From 46085513c186e84a0acb852a3dea0c603cd3ffdf Mon Sep 17 00:00:00 2001 From: unknown Date: Mon, 11 Jun 2007 16:03:05 -0400 Subject: [PATCH] Bug#28984: crasher on connect with out of range password length in \ protocol Update for function moved to new file in 5.1. One could send a malformed packet that caused the server to SEGV. In recent versions of the password protocol, the client tells the server what length the ciphertext is (almost always 20). If that length was large enough to overflow a signed char, then the number would jump to very large after being casted to unsigned int. Instead, cast the *passwd char to uchar. sql/sql_connect.cc: Update for function moved to new file in 5.1. --- sql/sql_connect.cc | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/sql/sql_connect.cc b/sql/sql_connect.cc index 7c1ba3856e8..26b7098e27c 100644 --- a/sql/sql_connect.cc +++ b/sql/sql_connect.cc @@ -837,9 +837,12 @@ static int check_connection(THD *thd) password both send '\0'. This strlen() can't be easily deleted without changing protocol. + + Cast *passwd to an unsigned char, so that it doesn't extend the sign for + *passwd > 127 and become 2**32-127+ after casting to uint. */ uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ? - *passwd++ : strlen(passwd); + (uchar)(*passwd++) : strlen(passwd); db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ? db + passwd_len + 1 : 0; /* strlen() can't be easily deleted without changing protocol */
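Review bot: The (uchar) cast on the `*passwd++` branch stops the sign extension, but passwd_len is still a client-supplied value in 0..255 and the hunk shows no check that it fits inside the received packet before the next line computes `db + passwd_len + 1`; consider validating passwd_len against the remaining packet length (and, since the commit message says the ciphertext is almost always 20 bytes, against the expected scramble length) and rejecting the connection on mismatch, rather than relying on the cast alone. Minor wording point on the added comment: a byte of 128 sign-extends to -128, which becomes 2**32-128 after the uint conversion, so "2**32-127+" understates the range by one; "2**32-128 and above" would match the arithmetic.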