diff options
| author | Alexey Botchkov <holyfoot@askmonty.org> | 2015-06-07 15:40:42 +0500 |
|---|---|---|
| committer | Alexey Botchkov <holyfoot@askmonty.org> | 2015-06-07 15:40:42 +0500 |
| commit | 1ae05db49c433b6cd3d0172fa1f4421632b6f2ac (patch) | |
| tree | 33f5bd36097719fdb68f315220c9182ced450101 | |
| parent | db0ecf2662c54b1382305908413b45c75f2dfd19 (diff) | |
| download | mariadb-git-1ae05db49c433b6cd3d0172fa1f4421632b6f2ac.tar.gz | |
MDEV-8078 Memory disclosure/buffer overread on audit plugin.
If the SET PASSWORD query doesn't have the password string,
the parsing of it can fail. It manifested first in MySQL 5.6 as
it started to hide password lines sent to the plugins.
Fixed by checking for that case.
| -rw-r--r-- | mysql-test/suite/plugins/r/server_audit.result | 3 | ||||
| -rw-r--r-- | mysql-test/suite/plugins/t/server_audit.test | 2 | ||||
| -rw-r--r-- | plugin/server_audit/server_audit.c | 12 |
3 files changed, 14 insertions, 3 deletions
diff --git a/mysql-test/suite/plugins/r/server_audit.result b/mysql-test/suite/plugins/r/server_audit.result index d0649a1fc1f..69c9bc3a4be 100644 --- a/mysql-test/suite/plugins/r/server_audit.result +++ b/mysql-test/suite/plugins/r/server_audit.result @@ -162,6 +162,8 @@ id CREATE USER u1 IDENTIFIED BY 'pwd-123'; GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321"; SET PASSWORD FOR u1 = PASSWORD('pwd 098'); +SET PASSWORD FOR u1=<secret>; +ERROR 42000: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '=<secret>' at line 1 CREATE USER u3 IDENTIFIED BY ''; drop user u1, u2, u3; select 2; @@ -324,6 +326,7 @@ TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'/*comment*/ select 2',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u1 IDENTIFIED BY *****',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'GRANT ALL ON sa_db TO u2 IDENTIFIED BY *****',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1 = PASSWORD(*****)',0 +TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'SET PASSWORD FOR u1=<secret>',ID TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'CREATE USER u3 IDENTIFIED BY *****',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'drop user u1, u2, u3',0 TIME,HOSTNAME,root,localhost,ID,ID,QUERY,sa_db,'set global server_audit_events=\'\'',0 diff --git a/mysql-test/suite/plugins/t/server_audit.test b/mysql-test/suite/plugins/t/server_audit.test index c126b845def..87c667adb09 100644 --- a/mysql-test/suite/plugins/t/server_audit.test +++ b/mysql-test/suite/plugins/t/server_audit.test @@ -105,6 +105,8 @@ select * from t1; CREATE USER u1 IDENTIFIED BY 'pwd-123'; GRANT ALL ON sa_db TO u2 IDENTIFIED BY "pwd-321"; SET PASSWORD FOR u1 = PASSWORD('pwd 098'); +--error 1064 +SET PASSWORD FOR u1=<secret>; CREATE USER u3 IDENTIFIED BY ''; drop user u1, u2, u3; select 2; diff --git a/plugin/server_audit/server_audit.c b/plugin/server_audit/server_audit.c index 4aa8652de52..bede4c9545d 100644 --- a/plugin/server_audit/server_audit.c +++ b/plugin/server_audit/server_audit.c @@ -1175,9 +1175,15 @@ static size_t escape_string_hide_passwords(const char *str, unsigned int len, for (c=0; c<d_len; c++) result[c]= is_space(str[c]) ? ' ' : str[c]; - memmove(result + d_len, "*****", 5); - result+= d_len + 5; - b_char= *(next_s++); + if (*next_s) + { + memmove(result + d_len, "*****", 5); + result+= d_len + 5; + b_char= *(next_s++); + } + else + result+= d_len; + while (*next_s) { if (*next_s == b_char) |