MDEV-9898 SET ROLE NONE can crash mysqld.

The check_user_can_set_role() used find_user_exact() to get the permissions for the SET ROLE NONE command. Which returned NULL too often, for instance when user authenticated as 'user'@'%'. Now we use find_user_wild() instead.
MariaDB · May 2, 2016 · 94cd0f6 · 94cd0f6
1 parent ad4239c
commit 94cd0f6
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 1 deletion.
diff --git a/mysql-test/suite/roles/set_role-simple.result b/mysql-test/suite/roles/set_role-simple.result
@@ -45,3 +45,12 @@ delete from mysql.user where user='test_role1';
 delete from mysql.roles_mapping where Role='test_role1';
 flush privileges;
 drop user 'test_user'@'localhost';
+create user user1;
+select current_user;
+current_user
+user1@%
+show grants;
+Grants for user1@%
+GRANT USAGE ON *.* TO 'user1'@'%'
+set role none;
+drop user user1;
diff --git a/mysql-test/suite/roles/set_role-simple.test b/mysql-test/suite/roles/set_role-simple.test
@@ -37,3 +37,18 @@ delete from mysql.user where user='test_role1';
 delete from mysql.roles_mapping where Role='test_role1';
 flush privileges;
 drop user 'test_user'@'localhost';
+
+#
+# MDEV-9898 SET ROLE NONE can crash mysqld.
+#
+
+create user user1;
+
+--connect (con1,localhost,user1,,)
+select current_user;
+show grants;
+set role none;
+
+connection default;
+drop user user1;
+
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc
@@ -2037,7 +2037,7 @@ static int check_user_can_set_role(const char *user, const char *host,
   {
     /* have to clear the privileges */
     /* get the current user */
-    acl_user= find_user_exact(host, user);
+    acl_user= find_user_wild(host, user, ip);
     if (acl_user == NULL)
     {
       my_error(ER_INVALID_CURRENT_USER, MYF(0), rolename);