database/mariadb
1
0
Fork 0
mirror of https://github.com/MariaDB/server.git synced 2025-09-02 09:41:40 +03:00
Code Activity

Security bug: password length check should be in check_user, not check_connections(),

Browse Source 
otherwise COM_CHANGE_USER is unprotected and can be used for both privilege escalation and buffer overrun
This commit is contained in:
unknown
2002-12-04 00:27:09 +01:00
parent b79b6c357d
commit e753fa4d8d
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
sql/sql_parse.cc
View File

@@ -109,6 +109,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
NET *net= &thd->net; NET *net= &thd->net;
thd->db=0; thd->db=0;
if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
return 1;
if (!(thd->user = my_strdup(user, MYF(0)))) if (!(thd->user = my_strdup(user, MYF(0))))
{ {
send_error(net,ER_OUT_OF_RESOURCES); send_error(net,ER_OUT_OF_RESOURCES);
@@ -458,8 +460,6 @@ check_connections(THD *thd)
char *user= (char*) net->read_pos+5; char *user= (char*) net->read_pos+5;
char *passwd= strend(user)+1; char *passwd= strend(user)+1;
char *db=0; char *db=0;
if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
return ER_HANDSHAKE_ERROR;
if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB) if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
db=strend(passwd)+1; db=strend(passwd)+1;
if (thd->client_capabilities & CLIENT_INTERACTIVE) if (thd->client_capabilities & CLIENT_INTERACTIVE)