Add bounds checks to response attributes

Summary: The function to write resp attrs has a 65k hard limit. While we could circumvent this with an alternate method, lets put in the limit a bit lower. OK packets also have a hard limit of 16mb, and as we have more junk thrown in there lets try and not flood it with resp attr stuff. The API does almost no error checking, so our solution is to truncate the warnings quietly :). dbug asserts will expose the issue to those who test thoroughly Reviewed By: fadimounir Differential Revision: D28662609 fbshipit-source-id: e14d7379601
percona · Jun 2, 2021 · a1ad6e1 · a1ad6e1
1 parent 4c6fbb7
commit a1ad6e1
Show file tree

Hide file tree

Showing 3 changed files with 14 additions and 2 deletions.
diff --git a/sql/protocol_classic.cc b/sql/protocol_classic.cc
@@ -1296,6 +1296,7 @@ static uchar *net_store_length_fast(uchar *packet, size_t length) {
 /* The following will only be used for short strings < 65K */
 
 uchar *net_store_data(uchar *to, const uchar *from, size_t length) {
+  DBUG_ASSERT(length <= 65535);
   to = net_store_length_fast(to, length);
   if (length > 0) memcpy(to, from, length);
   return to + length;

diff --git a/sql/session_tracker.cc b/sql/session_tracker.cc
@@ -60,6 +60,8 @@
 #include "sql_string.h"
 #include "template_utils.h"
 
+constexpr size_t Session_resp_attr_tracker::MAX_RESP_ATTR_LEN;
+
 static void store_lenenc_string(String &to, const char *from, size_t length);
 
 /**
@@ -1327,6 +1329,8 @@ bool Session_resp_attr_tracker::store(THD *thd MY_ATTRIBUTE((unused)),
 
   size_t len = net_length_size(attrs_.size());
   for (const auto &attr : attrs_) {
+    DBUG_ASSERT(attr.first.size() <= MAX_RESP_ATTR_LEN);
+    DBUG_ASSERT(attr.second.size() <= MAX_RESP_ATTR_LEN);
     len += net_length_size(attr.first.size()) + attr.first.size();
     len += net_length_size(attr.second.size()) + attr.second.size();
   }
@@ -1375,9 +1379,13 @@ void Session_resp_attr_tracker::mark_as_changed(THD *thd MY_ATTRIBUTE((unused)),
                                                 LEX_CSTRING *key,
                                                 const LEX_CSTRING *value) {
   DBUG_ASSERT(key->length > 0);
-  std::string k(key->str, key->length);
+  DBUG_ASSERT(key->length <= MAX_RESP_ATTR_LEN);
+  DBUG_ASSERT(value->length > 0);
+  DBUG_ASSERT(value->length <= MAX_RESP_ATTR_LEN);
 
-  attrs_[k] = std::string(value->str, value->length);
+  std::string k(key->str, std::min(key->length, MAX_RESP_ATTR_LEN));
+  std::string val(value->str, std::min(value->length, MAX_RESP_ATTR_LEN));
+  attrs_[std::move(k)] = std::move(val);
   m_changed = true;
 }
 

diff --git a/sql/session_tracker.h b/sql/session_tracker.h
@@ -325,6 +325,9 @@ class Session_resp_attr_tracker : public State_tracker {
     m_changed = false;
     m_enabled = false;
   }
+  // 65535 is the HARD LIMIT. Realistically we should need nothing
+  // close to this
+  static constexpr size_t MAX_RESP_ATTR_LEN = 60000;
 
   bool enable(THD *thd) override;
   bool check(THD *, set_var *) override { return false; }