[MDEV-9346] [PATCH] The federatedx and spider engine make mysqld crash when they are configured withtout username - Jira

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 10.0(EOL), 10.1(EOL)
Fix Version/s: 10.0.24, 10.1.12
Component/s: Storage Engine - Federated, Storage Engine - Spider
Labels:
None
Environment:
windows centos

Description

When I use the federatedx and spider engine, on one occasion user name is omitted in connection information and it make mysqld crash.
For example, a remote server is runing on 192.168.217.1 and port is 3310.

    case 1

    create table s1(A int) ENGINE = SPIDER CONNECTION 'host "192.168.217.1", port "3310", database "test", table "t1"';

    select * from s1;

    ERROR 2013 (HY000): Lost connection to MySQL server during query   <--  Lost Connection Because Server Crashed

    case 2

    create table fedx1(A int) ENGINE=FEDERATED    CONNECTION='mysql://:123456@192.168.217.1:3310/db1/fed';

    ERROR 2013 (HY000): Lost connection to MySQL server during query

    case 3

    CREATE SERVER serv1

      FOREIGN DATA WRAPPER mysql

    OPTIONS(

    HOST '192.168.217.1',

    PORT 3310,

    DATABASE 'DB1'

);

    create table fedx2(A int) ENGINE=FEDERATED CONNECTION='serv1/fed';

    ERROR 2013 (HY000): Lost connection to MySQL server during query

The spider/federatedx engine and client program both use libmysql to connect to server, and both pass NULL as username to mysql_real_connect, while the client program will not crash in such condition. This makes me confused.

The problem trace back to send_client_reply_packet function called by mysql_real_connect.
In the following code snippet, user name ( NUL terminated string) is copied to the buffer(pointed by end), then strend() function find new end of buffer assuming end pointer point to a NUL terminated string.

  /* This needs to be changed as it's not useful with big packets */

  if (mysql->user[0])

    strmake(end, mysql->user, USERNAME_LENGTH);

  else

    read_user_name(end);

  /* We have to handle different version of handshake here */

  DBUG_PRINT("info",("user: %s",end));

  end= strend(end) + 1;

The read_user_name function is called when user name is null. It give a value to user name and copy the the value in client (libmysql.c), while it is defined empty in server(client_settings.h)
#define read_user_name(A) {}.
So strend will access uninitialized buffer, and will make server crash under some condition.

It may be reasonable that a user name value is given in read_user_name() in server code.
https://github.com/MariaDB/server/pull/138

Attachments

Issue Links

links to

Github pull request

Activity

People

Assignee:: Sergey Vojtovich

Reporter:: chengxiaoz

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 2015-12-30 16:13

Updated:: 2016-02-16 16:44

Resolved:: 2016-02-16 16:44

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.