Commit 74a077b0 authored by MySQL Build Team

Backport into build-201006221614-5.1.46sp1

> ------------------------------------------------------------
> revno: 1810.3987.14
> revision-id: davi.arnaut@sun.com-20100429132816-ictyul6d75itek22
> parent: ramil@mysql.com-20100429044232-f0pkyx8fnpszf142
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: 50974-5.0
> timestamp: Thu 2010-04-29 10:28:16 -0300
> message:
>   Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
>   
>   The server could be tricked to read packets indefinitely if it
>   received a packet larger than the maximum size of one packet.
>   This problem is aggravated by the fact that it can be triggered
>   before authentication.
>   
>   The solution is to not skip big packets for non-authenticated
>   sessions. If a big packet is sent before a session is authen-
>   ticated, an error is returned and the connection is closed.

> ------------------------------------------------------------
> revno: 3363 [merge]
> revision-id: davi.arnaut@sun.com-20100429231819-i3anwzrdasjmezvt
> parent: davi.arnaut@sun.com-20100401131522-895y8uzvv8ag44gs
> parent: davi.arnaut@sun.com-20100429132816-ictyul6d75itek22
> committer: Davi Arnaut <Davi.Arnaut@Sun.COM>
> branch nick: mysql-5.1-bugteam
> timestamp: Thu 2010-04-29 20:18:19 -0300
> message:
>   Manual merge.
> ------------------------------------------------------------
> Use --include-merges or -n0 to see merged revisions.
parent 33042e6d
...@@ -277,6 +277,16 @@ typedef struct st_net { ...@@ -277,6 +277,16 @@ typedef struct st_net {
/** Client library sqlstate buffer. Set along with the error message. */ /** Client library sqlstate buffer. Set along with the error message. */
char sqlstate[SQLSTATE_LENGTH+1]; char sqlstate[SQLSTATE_LENGTH+1];
void *extension; void *extension;
#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)
/*
Controls whether a big packet should be skipped.
Initially set to FALSE by default. Unauthenticated sessions must have
this set to FALSE so that the server can't be tricked to read packets
indefinitely.
*/
my_bool skip_big_packet;
#endif
} NET; } NET;
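Review bot: The new `skip_big_packet` member is compiled into `NET` only when `MYSQL_SERVER` is defined and `EMBEDDED_LIBRARY` is not, so `sizeof(NET)` now depends on which macros each translation unit sees. The member is last in the struct, which keeps the earlier offsets stable, but any object that embeds a `NET`, or any `NET` shared between units built with different settings, would disagree on layout; whether such units exist is not visible from this hunk. If the conditional has to stay, I would extend the comment with `Server-only member: every unit that touches a server NET must be built with MYSQL_SERVER.`, or declare the field unconditionally and leave it unused outside the server.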
......
...@@ -136,6 +136,9 @@ my_bool my_net_init(NET *net, Vio* vio) ...@@ -136,6 +136,9 @@ my_bool my_net_init(NET *net, Vio* vio)
#else #else
net->query_cache_query= 0; net->query_cache_query= 0;
#endif #endif
#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)
net->skip_big_packet= FALSE;
#endif
if (vio != 0) /* If real connection */ if (vio != 0) /* If real connection */
{ {
...@@ -949,6 +952,7 @@ my_real_read(NET *net, size_t *complen) ...@@ -949,6 +952,7 @@ my_real_read(NET *net, size_t *complen)
{ {
#if defined(MYSQL_SERVER) && !defined(NO_ALARM) #if defined(MYSQL_SERVER) && !defined(NO_ALARM)
if (!net->compress && if (!net->compress &&
net->skip_big_packet &&
!my_net_skip_rest(net, (uint32) len, &alarmed, &alarm_buff)) !my_net_skip_rest(net, (uint32) len, &alarmed, &alarm_buff))
net->error= 3; /* Successfully skiped packet */ net->error= 3; /* Successfully skiped packet */
#endif #endif
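Review bot: In the `my_real_read` hunk the new `net->skip_big_packet &&` test sits under `#if defined(MYSQL_SERVER) && !defined(NO_ALARM)`, while the `my_net_init` hunk above initialises the member under `#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)`, the same guard used for its declaration. A configuration with `MYSQL_SERVER` and `EMBEDDED_LIBRARY` defined and `NO_ALARM` undefined would reference a member that does not exist; macro handling earlier in the file may rule that out, but it is not visible here. I would make the guard explicit, `#if defined(MYSQL_SERVER) && !defined(NO_ALARM) && !defined(EMBEDDED_LIBRARY)`, or add a comment next to the test saying why the combination cannot occur. Both functions continue outside their hunks, so the path taken when the flag is FALSE is not shown. It should be covered by a regression test that sends an oversized packet before authentication and expects an error and a closed connection.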
......
...@@ -471,6 +471,13 @@ check_user(THD *thd, enum enum_server_command command, ...@@ -471,6 +471,13 @@ check_user(THD *thd, enum enum_server_command command,
} }
my_ok(thd); my_ok(thd);
thd->password= test(passwd_len); // remember for error messages thd->password= test(passwd_len); // remember for error messages
/*
Allow the network layer to skip big packets. Although a malicious
authenticated session might use this to trick the server to read
big packets indefinitely, this is a previously established behavior
that needs to be preserved as to not break backwards compatibility.
*/
thd->net.skip_big_packet= TRUE;
/* Ready to handle queries */ /* Ready to handle queries */
DBUG_RETURN(0); DBUG_RETURN(0);
} }
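Review bot: The added comment in `check_user` records that an authenticated session can still make the server keep reading oversized packets, but it does not say where the flag is consumed or that nothing in this commit sets it back to FALSE after this point. Because `check_user` takes a `command` argument it may run more than once per connection (inferred from the signature, not visible here), so the comment should state that the flag stays TRUE for the rest of the connection once authentication has succeeded. I would append to the comment: `The flag is read by my_real_read() and, within this change, is only reset to FALSE by my_net_init().` The body of `check_user` starts outside the hunk.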
......