Commit 33de7e55 authored by serg@serg.mysql.com's avatar serg@serg.mysql.com

Security bug: password length check should be in check_user, not check_connections(),

otherwise COM_CHANGE_USER is unprotected and can be used for both privilege escalation and buffer overrun
parent b9d1e3fc
+2 −2
@@ -109,6 +109,8 @@ static bool check_user(THD *thd,enum_server_command command, const char *user,
  NET *net= &thd->net;
  thd->db=0;

  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
    return 1;
  if (!(thd->user = my_strdup(user, MYF(0))))
  {
    send_error(net,ER_OUT_OF_RESOURCES);
@@ -458,8 +460,6 @@ check_connections(THD *thd)
  char *user=   (char*) net->read_pos+5;
  char *passwd= strend(user)+1;
  char *db=0;
  if (passwd[0] && strlen(passwd) != SCRAMBLE_LENGTH)
    return ER_HANDSHAKE_ERROR;
  if (thd->client_capabilities & CLIENT_CONNECT_WITH_DB)
    db=strend(passwd)+1;
  if (thd->client_capabilities & CLIENT_INTERACTIVE)
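Review bot: The relocated length check in check_user returns 1 without calling send_error(), unlike the my_strdup failure path directly below it, so a rejected handshake or COM_CHANGE_USER may get no error packet and leave no record of a malformed authentication attempt. The callers are outside the hunks, so this needs confirming, but if they treat a non-zero return as "error already sent", consider `{ send_error(net,ER_HANDSHAKE_ERROR); return 1; }` here. The check also runs after `thd->db=0`, so moving it above that assignment would validate the input before session state is touched. Separately, `strlen(passwd)` and the `strend()` calls in check_connections rely on NUL terminators inside the received packet, and nothing in the visible lines bounds them by the packet length; a comment stating where that guarantee comes from, or an explicit bound, would help. check_user's body continues outside the hunk.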