authorunknown <serg@serg.mysql.com>2002-12-04 00:27:09 +0100
committerunknown <serg@serg.mysql.com>2002-12-04 00:27:09 +0100
commite753fa4d8d30976b0c4a7ca68bd81b3a11bba06b (patch)
tree16335efdcf86d2d7e4bc5940f3a9fa7861b8f48b
parentb79b6c357d1c4a1f952ff5b97580e9ca01bf8ec9 (diff)
downloadmariadb-git-e753fa4d8d30976b0c4a7ca68bd81b3a11bba06b.tar.gz
Security bug: password length check should be in check_user, not check_connections(),
otherwise COM_CHANGE_USER is unprotected and can be used for both privilege escalation and buffer overrun
-rw-r--r--sql/sql_parse.cc4
1 files changed, 2 insertions, 2 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 1803568f880..fe7e98c7028 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -109,6 +109,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
NET *net= &thd->net;
thd->db=0;
+ if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
+ return 1;
if (!(thd->user = my_strdup(user, MYF(0))))
{
send_error(net,ER_OUT_OF_RESOURCES);
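Review bot: The added length check returns 1 without reporting anything to the client, while the neighbouring failure path in the same function calls send_error(net, ...) before returning, and the check it replaces in check_connections() yielded ER_HANDSHAKE_ERROR; a client that sends a malformed scramble now sees the connection or COM_CHANGE_USER fail with no error packet, which also makes the rejection harder to spot in server logs. Unless every caller of check_user already reports a non-zero return, the consistent form here is `if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) { send_error(net, ER_HANDSHAKE_ERROR); return 1; }`. A one-line comment above the check would also help the next reader, e.g. `/* Reject non-scramble-length passwords here, not in check_connections(), so COM_CHANGE_USER is covered too */`. check_user begins and continues outside this hunk, so whether the callers already send an error is not visible from here.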
@@ -458,8 +460,6 @@ check_connections(THD *thd)
char *user= (char*) net->read_pos+5;
char *passwd= strend(user)+1;
char *db=0;
- if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
- return ER_HANDSHAKE_ERROR;
if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
db=strend(passwd)+1;
if (thd->client_capabilities & CLIENT_INTERACTIVE)