Bug #101971 The net_length_size function the Session tracker uses has a bug that crashes the client
Submitted: 11 Dec 2020 3:59
Modified: 11 Dec 2020 12:32
Reporter: ggwdwsbs W
Status: Verified
Impact on me: None
Category: MySQL Server: Command-line Clients
Severity: S3 (Non-critical)
Version: 8.0.22, 5.7.32
OS: Any
Assigned to:
CPU Architecture: Any

[11 Dec 2020 3:59] ggwdwsbs W
Description:
The net_length_size function the Session tracker uses has a bug; it will cause a client crash.

You get the byte length of a number using the net_length_size function (pack.cc:160). If number < 252 you return 1 byte, so number '251' will return 1.

But when encoding a number using net_store_length, you give number '251' 3 bytes. It is longer than the length you prep_append, which is 1 byte.

So the OK packet gets wrong and the client has trouble decoding it.

This bug may affect other places, such as log_event.h or handler_connection_attributes.cc.

How to repeat:
Set a system variable tracked by the sys_var session tracker, and make the total length encoded in the OK packet exactly 251.

Use the following test case to repeat it:

set session_track_system_variables = "12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678,session_track_system_variables";

Suggested fix:
Fix the net_length_size function to: if (num < (ulonglong)251LL) return 1;
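The length-prefix mismatch the report describes, as an added example (not code from the report or from the MySQL source tree): a minimal encoder in the length-encoded integer layout that net_store_length produces, the size function with the boundary the report describes next to the corrected one, and a check that compares the two against what the encoder actually writes. Function names mirror the ones in the report; the bodies are reconstructed assumptions.

```c
#include <stddef.h>

typedef unsigned long long ulonglong;
typedef unsigned char uchar;

/* Writes num in length-encoded form and returns the position after it.
   251 (0xFB) is reserved as the NULL marker, so 251 itself needs the
   3-byte form: prefix 0xFC followed by a 2-byte little-endian value. */
static uchar *net_store_length(uchar *packet, ulonglong length) {
  int n, i;
  if (length < 251ULL) { *packet = (uchar)length; return packet + 1; }
  if (length < 65536ULL)    { *packet++ = 0xFC; n = 2; }
  else if (length < 16777216ULL) { *packet++ = 0xFD; n = 3; }
  else                      { *packet++ = 0xFE; n = 8; }
  for (i = 0; i < n; i++) packet[i] = (uchar)((length >> (8 * i)) & 0xFF);
  return packet + n;
}

/* Size function with the off-by-one the report describes: 251 -> 1 byte. */
static unsigned net_length_size_buggy(ulonglong num) {
  if (num < 252ULL) return 1;
  if (num < 65536ULL) return 3;
  if (num < 16777216ULL) return 4;
  return 9;
}

/* Boundary corrected as in the suggested fix: 251 -> 3 bytes. */
static unsigned net_length_size_fixed(ulonglong num) {
  if (num < 251ULL) return 1;
  if (num < 65536ULL) return 3;
  if (num < 16777216ULL) return 4;
  return 9;
}

/* Number of bytes the encoder really emits for num. */
static size_t encoded_size(ulonglong num) {
  uchar buf[9];
  return (size_t)(net_store_length(buf, num) - buf);
}

/* 1 if the size function agrees with the encoder for num, else 0. A 0 here
   is the condition that overruns the reserved space in the OK packet. */
static int size_matches(unsigned (*size_fn)(ulonglong), ulonglong num) {
  return size_fn(num) == encoded_size(num);
}

/* Sweeps [lo, hi] and returns the first value where size_fn disagrees with
   the encoder, or 0 if none does. */
static ulonglong first_mismatch(unsigned (*size_fn)(ulonglong),
                                ulonglong lo, ulonglong hi) {
  ulonglong v;
  for (v = lo; v <= hi; v++) if (!size_matches(size_fn, v)) return v;
  return 0;
}
```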
[11 Dec 2020 8:47] andy zhang
The same problem exists on 5.7 also.
[11 Dec 2020 12:32] MySQL Verification Team
Hello!

Thank you for the report and feedback.
Observed that 8.0.22 is affected.

regards,
Umesh
[15 Dec 2020 7:52] sifang Zhao
Seems like the same problem in this PR:
https://github.com/mysql/mysql-server/pull/311