authorDmitry Shulga <Dmitry.Shulga@oracle.com>2011-03-15 17:36:12 +0600
committerDmitry Shulga <Dmitry.Shulga@oracle.com>2011-03-15 17:36:12 +0600
commit9320dca994fdae18c549cb59266d49846dc1f839 (patch)
treea5dc8beae05172872e0c5adc5f06bb1144c0be41 /tests
parent07106d4ad95175b50db878c16b12215b2221db87 (diff)
Fixed Bug#11764168 "56976: SEVERE DENIAL OF SERVICE IN PREPARED STATEMENTS".
The problem was that server didn't check resulting size of prepared statement argument which was set using mysql_send_long_data() API. By calling mysql_send_long_data() several times it was possible to create overly big string and thus force server to allocate memory for it. There was no way to limit this allocation. The solution is to add check for size of result string against value of max_long_data_size start-up parameter. When intermediate string exceeds max_long_data_size value an appropriate error message is emitted. We can't use existing max_allowed_packet parameter for this purpose since its value is limited by 1GB and therefore using it as a limit for data set through mysql_send_long_data() API would have been an incompatible change. Newly introduced max_long_data_size parameter gets value from max_allowed_packet parameter unless its value is specified explicitly. This new parameter is marked as deprecated and will be eventually replaced by max_allowed_packet parameter. Value of max_long_data_size parameter can be set only at server startup. mysql-test/t/variables.test: Added checking for new start-up parameter max_long_data_size. sql/item.cc: Added call to my_message() when accumulated string exceeds max_long_data_size value. my_message() calls error handler that was installed in mysql_stmt_get_longdata before call to Item_param::set_longdata. The error handler then sets state, last_error and last_errno fields for current statement to values which correspond to error which was caught. sql/mysql_priv.h: Added max_long_data_size variable declaration. sql/mysqld.cc: Added support for start-up parameter 'max_long_data_size'. This parameter limits size of data which can be sent from client to server using mysql_send_long_data() API. sql/set_var.cc: Added variable 'max_long_data_size' into list of variables displayed by command 'show variables'. sql/sql_prepare.cc: Added error handler class Set_longdata_error_handler. 
This handler is used to catch any errors that can be generated during execution of Item_param::set_longdata(). Source code snippet that makes checking for statement's state during statement execution is moved from Prepared_statement::execute() to Prepared_statement::execute_loop() in order not to call set_parameters() when statement has failed during set_long_data() execution. If this hadn't been done the call to set_parameters() would have failed. tests/mysql_client_test.c: A testcase for the bug #56976 was added.
Diffstat (limited to 'tests')
-rw-r--r--tests/mysql_client_test.c51
1 files changed, 51 insertions, 0 deletions
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
index fc1f2e8293e..2e78c846fbc 100644
--- a/tests/mysql_client_test.c
+++ b/tests/mysql_client_test.c
@@ -18465,6 +18465,56 @@ static void test_bug58036()
/*
+ Bug #56976: Severe Denial Of Service in prepared statements
+*/
+static void test_bug56976()
+{
+ MYSQL_STMT *stmt;
+ MYSQL_BIND bind[1];
+ int rc;
+ const char* query = "SELECT LENGTH(?)";
+ char *long_buffer;
+ unsigned long i, packet_len = 256 * 1024L;
+ unsigned long dos_len = 2 * 1024 * 1024L;
+
+ DBUG_ENTER("test_bug56976");
+ myheader("test_bug56976");
+
+ stmt= mysql_stmt_init(mysql);
+ check_stmt(stmt);
+
+ rc= mysql_stmt_prepare(stmt, query, strlen(query));
+ check_execute(stmt, rc);
+
+ memset(bind, 0, sizeof(bind));
+ bind[0].buffer_type = MYSQL_TYPE_TINY_BLOB;
+
+ rc= mysql_stmt_bind_param(stmt, bind);
+ check_execute(stmt, rc);
+
+ long_buffer= (char*) my_malloc(packet_len, MYF(0));
+ DIE_UNLESS(long_buffer);
+
+ memset(long_buffer, 'a', packet_len);
+
+ for (i= 0; i < dos_len / packet_len; i++)
+ {
+ rc= mysql_stmt_send_long_data(stmt, 0, long_buffer, packet_len);
+ check_execute(stmt, rc);
+ }
+
+ my_free(long_buffer, MYF(0));
+ rc= mysql_stmt_execute(stmt);
+
+ DIE_UNLESS(rc && mysql_stmt_errno(stmt) == ER_UNKNOWN_ERROR);
+
+ mysql_stmt_close(stmt);
+
+ DBUG_VOID_RETURN;
+}
+
+
+/*
Read and parse arguments and MySQL options from my.cnf
*/
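Review bot: The DIE_UNLESS at the end of test_bug56976 assumes the server's max_long_data_size (which, per the description, defaults to max_allowed_packet) is below dos_len (2 MiB), but the test neither reads nor documents that assumption, so on a server started with a larger limit every send_long_data call succeeds and the final assertion fails for a reason unrelated to the fix. A comment above the loop would make the precondition explicit, e.g. `/* Expects the server's max_long_data_size (default: max_allowed_packet) to be below dos_len, so that accumulating dos_len bytes is rejected */`. The check `mysql_stmt_errno(stmt) == ER_UNKNOWN_ERROR` pins only the generic error code; if the server-side change reports a dedicated error for the exceeded limit, this comparison should be tightened to it, since the generic code would also mask unrelated failures. Minor style point: `bind[0].buffer_type = MYSQL_TYPE_TINY_BLOB;` and `const char* query` differ from the surrounding `rc= ...` / `char *` spacing used in the rest of the function.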
@@ -18791,6 +18841,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug54041", test_bug54041 },
{ "test_bug47485", test_bug47485 },
{ "test_bug58036", test_bug58036 },
+ { "test_bug56976", test_bug56976 },
{ 0, 0 }
};