Bug #55322 SHOW BINLOG EVENTS increases @@SESSION.MAX_ALLOWED_PACKET
Submitted: 16 Jul 2010 15:12 Modified: 14 Oct 2010 12:33
Reporter: Sven Sandberg Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server: Replication Severity:S1 (Critical)
Version:5.1+ OS:Any
Assigned to: Sven Sandberg
Tags: max_allowed_packet, SHOW BINLOG EVENTS
Triage: Triaged: D2 (Serious)

[16 Jul 2010 15:12] Sven Sandberg
Description:
When SHOW BINLOG EVENTS is executed, it increases the value of @@SESSION.MAX_ALLOWED_PACKET. The value is not restored at the end of SHOW BINLOG EVENTS.

How to repeat:
SELECT @@max_allowed_packet;
SHOW BINLOG EVENTS;
SELECT @@max_allowed_packet;
SHOW BINLOG EVENTS;
SELECT @@max_allowed_packet;

Suggested fix:
1. It looks strange to increase max_allowed_packet in the first place. Maximum is maximum, and automatically increasing it because a query may return something bigger defats the purpose of having a maximum. We should consider if it is better to not change it at all.

2. If there is a good reason to increase max_allowed_packet, then we should restore it at the end of the statement.
[19 Jul 2010 14:29] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/113867

3412 Sven Sandberg	2010-07-19
      BUG#55322: SHOW BINLOG EVENTS increases @@SESSION.MAX_ALLOWED_PACKET
      Problem: when SHOW BINLOG EVENTS was issued, it increased the value of
      @@session.max_allowed_packet. This allowed a non-root user to increase
      the amount of memory used by her thread arbitrarily. Thus, it removes
      the bound on the amount of system resources used by a client, so it
      presents a security risk (DoS attack).
      Fix: it is correct to increase the value of @@session.max_allowed_packet
      while executing SHOW BINLOG EVENTS (see BUG 30345). However, the
      increase should only be temporary. Thus, the fix is to restore the value
      when SHOW BINLOG EVENTS ends.
      The value of @@session.max_allowed_packet is also increased in
      mysql_binlog_send (i.e., the binlog dump thread). It is not clear if this
      can cause any trouble, since normally the client that issues
      COM_BINLOG_DUMP will not issue any other commands that would be affected
      by the increased value of @@session.max_allowed_packet. However, we
      restore the value just in case.
     @ mysql-test/suite/rpl/r/rpl_packet.result
        update result file
     @ mysql-test/suite/rpl/t/rpl_packet.test
        Add test that verifies that @@session.max_allowed_packet does not change
        when issuing SHOW BINLOG EVENTS.
        Make previous sub-test clean up.
        Add comments listing the bugs in this test case.
     @ sql/sql_repl.cc
        Restore the old value of thd->variables.max_allowed_packet at the
        end of mysql_binlog_send and mysql_show_binlog_events.
[20 Jul 2010 15:27] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/113963

3412 Sven Sandberg	2010-07-20
      BUG#55322: SHOW BINLOG EVENTS increases @@SESSION.MAX_ALLOWED_PACKET
      
      Problem: when SHOW BINLOG EVENTS was issued, it increased the value of
      @@session.max_allowed_packet. This allowed a non-root user to increase
      the amount of memory used by her thread arbitrarily. Thus, it removes
      the bound on the amount of system resources used by a client, so it
      presents a security risk (DoS attack).
      
      Fix: it is correct to increase the value of @@session.max_allowed_packet
      while executing SHOW BINLOG EVENTS (see BUG 30435). However, the
      increase should only be temporary. Thus, the fix is to restore the value
      when SHOW BINLOG EVENTS ends.
      The value of @@session.max_allowed_packet is also increased in
      mysql_binlog_send (i.e., the binlog dump thread). It is not clear if this
      can cause any trouble, since normally the client that issues
      COM_BINLOG_DUMP will not issue any other commands that would be affected
      by the increased value of @@session.max_allowed_packet. However, we
      restore the value just in case.
     @ mysql-test/suite/rpl/r/rpl_packet.result
        update result file
     @ mysql-test/suite/rpl/t/rpl_packet.test
        Add test that verifies that @@session.max_allowed_packet does not change
        when issuing SHOW BINLOG EVENTS.
        Make previous sub-test clean up.
        Add comments listing the bugs in this test case.
     @ sql/sql_repl.cc
        Restore the old value of thd->variables.max_allowed_packet at the
        end of mysql_binlog_send and mysql_show_binlog_events.
[26 Jul 2010 9:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/114323

3457 Sven Sandberg	2010-07-26 [merge]
      merged BUG#55322 to 5.1-bugteam
[26 Jul 2010 10:57] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/114335

3147 Sven Sandberg	2010-07-26 [merge]
      merged BUG#55322 from 5.1-bugteam to trunk-merge
[26 Jul 2010 10:59] Sven Sandberg
pushed to 5.1-bugteam and trunk-merge
[4 Aug 2010 7:51] Bugs System
Pushed into mysql-trunk 5.5.6-m3 (revid:alik@sun.com-20100731131027-1n61gseejyxsqk5d) (version source revid:alik@sun.com-20100731074942-o840woifuqioxxe4) (merge vers: 5.5.6-m3) (pib:18)
[4 Aug 2010 8:05] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804080001-bny5271e65xo34ig) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 8:21] Bugs System
Pushed into mysql-trunk 5.6.1-m4 (revid:alik@ibmvm-20100804081533-c1d3rbipo9e8rt1s) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (merge vers: 5.6.99-m4) (pib:18)
[4 Aug 2010 9:02] Bugs System
Pushed into mysql-next-mr (revid:alik@ibmvm-20100804081630-ntapn8bf9pko9vj3) (version source revid:alik@sun.com-20100731075120-qz9z8c25zum2wgmm) (pib:20)
[4 Aug 2010 16:05] Jon Stephens
Documented bugfix in the 5.1.50 and 5.5.6 changelogs as follows:

        Executing SHOW BINLOG EVENTS increased the value of
        max_allowed_packet applying to the session that executed the
        statement.

Set NM status, waiting for mysql-next-mr merge version.
[4 Aug 2010 16:08] Jon Stephens
Closed: already pushed to mysql-next-mr and mysql-trunk, so no need to wait for additional version info.
[19 Aug 2010 15:39] Bugs System
Pushed into mysql-5.1 5.1.51 (revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (version source revid:build@mysql.com-20100819151858-muaaor6jojb5ouzj) (merge vers: 5.1.51) (pib:20)
[14 Oct 2010 8:29] Bugs System
Pushed into mysql-5.1-telco-7.0 5.1.51-ndb-7.0.20 (revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (version source revid:martin.skold@mysql.com-20101014082627-jrmy9xbfbtrebw3c) (merge vers: 5.1.51-ndb-7.0.20) (pib:21)
[14 Oct 2010 8:45] Bugs System
Pushed into mysql-5.1-telco-6.3 5.1.51-ndb-6.3.39 (revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (version source revid:martin.skold@mysql.com-20101014083757-5qo48b86d69zjvzj) (merge vers: 5.1.51-ndb-6.3.39) (pib:21)
[14 Oct 2010 8:59] Bugs System
Pushed into mysql-5.1-telco-6.2 5.1.51-ndb-6.2.19 (revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (version source revid:martin.skold@mysql.com-20101014084420-y54ecj85j5we27oa) (merge vers: 5.1.51-ndb-6.2.19) (pib:21)
[14 Oct 2010 12:33] Jon Stephens
Already documented for 5.1.50, no new changelog entry required. 

Setting back to Closed state.