#At file:///Users/shulga/projects/mysql/5.1-bugteam-bug56976/ based on revid:dao-gang.qu@stripped
3537 Dmitry Shulga 2011-02-09
Fixed the bug#56976 - Severe Denial Of Service in prepared statements.
The problem was that server didn't check resulting size of prepared
statement argument which was set using mysql_send_long_data() API.
By calling mysql_send_long_data() several times it was possible
to create overly big string and thus force server to allocate
memory for it. There was no way to limit this allocation.
The solution is to add check for size of result string against
value of max_long_data_size constant. When intermediate string
exceeds max_long_data_size value ER_UNKNOWN_ERROR error is emitted.
@ sql/item.cc
Added call to my_message when accumulated string exceeds
max_long_data_size value. my_messge() calls error handler
that was installed in mysql_stmt_get_longdata before call
to Item_param::set_longdata.
The error handler sets to corresponding value the next
current statement fileds: state, last_error, last_errno.
@ sql/item.h
Added argument of type THD* to declaration of set_longdata().
@ sql/mysqld.cc
Added parameter max_long_data_size. This parameter used to
limit size of BLOB data that send from client to server
over call to mysql_send_long_data() API.
@ sql/set_var.cc
Added variable 'max_long_data_size' into list of variables
displayed by command 'show variables'.
@ sql/sql_prepare.cc
Added error handler class Set_longdata_error_handler. This
handler is installed inside mysql_stmt_get_longdata()
before call to param->set_longdata and deinstalled after
return from it.
Sourcecode snippet that makes checking for statement's state
during statement execution moved from Prepared_statement::execute()
to Prepared_statement::execute_loop() in order not to call
set_parameters() when statement has been failed during
set_long_data() execution. If it didn't do then call to
set_parameters would failed.
@ tests/mysql_client_test.c
It was added testcase for the bug #56976.
modified:
sql/item.cc
sql/item.h
sql/mysqld.cc
sql/set_var.cc
sql/sql_class.h
sql/sql_prepare.cc
tests/mysql_client_test.c
=== modified file 'sql/item.cc'
--- a/sql/item.cc 2010-12-21 11:34:11 +0000
+++ b/sql/item.cc 2011-02-09 13:36:42 +0000
@@ -2729,7 +2729,7 @@ bool Item_param::set_str(const char *str
}
-bool Item_param::set_longdata(const char *str, ulong length)
+bool Item_param::set_longdata(THD *thd, const char *str, ulong length)
{
DBUG_ENTER("Item_param::set_longdata");
@@ -2742,6 +2742,12 @@ bool Item_param::set_longdata(const char
(here), and first have to concatenate all pieces together,
write query to the binary log and only then perform conversion.
*/
+ if (str_value.length() + length > thd->variables.max_long_data_size)
+ DBUG_RETURN(my_message(ER_UNKNOWN_ERROR,
+ "Result string is longer than "
+ "'max_long_data_size' bytes",
+ MYF(0)));
+
if (str_value.append(str, length, &my_charset_bin))
DBUG_RETURN(TRUE);
state= LONG_DATA_VALUE;
=== modified file 'sql/item.h'
--- a/sql/item.h 2010-12-28 23:47:05 +0000
+++ b/sql/item.h 2011-02-09 13:36:42 +0000
@@ -1687,7 +1687,7 @@ public:
void set_double(double i);
void set_decimal(const char *str, ulong length);
bool set_str(const char *str, ulong length);
- bool set_longdata(const char *str, ulong length);
+ bool set_longdata(THD *thd, const char *str, ulong length);
void set_time(MYSQL_TIME *tm, timestamp_type type, uint32 max_length_arg);
bool set_from_user_var(THD *thd, const user_var_entry *entry);
void reset();
=== modified file 'sql/mysqld.cc'
--- a/sql/mysqld.cc 2010-12-28 23:47:05 +0000
+++ b/sql/mysqld.cc 2011-02-09 13:36:42 +0000
@@ -5687,7 +5687,7 @@ enum options_mysqld
OPT_KEY_BUFFER_SIZE, OPT_KEY_CACHE_BLOCK_SIZE,
OPT_KEY_CACHE_DIVISION_LIMIT, OPT_KEY_CACHE_AGE_THRESHOLD,
OPT_LONG_QUERY_TIME,
- OPT_LOWER_CASE_TABLE_NAMES, OPT_MAX_ALLOWED_PACKET,
+ OPT_LOWER_CASE_TABLE_NAMES, OPT_MAX_ALLOWED_PACKET, OPT_MAX_LONG_DATA_SIZE,
OPT_MAX_BINLOG_CACHE_SIZE, OPT_MAX_BINLOG_SIZE,
OPT_MAX_CONNECTIONS, OPT_MAX_CONNECT_ERRORS,
OPT_MAX_DELAYED_THREADS, OPT_MAX_HEP_TABLE_SIZE,
@@ -6862,6 +6862,12 @@ thread is in the relay logs.",
&global_system_variables.max_length_for_sort_data,
&max_system_variables.max_length_for_sort_data, 0, GET_ULONG,
REQUIRED_ARG, 1024, 4, 8192*1024L, 0, 1, 0},
+ {"max_long_data_size", OPT_MAX_LONG_DATA_SIZE,
+ "The maximum BLOB length to send to server from mysql_send_long_data API. "
+ "Deprecated option; use max_allowed_packet instead.",
+ &global_system_variables.max_long_data_size,
+ &max_system_variables.max_long_data_size, 0, GET_ULONG,
+ REQUIRED_ARG, 1024*1024L, 1024, 0xFFFFFFFF, MALLOC_OVERHEAD, 1, 0},
{"max_prepared_stmt_count", OPT_MAX_PREPARED_STMT_COUNT,
"Maximum number of prepared statements in the server.",
&max_prepared_stmt_count, &max_prepared_stmt_count,
=== modified file 'sql/set_var.cc'
--- a/sql/set_var.cc 2010-12-28 23:47:05 +0000
+++ b/sql/set_var.cc 2011-02-09 13:36:42 +0000
@@ -394,6 +394,8 @@ static sys_var_thd_ulong sys_max_seeks_f
&SV::max_seeks_for_key);
static sys_var_thd_ulong sys_max_length_for_sort_data(&vars, "max_length_for_sort_data",
&SV::max_length_for_sort_data);
+static sys_var_thd_ulong_session_readonly sys_max_long_data_size(&vars, "max_long_data_size",
+ &SV::max_long_data_size);
#ifndef TO_BE_DELETED /* Alias for max_join_size */
static sys_var_thd_ha_rows sys_sql_max_join_size(&vars, "sql_max_join_size",
&SV::max_join_size,
=== modified file 'sql/sql_class.h'
--- a/sql/sql_class.h 2010-12-28 23:47:05 +0000
+++ b/sql/sql_class.h 2011-02-09 13:36:42 +0000
@@ -308,6 +308,7 @@ struct system_variables
ulong max_allowed_packet;
ulong max_error_count;
ulong max_length_for_sort_data;
+ ulong max_long_data_size;
ulong max_sort_length;
ulong max_tmp_tables;
ulong max_insert_delayed_threads;
=== modified file 'sql/sql_prepare.cc'
--- a/sql/sql_prepare.cc 2010-12-28 23:47:05 +0000
+++ b/sql/sql_prepare.cc 2011-02-09 13:36:42 +0000
@@ -95,6 +95,7 @@ When one supplies long data for a placeh
#else
#include <mysql_com.h>
#endif
+#include <mysys_err.h>
/**
A result class used to send cursor rows using the binary protocol.
@@ -2730,6 +2731,32 @@ void mysql_sql_stmt_close(THD *thd)
}
}
+
+class Set_longdata_error_handler : public Internal_error_handler
+{
+public:
+ Set_longdata_error_handler(Prepared_statement *statement)
+ :stmt(statement)
+ { }
+
+public:
+ bool handle_error(uint sql_errno,
+ const char *message,
+ MYSQL_ERROR::enum_warning_level level,
+ THD *thd)
+ {
+ stmt->state= Query_arena::ERROR;
+ stmt->last_errno= sql_errno;
+ strncpy(stmt->last_error, message, MYSQL_ERRMSG_SIZE);
+
+ return TRUE;
+ }
+
+private:
+ Prepared_statement *stmt;
+};
+
+
/**
Handle long data in pieces from client.
@@ -2786,16 +2813,14 @@ void mysql_stmt_get_longdata(THD *thd, c
param= stmt->param_array[param_number];
+ Set_longdata_error_handler err_handler(stmt);
+ thd->push_internal_handler(&err_handler);
#ifndef EMBEDDED_LIBRARY
- if (param->set_longdata(packet, (ulong) (packet_end - packet)))
+ param->set_longdata(thd, packet, (ulong) (packet_end - packet));
#else
- if (param->set_longdata(thd->extra_data, thd->extra_length))
+ param->set_longdata(thd, thd->extra_data, thd->extra_length);
#endif
- {
- stmt->state= Query_arena::ERROR;
- stmt->last_errno= ER_OUTOFMEMORY;
- sprintf(stmt->last_error, ER(ER_OUTOFMEMORY), 0);
- }
+ thd->pop_internal_handler();
general_log_print(thd, thd->command, NullS);
@@ -3257,6 +3282,13 @@ Prepared_statement::execute_loop(String
bool error;
int reprepare_attempt= 0;
+ /* Check if we got an error when sending long data */
+ if (state == Query_arena::ERROR)
+ {
+ my_message(last_errno, last_error, MYF(0));
+ return TRUE;
+ }
+
if (set_parameters(expanded_query, packet, packet_end))
return TRUE;
@@ -3497,12 +3529,6 @@ bool Prepared_statement::execute(String
status_var_increment(thd->status_var.com_stmt_execute);
- /* Check if we got an error when sending long data */
- if (state == Query_arena::ERROR)
- {
- my_message(last_errno, last_error, MYF(0));
- return TRUE;
- }
if (flags & (uint) IS_IN_USE)
{
my_error(ER_PS_NO_RECURSION, MYF(0));
=== modified file 'tests/mysql_client_test.c'
--- a/tests/mysql_client_test.c 2010-12-28 23:47:05 +0000
+++ b/tests/mysql_client_test.c 2011-02-09 13:36:42 +0000
@@ -18399,6 +18399,54 @@ static void test_bug47485()
/*
+ Bug #56976: Severe Denial Of Service in prepared statements
+*/
+
+static void test_bug56976()
+{
+ MYSQL_STMT *stmt;
+ MYSQL_BIND bind[1];
+ int rc;
+ const char* query = "SELECT LENGTH(?)";
+ char *long_buffer;
+ unsigned long i, packet_len = 256 * 1024L;
+ unsigned long dos_len = 2 * 1024 * 1024L;
+
+ DBUG_ENTER("test_bug56976");
+ myheader("test_bug56976");
+
+ stmt= mysql_stmt_init(mysql);
+ check_stmt(stmt);
+
+ rc= mysql_stmt_prepare(stmt, query, strlen(query));
+ check_execute(stmt, rc);
+
+ memset(bind, 0, sizeof(bind));
+ bind[0].buffer_type = MYSQL_TYPE_TINY_BLOB;
+
+ rc= mysql_stmt_bind_param(stmt, bind);
+ check_execute(stmt, rc);
+
+ long_buffer= malloc(packet_len);
+ memset(long_buffer, 'a', packet_len);
+
+ for (i= 0; i < dos_len / packet_len; i++)
+ {
+ rc= mysql_stmt_send_long_data(stmt, 0, long_buffer, packet_len);
+ check_execute(stmt, rc);
+ }
+
+ rc= mysql_stmt_execute(stmt);
+
+ DIE_UNLESS(rc && mysql_stmt_errno(stmt) == ER_UNKNOWN_ERROR);
+
+ mysql_stmt_close(stmt);
+
+ DBUG_VOID_RETURN;
+}
+
+
+/*
Read and parse arguments and MySQL options from my.cnf
*/
@@ -18724,6 +18772,7 @@ static struct my_tests_st my_tests[]= {
{ "test_bug42373", test_bug42373 },
{ "test_bug54041", test_bug54041 },
{ "test_bug47485", test_bug47485 },
+ { "test_bug56976", test_bug56976 },
{ 0, 0 }
};
Attachment: [text/bzr-bundle] bzr/dmitry.shulga@oracle.com-20110209133642-70t26hlum9yebx2h.bundle
| Thread |
|---|
| • bzr commit into mysql-5.1-bugteam branch (Dmitry.Shulga:3537) Bug#56976 | Dmitry Shulga | 9 Feb |
