authorAlexey Kopytov <Alexey.Kopytov@sun.com>2009-05-27 14:20:57 +0400
committerAlexey Kopytov <Alexey.Kopytov@sun.com>2009-05-27 14:20:57 +0400
commit1b8322c3c6f406bd119145c6f38ddeb802e1b9fc (patch)
tree34ae98822606272f3479c61c527ed8c15c1d1702 /sql/password.c
parent1d03fb715ebcd995648793fbdba57d9a2069ede6 (diff)
Bug #44767: invalid memory reads in password() and
old_password() functions The PASSWORD() and OLD_PASSWORD() functions could lead to memory reads outside of an internal buffer when used with BLOB arguments. String::c_ptr() assumes there is at least one extra byte in the internally allocated buffer when adding the trailing '\0'. This, however, may not be the case when a String object was initialized with externally allocated buffer. The bug was fixed by adding an additional "length" argument to make_scrambled_password_323() and make_scrambled_password() in order to avoid String::c_ptr() calls for PASSWORD()/OLD_PASSWORD(). However, since the make_scrambled_password[_323] functions are a part of the client library ABI, the functions with the new interfaces were implemented with the 'my_' prefix in their names, with the old functions changed to be wrappers around the new ones to maintain interface compatibility. mysql-test/r/func_crypt.result: Added a test case for bug #44767. mysql-test/t/func_crypt.test: Added a test case for bug #44767. sql/item_strfunc.cc: Use the new my_make_scrambled_password*() to avoid String::c_ptr(). sql/item_strfunc.h: Changed Item_func[_old]_password::alloc() interfaces so that we can use the new my_make_scrambled_password*() functions. sql/mysql_priv.h: Added declarations for the new my_make_scrambled_password*() functions. sql/password.c: Added new my_make_scrambled_password*() functions with an additional "length" argument. Changed ones to be wrappers around the new ones to maintain interface compatibility. sql/sql_yacc.yy: Utilize the new password hashing functions with additional length argument.
Diffstat (limited to 'sql/password.c')
-rw-r--r--sql/password.c53
1 files changed, 45 insertions, 8 deletions
diff --git a/sql/password.c b/sql/password.c
index 57ed3e6ab0f..e12074549a4 100644
--- a/sql/password.c
+++ b/sql/password.c
@@ -137,20 +137,39 @@ void hash_password(ulong *result, const char *password, uint password_len)
Create password to be stored in user database from raw string
Used for pre-4.1 password handling
SYNOPSIS
- make_scrambled_password_323()
+ my_make_scrambled_password_323()
to OUT store scrambled password here
password IN user-supplied password
+ pass_len IN length of password string
*/
-void make_scrambled_password_323(char *to, const char *password)
+void my_make_scrambled_password_323(char *to, const char *password,
+ size_t pass_len)
{
ulong hash_res[2];
- hash_password(hash_res, password, (uint) strlen(password));
+ hash_password(hash_res, password, (uint) pass_len);
sprintf(to, "%08lx%08lx", hash_res[0], hash_res[1]);
}
/*
+ Wrapper around my_make_scrambled_password_323() to maintain client lib ABI
+ compatibility.
+ In server code usage of my_make_scrambled_password_323() is preferred to
+ avoid strlen().
+ SYNOPSIS
+ make_scrambled_password_323()
+ to OUT store scrambled password here
+ password IN NULL-terminated string with user-supplied password
+*/
+
+void make_scrambled_password_323(char *to, const char *password)
+{
+ my_make_scrambled_password_323(to, password, strlen(password));
+}
+
+
+/*
Scramble string with password.
Used in pre 4.1 authentication phase.
SYNOPSIS
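Review bot: The cast in `hash_password(hash_res, password, (uint) pass_len);` silently truncates any length above UINT_MAX on platforms where size_t is wider than uint, so the hash would cover only part of the input instead of failing. The same narrowing appears in the second hunk at `mysql_sha1_input(&sha1_context, (uint8 *) password, (uint) pass_len);`. Since the new entry points exist to take caller-supplied lengths from BLOB values, I would make the bound explicit, for example `DBUG_ASSERT(pass_len <= UINT_MAX);` at the top of both functions, or state the limit in the SYNOPSIS. The comment could also say that `password` need not be NUL-terminated and that `to` must have room for the 16 hex digits plus the terminator written by the unchanged `sprintf`.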
@@ -383,20 +402,21 @@ my_crypt(char *to, const uchar *s1, const uchar *s2, uint len)
The result of this function is used as return value from PASSWORD() and
is stored in the database.
SYNOPSIS
- make_scrambled_password()
+ my_make_scrambled_password()
buf OUT buffer of size 2*SHA1_HASH_SIZE + 2 to store hex string
- password IN NULL-terminated password string
+ password IN password string
+ pass_len IN length of password string
*/
-void
-make_scrambled_password(char *to, const char *password)
+void my_make_scrambled_password(char *to, const char *password,
+ size_t pass_len)
{
SHA1_CONTEXT sha1_context;
uint8 hash_stage2[SHA1_HASH_SIZE];
mysql_sha1_reset(&sha1_context);
/* stage 1: hash password */
- mysql_sha1_input(&sha1_context, (uint8 *) password, (uint) strlen(password));
+ mysql_sha1_input(&sha1_context, (uint8 *) password, (uint) pass_len);
mysql_sha1_result(&sha1_context, (uint8 *) to);
/* stage 2: hash stage1 output */
mysql_sha1_reset(&sha1_context);
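Review bot: The SYNOPSIS for `my_make_scrambled_password()` still names the output parameter `buf` while the signature calls it `to`, and the wrapper comment added in the last hunk copies the same mismatch. I would rename it in both comments, e.g. `to OUT buffer of size 2*SHA1_HASH_SIZE + 2 to store hex string`. The `password` line could read `password IN password bytes, need not be NUL-terminated`, so callers know that only `pass_len` bounds the read. The function body continues past the end of this hunk.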
@@ -410,6 +430,23 @@ make_scrambled_password(char *to, const char *password)
/*
+ Wrapper around my_make_scrambled_password() to maintain client lib ABI
+ compatibility.
+ In server code usage of my_make_scrambled_password() is preferred to
+ avoid strlen().
+ SYNOPSIS
+ make_scrambled_password()
+ buf OUT buffer of size 2*SHA1_HASH_SIZE + 2 to store hex string
+ password IN NULL-terminated password string
+*/
+
+void make_scrambled_password(char *to, const char *password)
+{
+ my_make_scrambled_password(to, password, strlen(password));
+}
+
+
+/*
Produce an obscure octet sequence from password and random
string, recieved from the server. This sequence corresponds to the
password, but password can not be easily restored from it. The sequence