Details
Type: Bug
Status: Closed
Priority: Major
Resolution: Duplicate
10.11
None
Can result in unexpected behaviour
Description
When `proxy_protocol_networks` is enabled, MariaDB accepts PROXY protocol
headers from trusted networks before authentication.
The PROXY protocol v1 parsing path in `parse_proxy_protocol_header()` reads
header bytes into a fixed-size stack buffer:

```c
uchar hdr[MAX_PROXY_HEADER_LEN];
```

The read loop allows reading up to the full buffer size:

```c
while (pos < sizeof(hdr))
```

After the loop completes, the code appends a null terminator:

```c
hdr[pos] = 0;
```
If an attacker sends a maximum-length PROXY v1 header without a newline,
`pos` can reach the full buffer size before termination, causing the null
terminator write to occur one byte past the end of the stack buffer.
This results in an off-by-one stack buffer overflow in the pre-authentication
PROXY protocol parser.
Proposed Fix:
1. Increase the header buffer size by one byte to reserve space for the
null terminator.
2. Preserve full valid header parsing while ensuring termination remains
in bounds.
3. Add regression test for maximum-length PROXY headers.
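The following is an added illustration, not code from the MariaDB server or from the linked PR. It models the read loop described above in a self-contained C program: `terminator_write_in_bounds()` computes where the original `while (pos < sizeof(hdr))` loop leaves `pos` for an unterminated header and checks whether the following `hdr[pos] = 0` stays inside a buffer of that size, and `read_proxy_v1_header()` shows the proposed fix (one extra byte reserved for the terminator, the loop bounded at `MAX_PROXY_HEADER_LEN`, and an unterminated header rejected). The `MAX_PROXY_HEADER_LEN` value of 107 (the PROXY v1 specification's maximum), the `struct conn` socket stand-in and the sample headers are assumptions constructed for this example; MariaDB's own constant and I/O layer may differ.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef unsigned char uchar;

/* Limit assumed for this example: the PROXY v1 spec caps the header at 107
 * bytes. MariaDB's own MAX_PROXY_HEADER_LEN may differ. */
#define MAX_PROXY_HEADER_LEN 107

/* Stand-in for a client socket: a constructed in-memory byte stream. */
struct conn {
    const uchar *data;
    size_t len;
    size_t off;
};

static int conn_read_byte(struct conn *c, uchar *out)
{
    if (c->off >= c->len)
        return -1;                    /* EOF, as a failed recv() would be */
    *out = c->data[c->off++];
    return 0;
}

/* Models the reported loop: `while (pos < buf_size)` consumes bytes until a
 * newline or until the buffer is full, then writes hdr[pos] = 0. Returns 1 if
 * that terminator write lands inside a buffer of buf_size bytes, 0 if not.
 * For an unterminated header of at least buf_size bytes, pos == buf_size,
 * which is one past the end of `uchar hdr[buf_size]`. */
int terminator_write_in_bounds(size_t header_bytes, size_t buf_size)
{
    size_t pos = header_bytes < buf_size ? header_bytes : buf_size;
    return pos < buf_size;
}

/* Hardened reader. The buffer reserves one byte for the terminator, the loop
 * stops at MAX_PROXY_HEADER_LEN, and a header that has no '\n' within that
 * limit is rejected rather than terminated. Returns the header length without
 * CRLF (copied into out), or -1 on error. */
int read_proxy_v1_header(struct conn *c, char *out, size_t out_cap)
{
    uchar hdr[MAX_PROXY_HEADER_LEN + 1];  /* +1 keeps hdr[pos] = 0 in bounds */
    size_t pos = 0;
    int seen_newline = 0;

    while (pos < MAX_PROXY_HEADER_LEN) {
        uchar b;
        if (conn_read_byte(c, &b) < 0)
            return -1;
        hdr[pos++] = b;
        if (b == '\n') {
            seen_newline = 1;
            break;
        }
    }
    if (!seen_newline)
        return -1;                  /* too long or unterminated: reject */

    hdr[pos] = 0;                   /* pos <= MAX_PROXY_HEADER_LEN: in bounds */

    /* Strip "\r\n" (or a bare "\n") and require the v1 signature. */
    size_t len = pos - 1;
    if (len > 0 && hdr[len - 1] == '\r')
        len--;
    if (len < 6 || memcmp(hdr, "PROXY ", 6) != 0)
        return -1;
    if (len + 1 > out_cap)
        return -1;
    memcpy(out, hdr, len);
    out[len] = 0;
    return (int)len;
}

/* Constructed sample: a well-formed v1 header as a proxy would send it. */
static const uchar SAMPLE_GOOD[] = "PROXY TCP4 192.0.2.1 198.51.100.1 1234 3306\r\n";

int parse_good_sample(char *out, size_t out_cap)
{
    struct conn c = { SAMPLE_GOOD, sizeof(SAMPLE_GOOD) - 1, 0 };
    return read_proxy_v1_header(&c, out, out_cap);
}

/* Constructed sample: exactly MAX_PROXY_HEADER_LEN bytes with no newline,
 * the shape the report describes. It must be rejected, never terminated. */
int parse_unterminated_max_sample(void)
{
    uchar buf[MAX_PROXY_HEADER_LEN];
    char out[MAX_PROXY_HEADER_LEN + 1];
    memset(buf, 'A', sizeof(buf));
    memcpy(buf, "PROXY ", 6);
    struct conn c = { buf, sizeof(buf), 0 };
    return read_proxy_v1_header(&c, out, sizeof(out));
}

int main(void)
{
    char out[MAX_PROXY_HEADER_LEN + 1];
    int n = parse_good_sample(out, sizeof(out));
    printf("good header: %d bytes -> \"%s\"\n", n, n >= 0 ? out : "");
    printf("unterminated max-length header: %d (rejected)\n",
           parse_unterminated_max_sample());
    printf("original loop with a full buffer, terminator in bounds: %d\n",
           terminator_write_in_bounds(MAX_PROXY_HEADER_LEN, MAX_PROXY_HEADER_LEN));
    return 0;
}
```

Rejecting an unterminated header, rather than only enlarging the buffer, matters because this code runs before authentication: a connection from a trusted proxy network that fails to terminate its header within the limit is malformed and should be dropped, and the regression test proposed in step 3 would exercise exactly the `parse_unterminated_max_sample()` shape above.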
Related PR:
https://github.com/MariaDB/server/pull/4998
Issue Links
- duplicates MDEV-39219 Buffer overflow in PROXY protocol header v1 parsing (Closed)