diff options
| -rw-r--r-- | mysql-test/r/connect_debug.result | 5 | ||||
| -rw-r--r-- | mysql-test/t/connect_debug.test | 12 | ||||
| -rw-r--r-- | sql-common/client.c | 8 | ||||
| -rw-r--r-- | sql/sql_acl.cc | 1 |
4 files changed, 22 insertions, 4 deletions
diff --git a/mysql-test/r/connect_debug.result b/mysql-test/r/connect_debug.result new file mode 100644 index 00000000000..0452b238db9 --- /dev/null +++ b/mysql-test/r/connect_debug.result @@ -0,0 +1,5 @@ +set @old_dbug=@@global.debug_dbug; +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/mysql-test/t/connect_debug.test b/mysql-test/t/connect_debug.test new file mode 100644 index 00000000000..299b605b2cd --- /dev/null +++ b/mysql-test/t/connect_debug.test @@ -0,0 +1,12 @@ +source include/have_debug.inc; +set @old_dbug=@@global.debug_dbug; + +# +# use after free if need plugin change and auth aborted +# +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +--error 1 +--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/sql-common/client.c b/sql-common/client.c index d583f54bcba..586c2effc1e 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -1503,7 +1503,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields, else { cur->data[field] = to; - if (to + len > end_to) + if (unlikely(len > (ulong)(end_to-to) || to > end_to)) { free_rows(result); set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate); @@ -1575,7 +1575,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths) } else { - if (pos + len > end_pos) + if (unlikely(len > (ulong)(end_pos - pos) || pos > end_pos)) { set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate); return -1; @@ -2735,7 +2735,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf) *buf= mysql->net.read_pos; /* was it a request to change plugins ? */ - if (**buf == 254) + if (pkt_len == packet_error || **buf == 254) return (int)packet_error; /* if yes, this plugin shan't continue */ /* @@ -2920,7 +2920,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, compile_time_assert(CR_OK == -1); compile_time_assert(CR_ERROR == 0); - if (res > CR_OK && mysql->net.read_pos[0] != 254) + if (res > CR_OK && (mysql->net.last_errno || mysql->net.read_pos[0] != 254)) { /* the plugin returned an error. write it down in mysql, diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 291f1f613a2..b957b5713d2 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -11172,6 +11172,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio, const char *client_auth_plugin= ((st_mysql_auth *) (plugin_decl(mpvio->plugin)->info))->client_auth_plugin; + DBUG_EXECUTE_IF("auth_disconnect", { vio_close(net->vio); DBUG_RETURN(1); }); DBUG_ASSERT(client_auth_plugin); /* |