From a50e8e9ce6c367f8477bd749f3e0a49b6bdaefd6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Markus=20M=C3=A4kel=C3=A4?=
Date: Mon, 27 Aug 2018 20:35:09 +0300
Subject: [PATCH] MXS-2024: Prevent stack overflow

If a large packet is received, the stack would overflow when the username size was determined from the packet size. The code must not assume anything about the size of the packet being read.
---
 .../protocol/MySQL/mariadbclient/mysql_client.cc | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc b/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
index 08bddce77..136eb4ac8 100644
--- a/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
+++ b/server/modules/protocol/MySQL/mariadbclient/mysql_client.cc
@@ -22,6 +22,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -1537,14 +1538,15 @@ static bool reauthenticate_client(MXS_SESSION* session, GWBUF* packetbuf)
 if (session->client_dcb->authfunc.reauthenticate)
 {
+ uint64_t payloadlen = gwbuf_length(packetbuf) - MYSQL_HEADER_LEN;
 MySQLProtocol* proto = (MySQLProtocol*)session->client_dcb->protocol;
- uint8_t payload[gwbuf_length(packetbuf) - MYSQL_HEADER_LEN];
- gwbuf_copy_data(packetbuf, MYSQL_HEADER_LEN, sizeof(payload), payload);
+ std::vector payload;
+ payload.resize(payloadlen);
+ gwbuf_copy_data(packetbuf, MYSQL_HEADER_LEN, payloadlen, &payload[0]);
 // Will contains extra data but the username is null-terminated
- char user[gwbuf_length(proto->stored_query) - MYSQL_HEADER_LEN - 1];
- gwbuf_copy_data(proto->stored_query, MYSQL_HEADER_LEN + 1,
- sizeof(user), (uint8_t*)user);
+ char user[MYSQL_USER_MAXLEN + 1];
+ gwbuf_copy_data(proto->stored_query, MYSQL_HEADER_LEN + 1, sizeof(user), (uint8_t*)user);
 char* end = user + sizeof(user);
@@ -1559,7 +1561,7 @@ static bool reauthenticate_client(MXS_SESSION* session, GWBUF* packetbuf)
 strcpy(data->user, user);
 int rc = session->client_dcb->authfunc.reauthenticate(session->client_dcb,
 data->user,
- payload, sizeof(payload),
+ &payload[0], payload.size(),
 proto->scramble, sizeof(proto->scramble),
 data->client_sha1, sizeof(data->client_sha1));
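Review bot: `&payload[0]` on the added line is undefined behaviour when the vector is empty, which is the case whenever `gwbuf_length(packetbuf)` equals `MYSQL_HEADER_LEN` and `payloadlen` is zero; `payload.data()` is well-defined for an empty vector, so the argument pair should read `payload.data(), payload.size(),`. The same `&payload[0]` is used in the `gwbuf_copy_data(packetbuf, MYSQL_HEADER_LEN, payloadlen, ...)` call added in the previous hunk. `payloadlen` is also computed there as an unsigned `uint64_t` difference, so a buffer shorter than the header would wrap it to a huge value and `payload.resize(payloadlen)` would then throw (`std::length_error` or `std::bad_alloc`) on a client-supplied length; unless a caller already guarantees the minimum length, which the hunk does not show, a guard such as `if (gwbuf_length(packetbuf) < MYSQL_HEADER_LEN) return false;` before the resize would be prudent. The enclosing function reauthenticate_client starts and ends outside this hunk.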