List:Commits« Previous MessageNext Message »
From:Dmitry Shulga Date:February 9 2011 1:36pm
Subject:bzr commit into mysql-5.1-bugteam branch (Dmitry.Shulga:3537) Bug#56976
View as plain text  
#At file:///Users/shulga/projects/mysql/5.1-bugteam-bug56976/ based on revid:dao-gang.qu@stripped

 3537 Dmitry Shulga	2011-02-09
      Fixed the bug#56976 - Severe Denial Of Service in prepared statements.
      
      The problem was that server didn't check resulting size of prepared
      statement argument which was set using mysql_send_long_data() API.
      By calling mysql_send_long_data() several times it was possible
      to create overly big string and thus force server to allocate
      memory for it. There was no way to limit this allocation.
      
      The solution is to add check for size of result string against
      value of max_long_data_size constant. When intermediate string
      exceeds max_long_data_size value ER_UNKNOWN_ERROR error is emitted.
     @ sql/item.cc
        Added call to my_message when accumulated string exceeds
        max_long_data_size value. my_messge() calls error handler
        that was installed in mysql_stmt_get_longdata before call
        to Item_param::set_longdata.
        
        The error handler sets to corresponding value the next
        current statement fileds: state, last_error, last_errno.
     @ sql/item.h
        Added argument of type THD* to declaration of set_longdata().
     @ sql/mysqld.cc
        Added parameter max_long_data_size. This parameter used to
        limit size of BLOB data that send from client to server 
        over call to mysql_send_long_data() API.
     @ sql/set_var.cc
        Added variable 'max_long_data_size' into list of variables
        displayed by command 'show variables'.
     @ sql/sql_prepare.cc
        Added error handler class Set_longdata_error_handler. This 
        handler is installed inside mysql_stmt_get_longdata()
        before call to param->set_longdata and deinstalled after
        return from it.
        
        Sourcecode snippet that makes checking for statement's state 
        during statement execution moved from Prepared_statement::execute()
        to Prepared_statement::execute_loop() in order not to call
        set_parameters() when statement has been failed during
        set_long_data() execution. If it didn't do then call to
        set_parameters would failed.
     @ tests/mysql_client_test.c
        It was added testcase for the bug #56976.

    modified:
      sql/item.cc
      sql/item.h
      sql/mysqld.cc
      sql/set_var.cc
      sql/sql_class.h
      sql/sql_prepare.cc
      tests/mysql_client_test.c
=== modified file 'sql/item.cc'
--- a/sql/item.cc	2010-12-21 11:34:11 +0000
+++ b/sql/item.cc	2011-02-09 13:36:42 +0000
@@ -2729,7 +2729,7 @@ bool Item_param::set_str(const char *str
 }
 
 
-bool Item_param::set_longdata(const char *str, ulong length)
+bool Item_param::set_longdata(THD *thd, const char *str, ulong length)
 {
   DBUG_ENTER("Item_param::set_longdata");
 
@@ -2742,6 +2742,12 @@ bool Item_param::set_longdata(const char
     (here), and first have to concatenate all pieces together,
     write query to the binary log and only then perform conversion.
   */
+  if (str_value.length() + length > thd->variables.max_long_data_size)
+    DBUG_RETURN(my_message(ER_UNKNOWN_ERROR,
+                           "Result string is longer than "
+                           "'max_long_data_size' bytes",
+                           MYF(0)));
+
   if (str_value.append(str, length, &my_charset_bin))
     DBUG_RETURN(TRUE);
   state= LONG_DATA_VALUE;

=== modified file 'sql/item.h'
--- a/sql/item.h	2010-12-28 23:47:05 +0000
+++ b/sql/item.h	2011-02-09 13:36:42 +0000
@@ -1687,7 +1687,7 @@ public:
   void set_double(double i);
   void set_decimal(const char *str, ulong length);
   bool set_str(const char *str, ulong length);
-  bool set_longdata(const char *str, ulong length);
+  bool set_longdata(THD *thd, const char *str, ulong length);
   void set_time(MYSQL_TIME *tm, timestamp_type type, uint32 max_length_arg);
   bool set_from_user_var(THD *thd, const user_var_entry *entry);
   void reset();

=== modified file 'sql/mysqld.cc'
--- a/sql/mysqld.cc	2010-12-28 23:47:05 +0000
+++ b/sql/mysqld.cc	2011-02-09 13:36:42 +0000
@@ -5687,7 +5687,7 @@ enum options_mysqld
   OPT_KEY_BUFFER_SIZE, OPT_KEY_CACHE_BLOCK_SIZE,
   OPT_KEY_CACHE_DIVISION_LIMIT, OPT_KEY_CACHE_AGE_THRESHOLD,
   OPT_LONG_QUERY_TIME,
-  OPT_LOWER_CASE_TABLE_NAMES, OPT_MAX_ALLOWED_PACKET,
+  OPT_LOWER_CASE_TABLE_NAMES, OPT_MAX_ALLOWED_PACKET, OPT_MAX_LONG_DATA_SIZE,
   OPT_MAX_BINLOG_CACHE_SIZE, OPT_MAX_BINLOG_SIZE,
   OPT_MAX_CONNECTIONS, OPT_MAX_CONNECT_ERRORS,
   OPT_MAX_DELAYED_THREADS, OPT_MAX_HEP_TABLE_SIZE,
@@ -6862,6 +6862,12 @@ thread is in the relay logs.",
     &global_system_variables.max_length_for_sort_data,
     &max_system_variables.max_length_for_sort_data, 0, GET_ULONG,
     REQUIRED_ARG, 1024, 4, 8192*1024L, 0, 1, 0},
+  {"max_long_data_size", OPT_MAX_LONG_DATA_SIZE,
+   "The maximum BLOB length to send to server from mysql_send_long_data API. "
+   "Deprecated option; use max_allowed_packet instead.",
+   &global_system_variables.max_long_data_size,
+   &max_system_variables.max_long_data_size, 0, GET_ULONG,
+   REQUIRED_ARG, 1024*1024L, 1024, 0xFFFFFFFF, MALLOC_OVERHEAD, 1, 0},
   {"max_prepared_stmt_count", OPT_MAX_PREPARED_STMT_COUNT,
    "Maximum number of prepared statements in the server.",
    &max_prepared_stmt_count, &max_prepared_stmt_count,

=== modified file 'sql/set_var.cc'
--- a/sql/set_var.cc	2010-12-28 23:47:05 +0000
+++ b/sql/set_var.cc	2011-02-09 13:36:42 +0000
@@ -394,6 +394,8 @@ static sys_var_thd_ulong	sys_max_seeks_f
 					      &SV::max_seeks_for_key);
 static sys_var_thd_ulong   sys_max_length_for_sort_data(&vars, "max_length_for_sort_data",
                                                  &SV::max_length_for_sort_data);
+static sys_var_thd_ulong_session_readonly sys_max_long_data_size(&vars, "max_long_data_size",
+                                                                 &SV::max_long_data_size);
 #ifndef TO_BE_DELETED	/* Alias for max_join_size */
 static sys_var_thd_ha_rows	sys_sql_max_join_size(&vars, "sql_max_join_size",
 					      &SV::max_join_size,

=== modified file 'sql/sql_class.h'
--- a/sql/sql_class.h	2010-12-28 23:47:05 +0000
+++ b/sql/sql_class.h	2011-02-09 13:36:42 +0000
@@ -308,6 +308,7 @@ struct system_variables
   ulong max_allowed_packet;
   ulong max_error_count;
   ulong max_length_for_sort_data;
+  ulong max_long_data_size;
   ulong max_sort_length;
   ulong max_tmp_tables;
   ulong max_insert_delayed_threads;

=== modified file 'sql/sql_prepare.cc'
--- a/sql/sql_prepare.cc	2010-12-28 23:47:05 +0000
+++ b/sql/sql_prepare.cc	2011-02-09 13:36:42 +0000
@@ -95,6 +95,7 @@ When one supplies long data for a placeh
 #else
 #include <mysql_com.h>
 #endif
+#include <mysys_err.h>
 
 /**
   A result class used to send cursor rows using the binary protocol.
@@ -2730,6 +2731,32 @@ void mysql_sql_stmt_close(THD *thd)
   }
 }
 
+
+class Set_longdata_error_handler : public Internal_error_handler
+{
+public:
+  Set_longdata_error_handler(Prepared_statement *statement)
+    :stmt(statement)
+  { }
+
+public:
+  bool handle_error(uint sql_errno,
+                    const char *message,
+                    MYSQL_ERROR::enum_warning_level level,
+                    THD *thd)
+  {
+    stmt->state= Query_arena::ERROR;
+    stmt->last_errno= sql_errno;
+    strncpy(stmt->last_error, message, MYSQL_ERRMSG_SIZE);
+
+    return TRUE;
+  }
+
+private:
+  Prepared_statement *stmt;
+};
+
+
 /**
   Handle long data in pieces from client.
 
@@ -2786,16 +2813,14 @@ void mysql_stmt_get_longdata(THD *thd, c
 
   param= stmt->param_array[param_number];
 
+  Set_longdata_error_handler err_handler(stmt);
+  thd->push_internal_handler(&err_handler);
 #ifndef EMBEDDED_LIBRARY
-  if (param->set_longdata(packet, (ulong) (packet_end - packet)))
+  param->set_longdata(thd, packet, (ulong) (packet_end - packet));
 #else
-  if (param->set_longdata(thd->extra_data, thd->extra_length))
+  param->set_longdata(thd, thd->extra_data, thd->extra_length);
 #endif
-  {
-    stmt->state= Query_arena::ERROR;
-    stmt->last_errno= ER_OUTOFMEMORY;
-    sprintf(stmt->last_error, ER(ER_OUTOFMEMORY), 0);
-  }
+  thd->pop_internal_handler();
 
   general_log_print(thd, thd->command, NullS);
 
@@ -3257,6 +3282,13 @@ Prepared_statement::execute_loop(String 
   bool error;
   int reprepare_attempt= 0;
 
+  /* Check if we got an error when sending long data */
+  if (state == Query_arena::ERROR)
+  {
+    my_message(last_errno, last_error, MYF(0));
+    return TRUE;
+  }
+
   if (set_parameters(expanded_query, packet, packet_end))
     return TRUE;
 
@@ -3497,12 +3529,6 @@ bool Prepared_statement::execute(String 
 
   status_var_increment(thd->status_var.com_stmt_execute);
 
-  /* Check if we got an error when sending long data */
-  if (state == Query_arena::ERROR)
-  {
-    my_message(last_errno, last_error, MYF(0));
-    return TRUE;
-  }
   if (flags & (uint) IS_IN_USE)
   {
     my_error(ER_PS_NO_RECURSION, MYF(0));

=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c	2010-12-28 23:47:05 +0000
+++ b/tests/mysql_client_test.c	2011-02-09 13:36:42 +0000
@@ -18399,6 +18399,54 @@ static void test_bug47485()
 
 
 /*
+  Bug #56976:   Severe Denial Of Service in prepared statements
+*/
+
+static void test_bug56976()
+{
+  MYSQL_STMT   *stmt;
+  MYSQL_BIND    bind[1];
+  int           rc;
+  const char*   query = "SELECT LENGTH(?)";
+  char *long_buffer;
+  unsigned long i, packet_len = 256 * 1024L;
+  unsigned long dos_len    = 2 * 1024 * 1024L;
+
+  DBUG_ENTER("test_bug56976");
+  myheader("test_bug56976");
+
+  stmt= mysql_stmt_init(mysql);
+  check_stmt(stmt);
+
+  rc= mysql_stmt_prepare(stmt, query, strlen(query));
+  check_execute(stmt, rc);
+
+  memset(bind, 0, sizeof(bind));
+  bind[0].buffer_type = MYSQL_TYPE_TINY_BLOB;
+
+  rc= mysql_stmt_bind_param(stmt, bind);
+  check_execute(stmt, rc);
+
+  long_buffer= malloc(packet_len);
+  memset(long_buffer, 'a', packet_len);
+
+  for (i= 0; i < dos_len / packet_len; i++)
+  {
+    rc= mysql_stmt_send_long_data(stmt, 0, long_buffer, packet_len);
+    check_execute(stmt, rc);
+  }
+
+  rc= mysql_stmt_execute(stmt);
+
+  DIE_UNLESS(rc && mysql_stmt_errno(stmt) == ER_UNKNOWN_ERROR);
+
+  mysql_stmt_close(stmt);
+
+  DBUG_VOID_RETURN;
+}
+
+
+/*
   Read and parse arguments and MySQL options from my.cnf
 */
 
@@ -18724,6 +18772,7 @@ static struct my_tests_st my_tests[]= {
   { "test_bug42373", test_bug42373 },
   { "test_bug54041", test_bug54041 },
   { "test_bug47485", test_bug47485 },
+  { "test_bug56976", test_bug56976 },
   { 0, 0 }
 };
 


Attachment: [text/bzr-bundle] bzr/dmitry.shulga@oracle.com-20110209133642-70t26hlum9yebx2h.bundle
Thread
bzr commit into mysql-5.1-bugteam branch (Dmitry.Shulga:3537) Bug#56976Dmitry Shulga9 Feb