Details
Bug
Status: Open
Major
Resolution: Unresolved
10.5
None
Description
The COM_STMT_PREPARE protocol result permits only 2 bytes for returning the number of columns.
COM_STMT_PREPARE_OK format:
* int<1> 0x00 COM_STMT_PREPARE_OK header
* int<4> statement id
* int<2> number of columns in the returned result set (or 0 if statement does not return result set)
* int<2> number of prepared statement parameters ('?' placeholders)
* string<1> -not used-
* int<2> number of warnings
If the number of columns is more than 65355, an error MUST be returned from the server.
The actual implementation sends unexpected data, resulting in a wrong connector state and an unusable connection.
Example:
Prepare a query 'SELECT 1, 1, 1, 1, ...' with 100 000 values '1'.
The result will be:
+-------------------------------------------------+
|  0  1  2  3  4  5  6  7  8  9  a  b  c  d  e  f |
+-------------------------------------------------+------------------+
| 0C 00 00 01 00 02 00 00 00 A0 86 00 00 00 00 00 | ................ |
+-------------------------------------------------+------------------+
number of columns = A0 86 = value 34 644 (100000 - 65356), not 100000,
so connectors try to read 34 644 column definition packets, but there will be 65356 more.
Correction:
If the number of columns > 65355, an error has to be returned from the server, as is done when the number of parameters is too big (error "Prepared statement contains too many placeholders").
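The following added example (not MariaDB server or connector code) decodes the packet from the hex dump above with the listed field layout, and shows an encoder that either truncates the column count to 16 bits, as reported, or refuses it, as the correction asks. The names `parse_prepare_ok`, `encode_prepare_ok`, `INT2_MAX` and `LAYOUT` are assumptions made for this illustration.

```python
import struct

# Packet bytes copied from the hex dump in the report (4-byte header + 12-byte payload).
REPORT_PACKET = bytes.fromhex("0C000001" "00" "02000000" "A086" "0000" "00" "0000")
INT2_MAX = 0xFFFF          # largest value an int<2> field can carry
LAYOUT = "<BIHHBH"         # header, statement id, columns, params, unused, warnings


def parse_prepare_ok(packet: bytes) -> dict:
    """Decode a COM_STMT_PREPARE_OK packet with the field layout listed above."""
    if len(packet) < 4:
        raise ValueError("truncated packet header")
    length, seq = int.from_bytes(packet[:3], "little"), packet[3]
    payload = packet[4:4 + length]
    if len(payload) != length or length < struct.calcsize(LAYOUT):
        raise ValueError("truncated payload")
    header, stmt_id, columns, params, _unused, warnings = struct.unpack_from(LAYOUT, payload)
    if header != 0x00:
        raise ValueError("not a COM_STMT_PREPARE_OK packet")
    return {"seq": seq, "statement_id": stmt_id, "columns": columns,
            "params": params, "warnings": warnings}


def encode_prepare_ok(stmt_id: int, columns: int, params: int, checked: bool = True) -> bytes:
    """Build the packet (sequence 1, no warnings).

    checked=False keeps only the low 16 bits of each count, reproducing the
    reported truncation; checked=True refuses counts that do not fit in int<2>.
    """
    if checked and (columns > INT2_MAX or params > INT2_MAX):
        raise OverflowError("count does not fit in int<2>")
    payload = struct.pack(LAYOUT, 0x00, stmt_id, columns & INT2_MAX, params & INT2_MAX, 0, 0)
    return len(payload).to_bytes(3, "little") + bytes([1]) + payload


if __name__ == "__main__":
    print(parse_prepare_ok(REPORT_PACKET))
    # A0 86 is little-endian 0x86A0: the low 16 bits of 100000.
    print(encode_prepare_ok(2, 100000, 0, checked=False) == REPORT_PACKET)
```

A connector cannot recover the real column count from this packet alone, which is why the check has to sit on the encoding side.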