author Davi Arnaut <davi.arnaut@oracle.com> 2011-05-30 07:42:30 -0300
committer Davi Arnaut <davi.arnaut@oracle.com> 2011-05-30 07:42:30 -0300
commit 9b68760fd61869626808bf47ac75a9024ea662b7 (patch)
tree 73a6a370f745762eec600a8b111c7d306b936c13 /sql/password.c
parent 05098831606c3267fc6f80f6af65a8069e82b56a (diff)
download mariadb-git-9b68760fd61869626808bf47ac75a9024ea662b7.tar.gz
Bug#12563279: REGRESSION IN HANDLING PRE-4.1 AUTHENTICATION PACKET
The problem is that clients implementing the 4.0 version of the protocol (that is, mysql-4.0) do not null terminate a string at the end of the authentication packet. These clients denote the end of the string with the end of the packet. Although this goes against the documented (see MySQL Internals ClientServer Protocol wiki) description of the protocol, these old clients still need to be supported.

The solution is to support the documented and actual behavior of the clients. If a client is using the pre-4.1 version of the protocol, the end of a string in the authentication packet can either be denoted with a null character or by the end of the packet. This restores backwards compatibility with old clients implementing either the documented or actual behavior.

sql/password.c: The scrambled message, as provided by the user, might not be properly null terminated. If this is the case, uninitialized memory past the end of the buffer could theoretically be accessed. To ensure that this is never the case, copy the scrambled message over to a null terminated auxiliary buffer.

sql/sql_connect.cc: Use different execution paths to read strings depending on the protocol being used. If version 4.0 of the protocol is used, end of string can be denoted with a NUL character or by the end of the packet. If there are not enough bytes left after the current position of the buffer to satisfy the current string, the string is considered to be empty. This is required because old clients do not send the password string field if the password is empty.
Diffstat (limited to 'sql/password.c')
-rw-r--r-- sql/password.c 32
1 files changed, 17 insertions, 15 deletions
diff --git a/sql/password.c b/sql/password.c
index 9204c660b77..29a501986f4 100644
--- a/sql/password.c
+++ b/sql/password.c
@@ -204,21 +204,16 @@ void scramble_323(char *to, const char *message, const char *password)
}
-/*
- Check scrambled message
- Used in pre 4.1 password handling
- SYNOPSIS
- check_scramble_323()
- scrambled scrambled message to check.
- message original random message which was used for scrambling; must
- be exactly SCRAMBLED_LENGTH_323 bytes long and
- NULL-terminated.
- hash_pass password which should be used for scrambling
- All params are IN.
+/**
+ Check scrambled message. Used in pre 4.1 password handling.
- RETURN VALUE
- 0 - password correct
- !0 - password invalid
+ @param scrambled Scrambled message to check.
+ @param message Original random message which was used for scrambling.
+ @param hash_pass Password which should be used for scrambling.
+
+ @remark scrambled and message must be SCRAMBLED_LENGTH_323 bytes long.
+
+ @return FALSE if password is correct, TRUE otherwise.
*/
my_bool
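Review bot: The @remark in the new doc comment names SCRAMBLED_LENGTH_323, but the constant the function body uses is SCRAMBLE_LENGTH_323; the misspelling is carried over from the old comment and should be corrected so the remark refers to a macro that exists. The old comment also required message to be NULL-terminated and the new one drops that without saying so; state explicitly whether message still needs a terminator, and word the length requirement as "at least SCRAMBLE_LENGTH_323 bytes" since the body reads exactly that many bytes from each buffer.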
@@ -227,9 +222,16 @@ check_scramble_323(const char *scrambled, const char *message,
{
struct rand_struct rand_st;
ulong hash_message[2];
- char buff[16],*to,extra; /* Big enough for check */
+ /* Big enough for checks. */
+ char buff[16], scrambled_buff[SCRAMBLE_LENGTH_323 + 1];
+ char *to, extra;
const char *pos;
+ /* Ensure that the scrambled message is null-terminated. */
+ memcpy(scrambled_buff, scrambled, SCRAMBLE_LENGTH_323);
+ scrambled_buff[SCRAMBLE_LENGTH_323]= '\0';
+ scrambled= scrambled_buff;
+
hash_password(hash_message, message, SCRAMBLE_LENGTH_323);
randominit(&rand_st,hash_pass[0] ^ hash_message[0],
hash_pass[1] ^ hash_message[1]);
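Review bot: The memcpy into scrambled_buff always reads SCRAMBLE_LENGTH_323 bytes from scrambled, and check_scramble_323() takes no length argument, so nothing in this function guards against a caller handing it a shorter buffer; the commit message itself notes that old clients may send no password field at all. Either pass the available length in and reject anything other than SCRAMBLE_LENGTH_323 before copying, or document at the declaration that callers must verify the length first. Minor: the "Big enough for checks." comment now sits above two buffers sized for different reasons; a separate comment on scrambled_buff explaining the "+ 1" for the terminator would read more clearly.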