Bug #31244 NULL pointer dereference in net_clear()
Submitted: 27 Sep 2007 14:43 Modified: 28 Feb 2009 19:58
Reporter: Robert Obermeyer
Status: Duplicate
Category: MySQL Server: C API (client library) Severity: S2 (Serious)
Version: 5.0.45 and 5.1.21-beta OS: Any
Assigned to: CPU Architecture: Any

[27 Sep 2007 14:43] Robert Obermeyer
Description:
Using libmysql and prepared statements with many concurrent queries may lead to a NULL pointer dereference in net_clear(), line 294 of sql/net_serv.cc, if the server is gone.

After the server is gone, net->vio may be NULL, thus the following parameter to net_data_is_ready() causes a NULL pointer dereference and a segmentation fault.

294: while((ready= net_data_is_ready(net->vio->sd)) > 0)

How to repeat:
Use the mysql client library with prepared statements (don't know if it can happen without) and many concurrent queries. Then shut down the mysql server. In many (not all) cases a segmentation fault occurs.

Suggested fix:
At least the variables net and net->vio in net_clear() should be checked for NULL before using them. Maybe another problem elsewhere leads to the NULL pointer dereference.
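The crash site and the suggested NULL check side by side, as an added example in C that is not code from this report or from libmysql; the Vio/NET structs, the net_data_is_ready() stand-in backed by a constructed per-socket queue, and the CR_SERVER_GONE_ERROR value are simplified assumptions:

```c
#include <stddef.h>
#include <stdio.h>
#define CR_SERVER_GONE_ERROR 2006 /* libmysql's errno for a lost server (assumed) */
#define MAX_SD 16
int pending_bytes[MAX_SD];  /* constructed stand-in for socket receive queues */

/* Simplified, hypothetical stand-ins for libmysql's Vio and NET structures. */
typedef struct { int sd; } Vio;
typedef struct { Vio *vio; unsigned int last_errno; unsigned char error; } NET;
/* Stand-in for net_data_is_ready(): >0 while data is queued on sd. */
int net_data_is_ready(int sd)
{
    if (sd < 0 || sd >= MAX_SD) return -1;
    return pending_bytes[sd] > 0 ? 1 : 0;
}
void net_read_and_discard(int sd) { pending_bytes[sd]--; }
/* Shape of the loop at sql/net_serv.cc:294: net->vio is dereferenced unconditionally,
 * so a NET whose vio was cleared on disconnect crashes right here. */
int net_clear_unchecked(NET *net)
{
    int discarded = 0;
    while (net_data_is_ready(net->vio->sd) > 0) {
        net_read_and_discard(net->vio->sd);
        discarded++;
    }
    return discarded;
}
/* Hardened per the suggested fix: check net and net->vio before touching them. */
int net_clear_checked(NET *net)
{
    if (net == NULL) return -1;
    if (net->vio == NULL) {
        net->error = 2;                          /* flag the NET as errored */
        net->last_errno = CR_SERVER_GONE_ERROR;  /* record why, for the caller */
        return -1;
    }
    return net_clear_unchecked(net); /* safe: vio is known non-NULL here */
}

/* Runs a live and a gone connection; returns the errno recorded for the latter. */
unsigned int demo(void)
{
    Vio vio = { 3 };
    NET live = { &vio, 0, 0 }, gone = { NULL, 0, 0 };
    pending_bytes[3] = 4;                        /* constructed: 4 chunks queued */
    printf("live: discarded %d\n", net_clear_checked(&live));
    printf("gone: rc %d\n", net_clear_checked(&gone));
    return gone.last_errno;
}
int main(void) { return demo() == CR_SERVER_GONE_ERROR ? 0 : 1; }
```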
[27 Sep 2007 17:20] Valeriy Kravchuk
Thank you for the problem report. Please send the resolved stack trace from any of the segmentation faults you can cause this way.
[27 Sep 2007 19:17] Robert Obermeyer
Here it comes. #3 is part of my program.

[...]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x8056a00 (LWP 100119)]
0x281e9ab4 in net_clear (net=0x8064800) at net.c:227
227     {
(gdb) info stack
#0  0x281e9ab4 in net_clear (net=0x8064800) at net.c:227
#1  0x281c1a5f in cli_stmt_execute (stmt=0x8081000) at libmysql.c:2557
#2  0x281c4d96 in mysql_stmt_execute (stmt=0x8081000) at libmysql.c:2904
#3  0x281ae4cf in get_mysql_row (id=87, stmt=0x8081000, statement=0x281b1290,
    result=0xbf5f9aec) at program.c:254
[...]
[27 Sep 2007 19:19] Robert Obermeyer
This is the net parameter for net_clear(). vio = 0x0 causes the NULL pointer dereference and thus the segmentation fault.

(gdb) print *(NET *)0x8064800
$1 = {vio = 0x0, buff = 0x0, buff_end = 0x8076000 "",
  write_pos = 0x8074000 "\025", read_pos = 0x8074000 "\025", fd = 7,
  max_packet = 8192, max_packet_size = 1073741824, pkt_nr = 1,
  compress_pkt_nr = 0, write_timeout = 31536000, read_timeout = 31536000,
  retry_count = 1, fcntl = 0, compress = 0 '\0', remain_in_buf = 0,
  length = 0, buf_length = 0, where_b = 0, return_status = 0x0,
  reading_or_writing = 0 '\0', save_char = 0 '\0', no_send_ok = 0 '\0',
  no_send_eof = 0 '\0', no_send_error = 0 '\0',
  last_error = "Can't connect to local MySQL server through socket '/tmp/mysql.sock' (2)", '\0' <repeats 439 times>, sqlstate = "HY000", last_errno = 2002,
  error = 2 '\002', query_cache_query = 0x0, report_error = 0 '\0',
  return_errno = 0 '\0'}
[11 Dec 2007 11:29] Susanne Ebrecht
Please, can you add your test case here?
[12 Jan 2008 0:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[13 Feb 2008 17:42] Susanne Ebrecht
Verified by reading bk tree source code.
[23 Apr 2008 12:49] Simon Schmitz
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x2b47a67281a0 (LWP 12255)]
0x00002b47ac43cfb4 in net_clear () from /usr/lib/libmysqlclient.so.15
(gdb) bt
#0  0x00002b47ac43cfb4 in net_clear () from /usr/lib/libmysqlclient.so.15
#1  0x00002b47ac4122e8 in cli_stmt_execute () from /usr/lib/libmysqlclient.so.15
#2  0x00002b47ac411f15 in mysql_stmt_execute () from /usr/lib/libmysqlclient.so.15
#3  0x00002b47ac1867a8 in mysql_st_internal_execute41 ()
   from /usr/lib/perl5/auto/DBD/mysql/mysql.so
#4  0x00002b47ac18ba85 in mysql_st_execute () from /usr/lib/perl5/auto/DBD/mysql/mysql.so
#5  0x00002b47ac1929c7 in XS_DBD__mysql__st_execute () from /usr/lib/perl5/auto/DBD/mysql/mysql.so
#6  0x00002b47abd6b28f in XS_DBI_dispatch () from /usr/lib/perl5/auto/DBI/DBI.so
#7  0x00002b47a585fdd3 in Perl_pp_entersub () from /usr/lib/libperl.so.5.8
#8  0x00002b47a585e63e in Perl_runops_standard () from /usr/lib/libperl.so.5.8
#9  0x00002b47a5808eef in perl_run () from /usr/lib/libperl.so.5.8
#10 0x000000000040185c in main ()
[22 Jan 2009 21:16] Sveta Smirnova
There is related bug #33384.
[28 Feb 2009 19:58] Jim Winstead
This isn't just related to bug #33384, it's a duplicate. Although it was opened later, that report has more information and a suggested fix. We'll track it there.