author | Harin Vadodaria <harin.vadodaria@oracle.com> | 2017-05-23 07:14:33 +0200
---|---|---
committer | Harin Vadodaria <harin.vadodaria@oracle.com> | 2017-05-23 07:14:33 +0200
commit | 3d8134d2c9b74bc8883ffe2ef59c168361223837 (patch) |
tree | b0309e7f13c4fac6b4bd74fc2121df9001f7fa8b /libmysql |
parent | 8c7e9aab054360ec192ce3cffb2c25aa16e25f10 (diff) |
download | mariadb-git-3d8134d2c9b74bc8883ffe2ef59c168361223837.tar.gz |
Bug#25988681: USE-AFTER-FREE IN MYSQL_STMT_CLOSE()
Description: If mysql_stmt_close() encountered an error, it recorded the error in the prepared statement but then freed the memory assigned to the prepared statement. If mysql_stmt_error() is then used to get the error information, it results in a use-after-free.
In all cases where mysql_stmt_close() can fail, the error would already have been set by cli_advanced_command in the MYSQL structure.

Solution: Don't copy the error from MYSQL using set_stmt_errmsg.

There is no automated way to test the fix since it is in mysql_stmt_close(), which does not expect any reply from the server.
Reviewed-By: Georgi Kodinov <georgi.kodinov@oracle.com>
Reviewed-By: Ramil Kalimullin <ramil.kalimullin@oracle.com>
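A minimal C model of the ownership rule behind this fix, added here as an illustration and not libmysql code: the statement handle is freed by close, so a caller must read failure details from the connection handle (the role mysql_errno()/mysql_error() play in the real API), never from the closed statement. All type and function names (conn_t, stmt_t, stmt_new, stmt_close, close_and_report) and the error code 9999 are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the MYSQL connection handle; it outlives every statement. */
typedef struct {
    int  last_errno;          /* what mysql_errno() would return */
    char last_error[64];      /* what mysql_error() would return */
    int  fail_next_command;   /* constructed test hook: force one failure */
} conn_t;
/* Stand-in for MYSQL_STMT; owned by the caller until stmt_close() frees it. */
typedef struct { conn_t *mysql; unsigned stmt_id; } stmt_t;

stmt_t *stmt_new(conn_t *mysql, unsigned stmt_id)
{
    stmt_t *s = calloc(1, sizeof *s);
    s->mysql = mysql; s->stmt_id = stmt_id;
    return s;
}

/* Models stmt_command(): a failure is recorded on the connection handle
   (as set_mysql_error does in libmysql) and signalled by a nonzero return. */
static int send_close_command(conn_t *mysql, unsigned stmt_id)
{
    if (!mysql->fail_next_command)
        return 0;
    mysql->fail_next_command = 0;
    mysql->last_errno = 9999;   /* constructed error code for the example */
    snprintf(mysql->last_error, sizeof mysql->last_error,
             "simulated close failure for stmt %u", stmt_id);
    return 1;
}

/* Models the fixed mysql_stmt_close(): the error is deliberately not copied
   into stmt, because stmt is released unconditionally before returning. */
int stmt_close(stmt_t *stmt)
{
    int rc = send_close_command(stmt->mysql, stmt->stmt_id);
    free(stmt);                 /* from here on stmt is a dangling pointer */
    return rc;
}

/* Safe caller pattern: on failure read the details from the connection
   handle, never from the statement that was just closed. */
int close_and_report(conn_t *mysql, stmt_t *stmt)
{
    if (stmt_close(stmt) == 0)
        return 0;
    fprintf(stderr, "close failed: %d %s\n", mysql->last_errno, mysql->last_error);
    return mysql->last_errno;
}
```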
Diffstat (limited to 'libmysql')
-rw-r--r-- | libmysql/libmysql.c | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index 6e7134ff97c..d5ab85efa32 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -4678,10 +4678,14 @@ my_bool STDCALL mysql_stmt_close(MYSQL_STMT *stmt) mysql->status= MYSQL_STATUS_READY; } int4store(buff, stmt->stmt_id); - if ((rc= stmt_command(mysql, COM_STMT_CLOSE, buff, 4, stmt))) - { - set_stmt_errmsg(stmt, &mysql->net); - } + /* + If stmt_command failed, it would have already raised + error using set_mysql_error. Caller should use + mysql_error() or mysql_errno() to find out details. + Memory allocated for stmt will be released regardless + of the error. + */ + rc= stmt_command(mysql, COM_STMT_CLOSE, buff, 4, stmt); } } |
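Review bot: In the mysql_stmt_close() hunk, dropping set_stmt_errmsg(stmt, &mysql->net) is the right fix, since the statement memory is released later in the function regardless of rc and an error copied into it could only be read back through a dangling pointer. However, the new comment asserts that stmt_command has already raised the error via set_mysql_error, and nothing in this diff shows that; please confirm every failure path of stmt_command records the error on the MYSQL handle, otherwise a failed close now returns nonzero with no error text anywhere. Also keep `rc= stmt_command(mysql, COM_STMT_CLOSE, buff, 4, stmt);` flowing unchanged into the function's return value so callers can detect the failure and fall back to mysql_errno()/mysql_error(), and consider adding a sentence to the mysql_stmt_close() API documentation stating that mysql_stmt_error()/mysql_stmt_errno() must not be called on a statement after it has been closed.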