authorSergei Golubchik <sergii@pisem.net>2011-07-07 22:37:38 +0200
committerSergei Golubchik <sergii@pisem.net>2011-07-07 22:37:38 +0200
commit17d716c9c67f17cb4a9cb94ab9091ba2ab38254a (patch)
treee40344d1209170e53134a902d68ae26b447e37a7 /sql/sql_connect.cc
parent6f5f5b949166a939269956bdf1cbd6349e9a6fcb (diff)
protocol safety fix:
before strlen(db) we need to be sure that db lies within packet boundaries
Diffstat (limited to 'sql/sql_connect.cc')
-rw-r--r--sql/sql_connect.cc7
1 files changed, 4 insertions, 3 deletions
diff --git a/sql/sql_connect.cc b/sql/sql_connect.cc
index ec0f65e3c58..59a18477259 100644
--- a/sql/sql_connect.cc
+++ b/sql/sql_connect.cc
@@ -893,16 +893,17 @@ static int check_connection(THD *thd)
(uchar)(*passwd++) : strlen(passwd);
db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
db + passwd_len + 1 : 0;
- /* strlen() can't be easily deleted without changing protocol */
- uint db_len= db ? strlen(db) : 0;
- if (passwd + passwd_len + db_len > (char *)net->read_pos + pkt_len)
+ if (passwd + passwd_len + test(db) > (char *)net->read_pos + pkt_len)
{
inc_host_errors(&thd->remote.sin_addr);
my_error(ER_HANDSHAKE_ERROR, MYF(0), thd->main_security_ctx.host_or_ip);
return 1;
}
+ /* strlen() can't be easily deleted without changing protocol */
+ uint db_len= db ? strlen(db) : 0;
+
/* Since 4.1 all database names are stored in utf8 */
if (db)
{
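Review bot: The relocated `strlen(db)` is still an unbounded scan, and with `db_len` dropped from the comparison nothing in this hunk bounds where the database name ends; the new check only establishes where `db` starts relative to `net->read_pos + pkt_len`. If a client omits the terminator, the scan stops only at whatever zero byte follows the packet data, so the code presumably relies on the network layer placing a NUL after the payload; that is not visible here and should be stated in the comment above `db_len`. A bounded form would make the intent explicit, e.g. `uint db_len= db ? strnlen(db, (char *)net->read_pos + pkt_len - db) : 0;`. The same concern applies to `strlen(passwd)` in the context lines above the check, which runs before any bounds test. The body of check_connection starts and continues outside the hunk.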