head 1.1; access; symbols OPENPKG_E1_MP_HEAD:1.1 OPENPKG_E1_MP:1.1 OPENPKG_E1_MP_2_STABLE:1.1 OPENPKG_E1_FP:1.1 OPENPKG_2_STABLE_20061018:1.1 OPENPKG_2_STABLE:1.1.0.24 OPENPKG_2_STABLE_BP:1.1 OPENPKG_2_5_SOLID:1.1.0.22 OPENPKG_2_5_SOLID_BP:1.1 OPENPKG_2_4_RELEASE:1.1 OPENPKG_2_4_SOLID:1.1.0.20 OPENPKG_2_4_SOLID_BP:1.1 OPENPKG_2_3_RELEASE:1.1 OPENPKG_2_3_SOLID:1.1.0.18 OPENPKG_2_3_SOLID_BP:1.1 OPENPKG_2_2_RELEASE:1.1 OPENPKG_2_2_SOLID:1.1.0.16 OPENPKG_2_2_SOLID_BP:1.1 OPENPKG_2_1_RELEASE:1.1 OPENPKG_2_1_SOLID:1.1.0.14 OPENPKG_2_1_SOLID_BP:1.1 OPENPKG_2_0_RELEASE:1.1 OPENPKG_2_0_SOLID:1.1.0.12 OPENPKG_2_0_SOLID_BP:1.1 OPENPKG_1_3_RELEASE:1.1 OPENPKG_1_3_SOLID:1.1.0.10 OPENPKG_1_3_SOLID_BP:1.1 OPENPKG_1_2_SOLID:1.1.0.8 OPENPKG_1_2_SOLID_BP:1.1 OPENPKG_1_STABLE:1.1.0.6 OPENPKG_1_STABLE_BP:1.1 OPENPKG_1_0_SOLID:1.1.0.4 OPENPKG_1_1_SOLID:1.1.0.2; locks; strict; comment @# @; 1.1 date 2002.12.16.07.22.06; author mlelstv; state dead; branches 1.1.2.1 1.1.4.1; next ; 1.1.2.1 date 2002.12.16.07.22.06; author mlelstv; state Exp; branches; next 1.1.2.2; 1.1.2.2 date 2003.01.29.11.38.51; author thl; state Exp; branches; next ; 1.1.4.1 date 2002.12.16.09.20.35; author mlelstv; state Exp; branches; next ; desc @@ 1.1 log @file mysql-sec.patch was initially added on branch OPENPKG_1_1_SOLID. @ text @@ 1.1.4.1 log @fix for http://security.e-matters.de/advisories/042002.html @ text @a0 178 diff -r -u mysql-3.23.53/libmysql/libmysql.c mysql-3.23.54/libmysql/libmysql.c --- mysql-3.23.53/libmysql/libmysql.c Thu Oct 10 12:17:31 2002 +++ mysql-3.23.54/libmysql/libmysql.c Thu Dec 5 10:37:06 2002 @@@@ -307,7 +307,7 @@@@ DBUG_PRINT("error",("Wrong connection or packet. fd: %s len: %d", vio_description(net->vio),len)); end_server(mysql); - net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? + net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? 
CR_NET_PACKET_TOO_LARGE: CR_SERVER_LOST); strmov(net->last_error,ER(net->last_errno)); @@@@ -891,7 +891,7 @@@@ uint field,pkt_len; ulong len; uchar *cp; - char *to; + char *to, *end_to; MYSQL_DATA *result; MYSQL_ROWS **prev_ptr,*cur; NET *net = &mysql->net; @@@@ -929,6 +929,7 @@@@ *prev_ptr=cur; prev_ptr= &cur->next; to= (char*) (cur->data+fields+1); + end_to=to+pkt_len-1; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH) @@@@ -938,6 +939,13 @@@@ else { cur->data[field] = to; + if (len > end_to - to) + { + free_rows(result); + net->last_errno=CR_UNKNOWN_ERROR; + strmov(net->last_error,ER(net->last_errno)); + DBUG_RETURN(0); + } memcpy(to,(char*) cp,len); to[len]=0; to+=len+1; cp+=len; @@@@ -972,7 +980,7 @@@@ { uint field; ulong pkt_len,len; - uchar *pos,*prev_pos; + uchar *pos,*prev_pos, *end_pos; if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error) return -1; @@@@ -980,6 +988,7 @@@@ return 1; /* End of data */ prev_pos= 0; /* allowed to write at packet[-1] */ pos=mysql->net.read_pos; + end_pos=pos+pkt_len; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH) @@@@ -989,6 +998,12 @@@@ } else { + if (len > end_pos - pos) + { + mysql->net.last_errno=CR_UNKNOWN_ERROR; + strmov(mysql->net.last_error,ER(mysql->net.last_errno)); + return -1; + } row[field] = (char*) pos; pos+=len; *lengths++=len; diff -r -u mysql-3.23.53/libmysql_r/libmysql.c mysql-3.23.54/libmysql_r/libmysql.c --- mysql-3.23.53/libmysql_r/libmysql.c Thu Oct 10 12:17:31 2002 +++ mysql-3.23.54/libmysql_r/libmysql.c Thu Dec 5 10:37:06 2002 @@@@ -307,7 +307,7 @@@@ DBUG_PRINT("error",("Wrong connection or packet. fd: %s len: %d", vio_description(net->vio),len)); end_server(mysql); - net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? + net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? 
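Review bot: In the -938 hunk the new guard `if (len > end_to - to)` compares the unsigned `len` with a signed pointer difference, so once `to` has advanced to `end_to + 1` (the preceding field exactly filled the row buffer and `to+=len+1` ran) the difference is -1, converts to a huge unsigned value, and the guard accepts any `len`, leaving the memcpy it was added to protect unbounded again. Make the exhausted case explicit: `if (to > end_to || len > (ulong) (end_to - to))`. The guard also bounds only the destination: `net_field_length(&cp)` and the `memcpy` source are never compared with the end of the received packet, and because `cp` has additionally consumed the length-prefix bytes it can reach `read_pos + pkt_len` before `to` runs out — whether the net buffer tolerates a short over-read is not visible here. The -998 hunk in read_one_row (`len > end_pos - pos`) has the same signed comparison, defeated as soon as net_field_length steps `pos` past `end_pos`, and the same unbounded prefix read; both recur in the libmysql_r/libmysql.c copy and in the identical 1.1.2.1 revision text. Both loops begin and end outside their hunks.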
CR_NET_PACKET_TOO_LARGE: CR_SERVER_LOST); strmov(net->last_error,ER(net->last_errno)); @@@@ -891,7 +891,7 @@@@ uint field,pkt_len; ulong len; uchar *cp; - char *to; + char *to, *end_to; MYSQL_DATA *result; MYSQL_ROWS **prev_ptr,*cur; NET *net = &mysql->net; @@@@ -929,6 +929,7 @@@@ *prev_ptr=cur; prev_ptr= &cur->next; to= (char*) (cur->data+fields+1); + end_to=to+pkt_len-1; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH) @@@@ -938,6 +939,13 @@@@ else { cur->data[field] = to; + if (len > end_to - to) + { + free_rows(result); + net->last_errno=CR_UNKNOWN_ERROR; + strmov(net->last_error,ER(net->last_errno)); + DBUG_RETURN(0); + } memcpy(to,(char*) cp,len); to[len]=0; to+=len+1; cp+=len; @@@@ -972,7 +980,7 @@@@ { uint field; ulong pkt_len,len; - uchar *pos,*prev_pos; + uchar *pos,*prev_pos, *end_pos; if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error) return -1; @@@@ -980,6 +988,7 @@@@ return 1; /* End of data */ prev_pos= 0; /* allowed to write at packet[-1] */ pos=mysql->net.read_pos; + end_pos=pos+pkt_len; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH) @@@@ -989,6 +998,12 @@@@ } else { + if (len > end_pos - pos) + { + mysql->net.last_errno=CR_UNKNOWN_ERROR; + strmov(mysql->net.last_error,ER(mysql->net.last_errno)); + return -1; + } row[field] = (char*) pos; pos+=len; *lengths++=len; diff -r -u mysql-3.23.53/sql/sql_parse.cc mysql-3.23.54/sql/sql_parse.cc --- mysql-3.23.53/sql/sql_parse.cc Thu Oct 10 12:17:26 2002 +++ mysql-3.23.54/sql/sql_parse.cc Thu Dec 5 10:37:04 2002 @@@@ -109,6 +109,8 @@@@ NET *net= &thd->net; thd->db=0; + if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) + return 1; if (!(thd->user = my_strdup(user, MYF(0)))) { send_error(net,ER_OUT_OF_RESOURCES); @@@@ -458,8 +460,6 @@@@ char *user= (char*) net->read_pos+5; char *passwd= strend(user)+1; char *db=0; - if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) - return ER_HANDSHAKE_ERROR; if 
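Review bot: The check moved into check_user in the -109 hunk returns 1 silently, whereas the copy removed from the handshake in the -458 hunk returned ER_HANDSHAKE_ERROR and the failure path two lines below calls `send_error(net, ...)` first; unless every caller of check_user reports on a nonzero return (not visible here), a client whose scramble has the wrong length now just loses the connection without a message. Suggest `if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) { send_error(net, ER_HANDSHAKE_ERROR); return 1; }`. Returning before `thd->user` is replaced also matters to callers that save the old pointer and unconditionally `x_free(thd->user)` on failure — the COM_CHANGE_USER restore path patched in the 1.1.2.2 revision is exactly that pattern — so a comment here stating that check_user can fail without touching thd->user would help the next reader. `strlen(passwd)` additionally assumes the net layer NUL-terminates the packet; if that is not guaranteed elsewhere, a length-bounded scan is safer. check_user continues outside the hunk, and both hunks recur in the 1.1.2.1 revision.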
(thd->client_capabilities & CLIENT_CONNECT_WITH_DB) db=strend(passwd)+1; if (thd->client_capabilities & CLIENT_INTERACTIVE) @@@@ -768,8 +768,8 @@@@ thread_safe_increment(com_other,&LOCK_thread_count); slow_command = TRUE; char* data = packet + 1; - uint db_len = *data; - uint tbl_len = *(data + db_len + 1); + uint db_len = *(uchar *)data; + uint tbl_len = *(uchar *)(data + db_len + 1); char* db = sql_alloc(db_len + tbl_len + 2); memcpy(db, data + 1, db_len); char* tbl_name = db + db_len; @ 1.1.2.1 log @fix for http://security.e-matters.de/advisories/042002.html @ text @a0 178 diff -r -u mysql-3.23.53/libmysql/libmysql.c mysql-3.23.54/libmysql/libmysql.c --- mysql-3.23.53/libmysql/libmysql.c Thu Oct 10 12:17:31 2002 +++ mysql-3.23.54/libmysql/libmysql.c Thu Dec 5 10:37:06 2002 @@@@ -307,7 +307,7 @@@@ DBUG_PRINT("error",("Wrong connection or packet. fd: %s len: %d", vio_description(net->vio),len)); end_server(mysql); - net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? + net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? 
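Review bot: The `uchar` casts in the -768 hunk stop a high byte from turning `db_len` into a huge value, but neither length is checked against what was received: `tbl_len` is read from `data + db_len + 1`, up to 256 bytes beyond `data` regardless of the packet size, and the `memcpy` on the next line copies `db_len` bytes from the packet on the same trust. Both should be rejected when they fall outside the packet; `packet_length`, which the COM_CHANGE_USER check in the 1.1.2.2 revision of this file compares against, looks like the right bound, assuming it counts the leading command byte. The sketch below does that before each read; ER_UNKNOWN_COM_ERROR is a suggestion (substitute whatever this server reports for malformed commands) and `break` assumes the switch case the surrounding context suggests. `sql_alloc` on the following line is also used without a NULL check, unlike my_strdup in check_user which is followed by `send_error(net,ER_OUT_OF_RESOURCES)`. The enclosing case continues outside the hunk, and the hunk recurs in the 1.1.2.1 revision.
```cpp
    char* data = packet + 1;
    uint db_len = *(uchar *)data;
    /* the db length byte, the db name and the table length byte must all lie inside the packet */
    if (db_len + 2 >= packet_length)            /* assumes packet_length includes the command byte */
    {
      send_error(net, ER_UNKNOWN_COM_ERROR);
      break;
    }
    uint tbl_len = *(uchar *)(data + db_len + 1);
    if (db_len + tbl_len + 2 >= packet_length)  /* table name must fit as well */
    {
      send_error(net, ER_UNKNOWN_COM_ERROR);
      break;
    }
    /* … unchanged: sql_alloc of db, memcpy of db and tbl_name … */
```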
CR_NET_PACKET_TOO_LARGE: CR_SERVER_LOST); strmov(net->last_error,ER(net->last_errno)); @@@@ -891,7 +891,7 @@@@ uint field,pkt_len; ulong len; uchar *cp; - char *to; + char *to, *end_to; MYSQL_DATA *result; MYSQL_ROWS **prev_ptr,*cur; NET *net = &mysql->net; @@@@ -929,6 +929,7 @@@@ *prev_ptr=cur; prev_ptr= &cur->next; to= (char*) (cur->data+fields+1); + end_to=to+pkt_len-1; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH) @@@@ -938,6 +939,13 @@@@ else { cur->data[field] = to; + if (len > end_to - to) + { + free_rows(result); + net->last_errno=CR_UNKNOWN_ERROR; + strmov(net->last_error,ER(net->last_errno)); + DBUG_RETURN(0); + } memcpy(to,(char*) cp,len); to[len]=0; to+=len+1; cp+=len; @@@@ -972,7 +980,7 @@@@ { uint field; ulong pkt_len,len; - uchar *pos,*prev_pos; + uchar *pos,*prev_pos, *end_pos; if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error) return -1; @@@@ -980,6 +988,7 @@@@ return 1; /* End of data */ prev_pos= 0; /* allowed to write at packet[-1] */ pos=mysql->net.read_pos; + end_pos=pos+pkt_len; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH) @@@@ -989,6 +998,12 @@@@ } else { + if (len > end_pos - pos) + { + mysql->net.last_errno=CR_UNKNOWN_ERROR; + strmov(mysql->net.last_error,ER(mysql->net.last_errno)); + return -1; + } row[field] = (char*) pos; pos+=len; *lengths++=len; diff -r -u mysql-3.23.53/libmysql_r/libmysql.c mysql-3.23.54/libmysql_r/libmysql.c --- mysql-3.23.53/libmysql_r/libmysql.c Thu Oct 10 12:17:31 2002 +++ mysql-3.23.54/libmysql_r/libmysql.c Thu Dec 5 10:37:06 2002 @@@@ -307,7 +307,7 @@@@ DBUG_PRINT("error",("Wrong connection or packet. fd: %s len: %d", vio_description(net->vio),len)); end_server(mysql); - net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? + net->last_errno=(net->last_errno == ER_NET_PACKET_TOO_LARGE ? 
CR_NET_PACKET_TOO_LARGE: CR_SERVER_LOST); strmov(net->last_error,ER(net->last_errno)); @@@@ -891,7 +891,7 @@@@ uint field,pkt_len; ulong len; uchar *cp; - char *to; + char *to, *end_to; MYSQL_DATA *result; MYSQL_ROWS **prev_ptr,*cur; NET *net = &mysql->net; @@@@ -929,6 +929,7 @@@@ *prev_ptr=cur; prev_ptr= &cur->next; to= (char*) (cur->data+fields+1); + end_to=to+pkt_len-1; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&cp)) == NULL_LENGTH) @@@@ -938,6 +939,13 @@@@ else { cur->data[field] = to; + if (len > end_to - to) + { + free_rows(result); + net->last_errno=CR_UNKNOWN_ERROR; + strmov(net->last_error,ER(net->last_errno)); + DBUG_RETURN(0); + } memcpy(to,(char*) cp,len); to[len]=0; to+=len+1; cp+=len; @@@@ -972,7 +980,7 @@@@ { uint field; ulong pkt_len,len; - uchar *pos,*prev_pos; + uchar *pos,*prev_pos, *end_pos; if ((pkt_len=(uint) net_safe_read(mysql)) == packet_error) return -1; @@@@ -980,6 +988,7 @@@@ return 1; /* End of data */ prev_pos= 0; /* allowed to write at packet[-1] */ pos=mysql->net.read_pos; + end_pos=pos+pkt_len; for (field=0 ; field < fields ; field++) { if ((len=(ulong) net_field_length(&pos)) == NULL_LENGTH) @@@@ -989,6 +998,12 @@@@ } else { + if (len > end_pos - pos) + { + mysql->net.last_errno=CR_UNKNOWN_ERROR; + strmov(mysql->net.last_error,ER(mysql->net.last_errno)); + return -1; + } row[field] = (char*) pos; pos+=len; *lengths++=len; diff -r -u mysql-3.23.53/sql/sql_parse.cc mysql-3.23.54/sql/sql_parse.cc --- mysql-3.23.53/sql/sql_parse.cc Thu Oct 10 12:17:26 2002 +++ mysql-3.23.54/sql/sql_parse.cc Thu Dec 5 10:37:04 2002 @@@@ -109,6 +109,8 @@@@ NET *net= &thd->net; thd->db=0; + if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) + return 1; if (!(thd->user = my_strdup(user, MYF(0)))) { send_error(net,ER_OUT_OF_RESOURCES); @@@@ -458,8 +460,6 @@@@ char *user= (char*) net->read_pos+5; char *passwd= strend(user)+1; char *db=0; - if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH) - return ER_HANDSHAKE_ERROR; if 
(thd->client_capabilities & CLIENT_CONNECT_WITH_DB) db=strend(passwd)+1; if (thd->client_capabilities & CLIENT_INTERACTIVE) @@@@ -768,8 +768,8 @@@@ thread_safe_increment(com_other,&LOCK_thread_count); slow_command = TRUE; char* data = packet + 1; - uint db_len = *data; - uint tbl_len = *(data + db_len + 1); + uint db_len = *(uchar *)data; + uint tbl_len = *(uchar *)(data + db_len + 1); char* db = sql_alloc(db_len + tbl_len + 2); memcpy(db, data + 1, db_len); char* tbl_name = db + db_len; @ 1.1.2.2 log @OpenPKG-SA-2003.008 @ text @a178 18 --- mysql-3.23.52/sql/sql_parse.cc Wed Jan 29 12:08:03 2003 +++ mysql-3.23.55/sql/sql_parse.cc Wed Jan 29 12:23:57 2003 @@@@ -794,6 +794,7 @@@@ char *save_user= thd->user; char *save_priv_user= thd->priv_user; char *save_db= thd->db; + thd->user=0; if ((uint) ((uchar*) db - net->read_pos) > packet_length) { // Check if protocol is ok @@@@ -803,7 +804,6 @@@@ if (check_user(thd, COM_CHANGE_USER, user, passwd, db, 0)) { // Restore old user x_free(thd->user); - x_free(thd->db); thd->master_access=save_master_access; thd->db_access=save_db_access; thd->db=save_db; @
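Review bot: The `thd->user=0;` added in the -794 hunk is the substance of the fix but reads as arbitrary without a comment; suggest `/* check_user() may fail before it replaces thd->user; clear the old pointer so the x_free(thd->user) on the restore path cannot free save_user, which is presumably put back afterwards */`. Dropping `x_free(thd->db)` in the -803 hunk closes the companion double free, but if check_user can allocate a new thd->db and still fail afterwards (its later paths are not visible here) that allocation is now leaked when `thd->db=save_db` overwrites it — worth a second comment stating that the leak is accepted, or freeing it only when it differs from save_db. The COM_CHANGE_USER block begins before the -794 hunk and ends after the -803 hunk.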