author | Sinisa@sinisa.nasamreza.org <> | 2002-12-04 16:13:32 +0200 |
---|---|---|
committer | Sinisa@sinisa.nasamreza.org <> | 2002-12-04 16:13:32 +0200 |
commit | cb6d9e0c8816b82f9f37e62983f5cd07518c36b2 (patch) | |
tree | c0a4f6e0ed608f589f253fcc30051ee8dd219915 | |
parent | 7a10ed6d8376f7beb7fb427a528aa578ce97adc8 (diff) | |
parent | 9e61e636be4996a9b2c69959bac9ea06c28dd3d7 (diff) | |
download | mariadb-git-cb6d9e0c8816b82f9f37e62983f5cd07518c36b2.tar.gz |
Merge sinisa@work.mysql.com:/home/bk/mysql
into sinisa.nasamreza.org:/mnt/work/mysql
-rw-r--r-- | libmysql/libmysql.c | 12 | ||||
-rw-r--r-- | sql/sql_parse.cc | 8 |
2 files changed, 14 insertions, 6 deletions
diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c
index bab6d304094..3c1353e0088 100644
--- a/libmysql/libmysql.c
+++ b/libmysql/libmysql.c
@@ -307,7 +307,7 @@ net_safe_read(MYSQL *mysql)
 DBUG_PRINT("error",("Wrong connection or packet. fd: %s len: %d",
 vio_description(net->vio),len));
 end_server(mysql);
- net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ?
+ net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ?
 CR_NET_PACKET_TOO_LARGE:
 CR_SERVER_LOST);
 strmov(net->last_error,ER(net->last_errno));
@@ -891,7 +891,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
 uint field,pkt_len;
 ulong len;
 uchar *cp;
- char *to;
+ char *to, *end_to;
 MYSQL_DATA *result;
 MYSQL_ROWS **prev_ptr,*cur;
 NET *net = &mysql->net;
@@ -929,6 +929,7 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
 *prev_ptr=cur;
 prev_ptr= &cur->next;
 to= (char*) (cur->data+fields+1);
+ end_to=to+pkt_len-1;
 for (field=0 ; field < fields ; field++)
 {
 if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH)
@@ -938,6 +939,13 @@ static MYSQL_DATA *read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
 else
 {
 cur->data[field] = to;
+ if (to+len > end_to)
+ {
+ free_rows(result);
+ net->last_errno=CR_UNKNOWN_ERROR;
+ strmov(net->last_error,ER(net->last_errno));
+ DBUG_RETURN(0);
+ }
 memcpy(to,(char*) cp,len); to[len]=0; to+=len+1; cp+=len;
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 1803568f880..ddbc34b2c7e 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -109,6 +109,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
 NET *net= &thd->net;
 thd->db=0;
+ if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+ return 1;
 if (!(thd->user = my_strdup(user, MYF(0))))
 {
 send_error(net,ER_OUT_OF_RESOURCES);
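Review bot: The new `end_to=to+pkt_len-1;` in the read_rows hunk at -929 has no comment explaining the `-1` or what makes `pkt_len` the right size. The bound is only correct if the row buffer allocated above the hunk (not visible here) holds `pkt_len` bytes after the pointer array. I would add `/* end_to: last byte of the row buffer; the NUL written by to[len]=0 may land here but not beyond */` and name the allocation it depends on. read_rows starts and ends outside the hunk.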
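Review bot: The guard `if (to+len > end_to)` in the read_rows hunk at -938 forms the pointer `to+len` before comparing, and `len` comes straight from `net_field_length(&cp)`, i.e. from the packet. A very large length can carry that sum past the end of the address range, so the comparison passes and the `memcpy` below still runs. Comparing lengths avoids the wraparound: `if (len > (ulong) (end_to - to))`. The check also bounds only the destination; nothing in the hunk confirms that `cp+len` stays inside the received packet, which looks worth a matching test. read_rows starts and ends outside the hunk.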
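Review bot: The length check added to check_user returns 1 without calling `send_error`, unlike the out-of-memory path a few lines below it. Unless the callers (not visible here) report the failure themselves, the client gets no error packet and the rejected login leaves no trace. I would write it as `{ send_error(net,ER_HANDSHAKE_ERROR); return 1; }`, reusing the code the old check in check_connections returned. A comment such as `/* scrambled password must be empty or exactly SCRAMBLE_LENGTH bytes */` would record why the test sits here. check_user's body continues past the hunk.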
@@ -458,8 +460,6 @@ check_connections(THD *thd)
 char *user= (char*) net->read_pos+5;
 char *passwd= strend(user)+1;
 char *db=0;
- if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
- return ER_HANDSHAKE_ERROR;
 if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
 db=strend(passwd)+1;
 if (thd->client_capabilities & CLIENT_INTERACTIVE)
@@ -768,8 +768,8 @@ bool do_command(THD *thd)
 thread_safe_increment(com_other,&LOCK_thread_count);
 slow_command = TRUE;
 char* data = packet + 1;
- uint db_len = *data;
- uint tbl_len = *(data + db_len + 1);
+ uint db_len = *(uchar *)data;
+ uint tbl_len = *(uchar *)(data + db_len + 1);
 char* db = sql_alloc(db_len + tbl_len + 2);
 memcpy(db, data + 1, db_len);
 char* tbl_name = db + db_len; |
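Review bot: In the do_command hunk, `db_len` and `tbl_len` are still taken from the packet without being compared with the number of bytes actually received; the `uchar` cast only removes the sign extension. `*(uchar *)(data + db_len + 1)` and the following `memcpy(db, data + 1, db_len)` can therefore read past the end of a short packet. A guard before the second read would close that: reject the command when `db_len + 2 > DATA_LEN`, and again when `db_len + tbl_len + 2 > DATA_LEN` (DATA_LEN is a placeholder for the bytes available at `data`, which this hunk does not show). The result of `sql_alloc` is also used without a NULL check. do_command starts and ends outside the hunk.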