MariaDB Server: MDEV-9346

[PATCH] The federatedx and spider engines make mysqld crash when they are configured without a username

      Description

      When I use the federatedx and spider engines, there is one situation where the user name is omitted from the connection information, and it makes mysqld crash.
      For example, a remote server is running on 192.168.217.1 and its port is 3310.

          case 1
          create table s1(A int) ENGINE = SPIDER CONNECTION 'host "192.168.217.1", port "3310", database "test", table "t1"';
          select * from s1;
          ERROR 2013 (HY000): Lost connection to MySQL server during query   <-- lost connection because the server crashed

          case 2
          create table fedx1(A int) ENGINE=FEDERATED CONNECTION='mysql://:123456@192.168.217.1:3310/db1/fed';
          ERROR 2013 (HY000): Lost connection to MySQL server during query

          case 3
          CREATE SERVER serv1
            FOREIGN DATA WRAPPER mysql
            OPTIONS(
              HOST '192.168.217.1',
              PORT 3310,
              DATABASE 'DB1'
            );
          create table fedx2(A int) ENGINE=FEDERATED CONNECTION='serv1/fed';
          ERROR 2013 (HY000): Lost connection to MySQL server during query

      The spider/federatedx engines and the client program both use libmysql to connect to the server, and both pass NULL as the username to mysql_real_connect, yet the client program does not crash in this condition. This makes me confused.

      The problem traces back to the send_client_reply_packet function called by mysql_real_connect.
      In the following code snippet, the user name (a NUL-terminated string) is copied to the buffer (pointed to by end); then the strend() function finds the new end of the buffer, assuming that the end pointer points to a NUL-terminated string.

        /* This needs to be changed as it's not useful with big packets */
        if (mysql->user[0])
          strmake(end, mysql->user, USERNAME_LENGTH);
        else
          read_user_name(end);   /* a no-op in the server build: nothing is written to *end */

        /* We have to handle different version of handshake here */
        DBUG_PRINT("info",("user: %s",end));
        end= strend(end) + 1;    /* scans from end until it finds a NUL byte */

      The read_user_name function is called when the user name is empty. In the client (libmysql.c) it gives the user name a value and copies that value into the buffer, while in the server (client_settings.h) it is defined as empty:
      #define read_user_name(A) {}
      So strend will read an uninitialized buffer, and under some conditions this makes the server crash.

      It may be reasonable for read_user_name() in the server code to give the user name a value as well.
      https://github.com/MariaDB/server/pull/138
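To make the mechanism concrete, the following is an added C model of the user-name step (not MariaDB's code): stand-ins for strmake() and strend(), a no-op read_user_name as in the server build, and an assumed fixed variant that always leaves a terminated name in the buffer. USERNAME_LENGTH, BUF_SIZE and the sentinel fill are constructed for the example.

```c
/* Added example modelling the user-name step of send_client_reply_packet();
 * not MariaDB code. The buffer is pre-filled with a sentinel so the scan
 * that would hit stale heap bytes in the real server is visible and safe. */
#include <stddef.h>
#include <string.h>

#define USERNAME_LENGTH 80   /* assumed for the example */
#define BUF_SIZE 256         /* constructed buffer size */

/* strmake() stand-in: copy at most n chars and always NUL-terminate. */
static char *strmake(char *dst, const char *src, size_t n)
{
    size_t len = 0;
    while (len < n && src[len]) len++;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return dst + len;
}

/* strend() stand-in: pointer to the terminating NUL of s. */
static char *strend(const char *s)
{
    while (*s) s++;
    return (char *)s;
}

/* Server build: read_user_name(A) is defined as {}, so nothing is written. */
static void read_user_name_noop(char *dst) { (void)dst; }

/* Assumed fix: always leave a terminated (possibly empty) name in the buffer. */
static void read_user_name_fixed(char *dst) { strmake(dst, "", USERNAME_LENGTH); }

/* Number of bytes strend() walks past `end` after the user-name step.
 * Anything beyond strlen(user) means strend() read bytes never written. */
size_t user_field_len(const char *user, void (*read_user_name)(char *))
{
    char buf[BUF_SIZE];
    memset(buf, 'X', BUF_SIZE - 1);   /* stand-in for stale heap contents */
    buf[BUF_SIZE - 1] = '\0';         /* keeps this example itself in bounds */
    char *end = buf;

    if (user && user[0])
        strmake(end, user, USERNAME_LENGTH);
    else
        read_user_name(end);

    return (size_t)(strend(end) - end);   /* the `end= strend(end) + 1` step */
}
```

In the real server the bytes after end are not a sentinel but whatever the packet buffer held, so the scan stops wherever a zero byte happens to be, or faults when it runs off the allocation.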

              People

              Assignee:
              svoj Sergey Vojtovich
              Reporter:
              chengxiaoz chengxiaoz