Bug#25714674: MYSQL SERVER REMOTE PREAUTH PROBLEM THROUGH INTEGER OVERFLOW

harinvadodaria · Hery Ramilison · commit 752acb1ae5a1 · 2017-03-18T08:42:04.000+01:00
Description: A missing length check for length-encoded string causes
             problem in preauthorization stage.
diff --git a/sql/auth/sql_authentication.cc b/sql/auth/sql_authentication.cc
@@ -1242,6 +1242,9 @@ char *get_56_lenc_string(char **buffer,
 {
   static char empty_string[1]= { '\0' };
   char *begin= *buffer;
+  uchar *pos= (uchar *)begin;
+  size_t required_length= 9;
+
 
   if (*max_bytes_available == 0)
     return NULL;
@@ -1262,13 +1265,37 @@ char *get_56_lenc_string(char **buffer,
     return empty_string;
   }
 
+  /* Make sure we have enough bytes available for net_field_length_ll */
+  DBUG_EXECUTE_IF("buffer_too_short_3",
+                  *pos= 252; *max_bytes_available= 2;
+  );
+  DBUG_EXECUTE_IF("buffer_too_short_4",
+                  *pos= 253; *max_bytes_available= 3;
+  );
+  DBUG_EXECUTE_IF("buffer_too_short_9",
+                  *pos= 254; *max_bytes_available= 8;
+  );
+
+  if (*pos <= 251)
+    required_length= 1;
+  if (*pos == 252)
+    required_length= 3;
+  if (*pos == 253)
+    required_length= 4;
+
+  if (*max_bytes_available < required_length)
+    return NULL;
+
   *string_length= (size_t)net_field_length_ll((uchar **)buffer);
 
   DBUG_EXECUTE_IF("sha256_password_scramble_too_long",
                   *string_length= SIZE_T_MAX;
   );
 
   size_t len_len= (size_t)(*buffer - begin);
+
+  DBUG_ASSERT((*max_bytes_available >= len_len) &&
+              (len_len == required_length));
   
   if (*string_length > *max_bytes_available - len_len)
     return NULL;
