From 3a364d517246d6d571a3c5eecac99dbee6dac7db Mon Sep 17 00:00:00 2001 From: unknown Date: Tue, 12 Jun 2007 08:47:36 -0400 Subject: [PATCH] Bug#28984: crasher on connect with out of range password length in \ protocol Fixed duplicated code, same as last commit. One could send a malformed packet that caused the server to SEGV. In recent versions of the password protocol, the client tells the server what length the ciphertext is (almost always 20). If that length was large enough to overflow a signed char, then the number would jump to very large after being casted to unsigned int. Instead, cast the *passwd char to uchar. sql/sql_parse.cc: Additional location of signed-char casted to uint. --- sql/sql_parse.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc index 4e84bc9d046..24f9ef30569 100644 --- a/sql/sql_parse.cc +++ b/sql/sql_parse.cc @@ -1445,11 +1445,14 @@ bool dispatch_command(enum enum_server_command command, THD *thd, Old clients send null-terminated string ('\0' for empty string) for password. New clients send the size (1 byte) + string (not null terminated, so also '\0' for empty string). + + Cast *passwd to an unsigned char, so that it doesn't extend the sign + for *passwd > 127 and become 2**32-127 after casting to uint. */ char db_buff[NAME_LEN+1]; // buffer to store db in utf8 char *db= passwd; uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ? - *passwd++ : strlen(passwd); + (uchar)(*passwd++) : strlen(passwd); db+= passwd_len + 1; #ifndef EMBEDDED_LIBRARY /* Small check for incomming packet */
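Review bot: the `(uchar)(*passwd++)` cast in this hunk closes the sign-extension path, but `passwd_len` (now 0..255) is still added to `db` in `db+= passwd_len + 1;` before any bounds check is visible, so a client can still claim a password length that runs past the end of the received packet; please confirm that the "Small check for incomming packet" following `#ifndef EMBEDDED_LIBRARY` compares `passwd_len + 1` (plus the `db` part) against the actual packet length, and since that check is compiled out for `EMBEDDED_LIBRARY`, state in the commit message why the embedded build does not need the same validation. The comment added to the hunk reads "become 2**32-127", which describes the result loosely; the sign-extended value is 2**32 minus the byte's two's-complement magnitude, so a wording like "becomes a value near 2**32 after the cast to uint" would be more accurate. The pre-existing typo "incomming" in the context line could be fixed while touching this block.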