From:Dmitry Shulga Date:December 16 2010 4:52pm
Subject:bzr commit into mysql-5.1-bugteam branch (Dmitry.Shulga:3512) Bug#56976
#At file:///Users/shulga/projects/mysql/5.1-bugteam-bug56976/ based on revid:mats.kindahl@stripped

 3512 Dmitry Shulga	2010-12-16
      Fixed bug#56976 - Severe Denial Of Service in prepared statements.
      
      The problem is that the server does not check the size of the
      concatenated string against any limit while accumulating long data
      sent by the client (COM_STMT_SEND_LONG_DATA), so a client can make
      the server allocate without bound.
      
      The solution is to add check for size of result string against
      value of max_allowed_packet constant.
     @ sql/item.cc
        Item_param::set_longdata - added check for size of concatenated result
        against value of max_allowed_packet constant.
     @ sql/item.h
        added third argument of type THD* to declaration of set_longdata().
     @ sql/net_serv.cc
        Fixed an error that had been added by patch for bug#42503.
        This change will fix bug#58887.

    modified:
      sql/item.cc
      sql/item.h
      sql/net_serv.cc
      sql/sql_prepare.cc
=== modified file 'sql/item.cc'
--- a/sql/item.cc	2010-11-18 13:11:18 +0000
+++ b/sql/item.cc	2010-12-16 16:52:09 +0000
@@ -2738,7 +2738,7 @@ bool Item_param::set_str(const char *str
 }
 
 
-bool Item_param::set_longdata(const char *str, ulong length)
+bool Item_param::set_longdata(const char *str, ulong length, THD *thd)
 {
   DBUG_ENTER("Item_param::set_longdata");
 
@@ -2751,6 +2751,9 @@ bool Item_param::set_longdata(const char
     (here), and first have to concatenate all pieces together,
     write query to the binary log and only then perform conversion.
   */
+  if (str_value.length() + length > thd->variables.max_allowed_packet)
+    DBUG_RETURN(TRUE);
+
   if (str_value.append(str, length, &my_charset_bin))
     DBUG_RETURN(TRUE);
   state= LONG_DATA_VALUE;
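Review bot: The new guard in front of `str_value.append` returns TRUE without recording any diagnostic, so the caller cannot tell a rejected over-long parameter from an allocation failure inside append, and the client gets no hint of which limit it hit; report an error before `DBUG_RETURN(TRUE)` (the "packet too large" condition that net_serv.cc's net_realloc already reports is the natural candidate, if that error is appropriate at this layer). The sum `str_value.length() + length` can also wrap on 32-bit builds when `length` is close to the limit, which would let the check pass; the overflow-safe form is `if (length > thd->variables.max_allowed_packet || str_value.length() > thd->variables.max_allowed_packet - length)`. Note that the comparison is against the session value and bounds one parameter's buffer only, not the total held per statement or connection. set_longdata's body continues outside the hunk.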

=== modified file 'sql/item.h'
--- a/sql/item.h	2010-07-30 13:35:06 +0000
+++ b/sql/item.h	2010-12-16 16:52:09 +0000
@@ -1687,7 +1687,7 @@ public:
   void set_double(double i);
   void set_decimal(const char *str, ulong length);
   bool set_str(const char *str, ulong length);
-  bool set_longdata(const char *str, ulong length);
+  bool set_longdata(const char *str, ulong length, THD *thd);
   void set_time(MYSQL_TIME *tm, timestamp_type type, uint32 max_length_arg);
   bool set_from_user_var(THD *thd, const user_var_entry *entry);
   void reset();

=== modified file 'sql/net_serv.cc'
--- a/sql/net_serv.cc	2010-09-16 10:24:27 +0000
+++ b/sql/net_serv.cc	2010-12-16 16:52:09 +0000
@@ -170,17 +170,7 @@ my_bool net_realloc(NET *net, size_t len
   DBUG_ENTER("net_realloc");
   DBUG_PRINT("enter",("length: %lu", (ulong) length));
 
-  /*
-    When compression is off, net->where_b is always 0.
-    With compression turned on, net->where_b may indicate
-    that we still have a piece of the previous logical
-    packet in the buffer, unprocessed. Take it into account
-    when checking that max_allowed_packet is not exceeded.
-    This ensures that the client treats max_allowed_packet
-    limit identically, regardless of compression being on
-    or off.
-  */
-  if (length >= (net->max_packet_size + net->where_b))
+  if (length >= net->max_packet_size)
   {
     DBUG_PRINT("error", ("Packet too large. Max size: %lu",
                          net->max_packet_size));
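Review bot: The rationale in the deleted comment is not replaced, so a reader of `if (length >= net->max_packet_size)` can no longer tell whether `length` already accounts for the unprocessed compressed remainder at `net->where_b`, which is exactly the quantity this bound exists to cap when the buffer is grown. The commit message only says the previous form was an error; add a comment stating the invariant the new check relies on, e.g. `/* length already includes net->where_b (callers pass the total buffer size needed), so compare it against max_packet_size directly. */` — and if that invariant does not hold, the check should keep accounting for the remainder rather than drop it. net_realloc's body continues outside the hunk.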

=== modified file 'sql/sql_prepare.cc'
--- a/sql/sql_prepare.cc	2010-11-03 10:24:47 +0000
+++ b/sql/sql_prepare.cc	2010-12-16 16:52:09 +0000
@@ -2800,9 +2800,9 @@ void mysql_stmt_get_longdata(THD *thd, c
   param= stmt->param_array[param_number];
 
 #ifndef EMBEDDED_LIBRARY
-  if (param->set_longdata(packet, (ulong) (packet_end - packet)))
+  if (param->set_longdata(packet, (ulong) (packet_end - packet), thd))
 #else
-  if (param->set_longdata(thd->extra_data, thd->extra_length))
+  if (param->set_longdata(thd->extra_data, thd->extra_length, thd))
 #endif
   {
     stmt->state= Query_arena::ERROR;
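Review bot: The limit enforced through the new `thd` argument applies to the single parameter selected at `param= stmt->param_array[param_number]`, so a client can still accumulate up to max_allowed_packet bytes in every parameter of every prepared statement it holds; if the intended bound is per-statement or per-connection, the running total belongs here, and if per-parameter is intended, the commit message should say so. Both failure modes of set_longdata now land on the same `stmt->state= Query_arena::ERROR` path, so whatever diagnostic is stored for the later execute (the rest of the error handling is outside the hunk) should distinguish an over-long parameter from an out-of-memory append. mysql_stmt_get_longdata's body continues beyond both ends of the hunk.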


Attachment: [text/bzr-bundle] bzr/dmitry.shulga@oracle.com-20101216165209-blr3j28zmxzsitkf.bundle