Added checks in gw_mysql_do_authentication() for mysql protocol fileds

Added bytes check in gw_mysql_do_authentication() before proceding with user,database,token decode
2013-12-23 16:55:38 +01:00 · 2013-12-23 16:55:38 +01:00 · 13fdf4ef6b
commit 13fdf4ef6b
parent 999258be6e
2 changed files with 20 additions and 0 deletions
--- a/server/modules/protocol/.mysql_client.c.swp
+++ b/server/modules/protocol/.mysql_client.c.swp
--- a/server/modules/protocol/mysql_client.c
+++ b/server/modules/protocol/mysql_client.c
@ -354,6 +354,7 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
 	/* int compress = -1; */
 	int connect_with_db = -1;
 	uint8_t *client_auth_packet = GWBUF_DATA(queue);
+	int client_auth_packet_size = 0;
 	char *username =  NULL;
 	char *database = NULL;
 	unsigned int auth_token_len = 0;
@ -372,6 +373,25 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
 	stage1_hash = client_data->client_sha1;
 	username = client_data->user;

+	client_auth_packet_size = gwbuf_length(queue);
+
+	/* For clients supporting CLIENT_PROTOCOL_41
+	 * the Handshake Response Packet is:
+	 *
+	 * 4		bytes mysql protocol heade
+	 * 4		bytes capability flags
+	 * 4		max-packet size
+	 * 1		byte character set
+	 * string[23]	reserved (all [0])
+	 * ...
+	 * ...
+	 */
+
+	/* Detect now if there are enough bytes to continue */
+	if (client_auth_packet_size < (4 + 4 + 4 + 1 + 23)) {
+		return 1;
+	}
+
 	memcpy(&protocol->client_capabilities, client_auth_packet + 4, 4);

 	connect_with_db =