5231 Harin Vadodaria 2012-12-13 [merge]
Bug#15965288: BUFFER OVERFLOW IN YASSL FUNCTION
DOPROCESSREPLY()
Description: Merge from 5.6 to trunk.
modified:
extra/yassl/src/handshake.cpp
5230 Sunny Bains 2012-12-13 [merge]
Merge from mysql-5.6 to mysql-trunk.
modified:
storage/innobase/lock/lock0lock.cc
=== modified file 'extra/yassl/src/handshake.cpp'
--- a/extra/yassl/src/handshake.cpp 2012-11-06 14:16:49 +0000
+++ b/extra/yassl/src/handshake.cpp 2012-12-13 04:53:33 +0000
@@ -762,8 +762,14 @@ int DoProcessReply(SSL& ssl)
while (buffer.get_current() < hdr.length_ + RECORD_HEADER + offset) {
// each message in record, can be more than 1 if not encrypted
- if (ssl.getSecurity().get_parms().pending_ == false) // cipher on
+ if (ssl.getSecurity().get_parms().pending_ == false) { // cipher on
+ // sanity check for malicious/corrupted/illegal input
+ if (buffer.get_remaining() < hdr.length_) {
+ ssl.SetError(bad_input);
+ return 0;
+ }
decrypt_message(ssl, buffer, hdr.length_);
+ }
mySTL::auto_ptr<Message> msg(mf.CreateObject(hdr.type_));
if (!msg.get()) {
No bundle (reason: useless for push emails).
| Thread |
|---|
| • bzr push into mysql-trunk branch (harin.vadodaria:5230 to 5231) Bug#15965288 | Harin Vadodaria | 13 Dec |
