Fix: accessed released memory in mysql_client.c where dcb->data was released in gw_mysql_do_authentication and accessed afterwards.
@ -437,8 +437,6 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
|
|||||||
/* Detect now if there are enough bytes to continue */
|
/* Detect now if there are enough bytes to continue */
|
||||||
if (client_auth_packet_size < (4 + 4 + 4 + 1 + 23))
|
if (client_auth_packet_size < (4 + 4 + 4 + 1 + 23))
|
||||||
{
|
{
|
||||||
free(dcb->data);
|
|
||||||
dcb->data = NULL;
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -457,8 +455,6 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
|
|||||||
|
|
||||||
if (username == NULL)
|
if (username == NULL)
|
||||||
{
|
{
|
||||||
free(dcb->data);
|
|
||||||
dcb->data = NULL;
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -529,8 +525,7 @@ static int gw_mysql_do_authentication(DCB *dcb, GWBUF *queue) {
|
|||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
free(dcb->data);
|
return 1;
|
||||||
dcb->data = NULL;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* let's free the auth_token now */
|
/* let's free the auth_token now */
|
||||||
@ -723,7 +718,12 @@ int gw_read_client_event(
|
|||||||
"state = MYSQL_AUTH_FAILED.",
|
"state = MYSQL_AUTH_FAILED.",
|
||||||
protocol->owner_dcb->fd,
|
protocol->owner_dcb->fd,
|
||||||
pthread_self())));
|
pthread_self())));
|
||||||
|
/**
|
||||||
|
* Release MYSQL_session since it is not used anymore.
|
||||||
|
*/
|
||||||
|
free(dcb->data);
|
||||||
|
dcb->data = NULL;
|
||||||
|
|
||||||
dcb_close(dcb);
|
dcb_close(dcb);
|
||||||
}
|
}
|
||||||
read_buffer = gwbuf_consume(read_buffer, nbytes_read);
|
read_buffer = gwbuf_consume(read_buffer, nbytes_read);
|
||||||
|
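Review bot: The new `return 1;` in the `else` branch of the third hunk (old line 529) leaves gw_mysql_do_authentication before the code under `/* let's free the auth_token now */`, so if auth_token is already allocated at that point it would be leaked on every failed authentication. That path is taken by clients that have not authenticated, so a leak there would grow with each rejected login attempt. The allocation and the rest of the function are outside the hunk, so this needs confirming against the full body. If it holds, either release the token first, `free(auth_token); return 1;`, or record the failure code and fall through to the existing cleanup instead of returning from inside the branch.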
@ -2359,7 +2359,10 @@ static bool route_single_stmt(
|
|||||||
*
|
*
|
||||||
* !!! Note that according to MySQL protocol
|
* !!! Note that according to MySQL protocol
|
||||||
* there can only be one such non-sescmd stmt at the time.
|
* there can only be one such non-sescmd stmt at the time.
|
||||||
*
|
* It is possible that bref->bref_pending_cmd includes a pending
|
||||||
|
* command if rwsplit is parent or child for another router,
|
||||||
|
* which runs all the same commands.
|
||||||
|
*
|
||||||
* If the assertion below traps, pending queries are treated
|
* If the assertion below traps, pending queries are treated
|
||||||
* somehow wrong, or client is sending more queries before
|
* somehow wrong, or client is sending more queries before
|
||||||
* previous is received.
|
* previous is received.
|
||||||
@ -2722,8 +2725,9 @@ static void clientReply (
|
|||||||
|
|
||||||
CHK_GWBUF(bref->bref_pending_cmd);
|
CHK_GWBUF(bref->bref_pending_cmd);
|
||||||
|
|
||||||
if ((ret = bref->bref_dcb->func.write(bref->bref_dcb,
|
if ((ret = bref->bref_dcb->func.write(
|
||||||
gwbuf_clone(bref->bref_pending_cmd))) == 1)
|
bref->bref_dcb,
|
||||||
|
gwbuf_clone(bref->bref_pending_cmd))) == 1)
|
||||||
{
|
{
|
||||||
ROUTER_INSTANCE* inst = (ROUTER_INSTANCE *)instance;
|
ROUTER_INSTANCE* inst = (ROUTER_INSTANCE *)instance;
|
||||||
atomic_add(&inst->stats.n_queries, 1);
|
atomic_add(&inst->stats.n_queries, 1);
|
||||||
|