Commit 8af12677 authored by unknown's avatar unknown

Bug#17583: mysql drops connection when stdout is not writable

When the client program had its stdout file descriptor closed by the calling
shell, after some amount of work (enough to fill a socket buffer) the server 
would complain about a packet error and then disconnect the client.

This is a serious security problem.  If stdout is closed before the mysql is
exec()d, then the first socket() call allocates file number 1 to communicate
with the server.  Subsequent write()s to that file number (as when printing
results that come back from the database) go back to the server instead in 
the command channel.  So, one should be able to craft data which, upon being
selected back from the server to the client, and injected into the command
stream become valid MySQL protocol to do something nasty when sent /back/ to 
the server.

The solution is to close explicitly the file descriptor that we *printf() to, 
so that the libc layer and the OS layer both agree that the file is closed.


BitKeeper/etc/collapsed:
  BitKeeper file /home/cmiller/work/mysql/bug17583/my41-bug17583/BitKeeper/etc/collapsed
client/mysql.cc:
  If standard output is not open (specifically, if dup() of its file number 
  fails) then we explicitly close it so that future uses of the file descriptor
  behave correctly for a closed file.
mysql-test/r/mysql_client.result:
  Prove that the problem of writing SQL output to the command socket no longer
  exists.
mysql-test/t/mysql_client.test:
  Prove that the problem of writing SQL output to the command socket no longer
  exists.
parent f097517d
452a92d0-31-8wSzSfZi165fcGcXPA
......@@ -372,6 +372,21 @@ int main(int argc,char *argv[])
else
status.add_to_history=1;
status.exit_status=1;
{
/*
The file descriptor-layer may be out-of-sync with the file-number layer,
so we make sure that "stdout" is really open. If its file is closed then
explicitly close the FD layer.
*/
int stdout_fileno_copy;
stdout_fileno_copy= dup(fileno(stdout)); /* Okay if fileno fails. */
if (stdout_fileno_copy == -1)
fclose(stdout);
else
close(stdout_fileno_copy); /* Clean up dup(). */
}
load_defaults("my",load_default_groups,&argc,&argv);
defaults_argv=argv;
if (get_options(argc, (char **) argv))
......
......@@ -2,3 +2,17 @@
1
ERROR 1064 (42000) at line 3: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
ERROR at line 1: USE must be followed by a database name
create table t17583 (a int);
insert into t17583 (a) values (0),(1),(2),(3),(4),(5),(6),(7),(8),(9);
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
select count(*) from t17583;
count(*)
1280
drop table t17583;
End of 4.1 tests.
......@@ -33,3 +33,22 @@
#
--exec echo 'help' | $MYSQL > $MYSQLTEST_VARDIR/tmp/bug20328.tmp
--exec echo 'help ' | $MYSQL > $MYSQLTEST_VARDIR/tmp/bug20328.tmp
#
# Bug#17583: mysql drops connection when stdout is not writable
#
create table t17583 (a int);
insert into t17583 (a) values (0),(1),(2),(3),(4),(5),(6),(7),(8),(9);
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
insert into t17583 select a from t17583;
# Close to the minimal data needed to exercise bug.
select count(*) from t17583;
--exec echo "select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; select count(*) from t17583; " |$MYSQL test >&-
drop table t17583;
--echo End of 4.1 tests.
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment