From 4d1c1b23e1373bbd4e72f524e855f1db076d2c73 Mon Sep 17 00:00:00 2001
From: Sergei Golubchik
Date: Fri, 17 Jan 2020 15:08:11 +0100
Subject: [PATCH] Bug#29630767 - USE OF UNINITIALIZED VALUE IN LIBMYSQL (CLIENT.CC FUNCTION RUN_PLUGIN_AUTH)
---
 mysql-test/r/connect_debug.result | 8 ++++++++
 mysql-test/t/connect_debug.test | 15 +++++++++++++++
 sql-common/client.c | 5 ++++-
 sql/sql_acl.cc | 1 +
 4 files changed, 28 insertions(+), 1 deletion(-)
diff --git a/mysql-test/r/connect_debug.result b/mysql-test/r/connect_debug.result
index 3151166a0e6..c455363eb41 100644
--- a/mysql-test/r/connect_debug.result
+++ b/mysql-test/r/connect_debug.result
@@ -8,3 +8,11 @@ create user 'bad' identified by 'worse';
 ERROR 2059 (HY000): Authentication plugin 'foo/bar' cannot be loaded: invalid plugin name
 set global debug_dbug=@old_dbug;
 drop user bad;
+set global debug_dbug='+d,increase_srv_handshake_scramble_len';
+connect(localhost,root,,test,MASTER_MYPORT,MYSQL_TMP_DIR/mysqld.1.sock);
+ERROR HY000: Malformed packet
+set global debug_dbug=@old_dbug;
+set global debug_dbug='+d,poison_srv_handshake_scramble_len';
+connect(localhost,root,,test,MASTER_MYPORT,MYSQL_TMP_DIR/mysqld.1.sock);
+ERROR HY000: Malformed packet
+set global debug_dbug=@old_dbug;
diff --git a/mysql-test/t/connect_debug.test b/mysql-test/t/connect_debug.test
index 7a2f2872b79..de7a292ce67 100644
--- a/mysql-test/t/connect_debug.test
+++ b/mysql-test/t/connect_debug.test
@@ -21,3 +21,18 @@ create user 'bad' identified by 'worse';
 --exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse 2>&1
 set global debug_dbug=@old_dbug;
 drop user bad;
+
+#
+# Bug#29630767 - USE OF UNINITIALIZED VALUE IN LIBMYSQL (CLIENT.CC FUNCTION RUN_PLUGIN_AUTH)
+#
+set global debug_dbug='+d,increase_srv_handshake_scramble_len';
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $MASTER_MYPORT MASTER_MYPORT
+--error 2027
+connect con1,localhost,root;
+set global debug_dbug=@old_dbug;
+
+set global debug_dbug='+d,poison_srv_handshake_scramble_len';
+--replace_result $MYSQL_TMP_DIR MYSQL_TMP_DIR $MASTER_MYPORT MASTER_MYPORT
+--error 2027
+connect con2,localhost,root;
+set global debug_dbug=@old_dbug;
diff --git a/sql-common/client.c b/sql-common/client.c
index f535b5119b7..c7fb70fbeef 100644
--- a/sql-common/client.c
+++ b/sql-common/client.c
@@ -3538,7 +3538,10 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
     scramble_data_len= pkt_scramble_len;
     scramble_plugin= scramble_data + scramble_data_len;
     if (scramble_data + scramble_data_len > pkt_end)
-      scramble_data_len= pkt_end - scramble_data;
+    {
+      set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
+      goto error;
+    }
   }
   else
   {
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
index 8670f5b390d..ac1adf9e58b 100644
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@@ -8178,6 +8178,7 @@ static bool send_server_handshake_packet(MPVIO_EXT *mpvio,
   int2store(end+5, thd->client_capabilities >> 16);
   end[7]= data_len;
   DBUG_EXECUTE_IF("poison_srv_handshake_scramble_len", end[7]= -100;);
+  DBUG_EXECUTE_IF("increase_srv_handshake_scramble_len", end[7]= 50;);
   bzero(end + 8, 10);
   end+= 18;
   /* write scramble tail */
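Review bot: The guard the new error path hangs off, `if (scramble_data + scramble_data_len > pkt_end)`, still forms a pointer beyond the end of the packet buffer before comparing it, which is undefined behaviour in exactly the case the check is meant to catch, and it is silently false for a negative length such as the `poison_srv_handshake_scramble_len` case the test adds. A length-based comparison, `if (scramble_data_len < 0 || pkt_end - scramble_data < scramble_data_len)`, stays within the object and rejects both a negative and an oversized advertised length at this one spot, rather than relying on a later negative-length check that is not visible in this hunk (if one exists, the combined condition is still the clearer contract). Also worth a one-line why-comment above the new block, e.g. `/* truncating to the bytes left would let the auth plugin read past the real scramble; reject the handshake instead */`, since the removed line looked deliberate. Note that `scramble_plugin` is computed from the unchecked length on the line before the guard; it is not used before the goto as far as this hunk shows, but a reader has to confirm that outside the hunk. CLI_MYSQL_REAL_CONNECT begins and ends outside the hunk.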
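Review bot: The added `DBUG_EXECUTE_IF("increase_srv_handshake_scramble_len", end[7]= 50;);` writes a bare magic value with no explanation of why 50, and the neighbouring poison line has the same gap; a short comment would help the next reader, e.g. `/* debug-only fault injection: advertise a scramble length larger than the bytes actually written (data_len), so the client must reject the handshake as malformed */`. I am inferring from the new test that 50 exceeds data_len; if data_len could ever legitimately reach 50 the injection would stop exercising the client-side check, so stating that bound in the comment (or a static assertion) would pin the intent — confirm against data_len's definition, which is outside the hunk. send_server_handshake_packet starts and ends outside the hunk.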