branch-4.0: [fix](fe) Bound length in MysqlProto.readLenEncodedString #63604 (#64058)

Open

github-actions[bot] wants to merge 1 commit into branch-4.0 from auto-pick-63604-branch-4.0
Conversation

@github-actions github-actions Bot (Contributor) commented Jun 3, 2026

Cherry-picked from #63604

### What problem does this PR solve?

Issue Number: close #63603

Problem Summary:

`MysqlProto.readLenEncodedString` reads a length-encoded integer and
passes it straight to `new byte[(int) length]` with no bound. The length
is fully attacker-controlled (a `0xFE` lead byte carries an 8-byte
value), and it is read before authentication from
`MysqlAuthPacket.readFrom` (the auth-response field at
`MysqlAuthPacket.java:93` and the connection-attributes loop at
`MysqlAuthPacket.java:110-118`). A small handshake response can therefore
request a ~2 GiB allocation, and a length with the high bit set casts to a
negative size (`NegativeArraySizeException`).

This PR rejects a length that is negative or larger than the bytes
remaining in the buffer before allocating. A well-formed length-encoded
string's payload always fits in the remaining buffer, so valid input is
unaffected. One guard covers both reach paths.
@github-actions github-actions Bot requested a review from morningman as a code owner June 3, 2026 06:48
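
The unbounded read and the guard described in this PR, as an added example written here in Python rather than taken from Doris's Java code. The `int<lenenc>` layout (lead byte 0xFC/0xFD/0xFE announcing a 2-, 3- or 8-byte little-endian length) is the MySQL wire format; the function names, the signed decoding of the 8-byte form, and the shape of the connect-attribute loop are assumptions, and every sample field is constructed, not captured traffic. `requested_java_array_size` only computes what `new byte[(int) length]` would be asked for; nothing is allocated.

```python
"""Bounded MySQL length-encoded string reader (added illustration, not Doris code)."""
from __future__ import annotations


class MalformedPacket(ValueError):
    """A length-encoded field that the remaining bytes cannot satisfy."""


# Lead-byte widths of the MySQL int<lenenc> encoding: 0xFC/0xFD/0xFE are
# followed by a 2-, 3- or 8-byte little-endian length; 0xFB is not a length.
_WIDTHS = {0xFC: 2, 0xFD: 3, 0xFE: 8}


def read_len_encoded_int(buf: bytes, pos: int) -> tuple[int, int]:
    """Decode int<lenenc> at buf[pos] and return (value, next_pos).

    The 8-byte form is decoded as signed 64-bit to mirror a Java `long`
    (assumption: the FE reads it into a long), so a length with bit 63 set
    surfaces as a negative number instead of silently wrapping.
    """
    if pos >= len(buf):
        raise MalformedPacket("no bytes left for length prefix")
    lead = buf[pos]
    pos += 1
    if lead < 0xFB:
        return lead, pos
    if lead not in _WIDTHS:
        raise MalformedPacket(f"invalid length prefix 0x{lead:02x}")
    width = _WIDTHS[lead]
    if pos + width > len(buf):
        raise MalformedPacket("truncated length prefix")
    value = int.from_bytes(buf[pos:pos + width], "little", signed=(width == 8))
    return value, pos + width


def requested_java_array_size(length: int) -> int:
    """Size that `new byte[(int) length]` would request: Java narrows a long to
    its low 32 bits and reads them as a signed int. Computed only, never allocated."""
    low32 = length & 0xFFFFFFFF
    return low32 - (1 << 32) if low32 >= (1 << 31) else low32


def read_len_encoded_string(buf: bytes, pos: int) -> tuple[bytes, int]:
    """Hardened reader: refuse a length that is negative or exceeds the bytes
    remaining in the buffer before anything is allocated (the PR's guard).
    A well-formed string's payload always fits, so valid input passes."""
    length, pos = read_len_encoded_int(buf, pos)
    remaining = len(buf) - pos
    if length < 0 or length > remaining:
        raise MalformedPacket(f"length {length} exceeds remaining {remaining} bytes")
    return buf[pos:pos + length], pos + length


def read_connect_attrs(buf: bytes, pos: int) -> tuple[dict[str, str], int]:
    """Connection attributes: int<lenenc> total size, then key/value string<lenenc>
    pairs (MySQL layout; how the FE loop is written is an assumption). Every string
    goes through the same guarded reader, confined to the declared block."""
    total, pos = read_len_encoded_int(buf, pos)
    if total < 0 or total > len(buf) - pos:
        raise MalformedPacket(f"attribute block {total} exceeds remaining bytes")
    end = pos + total
    scope = buf[:end]          # inner strings may not run past the declared block
    attrs: dict[str, str] = {}
    while pos < end:
        key, pos = read_len_encoded_string(scope, pos)
        value, pos = read_len_encoded_string(scope, pos)
        attrs[key.decode("utf-8")] = value.decode("utf-8")
    return attrs, pos


def classify(buf: bytes) -> str:
    """Run the guarded reader over one field and return a short verdict."""
    try:
        value, _ = read_len_encoded_string(buf, 0)
        return f"ok:{value!r}"
    except MalformedPacket as exc:
        return f"rejected:{exc}"


# Constructed sample fields (not captured traffic).
VALID = b"\x05hello"                                        # 1-byte length, fits
TWO_BYTE = b"\xfc\x03\x00abc"                               # 0xFC + 2-byte length
NEAR_2GIB = b"\xfe" + (0x7FFFFFF0).to_bytes(8, "little")    # 9-byte field, ~2 GiB claim
BIT31_SET = b"\xfe" + (0x80000000).to_bytes(8, "little")    # (int) cast goes negative
BIT63_SET = b"\xfe" + (1 << 63).to_bytes(8, "little")       # negative even as a long

if __name__ == "__main__":
    for name, field in [("VALID", VALID), ("TWO_BYTE", TWO_BYTE), ("NEAR_2GIB", NEAR_2GIB),
                        ("BIT31_SET", BIT31_SET), ("BIT63_SET", BIT63_SET)]:
        print(f"{name:10} -> {classify(field)}")
```

The check is against the bytes actually remaining rather than a fixed cap, which is why it needs no tuning and cannot reject a legitimate client: the payload of a correctly framed field is already in the buffer. Routing the attribute loop through the same function is what lets one guard cover both reach paths the description names.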
@hello-stephen hello-stephen (Contributor) commented

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@hello-stephen hello-stephen (Contributor) commented

run buildall
