• unknown's avatar
    Bug#17583: mysql drops connection when stdout is not writable · 8af12677
    unknown authored
    When the client program had its stdout file descriptor closed by the calling
    shell, after some amount of work (enough to fill a socket buffer) the server 
    would complain about a packet error and then disconnect the client.
    
    This is a serious security problem.  If stdout is closed before the mysql is
    exec()d, then the first socket() call allocates file number 1 to communicate
    with the server.  Subsequent write()s to that file number (as when printing
    results that come back from the database) go back to the server instead in 
    the command channel.  So, one should be able to craft data which, upon being
    selected back from the server to the client, and injected into the command
    stream become valid MySQL protocol to do something nasty when sent /back/ to 
    the server.
    
    The solution is to close explicitly the file descriptor that we *printf() to, 
    so that the libc layer and the OS layer both agree that the file is closed.
    
    
    BitKeeper/etc/collapsed:
      BitKeeper file /home/cmiller/work/mysql/bug17583/my41-bug17583/BitKeeper/etc/collapsed
    client/mysql.cc:
      If standard output is not open (specifically, if dup() of its file number 
      fails) then we explicitly close it so that future uses of the file descriptor
      behave correctly for a closed file.
    mysql-test/r/mysql_client.result:
      Prove that the problem of writing SQL output to the command socket no longer
      exists.
    mysql-test/t/mysql_client.test:
      Prove that the problem of writing SQL output to the command socket no longer
      exists.
    8af12677
mysql.cc 95.3 KB