From:
Date: June 11 2007 10:03pm
Subject: bk commit into 5.1 tree (cmiller:1.2486) BUG#28984
List-Archive: http://lists.mysql.com/commits/28524
X-Bug: 28984
Message-Id: <20070611200311.ED1198304F@zippy>

Below is the list of changes that have just been committed into a local
5.1 repository of cmiller. When cmiller does a push these changes will
be propagated to the main repository and, within 24 hours after the
push, to the public repository.

For information on how to access the public repository
see http://dev.mysql.com/doc/mysql/en/installing-source-tree.html

ChangeSet@stripped, 2007-06-11 16:03:05-04:00, cmiller@stripped +1 -0
  Bug#28984: crasher on connect with out of range password length in \
  	protocol
  Update for function moved to new file in 5.1.

  One could send a malformed packet that caused the server to SEGV.

  In recent versions of the password protocol, the client tells the server
  what length the ciphertext is (almost always 20). If that length was
  large enough to overflow a signed char, then the number would jump to
  very large after being cast to unsigned int. Instead, cast the *passwd
  char to uchar.

  sql/sql_connect.cc@stripped, 2007-06-11 16:03:03-04:00, cmiller@stripped +4 -1
    Update for function moved to new file in 5.1.

# This is a BitKeeper patch.  What follows are the unified diffs for the
# set of deltas contained in the patch.  The rest of the patch, the part
# that BitKeeper cares about, is below these diffs.
# User:	cmiller
# Host:	zippy.cornsilk.net
# Root:	/home/cmiller/work/mysql/mysql-5.1-maint

--- 1.6/sql/sql_connect.cc	2007-06-05 11:31:43 -04:00
+++ 1.7/sql/sql_connect.cc	2007-06-11 16:03:03 -04:00
@@ -837,9 +837,12 @@ static int check_connection(THD *thd) password both send '\0'. This strlen() can't be easily deleted without changing protocol. + + Cast *passwd to an unsigned char, so that it doesn't extend the sign for + *passwd > 127 and become 2**32-127+ after casting to uint. */ uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ? - *passwd++ : strlen(passwd); + (uchar)(*passwd++) : strlen(passwd); db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ? db + passwd_len + 1 : 0; /* strlen() can't be easily deleted without changing protocol */
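Review bot: the `(uchar)(*passwd++)` cast stops the sign extension but does not bound the client-supplied length against the packet, so the `db + passwd_len + 1` computed two lines later still trusts a byte of up to 255 and can point past the end of a short packet; a check that `passwd + passwd_len + 1` lies within the received packet should accompany this change, and the new comment's "2**32-127+" is off by one, since a byte of 128..255 becomes 2**32-128 .. 2**32-1 after the int-to-uint conversion.

The sign-extension path the commit message describes, as an added example that is not part of the commit or of the MySQL source: a constructed packet tail (length byte, ciphertext, db name) is read once the pre-fix way through a signed `char` and once the post-fix way through `uchar`. The `db_in_bounds` check is a hypothetical addition, not something the hunk contains; it shows that even the fixed length needs validating against the packet size.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned int  uint;
typedef unsigned char uchar;

/* Pre-fix read: the length byte is taken through a signed character type
 * (plain 'char' is signed on x86, which is where the crash was seen; 'signed
 * char' is used here so the behaviour is the same on every platform).  A byte
 * of 0x80..0xFF sign-extends to a negative int and then wraps to a huge uint. */
uint passwd_len_buggy(const signed char *passwd)
{
    return *passwd;                 /* signed char -> int -> uint */
}

/* Post-fix read, mirroring '(uchar)(*passwd++)': cast the value through
 * uchar first so 0x80..0xFF stay 128..255. */
uint passwd_len_fixed(const signed char *passwd)
{
    return (uchar)*passwd;
}

/* Offset of 'db' relative to the length byte, mirroring 'db + passwd_len + 1'
 * from the hunk ('db' initially aliases 'passwd'). */
size_t db_offset(uint passwd_len)
{
    return (size_t)passwd_len + 1;
}

/* Hypothetical bounds check (not in the hunk): 'remaining' is the number of
 * bytes from the length byte to the end of the packet; the db name must start
 * strictly inside it.  Written without forming passwd_len + 1 so it cannot
 * overflow for a huge length. */
int db_in_bounds(uint passwd_len, size_t remaining)
{
    return remaining > 0 && (size_t)passwd_len < remaining - 1;
}

/* Constructed packet tails for the example (not captured traffic): a length
 * byte, 20 bytes standing in for the scramble, then a db name. */
static const signed char good_packet[] = "\x14" "01234567890123456789" "testdb";
static const signed char bad_packet[]  = "\xff" "01234567890123456789" "testdb";

int main(void)
{
    printf("good: buggy=%u fixed=%u\n",
           passwd_len_buggy(good_packet), passwd_len_fixed(good_packet));
    printf("bad:  buggy=%u fixed=%u\n",
           passwd_len_buggy(bad_packet), passwd_len_fixed(bad_packet));
    printf("bad packet, fixed length, in bounds: %d\n",
           db_in_bounds(passwd_len_fixed(bad_packet), sizeof bad_packet));
    return 0;
}
```

With the 0x14 packet both readers agree on 20 and `db` lands on "testdb". With the 0xFF packet the pre-fix reader returns 4294967295 and the fixed reader returns 255; the bounds check rejects both, which is the point of keeping a length check alongside the cast.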