| Bug #101448 | when the input of net_length_size is 251, the return should be 3 | | |
|---|---|---|---|
| Submitted: | 4 Nov 2020 2:30 | Modified: | 12 Nov 2020 13:02 |
| Reporter: | sifang Zhao (OCA) | Email Updates: | |
| Status: | Closed | Impact on me: | |
| Category: | MySQL Server: Connection Handling | Severity: | S3 (Non-critical) |
| Version: | 8.0 | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[4 Nov 2020 13:11]
MySQL Verification Team
Hi Mr. Zhao, Thank you for your bug report. However, this is not a bug. This part of the code was written in the mid-1990s, since when it has worked without any problems. It seems to me that you have mixed up the network buffer length with the field buffer length. Actually, NULL is a valid value for the fields in the result set. Not a bug.
[4 Nov 2020 13:35]
MySQL Verification Team
Hi Mr. Zhao, After further analysis, we concluded that you are correct. Verified as reported. Thank you very much!!!
[17 Nov 2020 18:49]
Paul DuBois
Posted by developer: Fixed in 8.0.23. A potential buffer overflow was fixed. Thanks to Sifang Zhao for pointing out the issue, and for suggesting a fix (although it was not used).
[18 Nov 2020 12:33]
MySQL Verification Team
Thank you, Paul.

Description: The implementation of net_length_size might be wrong when the input num is 251. Since 251 is reserved for NULL, when 251 is the input of net_store_length's 2nd parameter (i.e. length), it stores 252 in the first byte of the buffer and stores 251 in the next 2 bytes. I checked one usage in Session_gtids_ctx_encoder_string::encode, where the calculated len is used to prepare the buffer (buf.prep_append). So I think that in very rare conditions the code might cause a buffer overflow.

How to repeat: I read the logic of the code; no sufficient test case is available.

Suggested fix: uint net_length_size(ulonglong num) { - if (num < (ulonglong)252LL) return 1; + if (num < (ulonglong)251LL) return 1; if (num < (ulonglong)65536LL) return 3; if (num < (ulonglong)16777216LL) return 4; return 9; }
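Review bot: the `-`/`+` pair lowering the first threshold from 252 to 251 is the right boundary, because it makes net_length_size agree with net_store_length at exactly 251: as the description states, the writer emits a 252 prefix followed by two bytes for 251, while the old predictor returned 1, so a caller that sizes a buffer from net_length_size and then writes with net_store_length is two bytes short at that one value. Since "How to repeat" says no test case is available, suggest accompanying the change with a boundary test that asserts net_length_size(n) equals the number of bytes net_store_length writes for n in {250, 251, 252} and at the 65536 and 16777216 thresholds, so the two functions cannot drift apart again (per the developer comment, the shipped fix took a different form, but the same test applies to it).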
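To make the mismatch concrete, here is an added example (not MySQL's code): a writer with the same byte layout the report describes for net_store_length (1 byte below 251, 252/253/254 prefixes for 2/3/8-byte values, 251 reserved for NULL), the size predictor before and after the suggested threshold change, and a boundary check that compares predicted size against bytes actually written. The little-endian helper `le_store` is assumed in place of the server's intNstore macros.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian store; stands in for MySQL's int2store/int3store/int8store (assumption). */
static void le_store(uint8_t *p, uint64_t v, int nbytes) {
  for (int i = 0; i < nbytes; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Length-encoded integer writer with the layout described in the report.
   251 (0xFB) is the NULL marker, so 251 as a length needs the 252 prefix + 2 bytes. */
uint8_t *net_store_length(uint8_t *packet, uint64_t length) {
  if (length < 251ULL) { *packet = (uint8_t)length; return packet + 1; }
  if (length < 65536ULL) { *packet++ = 252; le_store(packet, length, 2); return packet + 2; }
  if (length < 16777216ULL) { *packet++ = 253; le_store(packet, length, 3); return packet + 3; }
  *packet++ = 254; le_store(packet, length, 8); return packet + 8;
}

/* Size predictor as reported (pre-fix): the 252 threshold disagrees with the writer at 251. */
unsigned net_length_size_before_fix(uint64_t num) {
  if (num < 252ULL) return 1;
  if (num < 65536ULL) return 3;
  if (num < 16777216ULL) return 4;
  return 9;
}

/* Size predictor with the reporter's suggested 251 threshold. */
unsigned net_length_size_fixed(uint64_t num) {
  if (num < 251ULL) return 1;
  if (num < 65536ULL) return 3;
  if (num < 16777216ULL) return 4;
  return 9;
}

/* Number of bytes the writer really emits for num (9 is the maximum). */
unsigned bytes_written(uint64_t num) {
  uint8_t buf[9];
  return (unsigned)(net_store_length(buf, num) - buf);
}

/* 1 if the predictor agrees with the writer at every encoding boundary, else 0. */
int predictor_matches_writer(unsigned (*predict)(uint64_t)) {
  const uint64_t probes[] = {0, 250, 251, 252, 65535, 65536, 16777215, 16777216, UINT64_MAX};
  for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
    if (predict(probes[i]) != bytes_written(probes[i])) return 0;
  return 1;
}

int main(void) {
  printf("251: predicted %u before fix, %u after fix, actually written %u\n",
         net_length_size_before_fix(251), net_length_size_fixed(251), bytes_written(251));
  return 0;
}
```

A buffer sized from the pre-fix predictor holds one byte for a length of 251, while the writer emits three; the boundary check is what the report's "How to repeat" section lacked.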