diff options
| author | Sergei Golubchik <serg@mariadb.org> | 2018-04-30 23:06:09 +0200 |
|---|---|---|
| committer | Sergei Golubchik <serg@mariadb.org> | 2018-05-01 11:50:34 +0200 |
| commit | 1ecd68d867ced1d00ebffdcedbf6bc97493f5067 (patch) | |
| tree | 38d628467af7870287576ed5b478aa33b6be8c52 | |
| parent | ccad629d7e453b06b16193deb4685fc10908f92f (diff) | |
| download | mariadb-git-1ecd68d867ced1d00ebffdcedbf6bc97493f5067.tar.gz | |
Use after free in authenticationmariadb-galera-5.5.60
| -rw-r--r-- | mysql-test/r/connect_debug.result | 5 | ||||
| -rw-r--r-- | mysql-test/t/connect_debug.test | 12 | ||||
| -rw-r--r-- | sql-common/client.c | 4 | ||||
| -rw-r--r-- | sql/sql_acl.cc | 1 |
4 files changed, 20 insertions, 2 deletions
diff --git a/mysql-test/r/connect_debug.result b/mysql-test/r/connect_debug.result new file mode 100644 index 00000000000..0452b238db9 --- /dev/null +++ b/mysql-test/r/connect_debug.result @@ -0,0 +1,5 @@ +set @old_dbug=@@global.debug_dbug; +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/mysql-test/t/connect_debug.test b/mysql-test/t/connect_debug.test new file mode 100644 index 00000000000..299b605b2cd --- /dev/null +++ b/mysql-test/t/connect_debug.test @@ -0,0 +1,12 @@ +source include/have_debug.inc; +set @old_dbug=@@global.debug_dbug; + +# +# use after free if need plugin change and auth aborted +# +set global debug_dbug='+d,auth_disconnect'; +create user 'bad' identified by 'worse'; +--error 1 +--exec $MYSQL --default-auth=mysql_old_password --user=bad --password=worse +set global debug_dbug=@old_dbug; +drop user bad; diff --git a/sql-common/client.c b/sql-common/client.c index b485ebf4f60..00e2877bedb 100644 --- a/sql-common/client.c +++ b/sql-common/client.c @@ -2742,7 +2742,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf) *buf= mysql->net.read_pos; /* was it a request to change plugins ? */ - if (**buf == 254) + if (pkt_len == packet_error || **buf == 254) return (int)packet_error; /* if yes, this plugin shan't continue */ /* @@ -2927,7 +2927,7 @@ int run_plugin_auth(MYSQL *mysql, char *data, uint data_len, compile_time_assert(CR_OK == -1); compile_time_assert(CR_ERROR == 0); - if (res > CR_OK && mysql->net.read_pos[0] != 254) + if (res > CR_OK && (mysql->net.last_errno || mysql->net.read_pos[0] != 254)) { /* the plugin returned an error. write it down in mysql, diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index c3740f8ab29..15a238193dd 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -8253,6 +8253,7 @@ static bool send_plugin_request_packet(MPVIO_EXT *mpvio, const char *client_auth_plugin= ((st_mysql_auth *) (plugin_decl(mpvio->plugin)->info))->client_auth_plugin; + DBUG_EXECUTE_IF("auth_disconnect", { vio_close(net->vio); DBUG_RETURN(1); }); DBUG_ASSERT(client_auth_plugin); /* |