Bug #28984 crasher on connect with out of range password length in protocol
Submitted: 8 Jun 2007 18:48 Modified: 26 Jun 2007 19:10
Reporter: Chad MILLER
Status: Closed
Category: MySQL Server: Parser
Severity: S1 (Critical)
Version: 4.1, 5.0, 5.1
OS: Any
Assigned to: Chad MILLER
Tags: crash, DoS, Security

[8 Jun 2007 18:48] Chad MILLER
Description:
Reported bug from Dormando on IRC.  He sends garbage in the packet and the server SEGVs.  This is before auth.

How to repeat:
Send a password length byte greater than ordinal 127.

See demo program sent to security@ .

Suggested fix:
Cast the *passwd to uchar.
[8 Jun 2007 20:11] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28432

ChangeSet@1.2654, 2007-06-08 16:10:53-04:00, cmiller@zippy.cornsilk.net +1 -0
  Bug #28984: crasher on connect with out of range password length in protocol

  One could send a malformed packet that caused the server to SEGV.  In
  recent versions of the password protocol, the client tells the server
  what length the ciphertext is (almost always 20).  If that length was
  large enough to overflow a signed char, then the number would jump to
  very large after being cast to unsigned int.

  Instead, cast the *passwd char to uchar.
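The sign-extension mechanism the commit message describes, as an added C example that is not part of the bug report or of the MySQL source: `decode_len_buggy` models the pre-fix read of the length byte through a signed char (plain `char` is signed on the x86 builds the report concerns; the example uses `signed char` explicitly so the result is the same on every platform), `decode_len_fixed` applies the cast to `uchar` that the fix names, and `parse_password_field` adds the bounds check a packet parser should make before trusting a declared length, since even a correctly decoded length of up to 255 can exceed the bytes actually received. Function names and the sample packets are assumptions constructed for the example; the field layout (one length byte followed by that many ciphertext bytes) follows the commit message.

```c
#include <stddef.h>
#include <stdio.h>

typedef unsigned char uchar;

/* Pre-fix behaviour (reconstructed from the commit message, not the MySQL
 * source): the length byte is read through a signed char and widened to
 * unsigned int, so any byte >= 0x80 sign-extends to a value near 4 billion.
 * signed char is used explicitly so the result is identical on platforms
 * where plain char is unsigned. */
unsigned int decode_len_buggy(const char *passwd)
{
    return (unsigned int)*(const signed char *)passwd;
}

/* Fixed behaviour: widen through uchar, so the byte is taken as 0..255. */
unsigned int decode_len_fixed(const char *passwd)
{
    return (unsigned int)(uchar)*passwd;
}

/* Parse "length byte + ciphertext" from a received packet of pkt_len bytes.
 * Returns the ciphertext length (0..255) and sets *out/*out_len, or returns -1
 * when the packet is shorter than what it declares. A hostile length byte is
 * then rejected instead of driving a read past the end of the packet buffer. */
int parse_password_field(const char *pkt, size_t pkt_len,
                         const uchar **out, size_t *out_len)
{
    if (pkt == NULL || pkt_len < 1)
        return -1;
    unsigned int len = decode_len_fixed(pkt);
    if (len > pkt_len - 1)
        return -1;                 /* declared length exceeds remaining bytes */
    *out = (const uchar *)pkt + 1;
    *out_len = len;
    return (int)len;
}

/* Constructed sample packets (not captured traffic): one length byte followed
 * by 20 bytes of stand-in ciphertext. The second declares 200 bytes (0xC8) but
 * carries only 20, the shape of the malformed packet in the report. */
static const char GOOD_PKT[] = "\x14" "0123456789abcdefghij";
static const char BAD_PKT[]  = "\xC8" "0123456789abcdefghij";
#define GOOD_PKT_LEN (sizeof(GOOD_PKT) - 1)
#define BAD_PKT_LEN  (sizeof(BAD_PKT) - 1)

int main(void)
{
    const uchar *ct;
    size_t ct_len;

    printf("length byte 0x14: buggy=%u fixed=%u\n",
           decode_len_buggy(GOOD_PKT), decode_len_fixed(GOOD_PKT));
    printf("length byte 0xC8: buggy=%u fixed=%u\n",
           decode_len_buggy(BAD_PKT), decode_len_fixed(BAD_PKT));
    printf("parse good packet: %d\n",
           parse_password_field(GOOD_PKT, GOOD_PKT_LEN, &ct, &ct_len));
    printf("parse bad packet:  %d\n",
           parse_password_field(BAD_PKT, BAD_PKT_LEN, &ct, &ct_len));
    return 0;
}
```

For the 0xC8 byte the buggy decode yields 4294967240 (0xFFFFFFC8) where the fixed one yields 200; any copy driven by the former runs off the end of the packet, which is the SEGV the report describes. The remaining-bytes check in `parse_password_field` is the part the cast alone does not give you.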
[11 Jun 2007 20:04] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28524

ChangeSet@1.2486, 2007-06-11 16:03:05-04:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#28984: crasher on connect with out of range password length in protocol

  Update for function moved to new file in 5.1.

  One could send a malformed packet that caused the server to SEGV.  In
  recent versions of the password protocol, the client tells the server
  what length the ciphertext is (almost always 20).  If that length was
  large enough to overflow a signed char, then the number would jump to
  very large after being cast to unsigned int.

  Instead, cast the *passwd char to uchar.
[12 Jun 2007 12:48] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/28573

ChangeSet@1.2666, 2007-06-12 08:47:36-04:00, cmiller@zippy.cornsilk.net +1 -0
  Bug#28984: crasher on connect with out of range password length in protocol

  Fixed duplicated code, same as last commit.

  One could send a malformed packet that caused the server to SEGV.  In
  recent versions of the password protocol, the client tells the server
  what length the ciphertext is (almost always 20).  If that length was
  large enough to overflow a signed char, then the number would jump to
  very large after being cast to unsigned int.

  Instead, cast the *passwd char to uchar.
[16 Jun 2007 4:50] Bugs System
Pushed into 5.0.44
[16 Jun 2007 4:50] Bugs System
Pushed into 5.1.20-beta
[25 Jun 2007 6:13] Bugs System
Pushed into 4.1.24
[26 Jun 2007 19:10] Paul Dubois
Noted in 4.1.24, 5.0.44, 5.1.20 changelogs.

A malformed password packet in the connection protocol could cause 
the server to crash.
[10 Jul 2007 13:29] Bugs System
Pushed into 4.1.24
[20 Jul 2007 16:09] Paul Dubois
CVE number has been assigned:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3780