Bug#33814 - yassl problems

extra/yassl/src/handshake.cpp

@@ -527,6 +527,11 @@ void ProcessOldClientHello(input_buffer& input, SSL& ssl)
     input.read(len, sizeof(len));
     uint16 randomLen;
     ato16(len, randomLen);
+    if (ch.suite_len_ > MAX_SUITE_SZ || sessionLen > ID_LEN ||
+        randomLen > RAN_LEN) {
+        ssl.SetError(bad_input);
+        return;
+    }
 
     int j = 0;
     for (uint16 i = 0; i < ch.suite_len_; i += 3) {    

extra/yassl/src/template_instnt.cpp

@@ -101,6 +101,7 @@ template void ysArrayDelete<unsigned char>(unsigned char*);
 template void ysArrayDelete<char>(char*);
 
 template int min<int>(int, int);
+template uint16 min<uint16>(uint16, uint16);
 template unsigned int min<unsigned int>(unsigned int, unsigned int);
 template unsigned long min<unsigned long>(unsigned long, unsigned long);
 }

extra/yassl/src/yassl_imp.cpp

@@ -621,6 +621,10 @@ void HandShakeHeader::Process(input_buffer& input, SSL& ssl)
     }
 
     uint len = c24to32(length_);
+    if (len > input.get_remaining()) {
+        ssl.SetError(bad_input);
+        return;
+    }
     hashHandShake(ssl, input, len);
 
     hs->set_length(len);
@@ -1391,10 +1395,15 @@ input_buffer& operator>>(input_buffer& input, ClientHello& hello)
     
     // Suites
     byte tmp[2];
+    uint16 len;
     tmp[0] = input[AUTO];
     tmp[1] = input[AUTO];
-    ato16(tmp, hello.suite_len_);
+    ato16(tmp, len);
+
+    hello.suite_len_ = min(len, static_cast<uint16>(MAX_SUITE_SZ));
     input.read(hello.cipher_suites_, hello.suite_len_);
+    if (len > hello.suite_len_) // ignore extra suites
+        input.set_current(input.get_current() + len -  hello.suite_len_);
 
     // Compression
     hello.comp_len_ = input[AUTO];

mysql-test/r/bdb_notembedded.result

-set autocommit=1;
-reset master;
-create table bug16206 (a int);
-insert into bug16206 values(1);
-start transaction;
-insert into bug16206 values(2);
-commit;
-show binlog events;
-Log_name	Pos	Event_type	Server_id	End_log_pos	Info
-f	n	Format_desc	1	n	Server ver: VERSION, Binlog ver: 4
-f	n	Query	1	n	use `test`; create table bug16206 (a int)
-f	n	Query	1	n	use `test`; insert into bug16206 values(1)
-f	n	Query	1	n	use `test`; insert into bug16206 values(2)
-drop table bug16206;
-reset master;
-create table bug16206 (a int) engine=         bdb;
-insert into bug16206 values(0);
-insert into bug16206 values(1);
-start transaction;
-insert into bug16206 values(2);
-commit;
-insert into bug16206 values(3);
-show binlog events;
-Log_name	Pos	Event_type	Server_id	End_log_pos	Info
-f	n	Format_desc	1	n	Server ver: VERSION, Binlog ver: 4
-f	n	Query	1	n	use `test`; create table bug16206 (a int) engine=         bdb
-f	n	Query	1	n	use `test`; insert into bug16206 values(0)
-f	n	Query	1	n	use `test`; insert into bug16206 values(1)
-f	n	Query	1	n	use `test`; BEGIN
-f	n	Query	1	n	use `test`; insert into bug16206 values(2)
-f	n	Query	1	n	use `test`; COMMIT
-f	n	Query	1	n	use `test`; insert into bug16206 values(3)
-drop table bug16206;
-set autocommit=0;
-End of 5.0 tests

mysql-test/t/bdb_notembedded.test

--- source include/not_embedded.inc
--- source include/have_bdb.inc
-
-#
-# Bug #16206: Superfluous COMMIT event in binlog when updating BDB in autocommit mode
-#
-set autocommit=1;
-
-let $VERSION=`select version()`;
-
-reset master;
-create table bug16206 (a int);
-insert into bug16206 values(1);
-start transaction;
-insert into bug16206 values(2);
-commit;
---replace_result $VERSION VERSION
---replace_column 1 f 2 n 5 n
-show binlog events;
-drop table bug16206;
-
-reset master;
-create table bug16206 (a int) engine=         bdb;
-insert into bug16206 values(0);
-insert into bug16206 values(1);
-start transaction;
-insert into bug16206 values(2);
-commit;
-insert into bug16206 values(3);
---replace_result $VERSION VERSION
---replace_column 1 f 2 n 5 n
-show binlog events;
-drop table bug16206;
-
-set autocommit=0;
-
-
---echo End of 5.0 tests