From 1ecd68d867ced1d00ebffdcedbf6bc97493f5067 Mon Sep 17 00:00:00 2001 From: Sergei Golubchik Date: Mon, 30 Apr 2018 23:06:09 +0200 Subject: [PATCH] Use after free in authentication --- mysql-test/r/connect_debug.result | 5 +++++ mysql-test/t/connect_debug.test | 12 ++++++++++++ sql-common/client.c | 4 ++-- sql/sql_acl.cc | 1 + 4 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 mysql-test/r/connect_debug.result create mode 100644 mysql-test/t/connect_debug.test diff --git a/mysql-test/r/connect_debug.result b/mysql-test/r/connect_debug.result new file mode 100644 index 00000000000..0452b238db9 --- /dev/null +++ b/mysql-test/r/connect_debug.result @@ -0,0 +1,5 @@ +set @old_dbug=@@global.debug_dbug; +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/mysql-test/t/connect_debug.test b/mysql-test/t/connect_debug.test new file mode 100644 index 00000000000..299b605b2cd --- /dev/null +++ b/mysql-test/t/connect_debug.test @@ -0,0 +1,12 @@ +source include/have_debug.inc; +set @old_dbug=@@global.debug_dbug; + +# +# use after free if need plugin change and auth aborted +# +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +--error 1 +--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/sql-common/client.c b/sql-common/client.c index b485ebf4f60..00e2877bedb 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -2742,7 +2742,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf) *buf= mysql->net.read_pos; /* was it a request to change plugins ? */ - if (**buf == 254) + if (pkt_len == packet_error || **buf == 254) return (int)packet_error; /* if yes, this plugin shan't continue */ /* @@ -2927,7 +2927,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, compile_time_assert(CR_OK == -1); compile_time_assert(CR_ERROR == 0); - if (res > CR_OK && mysql->net.read_pos[0] != 254) + if (res > CR_OK && (mysql->net.last_errno || mysql->net.read_pos[0] != 254)) { /* the plugin returned an error. write it down in mysql, diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index c3740f8ab29..15a238193dd 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -8253,6 +8253,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio, const char *client_auth_plugin= ((st_mysql_auth *) (plugin_decl(mpvio->plugin)->info))->client_auth_plugin; + DBUG_EXECUTE_IF("auth_disconnect", { vio_close(net->vio); DBUG_RETURN(1); }); DBUG_ASSERT(client_auth_plugin); /*