Bug#28984: crasher on connect with out of range password length in \

protocol Update for function moved to new file in 5.1. One could send a malformed packet that caused the server to SEGV. In recent versions of the password protocol, the client tells the server what length the ciphertext is (almost always 20). If that length was large enough to overflow a signed char, then the number would jump to very large after being casted to unsigned int. Instead, cast the *passwd char to uchar.

Bug#28984: crasher on connect with out of range password length in \
protocol Update for function moved to new file in 5.1. One could send a malformed packet that caused the server to SEGV. In recent versions of the password protocol, the client tells the server what length the ciphertext is (almost always 20). If that length was large enough to overflow a signed char, then the number would jump to very large after being casted to unsigned int. Instead, cast the *passwd char to uchar.
19b54e39 · cmiller@zippy.cornsilk.net · bccc6ad1 · 19b54e39
Commit 19b54e39 authored Jun 11, 2007 by cmiller@zippy.cornsilk.net
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 1 deletion

sql/sql_connect.cc sql/sql_connect.cc +4 -1

No files found.
--- a/sql/sql_connect.cc
+++ b/sql/sql_connect.cc
@@ -837,9 +837,12 @@ static int check_connection(THD *thd)
    password both send '\0'.

    This strlen() can't be easily deleted without changing protocol.
+
+    Cast *passwd to an unsigned char, so that it doesn't extend the sign for
+    *passwd > 127 and become 2**32-127+ after casting to uint.
  */
  uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
-    *passwd++ : strlen(passwd);
+    (uchar)(*passwd++) : strlen(passwd);
  db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
    db + passwd_len + 1 : 0;
  /* strlen() can't be easily deleted without changing protocol */