Bug #28984 crasher on connect with out of range password length in protocol
Submitted: 8 Jun 2007 20:48 Modified: 26 Jun 2007 21:10
Reporter: Chad MILLER
Status: Closed
Category:Server: Parser Severity:S1 (Critical)
Version:4.1, 5.0, 5.1 OS:Any
Assigned to: Bugs System Target Version:
Tags: Security, DoS, crash

[8 Jun 2007 20:48] Chad MILLER 
Description:
Reported bug from Dormando on IRC.  He sends garbage in the packet and the server SEGVs. 
This is before auth.

How to repeat:
Send a password length byte greater than ordinal 127.

See demo program sent to security@ .

Suggested fix:
Cast the *passwd to uchar.
[8 Jun 2007 22:11] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28432

ChangeSet@1.2654, 2007-06-08 16:10:53-04:00, cmiller@zippy.cornsilk.net +1 -0
  Bug #28984: crasher on connect with out of range password length in \
  	protocol
  
  One could send a malformed packet that caused the server to SEGV.  In 
  recent versions of the password protocol, the client tells the server 
  what length the ciphertext is (almost always 20).  If that length was
  large enough to overflow a signed char, then the number would jump to 
  very large after being casted to unsigned int.
  
  Instead, cast the *passwd char to uchar.
[11 Jun 2007 22:04] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28524

ChangeSet@1.2486, 2007-06-11 16:03:05-04:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#28984: crasher on connect with out of range password length in \
  	protocol
  
  Update for function moved to new file in 5.1.
  
  One could send a malformed packet that caused the server to SEGV.  In 
  recent versions of the password protocol, the client tells the server 
  what length the ciphertext is (almost always 20).  If that length was
  large enough to overflow a signed char, then the number would jump to 
  very large after being casted to unsigned int.
    
  Instead, cast the *passwd char to uchar.
[12 Jun 2007 14:48] Bugs System 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28573

ChangeSet@1.2666, 2007-06-12 08:47:36-04:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#28984: crasher on connect with out of range password length in \
  	protocol
  
  Fixed duplicated code, same as last commit.
  
  One could send a malformed packet that caused the server to SEGV.  In 
  recent versions of the password protocol, the client tells the server 
  what length the ciphertext is (almost always 20).  If that length was
  large enough to overflow a signed char, then the number would jump to 
  very large after being casted to unsigned int.
  
  Instead, cast the *passwd char to uchar.
[16 Jun 2007 6:50] Bugs System 
Pushed into 5.0.44
[16 Jun 2007 6:50] Bugs System 
Pushed into 5.1.20-beta
[25 Jun 2007 8:13] Bugs System 
Pushed into 4.1.24
[26 Jun 2007 21:10] Paul DuBois 
Noted in 4.1.24, 5.0.44, 5.1.20 changelogs.

A malformed password packet in the connection protocol could cause 
the server to crash.
[10 Jul 2007 15:29] Bugs System 
Pushed into 4.1.24
[20 Jul 2007 18:09] Paul DuBois 
CVE number has been assigned:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3780