From: Davi Arnaut Date: April 29 2010 1:28pm Subject: bzr commit into mysql-5.0-bugteam branch (davi:2860) Bug#50974 List-Archive: http://lists.mysql.com/commits/106945 X-Bug: 50974 Message-Id: <20100429132821.D771B48E2CB@skynet> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="Boundary_(ID_QAKJ8H/gtbhLgXMXta/MXw)" --Boundary_(ID_QAKJ8H/gtbhLgXMXta/MXw) MIME-version: 1.0 Content-type: text/plain; CHARSET=US-ASCII Content-transfer-encoding: 7BIT Content-disposition: inline # At a local mysql-5.0-bugteam repository of davi 2860 Davi Arnaut 2010-04-29 Bug#50974: Server keeps receiving big (> max_allowed_packet) packets indefinitely. The server could be tricked to read packets indefinitely if it received a packet larger than the maximum size of one packet. This problem is aggravated by the fact that it can be triggered before authentication. The solution is to no skip big packets for non-authenticated sessions. If a big packet is sent before a session is authen- ticated, a error is returned and the connection is closed. @ include/mysql_com.h Add skip flag. Only used in server builds. @ sql/net_serv.cc Control whether big packets can be skipped. modified: include/mysql_com.h sql/net_serv.cc sql/sql_parse.cc === modified file 'include/mysql_com.h' --- a/include/mysql_com.h 2007-12-13 10:53:24 +0000 +++ b/include/mysql_com.h 2010-04-29 13:28:16 +0000 @@ -219,6 +219,16 @@ typedef struct st_net { my_bool report_error; /* We should report error (we have unreported error) */ my_bool return_errno; +#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY) + /* + Controls whether a big packet should be skipped. + + Initially set to FALSE by default. Unauthenticated sessions must have + this set to FALSE so that the server can't be tricked to read packets + indefinitely. + */ + my_bool skip_big_packet; +#endif } NET; #define packet_error (~(unsigned long) 0) === modified file 'sql/net_serv.cc' --- a/sql/net_serv.cc 2009-07-28 18:35:55 +0000 
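Review bot: The new `skip_big_packet` member at the end of `struct st_net` exists only when `MYSQL_SERVER` is defined and `EMBEDDED_LIBRARY` is not, so `sizeof(NET)` now depends on the macros each translation unit is compiled with. A server object that includes `mysql_com.h` without the same definitions would see a shorter struct than the code that writes the flag, which could become a silent out-of-bounds write rather than a build error. Placing the member last keeps the offsets of the existing members unchanged, but the comment should state the constraint, e.g. `/* Server-only member: every object linked into mysqld must see the same MYSQL_SERVER/EMBEDDED_LIBRARY settings. */`. The struct definition begins outside this hunk, so any earlier conditional members are not visible here.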
+++ b/sql/net_serv.cc 2010-04-29 13:28:16 +0000 @@ -141,6 +141,9 @@ my_bool my_net_init(NET *net, Vio* vio) net->query_cache_query= 0; #endif net->report_error= 0; +#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY) + net->skip_big_packet= FALSE; +#endif if (vio != 0) /* If real connection */ { @@ -947,6 +950,7 @@ my_real_read(NET *net, ulong *complen) { #if defined(MYSQL_SERVER) && !defined(NO_ALARM) if (!net->compress && + net->skip_big_packet && !my_net_skip_rest(net, (uint32) len, &alarmed, &alarm_buff)) net->error= 3; /* Successfully skiped packet */ #endif === modified file 'sql/sql_parse.cc' --- a/sql/sql_parse.cc 2010-04-29 04:42:32 +0000 +++ b/sql/sql_parse.cc 2010-04-29 13:28:16 +0000 
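Review bot: The read of `net->skip_big_packet` in `my_real_read` sits under `#if defined(MYSQL_SERVER) && !defined(NO_ALARM)`, while the member is declared in `mysql_com.h` and initialised in `my_net_init` (the preceding hunk) under `#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY)`. A build with `MYSQL_SERVER` and `EMBEDDED_LIBRARY` defined but `NO_ALARM` undefined would reference a member that does not exist; whether that combination is ruled out depends on definitions outside these hunks. Using one condition at all three sites would remove that dependency, for instance guarding this block with `#if defined(MYSQL_SERVER) && !defined(EMBEDDED_LIBRARY) && !defined(NO_ALARM)`. `my_real_read` starts and ends outside the hunk, so the path taken when the flag is FALSE is not visible here.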
@@ -493,6 +493,13 @@ int check_user(THD *thd, enum enum_serve } send_ok(thd); thd->password= test(passwd_len); // remember for error messages + /* + Allow the network layer to skip big packets. Although a malicious + authenticated session might use this to trick the server to read + big packets indefinitely, this is a previously established behavior + that needs to be preserved as to not break backwards compatibility. + */ + thd->net.skip_big_packet= TRUE; /* Ready to handle queries */ DBUG_RETURN(0); } --Boundary_(ID_QAKJ8H/gtbhLgXMXta/MXw) MIME-version: 1.0 Content-type: text/bzr-bundle; CHARSET=US-ASCII; name="bzr/davi.arnaut@stripped" Content-transfer-encoding: 7BIT Content-disposition: inline; filename="bzr/davi.arnaut@stripped" # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: davi.arnaut@stripped # target_branch: file:///home/davi/bzr/bugs/50974-5.0/ # testament_sha1: d8062314d0285bf8447f81ed50e9bac08cf8d0a4 # timestamp: 2010-04-29 10:28:21 -0300 # base_revision_id: ramil@stripped # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWcQ93QcAA5xfgFQUeff//38m vyC////wYAhvvCyAHQOg6ACgArIAZJE8ppoGppppmJ5U9PVPRMjQaNGjIaBoAQqepiPUaZGmjRpp pkGgAANGjCZNDA5pkZDJghowmCNNGjEDTJkYAAg0yKamaaQU/VMjGmkek09RmhGAI00eiYgDmmRk MmCGjCYI00aMQNMmRgACCSQEAEMkyaNT00mJ6Rk0mmKY0E/SR6MjeWSJFIMF6V2pEaoSejZtSfsW C5u124mrqVt3ExrEkF2i4WAwXNCHXPXGRVY5AU6eunTBourivrXT6edCCgA2CWIHutkM4Hc17EkE kgeOphXGB0MbopBB0Mbu8Ei+9749Msw0uOBL25eDVs7mcoFeFsa2sklsahb5CpdErYhVm19GITUE tOV2UTlaKmg+VBTAqJzZTeuwWblwo1jyyWlUfJQxiQJ9hm0VUsYiGFiuk0rBdVdjmKv/0GlrBX0T nVZ9o6c6qiBcq6hnVyUa4W6Tl0cOHN38ZVX7njiej6sZnsQwJQAFKv8EIJDaQKTdOjYpyXAEp9xm 2hrs46asU0b5zORWy8hJrvFAjWHl1d0BDQGU4gRFGwK944bGpizsOl1F3VXTNuuphE/sDDP0AwjS i2zyObYwSjSvk1LkZrDX2lKAwd7Ywbe0/UBJJOAHgOAm1BnF4EeYYSiEiFFpTKRzlU4fUtAgRCPG 0cWG82XhgiqU3rndB11scbYXiQ5gJ+66A/9KXaOq6OmowhqoJY3AnHkDTDE1DUHCw0iLTAwMM40q zq0aMgLdRHQGk9yuZBoGyJ6GcisGVaAu1Dy7wEQUwm7TZcpuOKkIc+9qEkwshjAkQXXfQWYRNcAc 
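Review bot: Nothing in `check_user` or in the new comment records that `thd->net.skip_big_packet= TRUE` must stay on the path that follows successful authentication, and that ordering is the whole of the pre-authentication protection. I would extend the comment with something like `Must only be set once authentication has succeeded (Bug#50974).` so that a later refactoring does not move the assignment earlier. The commit also touches no test file; a regression test checking that an oversized packet on an unauthenticated connection yields an error and a closed connection would pin the behaviour. `check_user` begins outside the hunk, so any other successful return paths cannot be checked here for the same assignment.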
8CnBoxzMIhCIiAwZukVj9pUTGNhkQKB50F5iUTrtvxLwcTNI8uCAlB6NrrLiIRKWsiq+cr1EiEqy sMSgrNZJPKj+zcnomIVhKKop06JCKhUUST59+lUCnJSAeW4uNYwwZBUBcFjwAMdy6CpQNWijoEci 9UaG+9Yiq03GwY4rqyIkDSXORSOMxDi0+V62lR6eeTsAKnwG2uHfArgN+UCcmuEZYE64kp6ygs5O RUnmZEgWrvW5as6WvstspSIlRLuMRytG5rTLAuKZaCRmbQtuhGh7wGgMDscKYCHlQ+sxsKh0gO0j IB5EpJQkMXWDUzhRXGD1STqteOBkRGUXClbQKj8jsD1fEyqcB2sqhHwLIY8pc7Ta4TsgAfdyAZtL wnOCFC0NPTvAaHEea95y/TqNdhkmBj4n0NuyVPKB9BjT8/qf21neTPmfYiYr6jWfc+q+x9sCo+1F RAtPu4pLFWfyUfdsVucwbTSUHw7w7eKN52rinCPz5MoqPq7ppUMF6TwPUvcfI9h/k70B8o4L3jfm vkV44B+AsJnr/95+hs0TDH5mbPqf5/rjkIw9wiL1O6hMVfFlFNncCnq+D331cDeIdYgS1l8BKLI8 RQVDYO2aAPt4RtKicqA3UcA7zdNDYWN9ilItS6zUfudx0fsUK9EQ7TrS/cbgWF/N/1/MdCus4trY GQF8B9iSzRAOBKmSRU96NYwOGOqpxFkT705byRM27AoNq9JaTLEcwi6ypHObCTFAiP8GxDL8HbbD QbToNf3GLQzvWl5vDcunHL0Urx5SOkkmPGvc9MN4uT8pEEyd0m+40GRYcTuJdTX+omSOJVfJd6Kj Z4ycsRQFctX4O0jFbU5vaT9WTjzJA7cQl5X8CnKmqxi1BtXScFQXiLUwaXfQwrTw0JyXgY6IkQyb xw2Wxr46xOQf8bkXy3BAJu1g8ZuYc2ScnIwHJUPZIytS402Hmy7M+rrQMbgbIOoiegd2DiZ2Gcva S9IWhzn8rv8V6yoKgGrL/ENpCIylnqtkwu3D8dhmtSvUwZSEbuFUYVcU99msn/RtPCnGM69AGN4c bcGQAQqQyzYAggB1ok7K0ZqE5gi0GFNKMTgBhEZIbnZJu5tzHPtEbveCmOPA1ODxSKMPSwc29CjS a111FvN6xPX8UhlLJ4ftyjPaWjMyRPpatBEPEYZm2wEPOAjnRlHSVA6hdyzPBd121ikRWnFtg4A6 BWoOqqhR6wedaWJNFwjgEANlp1RP5kjrZBw1DOd8Gk1/MXw5PlEpk7Iw0zzcFUwRhrTFqOo+PoxP JlKQXZnrK2IOqCsooy7MO1Q+AeXctFNpahzjU81Am/FMBUi8F9PKikZhFJNXzgFH3bffer4SVcHB 8OK88rqDwbajgRMCRoSK3DknJh8vYBpbgz+kiV5rtrgUcRIsRWwih3RCB5m+hLwg668THcyueuyy /2FtRKRyT1iheS1PDT7GTMyYRv5dyIJiV7BgYCsLF+QaY2ndQXK65MS2ANNlQ03+NbRISYTaGGJZ CIjFHUg6ikIOS8XYrQikdJqUve6rdMRfBs5PWbJ8Zz3hWFh5EhG3YOtmq0G3Z1MRMszfIcztXPMy OdALCbS0GZ3ZSq0NSATmAnhY0v2MjCt2bXIUAQBhg2AsAQnYtwk8yFiK3G4NjVOc5znXrwOIPZEH lwFDERe5IbWGEI6/815S1TkzNvc45MjayOA5xArSKk9HYKkaKKhLPMVMBx82/phVoqHfJp/mY11X LpbeUGmyTxGIpLa8HK5JihkVPHjmKRFJ6Lhl+1z+3AtEQPbh7P10AtctI0ZICvYYo2kommGSZE++ IKLZpGeFNnlxXjDPEuPRppfs1hfC9yyNRqIJRsfS1Qz2gw9oxhAZ3tpopigsmIvDlGeVzBzA6HtV 2epf6LuSKcKEhiHu6Dg= --Boundary_(ID_QAKJ8H/gtbhLgXMXta/MXw)--