Use after free in authentication

Author: vuvova

mysql-test/r/connect_debug.result

@@ -0,0 +1,5 @@
+set @old_dbug=@@global.debug_dbug;
+set global debug_dbug='+d,auth_disconnect';
+create user 'bad' identified by 'worse';
+set global debug_dbug=@old_dbug;
+drop user bad;

mysql-test/t/connect_debug.test

@@ -0,0 +1,12 @@
+source include/have_debug.inc;
+set @old_dbug=@@global.debug_dbug;
+
+#
+# use after free if need plugin change and auth aborted
+#
+set global debug_dbug='+d,auth_disconnect';
+create user 'bad' identified by 'worse';
+--error 1
+--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse
+set global debug_dbug=@old_dbug;
+drop user bad;

sql-common/client.c

@@ -2742,7 +2742,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf)
   *buf= mysql->net.read_pos;
 
   /* was it a request to change plugins ? */
-  if (**buf == 254)
+  if (pkt_len == packet_error || **buf == 254)
     return (int)packet_error; /* if yes, this plugin shan't continue */
 
   /*
@@ -2927,7 +2927,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len,
 
   compile_time_assert(CR_OK == -1);
   compile_time_assert(CR_ERROR == 0);
-  if (res > CR_OK && mysql->net.read_pos[0] != 254)
+  if (res > CR_OK && (mysql->net.last_errno || mysql->net.read_pos[0] != 254))
   {
     /*
       the plugin returned an error. write it down in mysql,

sql/sql_acl.cc

@@ -8217,6 +8217,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio,
   const char *client_auth_plugin=
     ((st_mysql_auth *) (plugin_decl(mpvio->plugin)->info))->client_auth_plugin;
 
+  DBUG_EXECUTE_IF("auth_disconnect", { vio_close(net->vio); DBUG_RETURN(1); });
   DBUG_ASSERT(client_auth_plugin);
 
   /*