From: Rafal Somla Date: May 10 2011 10:02am Subject: Re: bzr commit into mysql-5.5 branch (rafal.somla:3477) Bug#11879051 List-Archive: http://lists.mysql.com/commits/136978 Message-Id: <4DC90D19.7040800@oracle.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Hi Wlad, On 09/05/2011 21:37, Vladislav Vaintroub wrote: > I think the analysis is not completely correct here. > > The way Windows authentication works is such that0) Server sends > welcome packet. 1) client sends client authentication packet that > contains authentication method but without payload. 2) then server > sends UPN to client 3) then client puts UPN into > InitializeSecurityContext() and sends the resulting blob to server. > (following steps omitted) > > The 255 limit is would be a limit in step 1). But since payload is > not used in this step , there is also no limit. My understanding is different. Basically, the UPN sent first by server is wrapped in the welcome packet already and then the first authentication payload from client is wrapped inside the normal client authentication packet (in hope that all will be settled during this standard, 2 packet sequence). I included my analysis in bug#11878962 - please review it to see if I made some mistakes. So far Joro, who wrote the code, has confirmed that it is a problem so I assumed my analysis is correct. Rafal ---- analysis from bug#11878962 ---------- A client which uses authentication plugin can send arbitrary data to the server-side plugin using MYSQL_PLUGIN_VIO::write_packet(vio, ucchar *buf, int buf_len). When this method is called first time (see client_mpvio_write_packet() in client.c:2680), the data is wrapped into a client authentication packet (send_client_reply_packet() in client.c:2450). In the client authentication packet, the data payload is represented as a length coded string of bytes with the first byte containing length. Thus length of the payload is limited to 255 bytes. However, there are no checks in the code which would prevent client from trying to send more than 255 bytes using MYSQL_PLUGIN_VIO::write_packet(). If client tries to do so, then send_client_reply_packet() will execute the following code (where end points at the end of the constructed packet): if (data_len) { if (mysql->server_capabilities & CLIENT_SECURE_CONNECTION) { *end++= data_len; memcpy(end, data, data_len); end+= data_len; } ... Since the size field is 1 byte, the length stored in the packet will be different from data_len, if data_len > 256. Nevertheless, all the data will be appended to the packet without noticing this. A receiver of such a packet will interpret it wrongly which can lead to unpredictable behavior (probably crash).