diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2018-04-30 23:06:09 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2018-05-01 00:30:17 +0200 |
| commit | fab383aac0a713b48765d0464428199470ae8c0a (patch) | |
| tree | a7eb29a44716bd0a333d48a60502660addc23c20 | |
| parent | a52c46e06935b09ff9219ae7684b5a29394e992b (diff) | |
| download | mariadb-git-fab383aac0a713b48765d0464428199470ae8c0a.tar.gz | |
Use after free in authentication
| -rw-r--r-- | mysql-test/r/connect_debug.result | 5 | ||||
| -rw-r--r-- | mysql-test/t/connect_debug.test | 12 | ||||
| -rw-r--r-- | sql-common/client.c | 4 | ||||
| -rw-r--r-- | sql/sql_acl.cc | 1 |
4 files changed, 20 insertions, 2 deletions
diff --git a/mysql-test/r/connect_debug.result b/mysql-test/r/connect_debug.result new file mode 100644 index 00000000000..0452b238db9 --- /dev/null +++ b/mysql-test/r/connect_debug.result @@ -0,0 +1,5 @@ +set @old_dbug=@@global.debug_dbug; +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/mysql-test/t/connect_debug.test b/mysql-test/t/connect_debug.test new file mode 100644 index 00000000000..299b605b2cd --- /dev/null +++ b/mysql-test/t/connect_debug.test @@ -0,0 +1,12 @@ +source include/have_debug.inc; +set @old_dbug=@@global.debug_dbug; + +# +# use after free if need plugin change and auth aborted +# +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +--error 1 +--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/sql-common/client.c b/sql-common/client.c index b485ebf4f60..00e2877bedb 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -2742,7 +2742,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf) *buf= mysql->net.read_pos; /* was it a request to change plugins ? */ - if (**buf == 254) + if (pkt_len == packet_error || **buf == 254) return (int)packet_error; /* if yes, this plugin shan't continue */ /* @@ -2927,7 +2927,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, compile_time_assert(CR_OK == -1); compile_time_assert(CR_ERROR == 0); - if (res > CR_OK && mysql->net.read_pos[0] != 254) + if (res > CR_OK && (mysql->net.last_errno || mysql->net.read_pos[0] != 254)) { /* the plugin returned an error. write it down in mysql, diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 16358409124..14f34db6ccc 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -8217,6 +8217,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio, const char *client_auth_plugin= ((st_mysql_auth *) (plugin_decl(mpvio->plugin)->info))->client_auth_plugin; + DBUG_EXECUTE_IF("auth_disconnect", { vio_close(net->vio); DBUG_RETURN(1); }); DBUG_ASSERT(client_auth_plugin); /* |