From: Dmitry Shulga Date: December 15 2010 9:33am Subject: bzr commit into mysql-5.1-bugteam branch (Dmitry.Shulga:3512) Bug#56976 List-Archive: http://lists.mysql.com/commits/126894 X-Bug: 56976 Message-Id: <201012150933.oBF9XM0s019968@acsinet15.oracle.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0616239549==" --===============0616239549== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///Users/shulga/projects/mysql/5.1-bugteam-bug56976/ based on revid:mats.kindahl@stripped 3512 Dmitry Shulga 2010-12-15 Fixed bug#56976 - Severe Denial Of Service in prepared statements. The problem is that it doesn't check size of concatenated string against some limit when reading long data from client. The solution is to add check for size of result string against value of max_allowed_packet constant. @ sql/item.cc Item_param::set_longdata - added check for size of concatenated result against value of max_allowed_packet constant. @ sql/item.h added third argument of type THD* to declaration of set_longdata(). modified: sql/item.cc sql/item.h sql/sql_prepare.cc
=== modified file 'sql/item.cc'
--- a/sql/item.cc 2010-11-18 13:11:18 +0000
+++ b/sql/item.cc 2010-12-15 09:33:22 +0000
@@ -2738,7 +2738,7 @@ bool Item_param::set_str(const char *str
 }
-bool Item_param::set_longdata(const char *str, ulong length)
+bool Item_param::set_longdata(const char *str, ulong length, THD *thd)
 {
 DBUG_ENTER("Item_param::set_longdata");
@@ -2751,6 +2751,9 @@ bool Item_param::set_longdata(const char
 (here), and first have to concatenate all pieces together,
 write query to the binary log and only then perform conversion.
 */
+ if (str_value.length() + length > thd->variables.max_allowed_packet)
+ DBUG_RETURN(TRUE);
+
 if (str_value.append(str, length, &my_charset_bin))
 DBUG_RETURN(TRUE);
 state= LONG_DATA_VALUE;
=== modified file 'sql/item.h'
--- a/sql/item.h 2010-07-30 13:35:06 +0000
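Review bot: The new bound in Item_param::set_longdata rejects an oversized chunk with a bare `DBUG_RETURN(TRUE)`, the same value the `str_value.append` failure just below it returns, so the caller in mysql_stmt_get_longdata (the `{ stmt->state= Query_arena::ERROR;` block in the sql/sql_prepare.cc hunk, whose body continues outside that hunk) cannot tell a client exceeding max_allowed_packet from an allocation failure and will presumably report both the same way. Recording a distinct diagnostic for the size case (MySQL has ER_NET_PACKET_TOO_LARGE for exactly this condition) would make the statement's failure at execute time actionable for the client and let an operator see the limit being hit rather than apparent memory pressure. The check also deserves a why-comment, e.g. `/* Bound the data accumulated across long-data chunks by max_allowed_packet; without it a client could grow this buffer without limit (Bug#56976). */`. As a point of style, the added `THD *thd` is appended as the last parameter while the neighbouring declaration `set_from_user_var(THD *thd, ...)` in the sql/item.h hunk puts thd first; matching that convention would touch item.h and both call sites in sql_prepare.cc.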
+++ b/sql/item.h 2010-12-15 09:33:22 +0000
@@ -1687,7 +1687,7 @@ public:
 void set_double(double i);
 void set_decimal(const char *str, ulong length);
 bool set_str(const char *str, ulong length);
- bool set_longdata(const char *str, ulong length);
+ bool set_longdata(const char *str, ulong length, THD *thd);
 void set_time(MYSQL_TIME *tm, timestamp_type type, uint32 max_length_arg);
 bool set_from_user_var(THD *thd, const user_var_entry *entry);
 void reset();
=== modified file 'sql/sql_prepare.cc'
--- a/sql/sql_prepare.cc 2010-11-03 10:24:47 +0000
+++ b/sql/sql_prepare.cc 2010-12-15 09:33:22 +0000
@@ -2800,9 +2800,9 @@ void mysql_stmt_get_longdata(THD *thd, c param= stmt->param_array[param_number]; #ifndef EMBEDDED_LIBRARY - if (param->set_longdata(packet, (ulong) (packet_end - packet))) + if (param->set_longdata(packet, (ulong) (packet_end - packet), thd)) #else - if (param->set_longdata(thd->extra_data, thd->extra_length)) + if (param->set_longdata(thd->extra_data, thd->extra_length, thd)) #endif { stmt->state= Query_arena::ERROR; --===============0616239549== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/dmitry.shulga@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: dmitry.shulga@stripped\ # dr7yfns8rqpumw4y # target_branch: file:///Users/shulga/projects/mysql/5.1-bugteam-\ # bug56976/ # testament_sha1: 164c1b1094c512bc533d6c0e9e34f962dd788992 # timestamp: 2010-12-15 15:33:31 +0600 # base_revision_id: mats.kindahl@stripped\ # 7udci9op4lc6jvtb # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWZKWhnAAAyhfgEAQWP///1fh ngC////wYAc7lvvTrVLRnet2z6Gi2HbPJuCShJP0RNPU2own6mmUMnqabSbSNGQAGgSSQmnoDTQ1 U/TKTT9U09TJoAAAAAlITBpSfpQD1MnpAAAeoAaNAAYkKYnpE2U9T0jNIAaBoB6mIyNNANqhCntF PUe1Tyho/Sho9R+qNDQABoABJICAjBAAp5NKfo0kbSZHqAA9Q3DJUx692V9VYOM2b9MPKl8tlG3q 4vtfC2p4/MnIBCJGMHwuvEz3tLUXESRznJ9DrD5qdGM6DgKSSCQGGsGiiG4EBVBnIQqZkIQxXpHw kTXtNmob3PZhEMj7K8aqDBmdRo+LZJnSlVRXrdLioPZiMiOQhDLa9LHsWNgMvPlY+R4x4vqZdFp3 XctDyuumW/TzkGqeCo4PewUTBLbVTL2Y4swM2jqYYU/GJB30f2oRGspargRT1kjoAbrJVkw17pu0 RIxu36BWbda5Wqg7J1u87LJXVWwBhmMGEqHopXEg6QjQsHQVA5ZfKSWdmZBotHZCcPjg+8TJKAkf DZrK5zJqZAYRNxQ80NEZ4wsgo0ekEQiJEcwIpJi2iqUJjocGFUCgydi7yoEidNLxN9Ly8mUmJu36 6Kq2zGVpRTTiX0KhhFjyEz8udnHC+n/UpTqdT/mFoi7RzlSNWSadrR5vX6CirVzHFGZamA0W17Jz EPiVCCCej03KRBIq2dsIYvcVvp6DO5YDZjJONK9s3CcsEx3zJWvvH4wtZ5c4WG91lAjWUPmIbE3k oMQn9uRoKVAqLbzetzhletqonPXfmRqYgMEVBxXMpshcMb9OwIlhCLhv0t0y6U7P+iI6YDYM2sYi MH63z/xRmJJlfcd/POJYVEdbjSZoFhcmIkb06xa+c6tVyNalCBiSag6sV4dk4qruGLlxLmjeiWwc 
MVTGIrCcrJ5jdTOM8U8YXG9hnPpotLymMO9QizFsGLuS3VA43EXLDBDqCYdxTGYxMOziYtLI4FRO 0HxfHrEZ21VFYmLRrOGcQ5njCt2SHC5xKosVleeNjtqiYrVvWbPJy7DTyKroQsc6I+1w6h00yeEn IgOm2A4GxxNtikiZnMPeD6ryaUKDhgmVbVHyUoo3nMqUhML4SQQXdm1HPPwadsux7tpa49fkIOPS jbPfEuWTZ/GnJKTtTUDminUDCq91oWPW3uY3O0TMzNQ8DWaiyPPUkVnn7etJ6lNKUwDidNI9/AyT xalmVh0XZRKWNVo5jMylAOTIUKqlrxa8CwrzHlFticLp0OBYMOzcnDikgsY6igcSGSxPL6jJlHEb IKmFtl4hEkVJfIJmB864cFGB7G8oMSgjoO6Xzvdu3nT610nO2OlGbhFbjBpOE5gCVqAzOPiMUHFZ 1mt51lrIxDIbct56uuTkx5WKqLxOnCYaSgwUu7aMjBi8aLB9nFeQP6n1PgDLhT4iMJdljurtWvp3 MRuBGaYAgy8DkbPRzu+vVDOR0SHlBVasy495OTZkVCuukFaes/VsIyZ7/ZVdx54+UKsMputXLw50 dmP2bK9CsY8Xo/HXo5svtT3I2DBr3VS78/eyvrYFZpFQKbxVJYEqF7yJTgYjBgTrqbj0MKinVQZQ 4gwLaqu1MK1EsyyiOpAIs2oeLyZuILzTxMgicDMuk5I9CO5cvJgZaXDdAGHAfQseo94vksytVK6w ENtV+oBqV2GOVYXYN9jOx80DU0a1cGoE8hA6IM06ihYr144n3C+LTpukwmZLJVY1qa5C/ibfcFyx Gw4dCgjMsSdOpysoRxEUYkmKoz4MqRlSpLUWuPPUKCzSMKcwQAGA+O3Oxe/uCYlC7kyi9lIVycNB X+C+CdiwBBOEMOca1cqjN1lNV0TVxqG+88RG3OqvNXKyoLkWiPfbbSNnfrgcXuDJRHFbpoHsDJmS cLoPPJWK4Q+QwxJTGE9hMoZxr1PoNjYlUXz7IBzVAMezUQ4O6cPcm3VxIAgLAmW0yiauCsHWgpiN 5dujOVJqsS3JhgPSxfAzkcy1stJYqyukRUsFpUzI9TJB6K1SEaOSqKDJchEHqAByYTw4M+Tlewio HF/i4KCJLGotUVgsjBT3LJXVm0EcpnipWCJCoDAOnBDVl1IoStDCZC8aTlBEQZC83TWhijAZjmUW Zmac8Tw5wuHAQkJxF/ZzeRIeGODHvEwhVGTQioB2JPemFzE8CQbE/w2KJSI/4ctOcVs0QH3sNe5f JQq54nOGKZTIIuNNNIJidBIZQVNE7mNh9Y0mUewvLzpkVJHOslAjzEOrKp1Ip6+rnfkumTCrMV51 2iLFZBbLVZGnwG5aK5A4vGBkJlJPpmgInXkWMNbrUrP+LuSKcKEhJS0M4A== --===============0616239549==--