Security bug: password length check should be in check_user, not check_connections(),

otherwise COM_CHANGE_USER is unprotected and can be used for both privilege escalation and buffer overrun

Security bug: password length check should be in check_user, not check_connections(),
otherwise COM_CHANGE_USER is unprotected and can be used for both privilege escalation and buffer overrun
e753fa4d · unknown · b79b6c35 · e753fa4d
Commit e753fa4d authored Dec 04, 2002 by unknown
Show whitespace changes
Inline Side-by-side

Showing with 2 additions and 2 deletions

sql/sql_parse.cc sql/sql_parse.cc +2 -2

No files found.
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -109,6 +109,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
  NET *net= &thd->net;
  thd->db=0;

+  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+    return 1;
  if (!(thd->user = my_strdup(user, MYF(0))))
  {
    send_error(net,ER_OUT_OF_RESOURCES);
@@ -458,8 +460,6 @@ check_connections(THD *thd)
  char *user=   (char*) net->read_pos+5;
  char *passwd= strend(user)+1;
  char *db=0;
-  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
-    return ER_HANDSHAKE_ERROR;
  if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
    db=strend(passwd)+1;
  if (thd->client_capabilities & CLIENT_INTERACTIVE)