1berry/MariaDB-server
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fix for a possible DoS in the my_net_skip_rest()

Browse Source
This commit is contained in:
Sergei Golubchik 2010-02-23 13:04:58 +01:00
parent 2840821cc9
commit f04cf03f75
4 changed files with 10 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
include/mysql.h.pp
View File

@ -28,7 +28,7 @@ typedef struct st_net {
unsigned int *return_status; unsigned int *return_status;
unsigned char reading_or_writing; unsigned char reading_or_writing;
char save_char; char save_char;
my_bool unused0; char net_skip_rest_factor;
my_bool unused; my_bool unused;
my_bool compress; my_bool compress;
my_bool unused1; my_bool unused1;

2
include/mysql_com.h
View File

@ -254,7 +254,7 @@ typedef struct st_net {
unsigned int *return_status; unsigned int *return_status;
unsigned char reading_or_writing; unsigned char reading_or_writing;
char save_char; char save_char;
my_bool unused0; /* Please remove with the next incompatible ABI change. */ char net_skip_rest_factor;
my_bool unused; /* Please remove with the next incompatible ABI change */ my_bool unused; /* Please remove with the next incompatible ABI change */
my_bool compress; my_bool compress;
my_bool unused1; /* Please remove with the next incompatible ABI change. */ my_bool unused1; /* Please remove with the next incompatible ABI change. */

6
sql/net_serv.cc
View File

@ -130,6 +130,7 @@ my_bool my_net_init(NET *net, Vio* vio)
net->last_error[0]=0; net->last_error[0]=0;
net->compress=0; net->reading_or_writing=0; net->compress=0; net->reading_or_writing=0;
net->where_b = net->remain_in_buf=0; net->where_b = net->remain_in_buf=0;
net->net_skip_rest_factor= 0;
net->last_errno=0; net->last_errno=0;
#ifdef USE_QUERY_CACHE #ifdef USE_QUERY_CACHE
query_cache_init_query(net); query_cache_init_query(net);
@ -743,6 +744,7 @@ static my_bool net_safe_read(NET *net, uchar *buff, size_t length,
static my_bool my_net_skip_rest(NET *net, uint32 remain, thr_alarm_t *alarmed, static my_bool my_net_skip_rest(NET *net, uint32 remain, thr_alarm_t *alarmed,
ALARM *alarm_buff) ALARM *alarm_buff)
{ {
longlong limit= net->max_packet_size*net->net_skip_rest_factor;
uint32 old=remain; uint32 old=remain;
DBUG_ENTER("my_net_skip_rest"); DBUG_ENTER("my_net_skip_rest");
DBUG_PRINT("enter",("bytes_to_skip: %u", (uint) remain)); DBUG_PRINT("enter",("bytes_to_skip: %u", (uint) remain));
@ -766,11 +768,15 @@ static my_bool my_net_skip_rest(NET *net, uint32 remain, thr_alarm_t *alarmed,
DBUG_RETURN(1); DBUG_RETURN(1);
update_statistics(thd_increment_bytes_received(length)); update_statistics(thd_increment_bytes_received(length));
remain -= (uint32) length; remain -= (uint32) length;
limit-= length;
if (limit < 0)
DBUG_RETURN(1);
} }
if (old != MAX_PACKET_LENGTH) if (old != MAX_PACKET_LENGTH)
break; break;
if (net_safe_read(net, net->buff, NET_HEADER_SIZE, alarmed)) if (net_safe_read(net, net->buff, NET_HEADER_SIZE, alarmed))
DBUG_RETURN(1); DBUG_RETURN(1);
limit-= NET_HEADER_SIZE;
old=remain= uint3korr(net->buff); old=remain= uint3korr(net->buff);
net->pkt_nr++; net->pkt_nr++;
} }

3
sql/sql_connect.cc
View File

@ -474,7 +474,8 @@ check_user(THD *thd, enum enum_server_command command,
} }
} }
my_ok(thd); my_ok(thd);
thd->password= test(passwd_len); // remember for error messages thd->net.net_skip_rest_factor= 2; // skip at most 2*max_packet_size
thd->password= test(passwd_len); // remember for error messages
/* Ready to handle queries */ /* Ready to handle queries */
DBUG_RETURN(0); DBUG_RETURN(0);
} }