utf8
char *db= passwd; char *db= passwd;
uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ? uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
*passwd++ : strlen(passwd); (uchar)(*passwd++) : strlen(passwd);
db+= passwd_len + 1; db+= passwd_len + 1;
#ifndef EMBEDDED_LIBRARY #ifndef EMBEDDED_LIBRARY
/* Small check for incomming packet */ /* Small check for incomming packet */
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment