Bug #101448 when the input of net_length_size is 251, the return should be 3
Submitted: 4 Nov 2020 2:30 Modified: 12 Nov 2020 13:02
Reporter: sifang Zhao (OCA) Email Updates:
Status: Closed Impact on me: None
Category:MySQL Server: Connection Handling Severity:S3 (Non-critical)
Version:8.0 OS:Any
Assigned to: CPU Architecture:Any

[4 Nov 2020 2:30] sifang Zhao
Description:
The implementation of net_length_size might be wrong when the input num is 251.

Since 251 is reserved for NULL, when 251 is the input of net_store_length's 2nd parameter (i.e. length), it stores 252 in the first byte of the buffer and stores 251 in the next 2 bytes.

I checked one usage in Session_gtids_ctx_encoder_string::encode, where the calculated len is used to prepare the buffer (buf.prep_append).

So I think that under very rare conditions the code might cause a buffer overflow.

How to repeat:
I read the logic of the code; no sufficient test case is available.

Suggested fix:
uint net_length_size(ulonglong num) {
- if (num < (ulonglong)252LL) return 1;
+ if (num < (ulonglong)251LL) return 1;
  if (num < (ulonglong)65536LL) return 3;
  if (num < (ulonglong)16777216LL) return 4;
  return 9;
}
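Review bot: The threshold change on the `-`/`+` lines is consistent with the writer described above: because 251 is the NULL marker, net_store_length emits the prefix byte 252 plus 2 bytes for length 251, so net_length_size must return 3 for 251, and the remaining thresholds (65536 and 16777216) already match the 3- and 4-byte cases. Since "How to repeat" notes that no test case exists, the patch would be stronger with a unit test that walks the boundary values (250, 251, 252, 65535, 65536, 16777215, 16777216) and asserts `net_length_size(n) == net_store_length(buf, n) - buf` for each, so the predictor and the writer cannot drift apart again.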
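To make the mismatch concrete, here is an added C example; it is not MySQL's source and not the reporter's code. It reimplements the byte layout the description gives (1 byte below 251; prefix 252 plus 2 bytes below 65536; prefix 253 plus 3 bytes below 16777216; prefix 254 plus 8 bytes otherwise), places the quoted net_length_size next to the proposed one, and counts how many boundary inputs each predictor gets wrong. The names lenenc_store, bytes_written and count_mismatches are assumptions for the example, not MySQL identifiers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t ulonglong;

/* Hypothetical reimplementation of the length-encoded integer writer
   described in the report (not MySQL's net_store_length). Values below 251
   take one byte; 251 is reserved as the NULL marker, so 251..65535 are
   written as prefix 252 plus two little-endian bytes, 65536..2^24-1 as
   prefix 253 plus three bytes, anything larger as prefix 254 plus eight. */
static unsigned char *lenenc_store(unsigned char *p, ulonglong n) {
  if (n < 251ULL) {
    *p++ = (unsigned char)n;
    return p;
  }
  if (n < 65536ULL) {
    *p++ = 252;
    for (int i = 0; i < 2; i++) *p++ = (unsigned char)((n >> (8 * i)) & 0xff);
    return p;
  }
  if (n < 16777216ULL) {
    *p++ = 253;
    for (int i = 0; i < 3; i++) *p++ = (unsigned char)((n >> (8 * i)) & 0xff);
    return p;
  }
  *p++ = 254;
  for (int i = 0; i < 8; i++) *p++ = (unsigned char)((n >> (8 * i)) & 0xff);
  return p;
}

/* Size predictor as quoted in the report before the fix: the first
   threshold is off by one, so 251 is predicted to need 1 byte. */
static unsigned net_length_size_buggy(ulonglong num) {
  if (num < 252ULL) return 1;
  if (num < 65536ULL) return 3;
  if (num < 16777216ULL) return 4;
  return 9;
}

/* Size predictor with the threshold the report proposes. */
static unsigned net_length_size_fixed(ulonglong num) {
  if (num < 251ULL) return 1;
  if (num < 65536ULL) return 3;
  if (num < 16777216ULL) return 4;
  return 9;
}

/* Bytes the writer actually emits for n (9 is the maximum encoding). */
static size_t bytes_written(ulonglong n) {
  unsigned char buf[9];
  return (size_t)(lenenc_store(buf, n) - buf);
}

/* Number of boundary inputs for which a predictor disagrees with the
   writer. A non-zero result means a caller that sizes its buffer with
   that predictor can under-allocate and the writer will run past it. */
static int count_mismatches(unsigned (*size_fn)(ulonglong)) {
  static const ulonglong probes[] = {0,     250,      251,      252,       65535,
                                     65536, 16777215, 16777216, UINT64_MAX};
  int bad = 0;
  for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
    if (size_fn(probes[i]) != bytes_written(probes[i])) bad++;
  return bad;
}

int main(void) {
  printf("buggy predictor: %d mismatch(es); predicts %u byte(s) for 251, "
         "writer emits %zu\n",
         count_mismatches(net_length_size_buggy),
         net_length_size_buggy(251), bytes_written(251));
  printf("fixed predictor: %d mismatch(es)\n",
         count_mismatches(net_length_size_fixed));
  return 0;
}
```

Run as-is it reports one mismatch for the quoted predictor (input 251, predicted 1 byte, 3 written) and none for the proposed one; the same probe table is the kind of boundary check a regression test for this function should carry.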
[4 Nov 2020 13:11] MySQL Verification Team
Hi Mr. Zhao,

Thank you for your bug report.

However, this is not a bug. This part of the code was written in the mid-1990's and has worked without any problems since.

Seems to me that you have mixed network buffer length with field buffer length. Actually NULL is a valid value for the fields in the result set.

Not a bug.
[4 Nov 2020 13:35] MySQL Verification Team
Hi Mr. Zhao,

After further analysis, we concluded that you are correct.

Verified as reported.

Thank you very much!!!
[17 Nov 2020 18:49] Paul DuBois
Posted by developer:
 
Fixed in 8.0.23.

A potential buffer overflow was fixed. Thanks to Sifang Zhao for
pointing out the issue, and for suggesting a fix (although it was not
used).
[18 Nov 2020 12:33] MySQL Verification Team
Thank you, Paul.