database/mariadb-connector-c
1
0
Fork 0
mirror of https://github.com/mariadb-corporation/mariadb-connector-c.git synced 2025-08-08 14:02:17 +03:00
Code Activity

Fix for CONC-345: heap-use-after free in client_mpvio_read_packet

Browse Source 
We need to check if pkt_len is > 0 before the buffer content will be checked.
This commit is contained in:
Georg Richter
2018-07-03 11:17:46 +02:00
parent 9e1fef0bf2
commit a0d4b422bd
2 changed files with 45 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/auth/my_auth.c
View File

@@ -357,7 +357,7 @@ static int client_mpvio_read_packet(struct st_plugin_vio *mpv, uchar **buf)
*buf= mysql->net.read_pos; *buf= mysql->net.read_pos;
/* was it a request to change plugins ? */ /* was it a request to change plugins ? */
if (**buf == 254) if (pkt_len && **buf == 254)
return (int)packet_error; /* if yes, this plugin shan't continue */ return (int)packet_error; /* if yes, this plugin shan't continue */
/* /*

44
unittest/libmariadb/bulk1.c
View File

@@ -43,6 +43,49 @@ static int check_bulk(MYSQL *mysql)
return OK; return OK;
} }
static int bulk_insert_id(MYSQL *mysql)
{
int i;
int rc;
MYSQL_BIND bind[1];
unsigned int array_size= 2;
int val_a[2]= {0,1};
MYSQL_STMT *stmt= mysql_stmt_init(mysql);
rc= mysql_query(mysql, "CREATE OR REPLACE TABLE t1 (a int not null auto_increment primary key)");
check_mysql_rc(rc, mysql);
rc= mysql_query(mysql, "INSERT INTO t1 VALUES(0),(1)");
check_mysql_rc(rc, mysql);
diag("Insert via mysql_query ok");
rc= mysql_query(mysql, "CREATE OR REPLACE TABLE t1 (a int not null auto_increment primary key)");
check_mysql_rc(rc, mysql);
memset(&bind, 0, sizeof(MYSQL_BIND));
bind[0].buffer_type= MYSQL_TYPE_LONG;
bind[0].buffer= val_a;
rc= mysql_stmt_prepare(stmt, SL("insert into t1 values(?)"));
check_stmt_rc(rc, stmt);
rc= mysql_stmt_attr_set(stmt, STMT_ATTR_ARRAY_SIZE, &array_size);
check_stmt_rc(rc, stmt);
rc= mysql_stmt_bind_param(stmt, bind);
check_stmt_rc(rc, stmt);
rc= mysql_stmt_execute(stmt);
check_stmt_rc(rc, stmt);
diag("Insert via bulk insert (binary protocol) ok");
mysql_stmt_close(stmt);
exit(1);
return OK;
}
static int bulk1(MYSQL *mysql) static int bulk1(MYSQL *mysql)
{ {
MYSQL_STMT *stmt= mysql_stmt_init(mysql); MYSQL_STMT *stmt= mysql_stmt_init(mysql);
@@ -998,6 +1041,7 @@ static int bulk_null_null(MYSQL *mysql)
struct my_tests_st my_tests[] = { struct my_tests_st my_tests[] = {
{"check_bulk", check_bulk, TEST_CONNECTION_DEFAULT, 0, NULL, NULL}, {"check_bulk", check_bulk, TEST_CONNECTION_DEFAULT, 0, NULL, NULL},
{"bulk_insert_id", bulk_insert_id, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"bulk_null_null", bulk_null_null, TEST_CONNECTION_NEW, 0, NULL, NULL}, {"bulk_null_null", bulk_null_null, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_char_conv1", test_char_conv1, TEST_CONNECTION_NEW, 0, NULL, NULL}, {"test_char_conv1", test_char_conv1, TEST_CONNECTION_NEW, 0, NULL, NULL},
{"test_char_conv2", test_char_conv2, TEST_CONNECTION_NEW, 0, NULL, NULL}, {"test_char_conv2", test_char_conv2, TEST_CONNECTION_NEW, 0, NULL, NULL},