From: Harin Vadodaria
Date: December 13 2012 4:56am
Subject: bzr push into mysql-5.1 branch (harin.vadodaria:3884 to 3885) Bug#15965288
List-Archive: http://lists.mysql.com/commits/145499
X-Bug: 15965288
Message-Id: <20121213045610.3542.39055.3885@hvadodar-ThinkPad-T420>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

3885 Harin Vadodaria 2012-12-13
Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION DOPROCESSREPLY()

Description: Function DoProcessReply() calls function decrypt_message() in a while loop without performing a check on available buffer space. This can cause buffer overflow and crash the server.

This patch is the fix provided by Sawtooth to resolve the issue.

modified:
extra/yassl/src/handshake.cpp

3884 sayantan.dutta@stripped 2012-12-12
Bug #14737171: MTR DOES NOT PRESERVE TEST CASE LOGS ON RETRY-FAIL

modified:
mysql-test/mysql-test-run.pl

=== modified file 'extra/yassl/src/handshake.cpp' --- a/extra/yassl/src/handshake.cpp 2012-02-13 11:40:12 +0000 +++ b/extra/yassl/src/handshake.cpp 2012-12-13 04:47:26 +0000 @@ -767,8 +767,14 @@ int DoProcessReply(SSL& ssl) while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) { // each message in record, can be more than 1 if not encrypted - if (ssl.getSecurity().get_parms().pending_ == false) // cipher on + if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on + // sanity check for malicious/corrupted/illegal input + if (buffer.get_remaining() < hdr.length_) { + ssl.SetError(bad_input); + return 0; + } decrypt_message(ssl, buffer, hdr.length_); + } mySTL::auto_ptr msg(mf.CreateObject(hdr.type_)); if (!msg.get()) {
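Review bot: The new sanity check in the cipher-on branch guards only the encrypted path; when pending_ is true the unencrypted messages in the same while loop are still handed to mf.CreateObject(hdr.type_) and processed with no check of buffer.get_remaining() against hdr.length_ anywhere in this hunk. Either hoist the check to just before the while loop, where the record header has just been parsed and the bound protects both branches and is evaluated once per record, or confirm that each message's Process routine validates its own length against what is actually in the buffer. A second point on the same check: it compares get_remaining() with hdr.length_, the length the record header declares, while the loop condition is driven by hdr.length_ + RECORD_HEADER + offset; if the body can run more than once for one record, later iterations re-test the unchanged hdr.length_ against a remaining count that has already shrunk, so confirm that decrypt_message and the loop make exactly one pass per encrypted record (the comment "can be more than 1 if not encrypted" suggests so) or compute the bound once from the same base as the loop condition. Minor: the trailing "// cipher on" comment now sits after the opening brace; moving it onto its own line above the if keeps the condition readable.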