Bug #27944 Filtering THD::client capabilities
Submitted: 19 Apr 2007 1:53 Modified: 31 Mar 2008 18:38
Reporter: Marc ALFF Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: General Severity:S3 (Non-critical)
Version:5.0.42-BK OS:Any
Assigned to: Andrey Hristov CPU Architecture:Any

[19 Apr 2007 1:53] Marc ALFF
Description:
In the handshake protocol between the server and a client,
- the server offers CLIENT_XXX capabilities supported in the server
- the client replies with the CLIENT_XXX capabilities supported in the client

In sql/sql_connect.cc (5.1) or sql/sql_parse.cc (5.0), in check_connection(),
the server:
- computes client_flags,
- sends a message to the client:
int2store(end, client_flags);
- reads the response from the handshake:

[1] thd->client_capabilities=uint2korr(net->read_pos);
[2] thd->client_capabilities|= ((ulong) uint2korr(net->read_pos+2)) << 16;

[1] and [2] are naive: it's trusting the client to actually honor
the client_flags advertised by the server in the handshake.

This code can be exploited to bypass:
- opt_using_transactions
- ssl_acceptor_fd
and claim arbitrary capabilities, exposing further the server to crashes.

How to repeat:
Found by code review

Suggested fix:
When offering client_flags, list all the capabilities supported
(a lot are missing)

When reading the client reply,
Add
thd->client_capabilities &= client_flags;
to filter out capabilities not offered by the server.

Also, consider renaming client_flags to server_flags.
[20 Apr 2007 14:46] Marc ALFF

 
[24 Jan 2008 19:21] Jim Winstead
Re-assigning to the correct team.
[26 Feb 2008 12:54] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/42983

ChangeSet@1.2578, 2008-02-26 13:54:26+01:00, andrey@whirlpool.hristov.com +2 -0
  Fix for Bug #27944 Filtering THD::client capabilities
  
  Add all CLIENT_ flags to a define and use ti to filter the client_capabilities.
[25 Mar 2008 15:17] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/44402

ChangeSet@1.2569, 2008-03-25 17:16:44+02:00, andrey@whirlpool.hristov.com +2 -0
  Fix for Bug #27944 Filtering THD::client capabilities
  
  Add all CLIENT_ flags to a define and use ti to filter the client_capabilities.
[25 Mar 2008 16:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/44412

ChangeSet@1.2569, 2008-03-25 18:03:53+02:00, andrey@whirlpool.hristov.com +2 -0
  Fix for Bug #27944 Filtering THD::client capabilities
  
  The server used to trust blindly information from the client about its capabilities.
  During the connection handshake the server sends information about what it supports and
  then the client sends back a set of capabilities which cover all of the server or less of them.
  Before this changeset the server didn't check whether the flags sent by the client were valid
  for the server. For example, if the server doesn't support compressed protocol but the client
  does and sends that bit turned on, the server didn't check it.
  The change make the server code less error prone to problems related to the value of THD::client_capabilities.
  
  Clearly there is no vulnerability being fixed but this is a maintainenance fix to prevent misusage in
  the future.
[25 Mar 2008 16:19] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/44415

ChangeSet@1.2569, 2008-03-25 18:18:58+02:00, andrey@whirlpool.hristov.com +2 -0
  Fix for Bug #27944 Filtering THD::client capabilities
  
  The server used to trust blindly information from the client about
  its capabilities. During the connection handshake the server sends
  information about what it supports and then the client sends back a
  set of capabilities which cover all of the server's or less.
  Before this changeset the server didn't check whether the flags sent
  by the client were valid for the server. For example, if the server
  doesn't support compressed protocol but the client does and sends that
  bit turned on, the server didn't check it. The change make the server code
  less error prone to problems related to the value of THD::client_capabilities.
  
  Clearly there is no vulnerability being fixed but this is a maintainenance
  fix to prevent misusage in the future.
[25 Mar 2008 19:40] Andrey Hristov
Queued to 5.1-bugteam
[31 Mar 2008 14:53] Bugs System
Pushed into 5.1.24-rc
[31 Mar 2008 18:32] Paul DuBois
No user-visible effects. No changelog entry needed.
[3 Apr 2008 13:02] Bugs System
Pushed into 6.0.5-alpha