protocol safety fix:

before strlen(db) we need to be sure that db lies within packet boundaries. same for client_plugin.

protocol safety fix:
before strlen(db) we need to be sure that db lies within packet boundaries. same for client_plugin.
7e518f83 · Sergei Golubchik · 46465327 · 7e518f83
Commit 7e518f83 authored Jul 08, 2011 by Sergei Golubchik
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 14 deletions

sql/sql_acl.cc sql/sql_acl.cc +7 -14

No files found.
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -7565,21 +7565,15 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
  uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
                   (uchar)(*passwd++) : strlen(passwd);

-  if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
-  {
-    db= db + passwd_len + 1;
-    /* strlen() can't be easily deleted without changing protocol */
-    db_len= strlen(db);
-  }
-  else
-  {
-    db= 0;
-    db_len= 0;
-  }
+  db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
+    db + passwd_len + 1 : 0;

-  if (passwd + passwd_len + db_len > (char *)net->read_pos + pkt_len)
+  if (passwd + passwd_len + test(db) > (char *)net->read_pos + pkt_len)
    return packet_error;

+  /* strlen() can't be easily deleted without changing protocol */
+  db_len= db ? strlen(db) : 0;
+
  char *client_plugin= passwd + passwd_len + (db ? db_len + 1 : 0);

  /* Since 4.1 all database names are stored in utf8 */
@@ -7646,8 +7640,7 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,

  if (thd->client_capabilities & CLIENT_PLUGIN_AUTH)
  {
-    if ((client_plugin + strlen(client_plugin)) > 
-          (char *)net->read_pos + pkt_len)
+    if (client_plugin >= (char *)net->read_pos + pkt_len)
      return packet_error;
    client_plugin= fix_plugin_ptr(client_plugin);
  }