
Commit 752acb1

harinvadodariaHery Ramilison
authored andcommitted
Bug#25714674: MYSQL SERVER REMOTE PREAUTH PROBLEM THROUGH INTEGER OVERFLOW
Description: A missing length check for a length-encoded string causes a problem in the pre-authorization stage.
1 parent dbdd4e9 commit 752acb1


1 file changed

+27
-0
lines changed


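--- a/sql/auth/sql_authentication.cc
+++ b/sql/auth/sql_authentication.cc
@@ -1242,6 +1242,9 @@ char *get_56_lenc_string(char **buffer,
 {
 static char empty_string[1]= { '\0' };
 char *begin= *buffer;
+uchar *pos= (uchar *)begin;
+size_t required_length= 9;
+
 
 if (*max_bytes_available == 0)
 return NULL;
@@ -1262,13 +1265,37 @@ char *get_56_lenc_string(char **buffer,
 return empty_string;
 }
 
+/* Make sure we have enough bytes available for net_field_length_ll */
+DBUG_EXECUTE_IF("buffer_too_short_3",
+*pos= 252; *max_bytes_available= 2;
+);
+DBUG_EXECUTE_IF("buffer_too_short_4",
+*pos= 253; *max_bytes_available= 3;
+);
+DBUG_EXECUTE_IF("buffer_too_short_9",
+*pos= 254; *max_bytes_available= 8;
+);
+
+if (*pos <= 251)
+required_length= 1;
+if (*pos == 252)
+required_length= 3;
+if (*pos == 253)
+required_length= 4;
+
+if (*max_bytes_available < required_length)
+return NULL;
+
 *string_length= (size_t)net_field_length_ll((uchar **)buffer);
 
 DBUG_EXECUTE_IF("sha256_password_scramble_too_long",
 *string_length= SIZE_T_MAX;
 );
 
 size_t len_len= (size_t)(*buffer - begin);
+
+DBUG_ASSERT((*max_bytes_available >= len_len) &&
+(len_len == required_length));
 
 if (*string_length > *max_bytes_available - len_len)
 return NULL;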
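Review bot: In the new `required_length` selection (new lines 1279–1284) the 8-byte length form is covered only by the initializer `size_t required_length= 9;` placed in the previous hunk, so nothing at the check itself shows that a first byte of 254 (and, by the same fall-through, 255) is accounted for; a reader has to scroll back to find the default. The `buffer_too_short_*` hooks establish that 252, 253 and 254 need 3, 4 and 9 bytes respectively, and the `DBUG_ASSERT` at 1297 verifies `len_len == required_length` only in debug builds, so the mapping deserves to be spelled out where it is used rather than inherited from a declaration. I'd fold the three independent `if`s into one `switch` with the 9-byte case and the default explicit, which also prevents the initializer from silently covering any prefix byte that a later change forgets to handle. get_56_lenc_string's body continues past the end of the hunk.
```c
/* … unchanged: DBUG_EXECUTE_IF("buffer_too_short_*") hooks … */
/* Bytes net_field_length_ll will consume, chosen by the first prefix byte */
switch (*pos)
{
case 252: required_length= 3; break;
case 253: required_length= 4; break;
case 254:
case 255: required_length= 9; break;  /* 255 presumed to take the 8-byte path as before — confirm */
default:  required_length= 1; break;  /* 0..251 */
}

if (*max_bytes_available < required_length)
  return NULL;
```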
