Bug #28984: crasher on connect with out of range password length in \

protocol One could send a malformed packet that caused the server to SEGV. In recent versions of the password protocol, the client tells the server what length the ciphertext is (almost always 20). If that length was large enough to overflow a signed char, then the number would jump to very large after being casted to unsigned int. Instead, cast the *passwd char to uchar.
2025-01-31 11:01:52 +01:00 · 2007-06-08 16:10:53 -04:00 · 2007-06-08 16:10:53 -04:00 · 4584ac2c73
commit 4584ac2c73
parent 75802339b2
1 changed files with 4 additions and 1 deletions
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@ -909,9 +909,12 @@ static int check_connection(THD *thd)
    Old clients send null-terminated string as password; new clients send
    the size (1 byte) + string (not null-terminated). Hence in case of empty
    password both send '\0'.
+
+    Cast *passwd to an unsigned char, so that it doesn't extend the sign for
+    *passwd > 127 and become 2**32-127 after casting to uint.
  */
  uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
-    *passwd++ : strlen(passwd);
+    (uchar)(*passwd++) : strlen(passwd);
  db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
    db + passwd_len + 1 : 0;
  uint db_len= db ? strlen(db) : 0;