Details
- Bug
- Status: Closed
- Major
- Resolution: Fixed
- 10.0(EOL), 10.1(EOL)
- None
- windows centos
Description
When I use the FederatedX and Spider engines, the server crashes in the case where the user name is omitted from the connection information.
For example, a remote server is running on 192.168.217.1, port 3310.
case 1
  create table s1(A int) ENGINE = SPIDER CONNECTION 'host "192.168.217.1", port "3310", database "test", table "t1"';
  select * from s1;
  ERROR 2013 (HY000): Lost connection to MySQL server during query   <-- lost connection because the server crashed

case 2
  create table fedx1(A int) ENGINE=FEDERATED CONNECTION='mysql://:123456@192.168.217.1:3310/db1/fed';
  ERROR 2013 (HY000): Lost connection to MySQL server during query

case 3
  CREATE SERVER serv1
  FOREIGN DATA WRAPPER mysql
  OPTIONS(
    HOST '192.168.217.1',
    PORT 3310,
    DATABASE 'DB1'
  );
  create table fedx2(A int) ENGINE=FEDERATED CONNECTION='serv1/fed';
  ERROR 2013 (HY000): Lost connection to MySQL server during query
The Spider/FederatedX engines and the client program both use libmysql to connect to the server, and both pass NULL as the user name to mysql_real_connect, yet the client program does not crash under that condition. This makes me confused.
The problem traces back to the send_client_reply_packet function called by mysql_real_connect.
In the following code snippet the user name (a NUL-terminated string) is copied into the buffer pointed to by end, and strend() then finds the new end of the buffer on the assumption that end points to a NUL-terminated string.
  /* This needs to be changed as it's not useful with big packets */
  if (mysql->user[0])
    strmake(end, mysql->user, USERNAME_LENGTH);
  else
    read_user_name(end);

  /* We have to handle different version of handshake here */
  DBUG_PRINT("info",("user: %s",end));
  end= strend(end) + 1;
The read_user_name function is called when the user name is empty. In the client build (libmysql.c) it looks up a user name and copies that value into the buffer, but in the server build (client_settings.h) it is defined as an empty macro:
  #define read_user_name(A) {}
So strend() walks an uninitialized buffer, which crashes the server under some conditions.
It may be reasonable for the server-side read_user_name() to write a user name value as well.
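The following is an added, self-contained C example (not code from MariaDB or from this report) that models the user-name step of send_client_reply_packet() described above. It pre-fills a packet buffer with non-NUL bytes to stand in for uninitialized memory, runs the same if/else as the snippet with the server-side empty read_user_name macro, and replaces strend() with a bounded scan so the failure shows up as a return value instead of an out-of-bounds read. The hardened variant read_user_name_fixed, the helper find_nul and the function write_user_field are assumptions for this example only; strmake is re-implemented here with the same copy-and-terminate semantics as the MariaDB string routine.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_LENGTH 128
#define BUF_SIZE 256

/* Re-implementation of strmake(): copy at most n bytes of src and always
   NUL-terminate dst; returns a pointer to the terminating NUL. */
static char *strmake(char *dst, const char *src, size_t n)
{
    size_t len = 0;
    while (len < n && src[len] != '\0')
        len++;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst + len;
}

/* Server-side definition from client_settings.h as quoted in the report:
   a no-op, so the buffer is left untouched when the user name is empty. */
#define read_user_name_server(A) {}

/* Hypothetical hardened variant: always leave an empty, NUL-terminated
   string behind so the following strend() has a terminator to find. */
#define read_user_name_fixed(A) ((A)[0] = '\0')

/* Bounded stand-in for strend(): offset of the first NUL within limit
   bytes, or -1 if there is none (the real strend() would keep reading
   past the end of the buffer here). */
static long find_nul(const char *p, size_t limit)
{
    for (size_t i = 0; i < limit; i++)
        if (p[i] == '\0')
            return (long)i;
    return -1;
}

/* Model of the user-name step of send_client_reply_packet(). The buffer
   is filled with 'X' bytes as constructed "uninitialized" contents.
   Returns the offset strend() would compute, or -1 when the scan would
   run off the end of the buffer. */
static long write_user_field(const char *user, int use_fixed_macro)
{
    char buf[BUF_SIZE];
    char *end = buf;
    memset(buf, 'X', sizeof buf);

    if (user[0])
        strmake(end, user, USERNAME_LENGTH);
    else if (use_fixed_macro)
        read_user_name_fixed(end);
    else
        read_user_name_server(end);

    return find_nul(end, sizeof buf);
}

int main(void)
{
    printf("user \"alice\", server macro: %ld\n", write_user_field("alice", 0));
    printf("user \"\",      server macro: %ld\n", write_user_field("", 0));
    printf("user \"\",      fixed macro : %ld\n", write_user_field("", 1));
    return 0;
}
```

With a non-empty user name the scan stops at offset 5; with an empty user name and the server-side no-op macro no terminator exists in the buffer (-1), which is the condition under which the real strend() reads uninitialized memory; with the variant that writes an empty string the scan stops at offset 0 as intended.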
https://github.com/MariaDB/server/pull/138