From:Harin Vadodaria Date:December 13 2012 4:56am
Subject:bzr push into mysql-5.1 branch (harin.vadodaria:3884 to 3885) Bug#15965288
 3885 Harin Vadodaria	2012-12-13
      Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION
                    DOPROCESSREPLY()
      
      Description: Function DoProcessReply() calls function
                   decrypt_message() in a while loop without
                   performing a check on available buffer
                   space. This can cause buffer overflow and
                   crash the server. This patch is a fix provided
                   by Sawtooth to resolve the issue.

    modified:
      extra/yassl/src/handshake.cpp
 3884 sayantan.dutta@stripped	2012-12-12
      Bug #14737171:MTR DOES NOT PRESERVE TEST CASE LOGS ON RETRY-FAIL

    modified:
      mysql-test/mysql-test-run.pl
=== modified file 'extra/yassl/src/handshake.cpp'
--- a/extra/yassl/src/handshake.cpp	2012-02-13 11:40:12 +0000
+++ b/extra/yassl/src/handshake.cpp	2012-12-13 04:47:26 +0000
@@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl)
 
         while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) {
             // each message in record, can be more than 1 if not encrypted
-            if (ssl.getSecurity().get_parms().pending_ == false) // cipher on
+            if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
+                // sanity check for malicious/corrupted/illegal input
+                if (buffer.get_remaining() < hdr.length_) {
+                    ssl.SetError(bad_input);
+                    return 0;
+                }
                 decrypt_message(ssl, buffer, hdr.length_);
+            }
                 
             mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_));
             if (!msg.get()) {
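Review bot: the new `buffer.get_remaining() < hdr.length_` check only guards the encrypted branch (`pending_ == false`), so `decrypt_message()` is now bounded but the plaintext path falls straight through to `mf.CreateObject(hdr.type_)` and message parsing with no equivalent check on remaining buffer space in this hunk. Consider hoisting the check above the `if` so both paths get the same bound against a record header whose `length_` exceeds what was actually received, or state in the comment why the unencrypted case is already covered elsewhere. Minor: the context line after the added closing brace is whitespace-only (trailing spaces), which could be cleaned up while touching this block.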

No bundle (reason: useless for push emails).