From: Davi Arnaut  Date: April 29 2010 1:28pm
Subject: bzr commit into mysql-5.0-bugteam branch (davi:2860) Bug#50974
# At a local mysql-5.0-bugteam repository of davi

 2860 Davi Arnaut	2010-04-29
      Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely.
      
      The server could be tricked to read packets indefinitely if it
      received a packet larger than the maximum size of one packet.
      This problem is aggravated by the fact that it can be triggered
      before authentication.
      
      The solution is to not skip big packets for non-authenticated
      sessions. If a big packet is sent before a session is
      authenticated, an error is returned and the connection is closed.
     @ include/mysql_com.h
        Add skip flag. Only used in server builds.
     @ sql/net_serv.cc
        Control whether big packets can be skipped.

    modified:
      include/mysql_com.h
      sql/net_serv.cc
      sql/sql_parse.cc
=== modified file 'include/mysql_com.h'
--- a/include/mysql_com.h	2007-12-13 10:53:24 +0000
+++ b/include/mysql_com.h	2010-04-29 13:28:16 +0000
@@ -219,6 +219,16 @@ typedef struct st_net {
 
   my_bool report_error; /* We should report error (we have unreported error) */
   my_bool return_errno;
+#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)
+  /*
+    Controls whether a big packet should be skipped.
+
+    Initially set to FALSE by default. Unauthenticated sessions must have
+    this set to FALSE so that the server can't be tricked to read packets
+    indefinitely.
+  */
+  my_bool skip_big_packet;
+#endif
 } NET;
 
 #define packet_error (~(unsigned long) 0)
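Review bot: the new member's comment says it is "Initially set to FALSE by default", but a struct member has no default; it is FALSE only because my_net_init clears it, and it becomes TRUE only in check_user after a successful login. Since this header is what a reader consults first, name those two places explicitly, e.g. "Cleared in my_net_init(); set to TRUE by check_user() once the session is authenticated." Note also that placing the member behind `#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)` makes sizeof(NET) differ between server builds and client/embedded builds, so any code that passes NET objects across that boundary must be compiled with the same macros.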

=== modified file 'sql/net_serv.cc'
--- a/sql/net_serv.cc	2009-07-28 18:35:55 +0000
+++ b/sql/net_serv.cc	2010-04-29 13:28:16 +0000
@@ -141,6 +141,9 @@ my_bool my_net_init(NET *net, Vio* vio)
   net->query_cache_query= 0;
 #endif
   net->report_error= 0;
+#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)
+  net->skip_big_packet= FALSE;
+#endif
 
   if (vio != 0)					/* If real connection */
   {
@@ -947,6 +950,7 @@ my_real_read(NET *net, ulong *complen)
 	  {
 #if defined(MYSQL_SERVER) && !defined(NO_ALARM)
 	    if (!net->compress &&
+                net->skip_big_packet &&
 		!my_net_skip_rest(net, (uint32) len, &alarmed, &alarm_buff))
 	      net->error= 3;		/* Successfully skiped packet */
 #endif
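Review bot: the new `net->skip_big_packet &&` test is compiled under `#if defined(MYSQL_SERVER) && !defined(NO_ALARM)`, while the member itself exists only under `#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)` (mysql_com.h hunk). Unless NO_ALARM is guaranteed to be defined whenever EMBEDDED_LIBRARY is, a build with both MYSQL_SERVER and EMBEDDED_LIBRARY and alarms enabled references a member that was never declared; using the same guard in both places, or wrapping this access in its own #ifdef, removes that dependency. The unauthenticated path is also left implicit: when the flag is FALSE the skip is simply not attempted and net->error is not set to 3, so the "error returned, connection closed" behaviour the commit message promises has to come from code after this #endif that the hunk does not show; a one-line comment here saying so would help the next reader. Minor: the added line is indented with spaces where the neighbouring lines use tabs, and "skiped" in the trailing comment is a typo worth fixing while touching this block.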

=== modified file 'sql/sql_parse.cc'
--- a/sql/sql_parse.cc	2010-04-29 04:42:32 +0000
+++ b/sql/sql_parse.cc	2010-04-29 13:28:16 +0000
@@ -493,6 +493,13 @@ int check_user(THD *thd, enum enum_serve
       }
       send_ok(thd);
       thd->password= test(passwd_len);          // remember for error messages 
+      /*
+        Allow the network layer to skip big packets. Although a malicious
+        authenticated session might use this to trick the server to read
+        big packets indefinitely, this is a previously established behavior
+        that needs to be preserved as to not break backwards compatibility.
+      */
+      thd->net.skip_big_packet= TRUE;
       /* Ready to handle queries */
       DBUG_RETURN(0);
     }
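Review bot: skip_big_packet is set to TRUE on the success path of check_user and nothing in this patch ever clears it again. If check_user can run more than once on the same connection (for example when a client re-authenticates) and a later attempt fails, the session keeps the permissive setting earned by the earlier success; clearing the flag at the start of check_user, or on its failure paths, would tie it to the current authentication state rather than to the first successful login. Also, "as to not break backwards compatibility" in the new comment reads better as "so as not to break backward compatibility".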


Attachment: [text/bzr-bundle] bzr/davi.arnaut@sun.com-20100429132816-ictyul6d75itek22.bundle