From 57fe5ff56ad0e4a2b6524de073e2fbd342cd90d7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Mon, 14 Jan 2019 13:39:02 +0200
Subject: [PATCH] Fix error packet stringification function

The code read past the stack buffer.
---
 .../routing/readwritesplit/rwsplit_session_cmd.cc | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/server/modules/routing/readwritesplit/rwsplit_session_cmd.cc b/server/modules/routing/readwritesplit/rwsplit_session_cmd.cc
index bc53221dc..cd775f9f0 100644
--- a/server/modules/routing/readwritesplit/rwsplit_session_cmd.cc
+++ b/server/modules/routing/readwritesplit/rwsplit_session_cmd.cc
@@ -35,13 +35,18 @@ std::string extract_error(GWBUF* buffer)
 if (MYSQL_IS_ERROR_PACKET(((uint8_t*)GWBUF_DATA(buffer))))
 {
- size_t replylen = MYSQL_GET_PAYLOAD_LEN(GWBUF_DATA(buffer));
+ size_t replylen = MYSQL_GET_PAYLOAD_LEN(GWBUF_DATA(buffer)) + MYSQL_HEADER_LEN;
 char replybuf[replylen];
 gwbuf_copy_data(buffer, 0, sizeof(replybuf), (uint8_t*)replybuf);
 std::string err;
 std::string msg;
- err.append(replybuf + 8, 5);
- msg.append(replybuf + 13, replylen - 4 - 5);
+
+ /**
+ * The payload starts with a one byte command followed by a two byte error code, a six byte state and
+ * a human-readable string that spans the rest of the packet.
+ */
+ err.append(replybuf + MYSQL_HEADER_LEN + 3, 6);
+ msg.append(replybuf + MYSQL_HEADER_LEN + 3 + 6, replylen - MYSQL_HEADER_LEN - 3 - 6);
 rval = err + ": " + msg;
 }