Bug #12910665: AUTH-PLUGIN-DATA-LEN NOT TESTED FOR VALIDITY BY THE
CLIENT Added a check for a negative second part of the scramble length.
parent
8b75496856
commit
ca3e45dce1
@ -3415,6 +3415,12 @@ CLI_MYSQL_REAL_CONNECT(MYSQL *mysql,const char *host, const char *user,
|
|||||||
mysql->server_status=uint2korr(end+3);
|
mysql->server_status=uint2korr(end+3);
|
||||||
mysql->server_capabilities|= uint2korr(end+5) << 16;
|
mysql->server_capabilities|= uint2korr(end+5) << 16;
|
||||||
pkt_scramble_len= end[7];
|
pkt_scramble_len= end[7];
|
||||||
|
if (pkt_scramble_len < 0)
|
||||||
|
{
|
||||||
|
set_mysql_error(mysql, CR_MALFORMED_PACKET,
|
||||||
|
unknown_sqlstate); /* purecov: inspected */
|
||||||
|
goto error;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
end+= 18;
|
end+= 18;
|
||||||
|
|
||||||
|
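Review bot: The new `if (pkt_scramble_len < 0)` guard in CLI_MYSQL_REAL_CONNECT can only fire if `end[7]` is read through a signed `char`; where plain `char` is unsigned the same byte arrives as 128–255 and the malformed packet is accepted. The declarations of `end` and `pkt_scramble_len` are outside the hunk, so this is inferred from the comparison, and the `end[7]= -100` test hook in the send_server_handshake_packet hunk relies on the same conversion. Reading the byte as `pkt_scramble_len= (uchar) end[7];` and rejecting a value larger than the bytes remaining in the packet, through the same `CR_MALFORMED_PACKET` path, would validate the server-supplied length regardless of char signedness. The function continues beyond the hunk, so how the length is used afterwards is not visible here.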
@ -8032,6 +8032,7 @@ static bool send_server_handshake_packet(MPVIO_EXT *mpvio,
|
|||||||
int2store(end + 3, mpvio->server_status[0]);
|
int2store(end + 3, mpvio->server_status[0]);
|
||||||
int2store(end + 5, mpvio->client_capabilities >> 16);
|
int2store(end + 5, mpvio->client_capabilities >> 16);
|
||||||
end[7]= data_len;
|
end[7]= data_len;
|
||||||
|
DBUG_EXECUTE_IF("poison_srv_handshake_scramble_len", end[7]= -100;);
|
||||||
bzero(end + 8, 10);
|
bzero(end + 8, 10);
|
||||||
end+= 18;
|
end+= 18;
|
||||||
/* write scramble tail */
|
/* write scramble tail */
|
||||||
|
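Review bot: The added `DBUG_EXECUTE_IF("poison_srv_handshake_scramble_len", end[7]= -100;);` line carries no comment, and because it overwrites the length byte stored on the line above it reads like a mistake to anyone who does not know the debug keyword. A one-line comment above it, for example `/* test hook: send an invalid auth-plugin-data length so the client's CR_MALFORMED_PACKET check is exercised */`, would record the intent. send_server_handshake_packet starts and ends outside this hunk.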