4768 Harin Vadodaria 2012-12-13 [merge]
Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION DOPROCESSREPLY()
Description: Merge from 5.5 to 5.6.
modified:
extra/yassl/src/handshake.cpp
4767 Sunny Bains 2012-12-13
Bug#4789249 - LOCKING ASSERT IN FK UPDATE CASCADE CODE, LOCK->TRX->LOCK.WAIT_LOCK == LOCK
Bug#14707091 SEGV IN LOCK_DEADLOCK_LOCK_PRINT(), NULL LOCK PTR
Joining T1 does a deadlock check due to wait
T1 is selected as victim (but not rolled back), for any number of reasons.
We try and resolve more deadlocks
- T2 is selected as a victim and rolled back
- This grants T1 the lock and it is no longer the victim.
Since T1 was originally selected as a victim, when we go to reset its lock
state we trip over the invariant that it must still be in the wait state.
Fix is to check if T1 was granted a lock when T2 was rolled back during
additional deadlock checking.
Approved by Jimmy Yang rb#1619.
modified:
storage/innobase/lock/lock0lock.cc
=== modified file 'extra/yassl/src/handshake.cpp'
--- a/extra/yassl/src/handshake.cpp 2012-07-24 13:24:00 +0000
+++ b/extra/yassl/src/handshake.cpp 2012-12-13 04:51:09 +0000
@@ -762,8 +762,14 @@ int DoProcessReply(SSL& ssl)
while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) {
// each message in record, can be more than 1 if not encrypted
- if (ssl.getSecurity().get_parms().pending_ == false) // cipher on
+ if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
+ // sanity check for malicious/corrupted/illegal input
+ if (buffer.get_remaining() < hdr.length_) {
+ ssl.SetError(bad_input);
+ return 0;
+ }
decrypt_message(ssl, buffer, hdr.length_);
+ }
mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_));
if (!msg.get()) {
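Review bot: the new `buffer.get_remaining() < hdr.length_` check sits inside the `pending_ == false` (cipher on) branch, so in the visible lines a record handled while `pending_` is true still reaches `mf.CreateObject(hdr.type_)` without `hdr.length_` ever being compared to the bytes actually left in the buffer. Consider moving the check to just before the `while` loop so that it covers both the encrypted and unencrypted paths and is evaluated once per record; as written it is re-run on every loop iteration against the full `hdr.length_`, even though `buffer.get_current()` has advanced. The early `return 0` after `ssl.SetError(bad_input)` would also benefit from a one-line comment saying that callers must inspect the SSL error state, since 0 on its own does not distinguish this from a normal return. The commit modifies only handshake.cpp, so a regression test feeding a record whose declared length exceeds the received data would be a useful addition.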
No bundle (reason: useless for push emails).