diff options
| author | cmiller@zippy.cornsilk.net <> | 2006-10-09 18:28:06 -0400 |
|---|---|---|
| committer | cmiller@zippy.cornsilk.net <> | 2006-10-09 18:28:06 -0400 |
| commit | 4812d81eabe2c2eeb2818e78e35365a84a44763e (patch) | |
| tree | 1c006a0b771d0d2c43b7ee794ab93d6fc8de48ae /BitKeeper | |
| parent | 72ad606ece804432c04987137542e79890115263 (diff) | |
| download | mariadb-git-4812d81eabe2c2eeb2818e78e35365a84a44763e.tar.gz | |
Bug#17583: mysql drops connection when stdout is not writable
When the client program had its stdout file descriptor closed by the calling
shell, after some amount of work (enough to fill a socket buffer) the server
would complain about a packet error and then disconnect the client.
This is a serious security problem. If stdout is closed before the mysql is
exec()d, then the first socket() call allocates file number 1 to communicate
with the server. Subsequent write()s to that file number (as when printing
results that come back from the database) go back to the server instead in
the command channel. So, one should be able to craft data which, upon being
selected back from the server to the client, and injected into the command
stream become valid MySQL protocol to do something nasty when sent /back/ to
the server.
The solution is to close explicitly the file descriptor that we *printf() to,
so that the libc layer and the OS layer both agree that the file is closed.
Diffstat (limited to 'BitKeeper')
| -rw-r--r-- | BitKeeper/etc/collapsed | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/BitKeeper/etc/collapsed b/BitKeeper/etc/collapsed new file mode 100644 index 00000000000..60be7fa5dc6 --- /dev/null +++ b/BitKeeper/etc/collapsed @@ -0,0 +1 @@ +452a92d0-31-8wSzSfZi165fcGcXPA |