  1. MariaDB Server
  2. MDEV-9346

[PATCH] The federatedx and spider engines make mysqld crash when they are configured without username




      When I use the federatedx and spider engines, on one occasion the user name was omitted from the connection information and it made mysqld crash.
      For example, a remote server is running on and port is 3310.

          case 1
          create table s1(A int) ENGINE = SPIDER CONNECTION 'host "", port "3310", database "test", table "t1"';
          select * from s1;
          ERROR 2013 (HY000): Lost connection to MySQL server during query   <--  Lost Connection Because Server Crashed
          case 2
          create table fedx1(A int) ENGINE=FEDERATED    CONNECTION='mysql://:123456@';
          ERROR 2013 (HY000): Lost connection to MySQL server during query
          case 3
          CREATE SERVER serv1
            FOREIGN DATA WRAPPER mysql
            OPTIONS (
              HOST '',
              PORT 3310,
              DATABASE 'DB1'
            );
          create table fedx2(A int) ENGINE=FEDERATED CONNECTION='serv1/fed';
          ERROR 2013 (HY000): Lost connection to MySQL server during query

      The spider/federatedx engines and the client program both use libmysql to connect to the server, and both pass NULL as the username to mysql_real_connect, while the client program will not crash in such a condition. This makes me confused.

      The problem traces back to the send_client_reply_packet function called by mysql_real_connect.
      In the following code snippet, the user name (a NUL-terminated string) is copied to the buffer (pointed to by end), then the strend() function finds the new end of the buffer, assuming the end pointer points to a NUL-terminated string.

        /* This needs to be changed as it's not useful with big packets */
        if (mysql->user[0])
          strmake(end, mysql->user, USERNAME_LENGTH);
        /* We have to handle different version of handshake here */
        DBUG_PRINT("info",("user: %s",end));
        end= strend(end) + 1;

      The read_user_name function is called when the user name is null. It gives a value to the user name and copies the value in the client (libmysql.c), while it is defined empty in the server (client_settings.h):
      #define read_user_name(A) {}
      So strend will access an uninitialized buffer, and will make the server crash under some conditions.

      It may be reasonable that a user name value is given in read_user_name() in server code.
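
The failure mode described in this report, reduced to a stand-alone C program (an added example, not MariaDB source and not the patch attached to this issue). The helper names, the `USERNAME_LENGTH` value and the `STALE` buffer contents are assumptions constructed for the demonstration; the stale bytes are NUL-terminated inside the buffer so the faulty scan stays in bounds and gives a repeatable result.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_LENGTH 128   /* assumed field limit for this example */
#define STALE "stale-bytes"   /* constructed leftover data: 11 chars + NUL */

/* Local stand-in for strmake(): copy at most n bytes, always NUL-terminate. */
static char *copy_bounded(char *dst, const char *src, size_t n)
{
    size_t len = 0;
    while (len < n && src[len]) len++;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst + len;
}

/* Pattern from the report: nothing is written when the user name is empty,
   yet the end of the field is still located by scanning for a NUL. */
static size_t user_field_as_reported(char *end, const char *user)
{
    char *start = end;
    if (user && user[0])
        copy_bounded(end, user, USERNAME_LENGTH);
    end = end + strlen(end) + 1;          /* equivalent of strend(end) + 1 */
    return (size_t)(end - start);
}

/* Hardened: the field is always written, so the scan sees only our bytes. */
static size_t user_field_hardened(char *end, const char *user)
{
    char *start = end;
    end = copy_bounded(end, user ? user : "", USERNAME_LENGTH) + 1;
    return (size_t)(end - start);
}

/* Build one field in a buffer that still holds STALE from an earlier use. */
static size_t run_case(int hardened, const char *user)
{
    char buff[USERNAME_LENGTH + 1] = STALE;
    return hardened ? user_field_hardened(buff, user)
                    : user_field_as_reported(buff, user);
}

int main(void)
{
    printf("as reported, no user: %zu bytes\n", run_case(0, NULL));
    printf("hardened,    no user: %zu bytes\n", run_case(1, NULL));
    return 0;
}
```

With no user name, the reported pattern treats the 12 stale bytes as the user field, while the hardened variant emits a single NUL. In the server the buffer contents are not controlled like this, so the scan can run past the end of the buffer.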



              svoj Sergey Vojtovich
              chengxiaoz chengxiaoz