author | Sergei Golubchik <sergii@pisem.net> | 2010-02-23 13:04:58 +0100 |
---|---|---|
committer | Sergei Golubchik <sergii@pisem.net> | 2010-02-23 13:04:58 +0100 |
commit | f04cf03f75ffca0b99562c027c1c57340d375f66 (patch) | |
tree | c519404b0a739443194821dc72431eb35b5d4988 /sql/net_serv.cc | |
parent | 2840821cc92c302c9172ef6d47c484b5bdfcc785 (diff) | |
fix for a possible DoS in the my_net_skip_rest()
Diffstat (limited to 'sql/net_serv.cc')
-rw-r--r-- | sql/net_serv.cc | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/sql/net_serv.cc b/sql/net_serv.cc index 4e1d507de2c..58ccde760c2 100644 --- a/sql/net_serv.cc +++ b/sql/net_serv.cc @@ -130,6 +130,7 @@ my_bool my_net_init(NET *net, Vio* vio) net->last_error[0]=0; net->compress=0; net->reading_or_writing=0; net->where_b = net->remain_in_buf=0; + net->net_skip_rest_factor= 0; net->last_errno=0; #ifdef USE_QUERY_CACHE query_cache_init_query(net); @@ -743,6 +744,7 @@ static my_bool net_safe_read(NET *net, uchar *buff, size_t length, static my_bool my_net_skip_rest(NET *net, uint32 remain, thr_alarm_t *alarmed, ALARM *alarm_buff) { + longlong limit= net->max_packet_size*net->net_skip_rest_factor; uint32 old=remain; DBUG_ENTER("my_net_skip_rest"); DBUG_PRINT("enter",("bytes_to_skip: %u", (uint) remain)); @@ -766,11 +768,15 @@ static my_bool my_net_skip_rest(NET *net, uint32 remain, thr_alarm_t *alarmed, DBUG_RETURN(1); update_statistics(thd_increment_bytes_received(length)); remain -= (uint32) length; + limit-= length; + if (limit < 0) + DBUG_RETURN(1); } if (old != MAX_PACKET_LENGTH) break; if (net_safe_read(net, net->buff, NET_HEADER_SIZE, alarmed)) DBUG_RETURN(1); + limit-= NET_HEADER_SIZE; old=remain= uint3korr(net->buff); net->pkt_nr++; } |
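Review bot: In `longlong limit= net->max_packet_size*net->net_skip_rest_factor;` (second hunk) the multiplication is carried out in the operands' own type and only the result is widened, so on a platform where both fields are 32 bits wide (their declarations are not in this diff) a large max_packet_size can wrap and leave the skip limit far below what was intended, or at zero. Widening one operand first removes the dependency on the platform: `longlong limit= (longlong) net->max_packet_size * net->net_skip_rest_factor;`. The first hunk also sets the factor to 0 in my_net_init(), which makes limit 0 here and ends the skip with an error after the first chunk; if that default is deliberate, say so at the initialisation, e.g. `/* 0: my_net_skip_rest() gives up after one chunk until a factor is configured */`. The body of my_net_skip_rest() continues outside this hunk.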
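Review bot: `limit-= length;` (third hunk) subtracts a size_t from a signed longlong, so where size_t is 64 bits the arithmetic is done unsigned and the later `limit < 0` test depends on the implementation-defined conversion back to signed; `limit-= (longlong) length;` keeps the budget arithmetic signed throughout. The new `DBUG_RETURN(1)` is also indistinguishable from the read-failure returns around it, so a tripped limit leaves no trace for whoever investigates dropped connections; a debug line before it would help, `DBUG_PRINT("error", ("skip limit exceeded, giving up"));` (the `if` then needs braces). The enclosing loop starts above this hunk.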