Bug #12910665: AUTH-PLUGIN-DATA-LEN NOT TESTED FOR VALIDITY BY THE

CLIENT Added a check for a negative second part of the scramble length.

Bug #12910665: AUTH-PLUGIN-DATA-LEN NOT TESTED FOR VALIDITY BY THE
CLIENT Added a check for a negative second part of the scramble length.
ca3e45dc · Georgi Kodinov · 8b754968 · ca3e45dc · ca3e45dc
Commit ca3e45dc authored Jun 29, 2012 by Georgi Kodinov
Show whitespace changes
Inline Side-by-side

Showing with 7 additions and 0 deletions

sql-common/client.c sql-common/client.c +6 -0

sql/sql_acl.cc sql/sql_acl.cc +1 -0

No files found.
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -3415,6 +3415,12 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
    mysql->server_status=uint2korr(end+3);
    mysql->server_capabilities|= uint2korr(end+5) << 16;
    pkt_scramble_len= end[7];
+    if (pkt_scramble_len < 0)
+    {
+      set_mysql_error(mysql, CR_MALFORMED_PACKET,
+                      unknown_sqlstate);        /* purecov: inspected */
+      goto error;
+    }
  }
  end+= 18;


--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -8032,6 +8032,7 @@ static bool send_server_handshake_packet(MPVIO_EXT *mpvio,
  int2store(end + 3, mpvio->server_status[0]);
  int2store(end + 5, mpvio->client_capabilities >> 16);
  end[7]= data_len;
+  DBUG_EXECUTE_IF("poison_srv_handshake_scramble_len", end[7]= -100;);
  bzero(end + 8, 10);
  end+= 18;
  /* write scramble tail */