Merge branch '5.5' into 10.0

vuvova · vuvova · commit 42fac3241368 · 2018-05-01T11:47:43.000+02:00
diff --git a/mysql-test/r/connect_debug.result b/mysql-test/r/connect_debug.result
@@ -0,0 +1,5 @@
+set @old_dbug=@@global.debug_dbug;
+set global debug_dbug='+d,auth_disconnect';
+create user 'bad' identified by 'worse';
+set global debug_dbug=@old_dbug;
+drop user bad;
diff --git a/mysql-test/t/connect_debug.test b/mysql-test/t/connect_debug.test
@@ -0,0 +1,12 @@
+source include/have_debug.inc;
+set @old_dbug=@@global.debug_dbug;
+
+#
+# use after free if need plugin change and auth aborted
+#
+set global debug_dbug='+d,auth_disconnect';
+create user 'bad' identified by 'worse';
+--error 1
+--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse
+set global debug_dbug=@old_dbug;
+drop user bad;
diff --git a/sql-common/client.c b/sql-common/client.c
@@ -1503,7 +1503,7 @@ MYSQL_DATA *cli_read_rows(MYSQL *mysql,MYSQL_FIELD *mysql_fields,
       else
       {
 	cur->data[field] = to;
-        if (to + len > end_to)
+        if (unlikely(len > (ulong)(end_to-to) || to > end_to))
         {
           free_rows(result);
           set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);
@@ -1575,7 +1575,7 @@ read_one_row(MYSQL *mysql,uint fields,MYSQL_ROW row, ulong *lengths)
     }
     else
     {
-      if (pos + len > end_pos)
+      if (unlikely(len > (ulong)(end_pos - pos) || pos > end_pos))
       {
         set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);
         return -1;
@@ -2735,7 +2735,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf)
   *buf= mysql->net.read_pos;
 
   /* was it a request to change plugins ? */
-  if (**buf == 254)
+  if (pkt_len == packet_error || **buf == 254)
     return (int)packet_error; /* if yes, this plugin shan't continue */
 
   /*
@@ -2920,7 +2920,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
 
   compile_time_assert(CR_OK == -1);
   compile_time_assert(CR_ERROR == 0);
-  if (res > CR_OK && mysql->net.read_pos[0] != 254)
+  if (res > CR_OK && (mysql->net.last_errno || mysql->net.read_pos[0] != 254))
   {
     /*
       the plugin returned an error. write it down in mysql,
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -11172,6 +11172,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio,
   const char *client_auth_plugin=
     ((st_mysql_auth *) (plugin_decl(mpvio->plugin)->info))->client_auth_plugin;
 
+  DBUG_EXECUTE_IF("auth_disconnect", { vio_close(net->vio); DBUG_RETURN(1); });
   DBUG_ASSERT(client_auth_plugin);
 
   /*

Original file line number	Diff line number	Diff line change
`@@ -1503,7 +1503,7 @@ MYSQL_DATA cli_read_rows(MYSQL mysql,MYSQL_FIELD *mysql_fields,`
`1503`	`1503`	`else`
`1504`	`1504`	`{`
`1505`	`1505`	`cur->data[field] = to;`
`1506`		`- if (to + len > end_to)`
	`1506`	`+ if (unlikely(len > (ulong)(end_to-to) \|\| to > end_to))`
`1507`	`1507`	`{`
`1508`	`1508`	`free_rows(result);`
`1509`	`1509`	`set_mysql_error(mysql, CR_MALFORMED_PACKET, unknown_sqlstate);`
`@@ -1575,7 +1575,7 @@ read_one_row(MYSQL mysql,uint fields,MYSQL_ROW row, ulong lengths)`
`1575`	`1575`	`}`
`1576`	`1576`	`else`
`1577`	`1577`	`{`
`1578`		`- if (pos + len > end_pos)`
	`1578`	`+ if (unlikely(len > (ulong)(end_pos - pos) \|\| pos > end_pos))`
`1579`	`1579`	`{`
`1580`	`1580`	`set_mysql_error(mysql, CR_UNKNOWN_ERROR, unknown_sqlstate);`
`1581`	`1581`	`return -1;`
`@@ -2735,7 +2735,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio mpv, uchar *buf)`
`2735`	`2735`	`*buf= mysql->net.read_pos;`
`2736`	`2736`
`2737`	`2737`	`/* was it a request to change plugins ? */`
`2738`		`- if (**buf == 254)`
	`2738`	`+ if (pkt_len == packet_error \|\| **buf == 254)`
`2739`	`2739`	`return (int)packet_error; /* if yes, this plugin shan't continue */`
`2740`	`2740`
`2741`	`2741`	`/*`
`@@ -2920,7 +2920,7 @@ int run_plugin_auth(MYSQL mysql, char data, uint data_len,`
`2920`	`2920`
`2921`	`2921`	`compile_time_assert(CR_OK == -1);`
`2922`	`2922`	`compile_time_assert(CR_ERROR == 0);`
`2923`		`- if (res > CR_OK && mysql->net.read_pos[0] != 254)`
	`2923`	`+ if (res > CR_OK && (mysql->net.last_errno \|\| mysql->net.read_pos[0] != 254))`
`2924`	`2924`	`{`
`2925`	`2925`	`/*`
`2926`	`2926`	`the plugin returned an error. write it down in mysql,`