merge mysql-5.0-secrutiy-fixed -> mysql-5.0

54e3e6d3 · Georgi Kodinov · e53ffb8f · 779c42dd · 54e3e6d3 · 54e3e6d3
Commit 54e3e6d3 authored Mar 09, 2011 by Georgi Kodinov
6 changed files
--- a/mysql-test/r/grant.result
+++ b/mysql-test/r/grant.result
@@ -1230,4 +1230,197 @@ DROP DATABASE mysqltest2;
 DROP USER testuser@localhost;
 use test;

+#
+# Test for bug #36544 "DROP USER does not remove stored function
+#                      privileges".
+#
+create database mysqltest1;
+create function mysqltest1.f1() returns int return 0;
+create procedure mysqltest1.p1() begin end;
+#
+# 1) Check that DROP USER properly removes privileges on both
+#    stored procedures and functions.
+#
+create user mysqluser1@localhost;
+grant execute on function mysqltest1.f1 to mysqluser1@localhost;
+grant execute on procedure mysqltest1.p1 to mysqluser1@localhost;
+# Quick test that granted privileges are properly reflected
+# in privilege tables and in in-memory structures.
+show grants for mysqluser1@localhost;
+Grants for mysqluser1@localhost
+GRANT USAGE ON *.* TO 'mysqluser1'@'localhost'
+GRANT EXECUTE ON PROCEDURE `mysqltest1`.`p1` TO 'mysqluser1'@'localhost'
+GRANT EXECUTE ON FUNCTION `mysqltest1`.`f1` TO 'mysqluser1'@'localhost'
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+db	routine_name	routine_type	proc_priv
+mysqltest1	f1	FUNCTION	Execute
+mysqltest1	p1	PROCEDURE	Execute
+#
+# Create connection 'bug_36544_con1' as 'mysqluser1@localhost'.
+call mysqltest1.p1();
+select mysqltest1.f1();
+mysqltest1.f1()
+0
+#
+# Switch to connection 'default'.
+drop user mysqluser1@localhost;
+#
+# Test that dropping of user is properly reflected in
+# both privilege tables and in in-memory structures.
+#
+# Switch to connection 'bug36544_con1'.
+# The connection cold be alive but should not be able to
+# access to any of the stored routines.
+call mysqltest1.p1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.p1'
+select mysqltest1.f1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.f1'
+#
+# Switch to connection 'default'.
+#
+# Now create user with the same name and check that he
+# has not inherited privileges.
+create user mysqluser1@localhost;
+show grants for mysqluser1@localhost;
+Grants for mysqluser1@localhost
+GRANT USAGE ON *.* TO 'mysqluser1'@'localhost'
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+db	routine_name	routine_type	proc_priv
+#
+# Create connection 'bug_36544_con2' as 'mysqluser1@localhost'.
+# Newly created user should not be able to access any of the routines.
+call mysqltest1.p1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.p1'
+select mysqltest1.f1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.f1'
+#
+# Switch to connection 'default'.
+#
+# 2) Check that RENAME USER properly updates privileges on both
+#    stored procedures and functions.
+#
+grant execute on function mysqltest1.f1 to mysqluser1@localhost;
+grant execute on procedure mysqltest1.p1 to mysqluser1@localhost;
+#
+# Create one more user to make in-memory hashes non-trivial.
+# User names 'mysqluser11' and 'mysqluser10' were selected
+# to trigger bug discovered during code inspection.
+create user mysqluser11@localhost;
+grant execute on function mysqltest1.f1 to mysqluser11@localhost;
+grant execute on procedure mysqltest1.p1 to mysqluser11@localhost;
+# Also create a couple of tables to test for another bug
+# discovered during code inspection (again table names were
+# chosen especially to trigger the bug).
+create table mysqltest1.t11 (i int);
+create table mysqltest1.t22 (i int);
+grant select on mysqltest1.t22 to mysqluser1@localhost;
+grant select on mysqltest1.t11 to mysqluser1@localhost;
+# Quick test that granted privileges are properly reflected
+# in privilege tables and in in-memory structures.
+show grants for mysqluser1@localhost;
+Grants for mysqluser1@localhost
+GRANT USAGE ON *.* TO 'mysqluser1'@'localhost'
+GRANT SELECT ON `mysqltest1`.`t11` TO 'mysqluser1'@'localhost'
+GRANT SELECT ON `mysqltest1`.`t22` TO 'mysqluser1'@'localhost'
+GRANT EXECUTE ON PROCEDURE `mysqltest1`.`p1` TO 'mysqluser1'@'localhost'
+GRANT EXECUTE ON FUNCTION `mysqltest1`.`f1` TO 'mysqluser1'@'localhost'
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+db	routine_name	routine_type	proc_priv
+mysqltest1	f1	FUNCTION	Execute
+mysqltest1	p1	PROCEDURE	Execute
+select db, table_name, table_priv from mysql.tables_priv where user='mysqluser1' and host='localhost';
+db	table_name	table_priv
+mysqltest1	t11	Select
+mysqltest1	t22	Select
+#
+# Switch to connection 'bug36544_con2'.
+call mysqltest1.p1();
+select mysqltest1.f1();
+mysqltest1.f1()
+0
+select * from mysqltest1.t11;
+i
+select * from mysqltest1.t22;
+i
+#
+# Switch to connection 'default'.
+rename user mysqluser1@localhost to mysqluser10@localhost;
+#
+# Test that there are no privileges left for mysqluser1.
+#
+# Switch to connection 'bug36544_con2'.
+# The connection cold be alive but should not be able to
+# access to any of the stored routines or tables.
+call mysqltest1.p1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.p1'
+select mysqltest1.f1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.f1'
+select * from mysqltest1.t11;
+ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 't11'
+select * from mysqltest1.t22;
+ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 't22'
+#
+# Switch to connection 'default'.
+#
+# Now create user with the old name and check that he
+# has not inherited privileges.
+create user mysqluser1@localhost;
+show grants for mysqluser1@localhost;
+Grants for mysqluser1@localhost
+GRANT USAGE ON *.* TO 'mysqluser1'@'localhost'
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+db	routine_name	routine_type	proc_priv
+select db, table_name, table_priv from mysql.tables_priv where user='mysqluser1' and host='localhost';
+db	table_name	table_priv
+#
+# Create connection 'bug_36544_con3' as 'mysqluser1@localhost'.
+# Newly created user should not be able to access to any of the
+# stored routines or tables.
+call mysqltest1.p1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.p1'
+select mysqltest1.f1();
+ERROR 42000: execute command denied to user 'mysqluser1'@'localhost' for routine 'mysqltest1.f1'
+select * from mysqltest1.t11;
+ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 't11'
+select * from mysqltest1.t22;
+ERROR 42000: SELECT command denied to user 'mysqluser1'@'localhost' for table 't22'
+#
+# Switch to connection 'default'.
+#
+# Now check that privileges became associated with a new user
+# name - mysqluser10.
+#
+show grants for mysqluser10@localhost;
+Grants for mysqluser10@localhost
+GRANT USAGE ON *.* TO 'mysqluser10'@'localhost'
+GRANT SELECT ON `mysqltest1`.`t22` TO 'mysqluser10'@'localhost'
+GRANT SELECT ON `mysqltest1`.`t11` TO 'mysqluser10'@'localhost'
+GRANT EXECUTE ON PROCEDURE `mysqltest1`.`p1` TO 'mysqluser10'@'localhost'
+GRANT EXECUTE ON FUNCTION `mysqltest1`.`f1` TO 'mysqluser10'@'localhost'
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser10' and host='localhost';
+db	routine_name	routine_type	proc_priv
+mysqltest1	f1	FUNCTION	Execute
+mysqltest1	p1	PROCEDURE	Execute
+select db, table_name, table_priv from mysql.tables_priv where user='mysqluser10' and host='localhost';
+db	table_name	table_priv
+mysqltest1	t11	Select
+mysqltest1	t22	Select
+#
+# Create connection 'bug_36544_con4' as 'mysqluser10@localhost'.
+call mysqltest1.p1();
+select mysqltest1.f1();
+mysqltest1.f1()
+0
+select * from mysqltest1.t11;
+i
+select * from mysqltest1.t22;
+i
+#
+# Switch to connection 'default'.
+#
+# Clean-up.
+drop user mysqluser1@localhost;
+drop user mysqluser10@localhost;
+drop user mysqluser11@localhost;
+drop database mysqltest1;
 End of 5.0 tests
--- a/mysql-test/suite/funcs_1/r/innodb_storedproc_06.result
+++ b/mysql-test/suite/funcs_1/r/innodb_storedproc_06.result
@@ -131,10 +131,6 @@ root@localhost	db_storedproc_1
 drop user 'user_1'@'localhost';
 DROP PROCEDURE sp3;
 DROP FUNCTION fn1;
-Warnings:
-Error	1133	Can't find any matching row in the user table
-Error	1269	Can't revoke all privileges for one or more of the requested users
-Warning	1405	Failed to revoke all privileges to dropped routine

 Testcase 3.1.6.4:
 -----------------

--- a/mysql-test/suite/funcs_1/r/memory_storedproc_06.result
+++ b/mysql-test/suite/funcs_1/r/memory_storedproc_06.result
@@ -131,10 +131,6 @@ root@localhost	db_storedproc_1
 drop user 'user_1'@'localhost';
 DROP PROCEDURE sp3;
 DROP FUNCTION fn1;
-Warnings:
-Error	1133	Can't find any matching row in the user table
-Error	1269	Can't revoke all privileges for one or more of the requested users
-Warning	1405	Failed to revoke all privileges to dropped routine

 Testcase 3.1.6.4:
 -----------------

--- a/mysql-test/suite/funcs_1/r/myisam_storedproc_06.result
+++ b/mysql-test/suite/funcs_1/r/myisam_storedproc_06.result
@@ -131,10 +131,6 @@ root@localhost	db_storedproc_1
 drop user 'user_1'@'localhost';
 DROP PROCEDURE sp3;
 DROP FUNCTION fn1;
-Warnings:
-Error	1133	Can't find any matching row in the user table
-Error	1269	Can't revoke all privileges for one or more of the requested users
-Warning	1405	Failed to revoke all privileges to dropped routine

 Testcase 3.1.6.4:
 -----------------

--- a/mysql-test/t/grant.test
+++ b/mysql-test/t/grant.test
@@ -1267,6 +1267,183 @@ DROP USER testuser@localhost;
 use test;
 --echo

+
+--echo #
+--echo # Test for bug #36544 "DROP USER does not remove stored function
+--echo #                      privileges".
+--echo #
+create database mysqltest1;
+create function mysqltest1.f1() returns int return 0;
+create procedure mysqltest1.p1() begin end;
+--echo #
+--echo # 1) Check that DROP USER properly removes privileges on both
+--echo #    stored procedures and functions.
+--echo #
+create user mysqluser1@localhost;
+grant execute on function mysqltest1.f1 to mysqluser1@localhost;
+grant execute on procedure mysqltest1.p1 to mysqluser1@localhost;
+
+--echo # Quick test that granted privileges are properly reflected
+--echo # in privilege tables and in in-memory structures.
+show grants for mysqluser1@localhost;
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+--echo #
+--echo # Create connection 'bug_36544_con1' as 'mysqluser1@localhost'.
+--connect (bug36544_con1,localhost,mysqluser1,,)
+call mysqltest1.p1();
+select mysqltest1.f1();
+
+--echo #
+--echo # Switch to connection 'default'.
+--connection default
+drop user mysqluser1@localhost;
+
+--echo #
+--echo # Test that dropping of user is properly reflected in
+--echo # both privilege tables and in in-memory structures.
+--echo #
+--echo # Switch to connection 'bug36544_con1'.
+--connection bug36544_con1
+--echo # The connection cold be alive but should not be able to
+--echo # access to any of the stored routines.
+--error ER_PROCACCESS_DENIED_ERROR
+call mysqltest1.p1();
+--error ER_PROCACCESS_DENIED_ERROR
+select mysqltest1.f1();
+--disconnect bug36544_con1
+
+--echo #
+--echo # Switch to connection 'default'.
+--connection default
+--echo #
+--echo # Now create user with the same name and check that he
+--echo # has not inherited privileges.
+create user mysqluser1@localhost;
+show grants for mysqluser1@localhost;
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+--echo #
+--echo # Create connection 'bug_36544_con2' as 'mysqluser1@localhost'.
+--connect (bug36544_con2,localhost,mysqluser1,,)
+--echo # Newly created user should not be able to access any of the routines.
+--error ER_PROCACCESS_DENIED_ERROR
+call mysqltest1.p1();
+--error ER_PROCACCESS_DENIED_ERROR
+select mysqltest1.f1();
+--echo #
+--echo # Switch to connection 'default'.
+--connection default
+
+--echo #
+--echo # 2) Check that RENAME USER properly updates privileges on both
+--echo #    stored procedures and functions.
+--echo #
+grant execute on function mysqltest1.f1 to mysqluser1@localhost;
+grant execute on procedure mysqltest1.p1 to mysqluser1@localhost;
+--echo #
+--echo # Create one more user to make in-memory hashes non-trivial.
+--echo # User names 'mysqluser11' and 'mysqluser10' were selected
+--echo # to trigger bug discovered during code inspection.
+create user mysqluser11@localhost;
+grant execute on function mysqltest1.f1 to mysqluser11@localhost;
+grant execute on procedure mysqltest1.p1 to mysqluser11@localhost;
+--echo # Also create a couple of tables to test for another bug
+--echo # discovered during code inspection (again table names were
+--echo # chosen especially to trigger the bug).
+create table mysqltest1.t11 (i int);
+create table mysqltest1.t22 (i int);
+grant select on mysqltest1.t22 to mysqluser1@localhost;
+grant select on mysqltest1.t11 to mysqluser1@localhost;
+
+--echo # Quick test that granted privileges are properly reflected
+--echo # in privilege tables and in in-memory structures.
+show grants for mysqluser1@localhost;
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+select db, table_name, table_priv from mysql.tables_priv where user='mysqluser1' and host='localhost';
+--echo #
+--echo # Switch to connection 'bug36544_con2'.
+--connection bug36544_con2
+call mysqltest1.p1();
+select mysqltest1.f1();
+select * from mysqltest1.t11;
+select * from mysqltest1.t22;
+
+--echo #
+--echo # Switch to connection 'default'.
+--connection default
+rename user mysqluser1@localhost to mysqluser10@localhost;
+
+--echo #
+--echo # Test that there are no privileges left for mysqluser1.
+--echo #
+--echo # Switch to connection 'bug36544_con2'.
+--connection bug36544_con2
+--echo # The connection cold be alive but should not be able to
+--echo # access to any of the stored routines or tables.
+--error ER_PROCACCESS_DENIED_ERROR
+call mysqltest1.p1();
+--error ER_PROCACCESS_DENIED_ERROR
+select mysqltest1.f1();
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from mysqltest1.t11;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from mysqltest1.t22;
+--disconnect bug36544_con2
+
+--echo #
+--echo # Switch to connection 'default'.
+--connection default
+--echo #
+--echo # Now create user with the old name and check that he
+--echo # has not inherited privileges.
+create user mysqluser1@localhost;
+show grants for mysqluser1@localhost;
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser1' and host='localhost';
+select db, table_name, table_priv from mysql.tables_priv where user='mysqluser1' and host='localhost';
+--echo #
+--echo # Create connection 'bug_36544_con3' as 'mysqluser1@localhost'.
+--connect (bug36544_con3,localhost,mysqluser1,,)
+--echo # Newly created user should not be able to access to any of the
+--echo # stored routines or tables.
+--error ER_PROCACCESS_DENIED_ERROR
+call mysqltest1.p1();
+--error ER_PROCACCESS_DENIED_ERROR
+select mysqltest1.f1();
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from mysqltest1.t11;
+--error ER_TABLEACCESS_DENIED_ERROR
+select * from mysqltest1.t22;
+--disconnect bug36544_con3
+
+--echo #
+--echo # Switch to connection 'default'.
+--connection default
+--echo #
+--echo # Now check that privileges became associated with a new user
+--echo # name - mysqluser10.
+--echo #
+show grants for mysqluser10@localhost;
+select db, routine_name, routine_type, proc_priv from mysql.procs_priv where user='mysqluser10' and host='localhost';
+select db, table_name, table_priv from mysql.tables_priv where user='mysqluser10' and host='localhost';
+--echo #
+--echo # Create connection 'bug_36544_con4' as 'mysqluser10@localhost'.
+--connect (bug36544_con4,localhost,mysqluser10,,)
+call mysqltest1.p1();
+select mysqltest1.f1();
+select * from mysqltest1.t11;
+select * from mysqltest1.t22;
+--disconnect bug36544_con4
+
+--echo #
+--echo # Switch to connection 'default'.
+--connection default
+--echo #
+--echo # Clean-up.
+drop user mysqluser1@localhost;
+drop user mysqluser10@localhost;
+drop user mysqluser11@localhost;
+drop database mysqltest1;
+
+
 --echo End of 5.0 tests

 disconnect master;

--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
-/* Copyright (C) 2000-2003 MySQL AB
+/* Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -5048,18 +5048,15 @@ static int handle_grant_table(TABLE_LIST *tables, uint table_no, bool drop,
 }


-/*
+/**
  Handle an in-memory privilege structure.

-  SYNOPSIS
-    handle_grant_struct()
-    struct_no                   The number of the structure to handle (0..3).
-    drop                        If user_from is to be dropped.
-    user_from                   The the user to be searched/dropped/renamed.
-    user_to                     The new name for the user if to be renamed,
-                                NULL otherwise.
+  @param struct_no  The number of the structure to handle (0..4).
+  @param drop       If user_from is to be dropped.
+  @param user_from  The the user to be searched/dropped/renamed.
+  @param user_to    The new name for the user if to be renamed, NULL otherwise.

-  DESCRIPTION
+  @note
    Scan through all elements in an in-memory grant structure and apply
    the requested operation.
    Delete from grant structure if drop is true.
@@ -5069,12 +5066,12 @@ static int handle_grant_table(TABLE_LIST *tables, uint table_no, bool drop,
    0 acl_users
    1 acl_dbs
    2 column_priv_hash
-    3 procs_priv_hash
+    3 proc_priv_hash
+    4 func_priv_hash

-  RETURN
-    > 0         At least one element matched.
-    0           OK, but no element matched.
-    -1		Wrong arguments to function
+  @retval > 0  At least one element matched.
+  @retval 0    OK, but no element matched.
+  @retval -1   Wrong arguments to function.
 */

 static int handle_grant_struct(uint struct_no, bool drop,
@@ -5088,6 +5085,7 @@ static int handle_grant_struct(uint struct_no, bool drop,
  ACL_USER *UNINIT_VAR(acl_user);
  ACL_DB *UNINIT_VAR(acl_db);
  GRANT_NAME *UNINIT_VAR(grant_name);
+  HASH *UNINIT_VAR(grant_name_hash);
  DBUG_ENTER("handle_grant_struct");
  DBUG_PRINT("info",("scan struct: %u  search: '%s'@'%s'",
                     struct_no, user_from->user.str, user_from->host.str));
@@ -5104,9 +5102,15 @@ static int handle_grant_struct(uint struct_no, bool drop,
    break;
  case 2:
    elements= column_priv_hash.records;
+    grant_name_hash= &column_priv_hash;
    break;
  case 3:
    elements= proc_priv_hash.records;
+    grant_name_hash= &proc_priv_hash;
+    break;
+  case 4:
+    elements= func_priv_hash.records;
+    grant_name_hash= &func_priv_hash;
    break;
  default:
    return -1;
@@ -5136,16 +5140,13 @@ static int handle_grant_struct(uint struct_no, bool drop,
      break;

    case 2:
-      grant_name= (GRANT_NAME*) hash_element(&column_priv_hash, idx);
-      user= grant_name->user;
-      host= grant_name->host.hostname;
-      break;
-
    case 3:
-      grant_name= (GRANT_NAME*) hash_element(&proc_priv_hash, idx);
+    case 4:
+      grant_name= (GRANT_NAME*) hash_element(grant_name_hash, idx);
      user= grant_name->user;
      host= grant_name->host.hostname;
      break;
+
    default:
      assert(0);
    }
@@ -5176,14 +5177,25 @@ static int handle_grant_struct(uint struct_no, bool drop,
        break;

      case 2:
-        hash_delete(&column_priv_hash, (byte*) grant_name);
-	break;
-
      case 3:
-        hash_delete(&proc_priv_hash, (byte*) grant_name);
+      case 4:
+        hash_delete(grant_name_hash, (byte*) grant_name);
 	break;
      }
      elements--;
+      /*
+        - If we are iterating through an array then we just have moved all
+          elements after the current element one position closer to its head.
+          This means that we have to take another look at the element at
+          current position as it is a new element from the array's tail.
+        - If we are iterating through a hash the current element was replaced
+          with one of elements from the tail. So we also have to take a look
+          at the new element in current position.
+          Note that in our HASH implementation hash_delete() won't move any
+          elements with position after current one to position before the
+          current (i.e. from the tail to the head), so it is safe to continue
+          iteration without re-starting.
+      */
      idx--;
    }
    else if ( user_to )
@@ -5201,22 +5213,41 @@ static int handle_grant_struct(uint struct_no, bool drop,

      case 2:
      case 3:
-        /* 
-          Update the grant structure with the new user name and
-          host name
-        */
-        grant_name->set_user_details(user_to->host.str, grant_name->db,
-                                     user_to->user.str, grant_name->tname,
-                                     TRUE);
-
-        /*
-          Since username is part of the hash key, when the user name
-          is renamed, the hash key is changed. Update the hash to
-          ensure that the position matches the new hash key value
-        */
-        hash_update(&column_priv_hash, (byte*) grant_name,
-                    (byte *) grant_name->hash_key, grant_name->key_length);
-	break;
+      case 4:
+        {
+          /*
+            Save old hash key and its length to be able properly update
+            element position in hash.
+          */
+          char *old_key= grant_name->hash_key;
+          size_t old_key_length= grant_name->key_length;
+
+          /*
+            Update the grant structure with the new user name and host name.
+          */
+          grant_name->set_user_details(user_to->host.str, grant_name->db,
+                                       user_to->user.str, grant_name->tname,
+                                       TRUE);
+
+          /*
+            Since username is part of the hash key, when the user name
+            is renamed, the hash key is changed. Update the hash to
+            ensure that the position matches the new hash key value
+          */
+          hash_update(grant_name_hash, (byte*) grant_name, (byte*) old_key,
+                      old_key_length);
+          /*
+            hash_update() operation could have moved element from the tail
+            of the hash to the current position. So we need to take a look
+            at the element in current position once again.
+            Thanks to the fact that hash_update() for our HASH implementation
+            won't move any elements from the tail of the hash to the positions
+            before the current one (a.k.a. head) it is safe to continue
+            iteration without restarting.
+          */
+          idx--;
+          break;
+        }
      }
    }
    else
@@ -5302,7 +5333,7 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
    }
  }

-  /* Handle procedures table. */
+  /* Handle stored routines table. */
  if ((found= handle_grant_table(tables, 4, drop, user_from, user_to)) < 0)
  {
    /* Handle of table failed, don't touch in-memory array. */
@@ -5319,6 +5350,15 @@ static int handle_grant_data(TABLE_LIST *tables, bool drop,
      if (! drop && ! user_to)
        goto end;
    }
+    /* Handle funcs array. */
+    if (((handle_grant_struct(4, drop, user_from, user_to) && ! result) ||
+         found) && ! result)
+    {
+      result= 1; /* At least one record/element found. */
+      /* If search is requested, we do not need to search further. */
+      if (! drop && ! user_to)
+        goto end;
+    }
  }

  /* Handle tables table. */