Uploaded image for project: 'MariaDB Connector/C'
  1. MariaDB Connector/C
  2. CONC-709

potential wild read in unpack_fields() in mariadb_lib.c

Details

    • Bug
    • Status: Closed (View Workflow)
    • Major
    • Resolution: Fixed
    • 3.4
    • 3.1.27, 3.4.4, 3.3.14
    • Protocol
    • None
    • Ubuntu 23.10

    Description

      If the server sends a column definition packet one of whose
      field lengths is 0xfb, net_field_length() returns NULL_LENGTH,
      and in response mthd_my_read_rows() sets cur->data[field] = 0.

      Later, unpack_fields() says 

            uint length= (uint)(row->data[i+1] - row->data[i] - 1);
      		 
            if (!row->data[i] || row->data[i][length])
      		 
              goto error;

      since row->data[i+1] can be zero, length can be set to something
      unexpected, and row->data[i][length] may be an out of bounds read.

      I've attached a demo server.

      $ mariadb --version
      		 
      mariadb from 11.6.0-MariaDB, client 15.2 for Linux (x86_64) using readline 5.1
      		 
      $ cc mc6a.c
      		 
      $ ./a.out &
      		 
      $ echo 'SELECT * FROM t;' | mariadb --host=127.0.0.1 --ssl=off d
      		 
      Segmentation fault (core dumped)
      		 
       
      		 
      Program terminated with signal SIGSEGV, Segmentation fault.
      		 
      #0  0x00005624146ec687 in unpack_fields (mysql=0x562414c09000 <mysql>, data=0x562415e5ca50, alloc=0x562414c09300 <mysql+768>, fields=1, 
          default_value=1 '\001') at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1068
      		 
      1068          if (!row->data[i] || row->data[i][length])
      		 
      (gdb) where
      		 
      #0  0x00005624146ec687 in unpack_fields (mysql=0x562414c09000 <mysql>, data=0x562415e5ca50, alloc=0x562414c09300 <mysql+768>, fields=1, 
          default_value=1 '\001') at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:1068
      		 
      #1  0x00005624146f2711 in mthd_my_read_query_result (mysql=0x562414c09000 <mysql>) at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2892
      		 
      #2  0x00005624146f2ad8 in mysql_real_query (mysql=0x562414c09000 <mysql>, query=0x562415e56138 "SELECT * FROM t", length=15)
      		 
          at /home/rtm/maria/server/libmariadb/libmariadb/mariadb_lib.c:2959
      		 
      #3  0x00005624146dd3a2 in mysql_real_query_for_lazy (buf=0x562415e56138 "SELECT * FROM t", length=15) at /home/rtm/maria/server/client/mysql.cc:3209
      		 
      #4  0x00005624146de2e9 in com_go (buffer=0x562414c095a0 <glob_buffer>) at /home/rtm/maria/server/client/mysql.cc:3480
      		 
      #5  0x00005624146dbc1b in add_line (buffer=..., line=0x562415e55098 "SELECT * FROM t;", line_length=16, in_string=0x7ffe6265a8c6 "", 
          ml_comment=0x7ffe6265a8c7, truncated=false) at /home/rtm/maria/server/client/mysql.cc:2643
      		 
      #6  0x00005624146dad87 in read_and_execute (interactive=false) at /home/rtm/maria/server/client/mysql.cc:2338
      		 
      #7  0x00005624146d9534 in main (argc=12, argv=0x562415e533e0) at /home/rtm/maria/server/client/mysql.cc:1397
      		 
      (gdb) print row->data[i]
      		 
      $1 = 0x562415eef89c "c"
      		 
      (gdb) print row->data[i+1]
      		 
      $2 = 0x0
      		 
      (gdb) print length
      		 
      $3 = 3926984547

      Attachments

        Activity

          People

            georg Georg Richter
            rtm Robert Morris
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.