mirror/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-01-17 04:22:27 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

protocol safety fix:

Browse source 
before strlen(db) we need to be sure that
db lies within packet boundaries.
same for client_plugin.
This commit is contained in:
Sergei Golubchik 2011-07-08 00:13:24 +02:00
parent 46465327e7
commit 7e518f8360
1 changed files with 7 additions and 14 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
sql/sql_acl.cc
View file

@ -7565,21 +7565,15 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
(uchar)(*passwd++) : strlen(passwd);
if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
{
db= db + passwd_len + 1;
/* strlen() can't be easily deleted without changing protocol */
db_len= strlen(db);
}
else
{
db= 0;
db_len= 0;
}
db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
db + passwd_len + 1 : 0;
if (passwd + passwd_len + db_len > (char *)net->read_pos + pkt_len)
if (passwd + passwd_len + test(db) > (char *)net->read_pos + pkt_len)
return packet_error;
/* strlen() can't be easily deleted without changing protocol */
db_len= db ? strlen(db) : 0;
char *client_plugin= passwd + passwd_len + (db ? db_len + 1 : 0);
/* Since 4.1 all database names are stored in utf8 */
@ -7646,8 +7640,7 @@ static ulong parse_client_handshake_packet(MPVIO_EXT *mpvio,
if (thd->client_capabilities & CLIENT_PLUGIN_AUTH)
{
if ((client_plugin + strlen(client_plugin)) >
(char *)net->read_pos + pkt_len)
if (client_plugin >= (char *)net->read_pos + pkt_len)
return packet_error;
client_plugin= fix_plugin_ptr(client_plugin);
}