1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Bug#29630767 - USE OF UNINITIALIZED VALUE IN LIBMYSQL (CLIENT.CC FUNCTION RUN_PLUGIN_AUTH)

Browse Source
This commit is contained in:
Sergei Golubchik 2020-01-17 15:08:11 +01:00
parent 49b9ce15ef
commit 4d1c1b23e1
4 changed files with 28 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
mysql-test/r/connect_debug.result
View File

@ -8,3 +8,11 @@ create user 'bad' identified by 'worse';
ERROR 2059 (HY000): Authentication plugin 'foo/bar' cannot be loaded: invalid plugin name
set global debug_dbug=@old_dbug;
drop user bad;
set global debug_dbug='+d,increase_srv_handshake_scramble_len';
connect(localhost,root,,test,MASTER_MYPORT,MYSQL_TMP_DIR/mysqld.1.sock);
ERROR HY000: Malformed packet
set global debug_dbug=@old_dbug;
set global debug_dbug='+d,poison_srv_handshake_scramble_len';
connect(localhost,root,,test,MASTER_MYPORT,MYSQL_TMP_DIR/mysqld.1.sock);
ERROR HY000: Malformed packet
set global debug_dbug=@old_dbug;

15
mysql-test/t/connect_debug.test
View File

@ -21,3 +21,18 @@ create user 'bad' identified by 'worse';
--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse 2>&1
set global debug_dbug=@old_dbug;
drop user bad;
#
# Bug#29630767 - USE OF UNINITIALIZED VALUE IN LIBMYSQL (CLIENT.CC FUNCTION RUN_PLUGIN_AUTH)
#
set global debug_dbug='+d,increase_srv_handshake_scramble_len';
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $MASTER_MYPORT MASTER_MYPORT
--error 2027
connect con1,localhost,root;
set global debug_dbug=@old_dbug;
set global debug_dbug='+d,poison_srv_handshake_scramble_len';
--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $MASTER_MYPORT MASTER_MYPORT
--error 2027
connect con2,localhost,root;
set global debug_dbug=@old_dbug;

5
sql-common/client.c
View File

@ -3538,7 +3538,10 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
scramble_data_len= pkt_scramble_len;
scramble_plugin= scramble_data + scramble_data_len;
if (scramble_data + scramble_data_len > pkt_end)
scramble_data_len= pkt_end - scramble_data;
{
set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
goto error;
}
}
else
{

1
sql/sql_acl.cc
View File

@ -8178,6 +8178,7 @@ static bool send_server_handshake_packet(MPVIO_EXT *mpvio,
int2store(end+5, thd->client_capabilities >> 16);
end[7]= data_len;
DBUG_EXECUTE_IF("poison_srv_handshake_scramble_len", end[7]= -100;);
DBUG_EXECUTE_IF("increase_srv_handshake_scramble_len", end[7]= 50;);
bzero(end + 8, 10);
end+= 18;
/* write scramble tail */