Commit baefaa1e authored by Alexey Kopytov's avatar Alexey Kopytov

Bug #45031: invalid memory reads in my_real_read using protocol

            compression 
 
Since uint3korr() may read 4 bytes depending on build flags and 
platform, allocate 1 extra "safety" byte in the network buffer 
for cases when uint3korr() in my_real_read() is called to read
last 3 bytes in the buffer. 
 
It is practically hard to construct a reliable and reasonably 
small test case for this bug as that would require constructing 
input stream such that a certain sequence of bytes in a 
compressed packet happens to be the last 3 bytes of the network 
buffer. 


sql/net_serv.cc:
  Allocate 1 extra "safety" byte in the network buffer for cases 
  when uint3korr() is used to read last 3 bytes in the buffer.
parent 1a4bc9a1
...@@ -188,10 +188,12 @@ my_bool net_realloc(NET *net, ulong length) ...@@ -188,10 +188,12 @@ my_bool net_realloc(NET *net, ulong length)
pkt_length = (length+IO_SIZE-1) & ~(IO_SIZE-1); pkt_length = (length+IO_SIZE-1) & ~(IO_SIZE-1);
/* /*
We must allocate some extra bytes for the end 0 and to be able to We must allocate some extra bytes for the end 0 and to be able to
read big compressed blocks read big compressed blocks + 1 safety byte since uint3korr() in
my_real_read() may actually read 4 bytes depending on build flags and
platform.
*/ */
if (!(buff=(uchar*) my_realloc((char*) net->buff, (uint32) pkt_length + if (!(buff=(uchar*) my_realloc((char*) net->buff, (uint32) pkt_length +
NET_HEADER_SIZE + COMP_HEADER_SIZE, NET_HEADER_SIZE + COMP_HEADER_SIZE + 1,
MYF(MY_WME)))) MYF(MY_WME))))
{ {
net->error= 1; net->error= 1;
...@@ -919,6 +921,13 @@ my_real_read(NET *net, ulong *complen) ...@@ -919,6 +921,13 @@ my_real_read(NET *net, ulong *complen)
#ifdef HAVE_COMPRESS #ifdef HAVE_COMPRESS
if (net->compress) if (net->compress)
{ {
/*
The following uint3korr() may read 4 bytes, so make sure we don't
read unallocated or uninitialized memory. The right-hand expression
must match the size of the buffer allocated in net_realloc().
*/
DBUG_ASSERT(net->where_b + NET_HEADER_SIZE + sizeof(uint32) <=
net->max_packet + NET_HEADER_SIZE + COMP_HEADER_SIZE + 1);
/* /*
If the packet is compressed then complen > 0 and contains the If the packet is compressed then complen > 0 and contains the
number of bytes in the uncompressed packet number of bytes in the uncompressed packet
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment