Fixed out-of-bounds reads of packet length

modutil_get_complete_packets was assuming that at least 3 bytes of each packet is available. This results in an out-of-bounds read if less than 3 bytes of data for a partial result set is available.
2015-11-26 12:47:08 +02:00 · 2015-11-26 12:47:08 +02:00 · b67232a4fa
commit b67232a4fa
parent 63da12e5b5
1 changed files with 8 additions and 0 deletions
--- a/server/core/modutil.c
+++ b/server/core/modutil.c
@ -575,6 +575,14 @@ GWBUF* modutil_get_complete_packets(GWBUF** p_readbuf)
    {
 	ptr += len;
 	total += len;
+
+    /** We need at least 3 bytes of the packet header to know how long the whole
+     * packet is going to be. */
+    if (total + 3 >= blen)
+    {
+        break;
+    }
+
 	len = gw_mysql_get_byte3(ptr) + 4;
    }