Commit c1585aea authored by unknown's avatar unknown

Bug #28984: crasher on connect with out of range password length in \

	protocol

One could send a malformed packet that caused the server to SEGV.  In 
recent versions of the password protocol, the client tells the server 
what length the ciphertext is (almost always 20).  If that length was
large enough to overflow a signed char, then the number would jump to 
very large after being casted to unsigned int.

Instead, cast the *passwd char to uchar. 



sql/sql_parse.cc:
  Cast *passwd to get rid of the sign, so that sign extension doesn't
  cause the sequence 125, 126, 127, 4294967169, 4294967170.
parent bc23584b
...@@ -909,9 +909,12 @@ static int check_connection(THD *thd) ...@@ -909,9 +909,12 @@ static int check_connection(THD *thd)
Old clients send null-terminated string as password; new clients send Old clients send null-terminated string as password; new clients send
the size (1 byte) + string (not null-terminated). Hence in case of empty the size (1 byte) + string (not null-terminated). Hence in case of empty
password both send '\0'. password both send '\0'.
Cast *passwd to an unsigned char, so that it doesn't extend the sign for
*passwd > 127 and become 2**32-127 after casting to uint.
*/ */
uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ? uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
*passwd++ : strlen(passwd); (uchar)(*passwd++) : strlen(passwd);
db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ? db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
db + passwd_len + 1 : 0; db + passwd_len + 1 : 0;
uint db_len= db ? strlen(db) : 0; uint db_len= db ? strlen(db) : 0;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment