Bug#25714674: MYSQL SERVER REMOTE PREAUTH PROBLEM THROUGH INTEGER OVERFLOW

harinvadodaria · harinvadodaria · commit 586af419599c · 2017-03-15T13:37:02.000+01:00
Description: A missing length check for length-encoded string causes
             problem in preauthorization stage.
diff --git a/include/mysql.h.pp b/include/mysql.h.pp
@@ -245,6 +245,7 @@
 my_ulonglong net_field_length_ll(uchar **packet);
 uchar *net_store_length(uchar *pkg, ulonglong length);
 unsigned int net_length_size(ulonglong num);
+unsigned int net_field_length_size(uchar *pos);
 #include "mysql/client_plugin.h"
 struct st_mysql_client_plugin
 {
diff --git a/include/mysql_com.h b/include/mysql_com.h
@@ -1064,6 +1064,7 @@ ulong STDCALL net_field_length(uchar **packet);
 my_ulonglong net_field_length_ll(uchar **packet);
 uchar *net_store_length(uchar *pkg, ulonglong length);
 unsigned int net_length_size(ulonglong num);
+unsigned int net_field_length_size(uchar *pos);
 
 #ifdef __cplusplus
 }
diff --git a/mysys/pack.cc b/mysys/pack.cc
@@ -142,3 +142,24 @@ uint net_length_size(ulonglong num)
   return 9;
 }
 
+
+/**
+  length of buffer required to represent a length-encoded string
+  give the length part of length encoded string. This function can
+  be used before calling net_field_lenth/net_field_length_ll.
+
+  @param [in] pos  Length information of length-encoded string
+
+  @return length of buffer needed to store this number [1, 3, 4, 9].
+*/
+
+uint net_field_length_size(uchar *pos)
+{
+  if (*pos <= 251)
+    return 1;
+  if (*pos == 252)
+    return 3;
+  if (*pos == 253)
+    return 4;
+  return 9;
+}
diff --git a/sql/auth/sql_authentication.cc b/sql/auth/sql_authentication.cc
@@ -1300,6 +1300,7 @@ char *get_56_lenc_string(char **buffer,
 {
   static char empty_string[1]= { '\0' };
   char *begin= *buffer;
+  uchar *pos= (uchar *)begin;
 
   if (*max_bytes_available == 0)
     return NULL;
@@ -1320,6 +1321,23 @@ char *get_56_lenc_string(char **buffer,
     return empty_string;
   }
 
+  /* Make sure we have enough bytes available for net_field_length_ll */
+
+  DBUG_EXECUTE_IF("buffer_too_short_3",
+                  *pos= 252; *max_bytes_available= 2;
+  );
+  DBUG_EXECUTE_IF("buffer_too_short_4",
+                  *pos= 253; *max_bytes_available= 3;
+  );
+  DBUG_EXECUTE_IF("buffer_too_short_9",
+                  *pos= 254; *max_bytes_available= 8;
+  );
+
+  size_t required_length= (size_t)net_field_length_size(pos);
+
+  if (*max_bytes_available < required_length)
+    return NULL;
+
   *string_length= (size_t)net_field_length_ll((uchar **)buffer);
 
   DBUG_EXECUTE_IF("sha256_password_scramble_too_long",
@@ -1328,6 +1346,9 @@ char *get_56_lenc_string(char **buffer,
 
   size_t len_len= (size_t)(*buffer - begin);
 
+  DBUG_ASSERT((*max_bytes_available >= len_len) &&
+              (len_len == required_length));
+
   if (*string_length > *max_bytes_available - len_len)
     return NULL;
 

Original file line number	Diff line number	Diff line change
`@@ -245,6 +245,7 @@`
`245`	`245`	`my_ulonglong net_field_length_ll(uchar **packet);`
`246`	`246`	`uchar net_store_length(uchar pkg, ulonglong length);`
`247`	`247`	`unsigned int net_length_size(ulonglong num);`
	`248`	`+unsigned int net_field_length_size(uchar *pos);`
`248`	`249`	`#include "mysql/client_plugin.h"`
`249`	`250`	`struct st_mysql_client_plugin`
`250`	`251`	`{`
Original file line number	Diff line number	Diff line change
`@@ -1064,6 +1064,7 @@ ulong STDCALL net_field_length(uchar **packet);`
`1064`	`1064`	`my_ulonglong net_field_length_ll(uchar **packet);`
`1065`	`1065`	`uchar net_store_length(uchar pkg, ulonglong length);`
`1066`	`1066`	`unsigned int net_length_size(ulonglong num);`
	`1067`	`+unsigned int net_field_length_size(uchar *pos);`
`1067`	`1068`
`1068`	`1069`	`#ifdef __cplusplus`
`1069`	`1070`	`}`