MXS-2024: Validate COM_CHANGE_USER packet before use

The use of strcpy on data that is assumed to be null terminated causes reads and writes past buffers.
2018-08-24 20:52:52 +03:00
parent 13c7072da1
commit 2c54f28fae
1 changed files with 9 additions and 0 deletions
--- a/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
+++ b/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
@ -20,6 +20,7 @@
 #include <limits.h>
 #include <netinet/tcp.h>
 #include <sys/stat.h>
+#include <algorithm>
 #include <string>

 #include <maxscale/alloc.h>
@ -1545,6 +1546,14 @@ static bool reauthenticate_client(MXS_SESSION* session, GWBUF* packetbuf)
        gwbuf_copy_data(proto->stored_query, MYSQL_HEADER_LEN + 1,
                        sizeof(user), (uint8_t*)user);

+        char* end = user + sizeof(user);
+
+        if (std::find(user, end, '\0') == end)
+        {
+            mysql_send_auth_error(session->client_dcb, 3, 0, "Malformed AuthSwitchRequest packet");
+            return false;
+        }
+
        // Copy the new username to the session data
        MYSQL_session* data = (MYSQL_session*)session->client_dcb->data;
        strcpy(data->user, user);