Bug #11765023: 57934: DOS POSSIBLE SINCE BINARY CASTING DOESN'T

ADHERE TO MAX_ALLOWED_PACKET Added a check for max_packet_length in CONVERT(, BINARY|CHAR). Added a test case.
author: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2011-03-15 13:19:30 +0200
committer: Georgi Kodinov <Georgi.Kodinov@Oracle.com> 2011-03-15 13:19:30 +0200
commit: 405f7ca69a36a2b2d7b02bdb945f1e6879c5aaea (patch)
tree: 343f9f8f7c64ede999aa42dca9c963622ff2495a /sql/item_timefunc.cc
parent: d8235ef5ccf17760c9df045624ae09699686e4aa (diff)
download: mariadb-git-405f7ca69a36a2b2d7b02bdb945f1e6879c5aaea.tar.gz
1 files changed, 13 insertions, 0 deletions
diff --git a/sql/item_timefunc.cc b/sql/item_timefunc.cc
index 6335199b8de..74aae94b6f2 100644
--- a/sql/item_timefunc.cc
+++ b/sql/item_timefunc.cc
@@ -2444,6 +2444,19 @@ String *Item_char_typecast::val_str(String *str)
   String *res;
   uint32 length;
 
+  if (cast_length >= 0 &&
+      ((unsigned) cast_length) > current_thd->variables.max_allowed_packet)
+  {
+    push_warning_printf(current_thd, MYSQL_ERROR::WARN_LEVEL_WARN,
+			ER_WARN_ALLOWED_PACKET_OVERFLOWED,
+			ER(ER_WARN_ALLOWED_PACKET_OVERFLOWED),
+			cast_cs == &my_charset_bin ?
+                        "cast_as_binary" : func_name(),
+                        current_thd->variables.max_allowed_packet);
+    null_value= 1;
+    return 0;
+  }
+
   if (!charset_conversion)
   {
     if (!(res= args[0]->val_str(str)))
author	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2011-03-15 13:19:30 +0200
committer	Georgi Kodinov <Georgi.Kodinov@Oracle.com>	2011-03-15 13:19:30 +0200
commit	405f7ca69a36a2b2d7b02bdb945f1e6879c5aaea (patch)
tree	343f9f8f7c64ede999aa42dca9c963622ff2495a /sql/item_timefunc.cc
parent	d8235ef5ccf17760c9df045624ae09699686e4aa (diff)
download	mariadb-git-405f7ca69a36a2b2d7b02bdb945f1e6879c5aaea.tar.gz