From 2740335aa8b81d6abb11ee078957876e11813117 Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Sat, 1 Apr 2023 18:12:37 +0200
Subject: [PATCH 1/2] Fix error macros range checking

Corrected range checking for IS_MYSQL_ERROR and IS_MARIADB_ERROR macros.
---
 include/errmsg.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/errmsg.h b/include/errmsg.h
index a3d22785..4c7b2f05 100644
--- a/include/errmsg.h
+++ b/include/errmsg.h
@@ -108,8 +108,8 @@ extern const char *mariadb_client_errors[]; /* Error messages */
 #define CR_MARIADB_LAST_ERROR CR_ERR_NET_UNCOMPRESS
 #endif
-#define IS_MYSQL_ERROR(code) ((code) > CR_MIN_ERROR && (code) < CR_MYSQL_LAST_ERROR)
-#define IS_MARIADB_ERROR(code) ((code) > CER_MIN_ERROR && (code) < CR_MARIADB_LAST_ERROR)
+#define IS_MYSQL_ERROR(code) ((code) > CR_MIN_ERROR && (code) <= CR_MYSQL_LAST_ERROR)
+#define IS_MARIADB_ERROR(code) ((code) > CER_MIN_ERROR && (code) <= CR_MARIADB_LAST_ERROR)
 #define ER(code) IS_MYSQL_ERROR((code)) ? client_errors[(code) - CR_MIN_ERROR] : \
 IS_MARIADB_ERROR((code)) ? mariadb_client_errors[(code) - CER_MIN_ERROR] : \
From 5a94570b39cfe826c7df62a7b351253061bea5ed Mon Sep 17 00:00:00 2001
From: Georg Richter
Date: Wed, 5 Apr 2023 09:01:25 +0200
Subject: [PATCH 2/2] Fix for CONC-635: Disable TLS/SSL for named pipe/shared mem

Since the server doesn't support secure connections for shared memory and named pipe connections but indicates this capability by setting the CLIENT_SSL flag, we unset this flag in case the connection uses shared memory or named pipe.
---
 plugins/auth/my_auth.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/plugins/auth/my_auth.c b/plugins/auth/my_auth.c
index 2423294c..e5567e6c 100644
--- a/plugins/auth/my_auth.c
+++ b/plugins/auth/my_auth.c
@@ -200,8 +200,6 @@ error:
 return res;
 }
-
-
 static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 const uchar *data, int data_len)
 {
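Review bot: In include/errmsg.h the now-inclusive upper bound of `IS_MYSQL_ERROR` and `IS_MARIADB_ERROR` is also the only bounds check on the table lookups in `ER()` just below, so `client_errors[CR_MYSQL_LAST_ERROR - CR_MIN_ERROR]` and `mariadb_client_errors[CR_MARIADB_LAST_ERROR - CER_MIN_ERROR]` become reachable indexes. `mariadb_client_errors` is declared without a size in the hunk header line and both tables are defined outside this hunk, so the patch does not show whether they hold an entry at those indexes; if either table is one short, the macro reads past its end. A compile-time check next to the table definitions would pin this, e.g. `_Static_assert(sizeof(client_errors) / sizeof(client_errors[0]) > CR_MYSQL_LAST_ERROR - CR_MIN_ERROR, "client_errors too short");` or the project's own equivalent, with the same for `mariadb_client_errors`. The `ER()` definition continues past the end of the hunk.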
@@ -237,6 +235,16 @@ static int send_client_reply_packet(MCPVIO_EXT *mpvio,
 to unset CLIENT_CONNECT_WITH_DB flag */
 mysql->client_flag&= ~CLIENT_CONNECT_WITH_DB;
+ /* CONC-635: For connections via named pipe or shared memory the server
+ indicates the capability for secure connections (TLS), but
+ doesn't support it. */
+ if ((mysql->server_capabilities & CLIENT_SSL) &&
+ (mysql->net.pvio->type == PVIO_TYPE_NAMEDPIPE ||
+ mysql->net.pvio->type == PVIO_TYPE_SHAREDMEM))
+ {
+ mysql->server_capabilities &= ~(CLIENT_SSL);
+ }
+
 /* if server doesn't support SSL and verification of server certificate was set to mandatory, we need to return an error */
 if (mysql->options.use_ssl && !(mysql->server_capabilities & CLIENT_SSL))
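Review bot: The new CONC-635 comment does not say what happens to a caller who asked for TLS: once `CLIENT_SSL` is cleared, a connection with `options.use_ssl` set falls through to the existing check below, whose body lies outside this hunk. Going by that check's comment, only the mandatory-verification case returns an error, so other TLS requests over named pipe or shared memory would presumably continue unencrypted with no signal to the application. I would extend the comment to state this, e.g. `TLS requested via use_ssl is not negotiated on these transports; only the mandatory-verification case below fails the connect.`, after confirming it against the rest of the function. The added condition also dereferences `mysql->net.pvio` with no NULL check visible in the hunk, and it rewrites the recorded `server_capabilities` rather than a client-side flag, so later readers of that field no longer see what the server advertised. `send_client_reply_packet` starts and ends outside the hunk.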