Bug #16365 Prepared Statements: DoS with too many open statements
Submitted: 11 Jan 2006 10:25 Modified: 27 Apr 2006 12:48
Reporter: Konstantin Osipov (OCA) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Prepared statements Severity:S2 (Serious)
Version:4.1 OS:Any (All)
Assigned to: Konstantin Osipov CPU Architecture:Any

[11 Jan 2006 10:25] Konstantin Osipov
Description:
There is no limit as to how many statements can be open per connection or MySQL server. That can lead to a Denial Of Server attack, as the server will crash with OOM (out of memory) when the amount of statements becomes gigantic.
The solution is to add a global server variable max_stmt_count that would limit the total amount of prepared statements (and cursors) per server. 
The default value of the variable shall be 16382 (average size of a statement is 80k, so this number limits the total possible amount of consumed memory with 1.3G)

How to repeat:
See description.
[24 Mar 2006 15:38] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/4126
[7 Apr 2006 19:39] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/4658
[10 Apr 2006 9:52] Konstantin Osipov
Pushed into 4.1.19 and merged into 5.0.21
[21 Apr 2006 17:53] Trudy Pelzer
Fix merged into 5.1.10.
[27 Apr 2006 12:40] Paul DuBois
Noted in 4.1.19, 5.0.21, 5.1.10 changelogs.

<emphasis role="bold">Security enhancement</emphasis>: Added
the global <literal>max_prepared_stmt_count</literal> system
variable to limit the total number of prepared statements in
the server. This limits the potential for denial-of-service
attacks based on running the server out of memory by preparing
huge numbers of statements. The current number of prepared
statements is available through the
<literal>prepared_stmt_count</literal> system variable. (Bug
#16365)

Also updated the list of system variables in the database
administration chapter.