MDEV-7774: Crash when dropping user within rebuild_role_grants

The issue comes from not taking all possibilities to match an entry within the roles_mapping HASH, when updating the data structure.
2025-07-30 16:24:05 +03:00 · 2015-03-13 20:12:22 +02:00
parent acab0faa14
commit 6c55e52b10
3 changed files with 61 additions and 4 deletions
--- a/sql/sql_acl.cc
+++ b/sql/sql_acl.cc
@ -8802,10 +8802,30 @@ static int handle_grant_struct(enum enum_acl_lists struct_no, bool drop,
    if (struct_no == ROLES_MAPPINGS_HASH)
    {
      const char* role= role_grant_pair->r_uname? role_grant_pair->r_uname: "";
-      if (user_from->is_role() ? strcmp(user_from->user.str, role) :
-          (strcmp(user_from->user.str, user) ||
-           my_strcasecmp(system_charset_info, user_from->host.str, host)))
-        continue;
+      if (user_from->is_role())
+      {
+        /* When searching for roles within the ROLES_MAPPINGS_HASH, we have
+           to check both the user field as well as the role field for a match.
+
+           It is possible to have a role granted to a role. If we are going
+           to modify the mapping entry, it needs to be done on either on the
+           "user" end (here represented by a role) or the "role" end. At least
+           one part must match.
+
+           If the "user" end has a not-empty host string, it can never match
+           as we are searching for a role here. A role always has an empty host
+           string.
+        */
+        if ((*host || strcmp(user_from->user.str, user)) &&
+            strcmp(user_from->user.str, role))
+          continue;
+      }
+      else
+      {
+        if (strcmp(user_from->user.str, user) ||
+            my_strcasecmp(system_charset_info, user_from->host.str, host))
+          continue;
+      }
    }
    else
    {