Bug #37917 COM_STMT_CLOSE can be tricked to read invalid memory
Submitted: 7 Jul 2008 8:40 Modified: 17 Jul 2008 11:15
Reporter: Jan Kneschke
Status: Won't fix
Category: MySQL Server    Severity: S3 (Non-critical)
Version: 5.0.51a    OS: Any
Assigned to: (none)    CPU Architecture: Any

[7 Jul 2008 8:40] Jan Kneschke
Description:
mysql_stmt_close() reads 4 bytes from the network buffer without checking that enough bytes were provided.

This is related to http://bugs.mysql.com/37916

How to repeat:
read sql_prepare.cc

  @note
    we don't send any reply to this command.

  void mysql_stmt_close(THD *thd, char *packet)
  {
    /* There is always space for 4 bytes in packet buffer */
    ulong stmt_id= uint4korr(packet);

Suggested fix:
* add packet_len parameter
* check if there are at least 4 bytes in the packet
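The pattern the report describes, and the suggested length check, written out as an added example. This is not code from the bug report or from the MySQL source: the function names, the uint4korr_le helper (which mirrors what MySQL's uint4korr macro does on little-endian input) and the packet builder are mine. The only protocol fact assumed beyond the report is that COM_STMT_CLOSE is command byte 0x19 and that a client packet carries a 3-byte little-endian payload length and a sequence byte before the command. The stale-buffer demonstration constructs a network buffer pre-filled with bytes from an imaginary earlier packet to show what an unchecked read returns when the client sends only one byte of statement id.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command byte for COM_STMT_CLOSE in the MySQL client/server protocol. */
#define COM_STMT_CLOSE 0x19

/* Little-endian 4-byte read, same result as MySQL's uint4korr macro. */
static uint32_t uint4korr_le(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pattern from the report: the id is read with no length check. Whatever
 * happens to sit in the buffer after the client's data is used as the id. */
static uint32_t stmt_close_unchecked(const unsigned char *packet)
{
    return uint4korr_le(packet);
}

/* Suggested fix: take the payload length and refuse packets shorter than 4.
 * Returns 0 on success, -1 when the packet is too short. */
static int stmt_close_checked(const unsigned char *packet, size_t packet_len,
                              uint32_t *stmt_id)
{
    if (packet_len < 4)
        return -1;
    *stmt_id = uint4korr_le(packet);
    return 0;
}

/* Build a COM_STMT_CLOSE wire packet: 3-byte LE payload length, sequence
 * byte, command byte, then id_bytes (0..4) bytes of the statement id.
 * id_bytes < 4 produces the truncated packet a hostile client could send.
 * Returns the total packet size, or 0 if it does not fit. */
static size_t build_stmt_close(unsigned char *out, size_t out_len,
                               uint32_t stmt_id, size_t id_bytes)
{
    size_t payload_len = 1 + id_bytes;
    if (id_bytes > 4 || out_len < 4 + payload_len)
        return 0;
    out[0] = (unsigned char)(payload_len & 0xff);
    out[1] = (unsigned char)((payload_len >> 8) & 0xff);
    out[2] = (unsigned char)((payload_len >> 16) & 0xff);
    out[3] = 0; /* sequence id */
    out[4] = COM_STMT_CLOSE;
    for (size_t i = 0; i < id_bytes; i++)
        out[5 + i] = (unsigned char)((stmt_id >> (8 * i)) & 0xff);
    return 4 + payload_len;
}

/* Server-side handling of a raw packet with the fix applied: validate the
 * header, then pass the payload length down to the command handler.
 * Returns 0 on success, -1 on a malformed or unexpected packet. */
static int dispatch_packet(const unsigned char *buf, size_t buf_len,
                           uint32_t *stmt_id)
{
    if (buf_len < 5)
        return -1;
    size_t payload_len = (size_t)buf[0] | ((size_t)buf[1] << 8) |
                         ((size_t)buf[2] << 16);
    if (payload_len < 1 || payload_len > buf_len - 4)
        return -1;
    if (buf[4] != COM_STMT_CLOSE)
        return -1;
    return stmt_close_checked(buf + 5, payload_len - 1, stmt_id);
}

/* Constructed scenario: the network buffer still holds 0xAA bytes from an
 * earlier packet, and the client sends a COM_STMT_CLOSE whose payload is a
 * single id byte 0x07. The unchecked read mixes that byte with stale ones. */
static uint32_t demo_stale_read(void)
{
    unsigned char netbuf[16];
    memset(netbuf, 0xAA, sizeof netbuf);
    netbuf[0] = 0x07; /* the only byte the client actually sent */
    return stmt_close_unchecked(netbuf);
}

int main(void)
{
    unsigned char pkt[32];
    uint32_t id = 0;
    size_t n = build_stmt_close(pkt, sizeof pkt, 0x12345678u, 4);
    printf("full packet: rc=%d id=0x%08x\n", dispatch_packet(pkt, n, &id), id);
    n = build_stmt_close(pkt, sizeof pkt, 0x78u, 1);
    printf("truncated packet: rc=%d\n", dispatch_packet(pkt, n, &id));
    printf("unchecked read of truncated payload: 0x%08x\n", demo_stale_read());
    return 0;
}
```

The unchecked path returns an id assembled from one real byte and three stale ones, which is the "invalid memory" of the title even when, as the closing comment notes, the buffer itself is allocated; the checked path rejects the same packet before touching those bytes.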
[17 Jul 2008 11:15] Konstantin Osipov
Closing on the same premise as Bug#37915 -- the buffer is allocated and it's "okay" to look at uninitialized data in this case.