From 3d8134d2c9b74bc8883ffe2ef59c168361223837 Mon Sep 17 00:00:00 2001 From: Harin Vadodaria Date: Tue, 23 May 2017 07:14:33 +0200 Subject: [PATCH] Bug#25988681: USE-AFTER-FREE IN MYSQL_STMT_CLOSE() Description: If mysql_stmt_close() encountered error, it recorded error in prepared statement but then frees memory assigned to prepared statement. If mysql_stmt_error() is used to get error information, it will result into use after free. In all cases where mysql_stmt_close() can fail, error would have been set by cli_advanced_command in MYSQL structure. Solution: Don't copy error from MYSQL using set_stmt_errmsg. There is no automated way to test the fix since it is in mysql_stmt_close() which does not expect any reply from server. Reviewed-By: Georgi Kodinov Reviewed-By: Ramil Kalimullin --- libmysql/libmysql.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/libmysql/libmysql.c b/libmysql/libmysql.c index 6e7134ff97c..d5ab85efa32 100644 --- a/libmysql/libmysql.c +++ b/libmysql/libmysql.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved. +/* Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -4678,10 +4678,14 @@ my_bool STDCALL mysql_stmt_close(MYSQL_STMT *stmt) mysql->status= MYSQL_STATUS_READY; } int4store(buff, stmt->stmt_id); - if ((rc= stmt_command(mysql, COM_STMT_CLOSE, buff, 4, stmt))) - { - set_stmt_errmsg(stmt, &mysql->net); - } + /* + If stmt_command failed, it would have already raised + error using set_mysql_error. Caller should use + mysql_error() or mysql_errno() to find out details. + Memory allocated for stmt will be released regardless + of the error. + */ + rc= stmt_command(mysql, COM_STMT_CLOSE, buff, 4, stmt); } }
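Review bot: The new comment above `rc= stmt_command(mysql, COM_STMT_CLOSE, buff, 4, stmt);` puts the API contract in the wrong place: a caller that sees a non-zero return and then calls mysql_stmt_error(stmt) still reads freed memory, because the statement is released later in the function regardless of rc (as the description says), so the rule "the handle is invalid after mysql_stmt_close() even when it fails; read the error with mysql_errno(mysql)/mysql_error(mysql)" belongs in the function's public documentation (header comment / manual), not only inside the body. I would also make the in-body comment say why the copy was removed rather than only where the error lives, e.g. `/* Do not copy the error into stmt: stmt is freed below and a later mysql_stmt_error(stmt) would be a use-after-free; stmt_command() has already reported it on the MYSQL handle via set_mysql_error(). */`. The comment's claim that the error is always recorded on the MYSQL handle rests on cli_advanced_command per the description; if any other advanced_command implementation can fail without calling set_mysql_error, the caller would get rc != 0 with no error recorded anywhere, which is worth confirming before relying on it. mysql_stmt_close starts and ends outside the hunk (the free of stmt and the return are below it).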