Skip to content

Commit 42fac32

Browse files
committed
Merge branch '5.5' into 10.0
2 parents c4499a0 + fab383a commit 42fac32

File tree

4 files changed

+22
-4
lines changed

4 files changed

+22
-4
lines changed

mysql-test/r/connect_debug.result

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
set @old_dbug=@@global.debug_dbug;
2+
set global debug_dbug='+d,auth_disconnect';
3+
create user 'bad' identified by 'worse';
4+
set global debug_dbug=@old_dbug;
5+
drop user bad;

mysql-test/t/connect_debug.test

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
source include/have_debug.inc;
2+
set @old_dbug=@@global.debug_dbug;
3+
4+
#
5+
# use after free if need plugin change and auth aborted
6+
#
7+
set global debug_dbug='+d,auth_disconnect';
8+
create user 'bad' identified by 'worse';
9+
--error 1
10+
--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse
11+
set global debug_dbug=@old_dbug;
12+
drop user bad;

sql-common/client.c

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1503,7 +1503,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
15031503
else
15041504
{
15051505
cur->data[field] = to;
1506-
if (to + len > end_to)
1506+
if (unlikely(len > (ulong)(end_to-to) || to > end_to))
15071507
{
15081508
free_rows(result);
15091509
set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
@@ -1575,7 +1575,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
15751575
}
15761576
else
15771577
{
1578-
if (pos + len > end_pos)
1578+
if (unlikely(len > (ulong)(end_pos - pos) || pos > end_pos))
15791579
{
15801580
set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
15811581
return -1;
@@ -2735,7 +2735,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf)
27352735
*buf= mysql->net.read_pos;
27362736

27372737
/* was it a request to change plugins ? */
2738-
if (**buf == 254)
2738+
if (pkt_len == packet_error || **buf == 254)
27392739
return (int)packet_error; /* if yes, this plugin shan't continue */
27402740

27412741
/*
@@ -2920,7 +2920,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
29202920

29212921
compile_time_assert(CR_OK == -1);
29222922
compile_time_assert(CR_ERROR == 0);
2923-
if (res > CR_OK && mysql->net.read_pos[0] != 254)
2923+
if (res > CR_OK && (mysql->net.last_errno || mysql->net.read_pos[0] != 254))
29242924
{
29252925
/*
29262926
the plugin returned an error. write it down in mysql,

sql/sql_acl.cc

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11172,6 +11172,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio,
1117211172
const char *client_auth_plugin=
1117311173
((st_mysql_auth *) (plugin_decl(mpvio->plugin)->info))->client_auth_plugin;
1117411174

11175+
DBUG_EXECUTE_IF("auth_disconnect", { vio_close(net->vio); DBUG_RETURN(1); });
1117511176
DBUG_ASSERT(client_auth_plugin);
1117611177

1117711178
/*

0 commit comments

Comments
 (0)