From: Dmitry Shulga Date: December 16 2010 4:52pm Subject: bzr commit into mysql-5.1-bugteam branch (Dmitry.Shulga:3512) Bug#56976 List-Archive: http://lists.mysql.com/commits/127098 X-Bug: 56976 Message-Id: <201012161652.oBGGqePq000586@acsinet15.oracle.com> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0532806381==" --===============0532806381== MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Content-Disposition: inline #At file:///Users/shulga/projects/mysql/5.1-bugteam-bug56976/ based on revid:mats.kindahl@stripped 3512 Dmitry Shulga 2010-12-16 Fixed bug#56976 - Severe Denial Of Service in prepared statements. The problem is that it doesn't check size of concatenated string against some limit when reading long data from client. The solution is to add check for size of result string against value of max_allowed_packet constant. @ sql/item.cc Item_param::set_longdata - added check for size of concatenated result against value of max_allowed_packet constant. @ sql/item.h added third argument of type THD* to declaration of set_longdata(). @ sql/net_serv.cc Fixed an error that had been added by patch for bug#42503. This change will fix bug#58887. modified: sql/item.cc sql/item.h sql/net_serv.cc sql/sql_prepare.cc === modified file 'sql/item.cc' --- a/sql/item.cc 2010-11-18 13:11:18 +0000 +++ b/sql/item.cc 2010-12-16 16:52:09 +0000 @@ -2738,7 +2738,7 @@ bool Item_param::set_str(const char *str } -bool Item_param::set_longdata(const char *str, ulong length) +bool Item_param::set_longdata(const char *str, ulong length, THD *thd) { DBUG_ENTER("Item_param::set_longdata"); 
@@ -2751,6 +2751,9 @@ bool Item_param::set_longdata(const char (here), and first have to concatenate all pieces together, write query to the binary log and only then perform conversion. */ + if (str_value.length() + length > thd->variables.max_allowed_packet) + DBUG_RETURN(TRUE); + if (str_value.append(str, length, &my_charset_bin)) DBUG_RETURN(TRUE); state= LONG_DATA_VALUE; === modified file 'sql/item.h' --- a/sql/item.h 2010-07-30 13:35:06 +0000 +++ b/sql/item.h 2010-12-16 16:52:09 +0000 @@ -1687,7 +1687,7 @@ public: void set_double(double i); void set_decimal(const char *str, ulong length); bool set_str(const char *str, ulong length); - bool set_longdata(const char *str, ulong length); + bool set_longdata(const char *str, ulong length, THD *thd); void set_time(MYSQL_TIME *tm, timestamp_type type, uint32 max_length_arg); bool set_from_user_var(THD *thd, const user_var_entry *entry); void reset(); === modified file 'sql/net_serv.cc' --- a/sql/net_serv.cc 2010-09-16 10:24:27 +0000 +++ b/sql/net_serv.cc 2010-12-16 16:52:09 +0000 @@ -170,17 +170,7 @@ my_bool net_realloc(NET *net, size_t len DBUG_ENTER("net_realloc"); DBUG_PRINT("enter",("length: %lu", (ulong) length)); - /* - When compression is off, net->where_b is always 0. - With compression turned on, net->where_b may indicate - that we still have a piece of the previous logical - packet in the buffer, unprocessed. Take it into account - when checking that max_allowed_packet is not exceeded. - This ensures that the client treats max_allowed_packet - limit identically, regardless of compression being on - or off. - */ - if (length >= (net->max_packet_size + net->where_b)) + if (length >= net->max_packet_size) { DBUG_PRINT("error", ("Packet too large. Max size: %lu", net->max_packet_size)); === modified file 'sql/sql_prepare.cc' --- a/sql/sql_prepare.cc 2010-11-03 10:24:47 +0000 +++ b/sql/sql_prepare.cc 2010-12-16 16:52:09 +0000 
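Review bot: The added guard forms `str_value.length() + length` before comparing it with `thd->variables.max_allowed_packet`, so on a build where ulong is 32 bits the addition can wrap and let an oversized piece through; whether the surrounding code already keeps both operands well below that range is not visible in this hunk. A subtraction form needs no such assumption: `if (length > thd->variables.max_allowed_packet || str_value.length() > thd->variables.max_allowed_packet - length) DBUG_RETURN(TRUE);`. The new TRUE is also indistinguishable from the append() failure two lines below, so a short comment above the check, e.g. `/* Refuse a piece that would grow the accumulated value past max_allowed_packet; the caller records the failure. */`, would record why this limit is applied here and who reports it. set_longdata's body continues outside the hunk.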
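Review bot: The net_realloc hunk drops `net->where_b` from the bound but replaces the explanatory comment with nothing, while the removed comment said the term existed so that compressed and uncompressed connections hit max_allowed_packet identically; the commit message only says it fixes an error from the bug#42503 patch and bug#58887. If where_b still holds an unprocessed prefix of the previous packet under compression, the stricter `if (length >= net->max_packet_size)` presumably rejects a packet that the uncompressed path would accept, and a reader who sees only the code will be tempted to reinstate the term. A one-line comment stating the intended rule, e.g. `/* The limit applies to the whole buffer, including any unprocessed prefix at net->where_b (bug#58887). */`, would settle that. net_realloc's body continues outside the hunk.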
@@ -2800,9 +2800,9 @@ void mysql_stmt_get_longdata(THD *thd, c param= stmt->param_array[param_number]; #ifndef EMBEDDED_LIBRARY - if (param->set_longdata(packet, (ulong) (packet_end - packet))) + if (param->set_longdata(packet, (ulong) (packet_end - packet), thd)) #else - if (param->set_longdata(thd->extra_data, thd->extra_length)) + if (param->set_longdata(thd->extra_data, thd->extra_length, thd)) #endif { stmt->state= Query_arena::ERROR; --===============0532806381== MIME-Version: 1.0 Content-Type: text/bzr-bundle; charset="us-ascii"; name="bzr/dmitry.shulga@stripped" Content-Transfer-Encoding: 7bit Content-Disposition: inline # Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: dmitry.shulga@stripped\ # blr3j28zmxzsitkf # target_branch: file:///Users/shulga/projects/mysql/5.1-bugteam-\ # bug56976/ # testament_sha1: 07751fe85527e588ef1731ed765023e6dae24470 # timestamp: 2010-12-16 22:52:17 +0600 # base_revision_id: mats.kindahl@stripped\ # 7udci9op4lc6jvtb # # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWeNxi28AA+VfgEAQWP///1fh ngC////wYAhvvbWyq6BRouYGls+umTWtVWewyJNCT9KeKeibQ9JlBpkZMg0xGjTTTIGURlT8qP9J T9FPU8pmpo0NHqBmkZBkMhgcwmATACYTCaYAABMmmgYSKCATRlT2inpMnomntRD0gPUNAAA2pCmJ pPRhqmgaeSZNDI0AAAAEkQIAmmQTBGiaeoaU9pT9JqPUGgbKL54JRfou04YZg5Aw7dvL2HpssEfO BXW5hrE7YZ5hRr/LUBEUqg2lxBrZs5ZSL1bVAVMr2XT/Z8SNen45B+A1A222xtG7wgYYT0mcESc3 JkdcIMym9t9MZ1OpGRy/Ar+hdx13g2y23DSanryThfChN8oURuV0gE0+89FFNQX1X2S+V5JsDoHr FFKZ6TDCU2urkhsqtTUsoNQAQW+k4oWZnNEYtVVY3z3qOvsL1AslA6ovuTAS1CQHm6ynvZvGwbx2 8DLKzumShyj21oncVu3oJrYpJo60g6htXG4tkPq2goTdbzZTTcgvtouFwSO0V31827X7baW36v4B k4zvqbNgC2SL13kXqQtoVPEKlgFuWHsrQSbYLZxIYIIETKBrQNARSFVLeNZMmpkDa4Jxi0hXCRue yY5SpqDFF1ODgp2VoKyTL2rFc7cBl5qrLaDh7acQLWmOzQuNNYJVX2wQW4GsoVmhpz7qV2Nhk195 XZZNaqklQxeformSD/bkU9TNzwBIwqP/F0aUUAYgGUo8LCCpTVYmku6o4Y/NBurkxrDDB+BEzBzu dI1Rw7rN+komCEOpIyBfOirLZguMXNehWY1TvlyIYrIbWMd6ZEDl/4E9TYb2Sc3LTROeJuC2swzx reY1rs6DZ3vDPiSqqkbDiXQLRx5kJosKzE6JjeGK0BcQqpXsLkTYIGWcFL9tcKk7DmFhdkROljdy 
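Review bot: Both call sites now route the size-limit failure from set_longdata through the same branch as an append failure; what that branch records after `stmt->state= Query_arena::ERROR;` is outside the hunk, but if it reports a memory error the client that exceeded max_allowed_packet will get a misleading diagnostic at execute time. Consider recording ER_NET_PACKET_TOO_LARGE for this case, or having set_longdata report which limit was hit, so the deferred error names the packet limit rather than memory. mysql_stmt_get_longdata's body continues outside the hunk.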
MszEqK05d/AeC8U66irUIPLOs3ONwjlqeiFdlr/IZRPIymuSoPrbZBwaGRIDJ6jM6gSRDQqw9TBA oOxKHLytqvb2vhBMC2wWoqMyHVcKAttpZ7u5e9jomI01lHNc2IGtuGApG7cmVNwUtr16X6IK5mus 16lBom0HcvGtTjCrLHlHUsDPXbzkK0LCxcl1Wwc5GCooRCExkKU1MYRIZaSLZt58CKrLCOVpVRNl 92U6zGgLOqtQmCtQPKJS08JUk9TwYZBbtoOgiQxyLSrCd77yJIrwVXNX4VOuwxVoXQsaLX2QmoXO PXSpRCKKnFJPJuhBD1PGFLUq5t8TV+yPavtioNnQG6KYD7O8KzLxC7eJzLqEq9LY2xtvu0bj7yP2 8Y+EAZxKwwJya1hyIdckpjyRcNxowzGpQFJDFBqLcApOzXCCX6V0ouVQU0CEEeWkIEGgTnPn7w6Q SvPx/OwovUoBMQX968qF5K6XQ0CKW9YrA8l8FIsY5BvthjAY5b9YcGSVLLFxqGxAncW5kFK+5Ol3 +tY1D6jHp91EiROp7BzIdRyZz6KZoqGsc9Zw3V2VH34LUC76VsoDcIiV6R4BRY8ll4ms/qTOZWTN Rl5nokbc95A5czxtPu2Q3HGW8Wrl0Ww0abpOwgngCNTnzGKjotSwvs62ur2R5Jcgr5+/G0yOYdie gVvQ6xRkgioLPFozvNywaa+DKLlDnWjeuyI+Z9jqhg2FnvWedPNPxtvDf5fE0G5m951JhBJg9x3k 2b4b4ee7EnTAqIlD3k5lt4Yhb4VsDYJVJWGeGFQXrrMSaflGY0UuMZ/5W6N5M6uyUctTdGkC4nG3 HEjdS3JyCsSjugB1U3LEAzFig3AgGyl7osuLq6P1hf7sEXm9G9qhOh6opXINhSRWH6sSgjmkMG75 GhGARXH68TsT7dCaKVXo2h/QPl9AZcERMyW4nigzZMagjSNYO1ExaBWSAwLBOspvqxD2UF6EuAdD 39nBk7q1P4iNHUUH2MIKnmvjOcqlgtSuXCQJvJa9wh2BcM57Qx1vmcMu0E66sg1I3gGkSUjoIxqt K1ovr07qWmxL09C8zSbw9cV6u6eoFEA/wbM/ySA2dAUz7GHmuSPsua4qMyawSlDZBcQ1ocJoZbBw GvLW6hJQSnLAvPPLESGGUum0ighJgWu3PS5Vw1AMpYVTZ3EkGJUVDpkhh5LX0W1PoyQRTiGHc7lk rTH68aVBdXUGo7hvY7IXLUFneGSusRkL2SX55340sIQjxjk3WLo2hQQKoVCIyzzWcwmm0qaUp8k5 nENQQpGMoVBkoMky0zG2BT4DbsUrDOPUEO1iBjb0EOK5Sdw2gwjt1CVIVKBa8rMVyoJyFIF4rLYk cyb3DsMYh4RBhMysR2suD+SpeuPoZ+VgXq8vuXgDauVJsORekelZK8NnSXNqo3axgnKKkIOlpQDo 0JOtbAqwc1/J0VEielhmpLQNhmF0+dUatq8itLWKqAxJ6lAI+hQ2hHG1Dwb85BFkg1r0QrUvMFUp ItDxY8LpHwD4Ne7u7u76lgHlJSiUhuQ2VTS/RwiTM579mTP7QZSLZ0OUwkHmKIQBkj3AzBACYcU+ 2Pbkolgj9DruyAwoKI9WMmscdKUJ7orPChIiOJlWEShOKkyfKA0hO5D9Zt38CTiCj2ESJk4xTgaM CxupVbKdX3pUg5Q63r7eOk4J3rJQUG4oUFpvmq8BSF3BQhWYEjzIsTudwDcrYVwX0WkaX3IPoC+S u7wWa/+LuSKcKEhxuMW3gA== --===============0532806381==--