From bbc2e37fe4e0ca3a7cfa1437a763dc43829e98e2 Mon Sep 17 00:00:00 2001
From: Arun Kuruvila
Date: Mon, 14 May 2018 11:28:13 +0530
Subject: Bug#27759871: BACKRONYM ISSUE IS STILL IN MYSQL 5.7
Description:- Client applications establishes connection to server, which does not support SSL, via TCP even when SSL is enforced via MYSQL_OPT_SSL_MODE or MYSQL_OPT_SSL_ENFORCE or MYSQL_OPT_SSL_VERIFY_SERVER_CERT.
Analysis:- There exist no error handling for catching client applications which enforces SSL connection to connect to a server which does not support SSL.
Fix:- Error handling is done to catch above mentioned scenarios.
---
 sql-common/client.c | 41 +++++++++++++++++++++++++++++++++++++++++
 1 file changed, 41 insertions(+)
(limited to 'sql-common')
diff --git a/sql-common/client.c b/sql-common/client.c
index 9972ca741f2..3247fd8e339 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -2020,6 +2020,34 @@ error:
 #endif /* HAVE_OPENSSL && !EMBEDDED_LIBRARY */
 
 
+/**
+  Checks if any SSL option is set for libmysqld embedded server.
+
+  @param mysql the connection handle
+  @retval 0 success
+  @retval 1 failure
+*/
+#ifdef EMBEDDED_LIBRARY
+int embedded_ssl_check(MYSQL *mysql)
+{
+  if (mysql->options.ssl_key || mysql->options.ssl_cert ||
+      mysql->options.ssl_ca || mysql->options.ssl_capath ||
+      mysql->options.ssl_cipher ||
+      mysql->options.client_flag & CLIENT_SSL_VERIFY_SERVER_CERT ||
+      (mysql->options.extension &&
+       mysql->options.extension->ssl_mode == SSL_MODE_REQUIRED))
+  {
+    set_mysql_extended_error(mysql, CR_SSL_CONNECTION_ERROR, unknown_sqlstate,
+                             ER(CR_SSL_CONNECTION_ERROR),
+                             "Embedded server libmysqld library doesn't support "
+                             "SSL connections");
+    return 1;
+  }
+  return 0;
+}
+#endif
+
+
 /*
   Note that the mysql argument must be initialized with mysql_init()
   before calling mysql_real_connect !
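Review bot: `embedded_ssl_check` is defined with external linkage although its only caller in this commit is in the `CLI_MYSQL_REAL_CONNECT` hunk of the same file, so `static int embedded_ssl_check(MYSQL *mysql)` would keep it out of the library's exported symbol set; if a header prototype was intended instead, none is part of this commit. The bitwise term inside the `||` chain is correct by precedence but easy to misread, and `(mysql->options.client_flag & CLIENT_SSL_VERIFY_SERVER_CERT) ||` makes the intent explicit. The extension block inspects only `ssl_mode`; if this tree also stores the CRL options (`ssl_crl`, `ssl_crlpath`) in `mysql->options.extension`, as 5.7 does, a handle carrying only those would pass the check unnoticed, which is worth confirming against the extension struct. The `@retval 1` line would say more as `@retval 1 an SSL option is set; CR_SSL_CONNECTION_ERROR has been recorded on the handle`.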
@@ -3592,6 +3620,11 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
 
   mysql->client_flag= client_flag;
 
+#ifdef EMBEDDED_LIBRARY
+  if (embedded_ssl_check(mysql))
+    goto error;
+#endif
+
   /*
     Part 2: invoke the plugin to send the authentication data to the server
   */
@@ -4271,10 +4304,14 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
     mysql->reconnect= *(my_bool *) arg;
     break;
   case MYSQL_OPT_SSL_VERIFY_SERVER_CERT:
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
     if (*(my_bool*) arg)
       mysql->options.client_flag|= CLIENT_SSL_VERIFY_SERVER_CERT;
     else
       mysql->options.client_flag&= ~CLIENT_SSL_VERIFY_SERVER_CERT;
+#elif defined(EMBEDDED_LIBRARY)
+    DBUG_RETURN(1);
+#endif
     break;
   case MYSQL_PLUGIN_DIR:
     EXTENSION_SET_STRING(&mysql->options, plugin_dir, arg);
@@ -4288,11 +4325,15 @@ mysql_options(MYSQL *mysql,enum mysql_option option, const void *arg)
       (*(my_bool*) arg) ? TRUE : FALSE;
     break;
   case MYSQL_OPT_SSL_MODE:
+#if defined(HAVE_OPENSSL) && !defined(EMBEDDED_LIBRARY)
     if (*(uint *) arg == SSL_MODE_REQUIRED)
     {
       ENSURE_EXTENSIONS_PRESENT(&mysql->options);
       mysql->options.extension->ssl_mode= SSL_MODE_REQUIRED;
     }
+#elif defined(EMBEDDED_LIBRARY)
+    DBUG_RETURN(1);
+#endif
     break;
   default:
     DBUG_RETURN(1);
-- cgit v1.2.1
From e48d775c6f066add457fa8cfb2ebc4d5ff0c7613 Mon Sep 17 00:00:00 2001
From: Ivo Roylev
Date: Thu, 14 Jun 2018 17:27:54 +0300
Subject: Bug#27980823: HEAP OVERFLOW VULNERABILITIES IN MYSQL CLIENT LIBRARY
(cherry picked from commit b5b986b2cbd9a7848dc3f48e5c42b6d4e1e5fb22)
---
 sql-common/client.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
(limited to 'sql-common')
diff --git a/sql-common/client.c b/sql-common/client.c
index 3247fd8e339..7938403db59 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
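Review bot: The new `embedded_ssl_check` call sits after `client_flag` has been stored on the handle and before the `Part 2` comment, i.e. before the authentication plugin is invoked to send credentials, and that ordering is the reason it belongs here rather than further down; a one-line comment would keep a later refactor from moving it: `/* Refuse SSL-only options before Part 2 hands the credentials to the auth plugin */`. The body of `CLI_MYSQL_REAL_CONNECT` and the `error:` label it jumps to are outside the hunk, so whether that path releases everything Part 1 set up cannot be confirmed from here.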
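Review bot: In the `MYSQL_OPT_SSL_VERIFY_SERVER_CERT` case the new conditional covers only two of three build configurations: with `HAVE_OPENSSL` and no `EMBEDDED_LIBRARY` the flag is set, with `EMBEDDED_LIBRARY` the option is rejected, but a non-embedded build without `HAVE_OPENSSL` skips both branches, reaches `break` and is treated like any accepted option while nothing is recorded on the handle, which is the same silent downgrade this commit is meant to close. If such a build is possible in this tree, `#else` in place of `#elif defined(EMBEDDED_LIBRARY)` rejects it uniformly; the same applies to the `MYSQL_OPT_SSL_MODE` hunk below. The rejection returns 1 without recording an error string, consistent with the `default:` case, so the option documentation should state that the return value is the only signal.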
@@ -1505,7 +1505,8 @@ unpack_fields(MYSQL *mysql, MYSQL_DATA *data,MEM_ROOT *alloc,uint fields,
     {
       uchar *pos;
       /* fields count may be wrong */
-      DBUG_ASSERT((uint) (field - result) < fields);
+      if (field < result || (uint) (field - result) >= fields)
+        DBUG_RETURN(NULL);
       cli_fetch_lengths(&lengths[0], row->data, default_value ? 8 : 7);
       field->catalog= strmake_root(alloc,(char*) row->data[0], lengths[0]);
       field->db= strmake_root(alloc,(char*) row->data[1], lengths[1]);
@@ -1612,6 +1613,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
 
   if ((pkt_len= cli_safe_read(mysql)) == packet_error)
     DBUG_RETURN(0);
+  if (pkt_len == 0) DBUG_RETURN(0);
   if (!(result=(MYSQL_DATA*) my_malloc(sizeof(MYSQL_DATA),
                                        MYF(MY_WME | MY_ZEROFILL))))
   {
-- cgit v1.2.1
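Review bot: The new bounds check in `unpack_fields` returns NULL without recording anything on the handle, so a caller that simply propagates the NULL would leave `mysql_error()` empty for what is really a malformed field packet; `set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);` before `DBUG_RETURN(NULL);` names the cause, and the same applies to the new `pkt_len == 0` return in the `cli_read_rows` hunk below. The check itself is sound: `field < result` is tested before the difference is cast to `uint`, so a negative distance can no longer wrap to a small unsigned value, and unlike the `DBUG_ASSERT` it replaces it is active in release builds. The loop that advances `field` and the allocation of `result` are outside the hunk, so whether anything needs releasing on this early return cannot be confirmed here.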
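Review bot: `if (pkt_len == 0) DBUG_RETURN(0);` puts the return on the same line, while the `packet_error` check two lines above puts its return on its own line; matching that form and saying why an empty packet is refused would read consistently, e.g. `/* An empty packet carries no row data or status byte to inspect */` followed by `if (pkt_len == 0)` and `DBUG_RETURN(0);` on separate lines. The rest of `cli_read_rows`, where the packet contents are presumably examined, is outside the hunk, so the comment wording should be checked against that code.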