List:Commits« Previous MessageNext Message »
From:Rafal Somla Date:May 10 2011 10:02am
Subject:Re: bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051
View as plain text  
Hi Wlad,

On 09/05/2011 21:37, Vladislav Vaintroub wrote:

> I  think  the analysis  is not completely correct here.
>
> The way Windows authentication works  is such that0) Server sends
> welcome packet. 1) client sends client authentication packet that
> contains authentication method but without payload. 2) then server
> sends UPN to client 3) then client puts UPN into
> InitializeSecurityContext() and sends the resulting blob to server.
> (following steps omitted)
>
> The 255 limit is would be a limit in step 1).  But since payload is
> not used in this step , there is also no limit.

My understanding is different. Basically, the UPN sent first by server 
is wrapped in the welcome packet already and then the first 
authentication payload from client is wrapped inside the normal client 
authentication packet (in hope that all will be settled during this 
standard, 2 packet sequence). I included my analysis in bug#11878962 -
please review it to see if I made some mistakes. So far Joro, who wrote
the code, has confirmed that it is a problem so I assumed my analysis is
correct.

Rafal


---- analysis from bug#11878962 ----------

A client which uses authentication plugin can send arbitrary data to the
server-side plugin using

MYSQL_PLUGIN_VIO::write_packet(vio, ucchar *buf, int buf_len).

When this method is called first time (see client_mpvio_write_packet() 
in client.c:2680), the data is wrapped into a client authentication 
packet (send_client_reply_packet() in client.c:2450).

In the client authentication packet, the data payload is represented as
a length coded string of bytes with the first byte containing length.
Thus length of the payload is limited to 255 bytes. However, there are
no checks in the code which would prevent client from trying to send
more than 255 bytes using MYSQL_PLUGIN_VIO::write_packet().

If client tries to do so, then send_client_reply_packet() will execute 
the following code (where end points at the end of the constructed packet):

   if (data_len)
   {
     if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION)
     {
       *end++= data_len;
       memcpy(end, data, data_len);
       end+= data_len;
     }
     ...

Since the size field is 1 byte, the length stored in the packet will be
different from data_len, if data_len > 256. Nevertheless, all the data 
will be appended to the packet without noticing this. A receiver of such 
a packet will  interpret it wrongly which can lead to unpredictable 
behavior (probably crash).
Thread
bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051Rafal Somla28 Apr
  • RE: bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051Vladislav Vaintroub9 May
    • Re: bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051Rafal Somla10 May
      • RE: bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051Vladislav Vaintroub10 May
        • Re: bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051Rafal Somla10 May
          • RE: bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051Vladislav Vaintroub10 May