| Bug #37915 | COM_STMT_EXECUTE can be tricked into reading invalid memory | | |
|---|---|---|---|
| Submitted: | 7 Jul 2008 7:58 | Modified: | 7 Jul 2008 20:22 |
| Reporter: | Jan Kneschke | | |
| Status: | Not a Bug | | |
| Category: | MySQL Server | Severity: | S3 (Non-critical) |
| Version: | 5.0.51b | OS: | Any |
| Assigned to: | | CPU Architecture: | Any |
[7 Jul 2008 20:22] Konstantin Osipov

This is intentional. We always know that the packet is bigger and are saving on one if. I know it sounds insane, but this is how this code was written, I verified it works, and have no intention to change what's not broken -- in many other places in the server we do the same when parsing the input packet.
[8 Jul 2008 12:31] Jan Kneschke

The "suggested fix" section contains the "buggy code section". The real suggested fix is:

* check the length before using the data, and
* return an error packet or close the connection

Description:

An empty COM_STMT_EXECUTE command leads to access of invalid memory.

How to repeat:

```
09:22:02.487155 writev(9, [{"\1\0\0\0\27", 5}], 1) = 5
09:22:02.489021 recvfrom(9, "R\0\0\1\377\333\4#HY000Unknown prepared statement handler (16777216) given to mysql_stmt_execute", 86, 0, NULL, NULL) = 86
```

16777216 isn't a provided stmt-id.

Suggested fix:

sql_prepare.cc (mysql_stmt_execute())

```cpp
ulong stmt_id= uint4korr(packet);
ulong flags= (ulong) packet[4];
packet+= 9;
...
```
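A length-checked version of that header parse, as an added example (not MySQL's source; the function and struct names are made up), implementing the check the reporter asks for: refuse a COM_STMT_EXECUTE payload shorter than the 9 fixed bytes before reading stmt_id and flags.

```c
#include <stdint.h>
#include <stdio.h>

/* Little-endian 4-byte read, equivalent to MySQL's uint4korr() macro.
   Added example with hypothetical names; not the server's own code. */
static uint32_t read_u32_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Fixed part of a COM_STMT_EXECUTE payload after the command byte:
   4 bytes stmt_id, 1 byte flags, 4 bytes iteration count = 9 bytes,
   the "packet+= 9" in the snippet above. */
#define STMT_EXECUTE_HEADER_LEN 9

struct stmt_execute_header {
    uint32_t stmt_id;
    uint8_t  flags;
    uint32_t iteration_count;
    size_t   params_len;   /* bytes left for null bitmap, types, values */
};

/* Length-checked parse: 0 on success, -1 if the payload is too short, so
   the caller can send an error packet or close the connection instead of
   reading past the payload as an unconditional uint4korr(packet) would. */
int parse_stmt_execute(const unsigned char *packet, size_t len,
                       struct stmt_execute_header *h)
{
    if (packet == NULL || len < STMT_EXECUTE_HEADER_LEN)
        return -1;
    h->stmt_id = read_u32_le(packet);
    h->flags = packet[4];
    h->iteration_count = read_u32_le(packet + 5);
    h->params_len = len - STMT_EXECUTE_HEADER_LEN;
    return 0;
}

int main(void)
{
    /* Constructed payloads: a well-formed one (stmt_id 1, flags 0,
       iteration count 1) and the empty one from the strace above. */
    const unsigned char ok[] = {0x01, 0, 0, 0, 0x00, 0x01, 0, 0, 0};
    struct stmt_execute_header h;
    int rc = parse_stmt_execute(ok, sizeof ok, &h);
    printf("well-formed: rc=%d stmt_id=%u\n", rc, (unsigned)h.stmt_id);
    printf("empty payload: rc=%d\n", parse_stmt_execute(ok, 0, &h));
    return 0;
}
```

The bytes 00 00 00 01 read little-endian give 0x01000000 = 16777216, the "statement handler" the server reported in the strace.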