    Bug#12563279: REGRESSION IN HANDLING PRE-4.1 AUTHENTICATION PACKET · 9b68760f
    Davi Arnaut authored
    The problem is that clients implementing the 4.0 version of the
    protocol (that is, mysql-4.0) do not null terminate a string
    at the end of the authentication packet. These clients denote
    the end of the string with the end of the packet.
    
    Although this goes against the documented (see MySQL Internals
    Client/Server Protocol wiki) description of the protocol, these
    old clients still need to be supported.
    
    The solution is to support the documented and actual behavior
    of the clients. If a client is using the pre-4.1 version of
    the protocol, the end of a string in the authentication packet
    can either be denoted with a null character or by the end of
    the packet. This restores backwards compatibility with old
    clients implementing either the documented or actual behavior.
    
    sql/password.c:
      The scrambled message, as provided by the user, might not be
      properly null terminated. If this is the case, uninitialized
      memory past the end of the buffer could theoretically be
      accessed. To ensure that this is never the case, copy the
      scrambled message over to a null terminated auxiliary buffer.
    sql/sql_connect.cc:
      Use different execution paths to read strings depending on the
      protocol being used. If version 4.0 of the protocol is used,
      end of string can be denoted with a NUL character or by the
      end of the packet.
      
      If there are not enough bytes left after the current position
      of the buffer to satisfy the current string, the string is
      considered to be empty. This is required because old clients
      do not send the password string field if the password is empty.
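The parsing rule the commit message describes, as an added example in C that is not MySQL's code: a pre-4.1 string field ends at a NUL byte or at the end of the packet, whichever comes first; a field with no bytes left is empty; and the scramble is copied into a server-side buffer that is always NUL-terminated. The sample packets are constructed, the real fixed header that precedes the user field is omitted, and the buffer sizes (a 64-byte user cap and an 8-byte old-style scramble) are assumptions of this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not MySQL's code. Models the pre-4.1 (mysql-4.0) rule:
 * a string field in the authentication packet ends at a NUL byte or at
 * the end of the packet, and a field for which no bytes remain is empty.
 * The real packet carries a fixed header before the user field, which
 * this example omits (assumption). */

enum {
    MAX_USER = 64,              /* assumed cap for the demo's user buffer */
    SCRAMBLE_LENGTH_323 = 8     /* assumed length of the old-style scramble */
};

struct packet {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

/* Copy the next string field into out (always NUL-terminated). Returns the
 * field length actually stored and advances the cursor past the NUL if one
 * terminated the field. Never reads beyond data[len). */
static size_t read_old_string(struct packet *pkt, char *out, size_t outsz)
{
    if (pkt->pos >= pkt->len) {          /* nothing left: field is empty */
        out[0] = '\0';
        return 0;
    }
    const unsigned char *start = pkt->data + pkt->pos;
    size_t avail = pkt->len - pkt->pos;
    const unsigned char *nul = memchr(start, '\0', avail);
    size_t n = nul ? (size_t)(nul - start) : avail;   /* NUL or packet end */
    size_t copy = n < outsz - 1 ? n : outsz - 1;      /* truncate, never overflow */
    memcpy(out, start, copy);
    out[copy] = '\0';
    pkt->pos += n + (nul ? 1 : 0);
    return copy;
}

struct old_auth {
    char user[MAX_USER];
    char scramble[SCRAMBLE_LENGTH_323 + 1]; /* NUL-terminated aux buffer */
    size_t scramble_len;
};

/* Parse the user and scramble fields. Returns 0 on success, -1 if the
 * scramble is longer than the old protocol allows (reject, do not truncate). */
int parse_old_auth(const unsigned char *data, size_t len, struct old_auth *out)
{
    struct packet pkt = { data, len, 0 };
    char tmp[MAX_USER];
    memset(out, 0, sizeof *out);
    read_old_string(&pkt, out->user, sizeof out->user);
    size_t n = read_old_string(&pkt, tmp, sizeof tmp);
    if (n > SCRAMBLE_LENGTH_323)
        return -1;
    /* The scramble as sent may not be NUL-terminated; keep the server-side
     * copy in a buffer that always is, so later code may treat it as a C string. */
    memcpy(out->scramble, tmp, n);
    out->scramble[n] = '\0';
    out->scramble_len = n;
    return 0;
}

/* Constructed sample packets (not captured traffic). PKT_LEN drops the
 * string literal's implicit trailing NUL so each packet ends where shown. */
#define PKT_LEN(s) (sizeof(s) - 1)
static const unsigned char PKT_DOCUMENTED[]  = "root\0ABCDEFGH\0"; /* NUL-terminated scramble */
static const unsigned char PKT_ACTUAL[]      = "root\0ABCDEFGH";   /* scramble ends with packet */
static const unsigned char PKT_NO_PASSWORD[] = "root\0";           /* password field absent */
static const unsigned char PKT_TRUNCATED[]   = "root";             /* user ends with packet */

int main(void)
{
    const unsigned char *pkts[] = { PKT_DOCUMENTED, PKT_ACTUAL, PKT_NO_PASSWORD, PKT_TRUNCATED };
    size_t lens[] = { PKT_LEN(PKT_DOCUMENTED), PKT_LEN(PKT_ACTUAL),
                      PKT_LEN(PKT_NO_PASSWORD), PKT_LEN(PKT_TRUNCATED) };
    for (size_t i = 0; i < 4; i++) {
        struct old_auth a;
        int rc = parse_old_auth(pkts[i], lens[i], &a);
        printf("rc=%d user=\"%s\" scramble=\"%s\" (%zu bytes)\n",
               rc, a.user, a.scramble, a.scramble_len);
    }
    return 0;
}
```

Both the documented form (scramble followed by NUL) and the actual 4.0 client form (scramble ending with the packet) yield the same eight-byte scramble, a packet that stops after the user name yields an empty scramble rather than a read past the buffer, and a packet whose user field is not NUL-terminated is still parsed because the packet end bounds every read.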