Commit 6cc5fd2f authored by Sergei Golubchik's avatar Sergei Golubchik

protocol safety fix:

before strlen(db) we need to be sure that
db lies within packet boundaries.
same for client_plugin.
parent 5da0d016
...@@ -7565,21 +7565,15 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio, ...@@ -7565,21 +7565,15 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ? uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
(uchar)(*passwd++) : strlen(passwd); (uchar)(*passwd++) : strlen(passwd);
if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB) db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
{ db + passwd_len + 1 : 0;
db= db + passwd_len + 1;
/* strlen() can't be easily deleted without changing protocol */
db_len= strlen(db);
}
else
{
db= 0;
db_len= 0;
}
if (passwd + passwd_len + db_len > (char *)net->read_pos + pkt_len) if (passwd + passwd_len + test(db) > (char *)net->read_pos + pkt_len)
return packet_error; return packet_error;
/* strlen() can't be easily deleted without changing protocol */
db_len= db ? strlen(db) : 0;
char *client_plugin= passwd + passwd_len + (db ? db_len + 1 : 0); char *client_plugin= passwd + passwd_len + (db ? db_len + 1 : 0);
/* Since 4.1 all database names are stored in utf8 */ /* Since 4.1 all database names are stored in utf8 */
...@@ -7646,8 +7640,7 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio, ...@@ -7646,8 +7640,7 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
if (thd->client_capabilities & CLIENT_PLUGIN_AUTH) if (thd->client_capabilities & CLIENT_PLUGIN_AUTH)
{ {
if ((client_plugin + strlen(client_plugin)) > if (client_plugin >= (char *)net->read_pos + pkt_len)
(char *)net->read_pos + pkt_len)
return packet_error; return packet_error;
client_plugin= fix_plugin_ptr(client_plugin); client_plugin= fix_plugin_ptr(client_plugin);
} }
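Review bot: The new bounds check in the first hunk, `if (passwd + passwd_len + test(db) > (char *)net->read_pos + pkt_len)`, forms the pointer before comparing it, and passwd_len is a client-supplied byte (or a strlen(passwd) whose own bound is not visible here), so the sum can already point past the packet buffer when the comparison runs; pointer arithmetic outside the object is undefined and a compiler may fold such a comparison. Compare remaining length instead, e.g. `if (passwd_len + test(db) > (size_t)((char *)net->read_pos + pkt_len - passwd))`, which assumes passwd itself was validated against the packet end earlier in the function (that code is outside the hunk). The added `db_len= db ? strlen(db) : 0;` and the second hunk's `client_plugin >= (char *)net->read_pos + pkt_len` check both appear to rely on net->read_pos[pkt_len] being a NUL terminator so that strlen() cannot run past the packet; that invariant is not visible here, so a comment such as `/* net->read_pos[pkt_len] is always 0, so strlen() stops inside the packet */` above db_len would make the safety argument explicit (confirm against the net layer). parse_client_handshake_packet starts and ends outside both hunks.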