Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.

The server could be tricked to read packets indefinitely if it
received a packet larger than the maximum size of one packet.
This problem is aggravated by the fact that it can be triggered
before authentication.

The solution is to no skip big packets for non-authenticated
sessions. If a big packet is sent before a session is authen-
ticated, a error is returned and the connection is closed.

1 files changed, 4 insertions, 0 deletions

diff --git a/sql/net_serv.cc b/sql/net_serv.cc
index fdabad6f569..1d1871e27a8 100644
--- a/sql/net_serv.cc
+++ b/sql/net_serv.cc
@@ -141,6 +141,9 @@ my_bool my_net_init(NET *net, Vio* vio)
   net->query_cache_query= 0;
 #endif
   net->report_error= 0;
+#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)
+  net->skip_big_packet= FALSE;
+#endif
 
   if (vio != 0)					/* If real connection */
   {
@@ -947,6 +950,7 @@ my_real_read(NET *net, ulong *complen)
 	  {
 #if defined(MYSQL_SERVER) && !defined(NO_ALARM)
 	    if (!net->compress &&
+                net->skip_big_packet &&
 		!my_net_skip_rest(net, (uint32) len, &alarmed, &alarm_buff))
 	      net->error= 3;		/* Successfully skiped packet */
 #endif