From 4584ac2c73cad66462f889c978be81519ee92e17 Mon Sep 17 00:00:00 2001
From: "cmiller@zippy.cornsilk.net" <>
Date: Fri, 8 Jun 2007 16:10:53 -0400
Subject: [PATCH] Bug #28984: crasher on connect with out of range password
 length in \ 	protocol

One could send a malformed packet that caused the server to SEGV.  In
recent versions of the password protocol, the client tells the server
what length the ciphertext is (almost always 20).  If that length was
large enough to overflow a signed char, then the number would jump to
very large after being casted to unsigned int.

Instead, cast the *passwd char to uchar.
---
 sql/sql_parse.cc | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index 659926bdea3..4e84bc9d046 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -909,9 +909,12 @@ static int check_connection(THD *thd)
     Old clients send null-terminated string as password; new clients send
     the size (1 byte) + string (not null-terminated). Hence in case of empty
     password both send '\0'.
+
+    Cast *passwd to an unsigned char, so that it doesn't extend the sign for
+    *passwd > 127 and become 2**32-127 after casting to uint.
   */
   uint passwd_len= thd->client_capabilities & CLIENT_SECURE_CONNECTION ?
-    *passwd++ : strlen(passwd);
+    (uchar)(*passwd++) : strlen(passwd);
   db= thd->client_capabilities & CLIENT_CONNECT_WITH_DB ?
     db + passwd_len + 1 : 0;
   uint db_len= db ? strlen(db) : 0;