Bug #76485 read net data error cause net.buff free, but net.read_pos pointer to bad memory
Submitted: 25 Mar 2015 16:56  Modified: 27 Apr 2015 11:43
Reporter: jian jian
Status: No Feedback  Impact on me: None
Category: Connector / C  Severity: S1 (Critical)
Version: 6.1.6  OS: Any
Assigned to: Assigned Account  CPU Architecture: Any

[25 Mar 2015 16:56] jian jian
Description:
In function cli_safe_read_with_ok of file client.c:
  if (len == packet_error || len == 0)
  {
    DBUG_PRINT("error",("Wrong connection or packet. fd: %s  len: %lu",
			vio_description(net->vio),len));
#ifdef MYSQL_SERVER
    if (net->vio && (net->last_errno == ER_NET_READ_INTERRUPTED))
      return (packet_error);
#endif /*MYSQL_SERVER*/
    end_server(mysql);// free mysql.net.buff
    set_mysql_error(mysql, net->last_errno == ER_NET_PACKET_TOO_LARGE ?
                    CR_NET_PACKET_TOO_LARGE: CR_SERVER_LOST, unknown_sqlstate);
    return (packet_error);
  }

In function cli_advanced_command of file client.c:

  result=0;
  if (!skip_check)
  {
    result= ((mysql->packet_length= cli_safe_read_with_ok(mysql, 1, NULL)) ==
             packet_error ? 1 : 0); 

#if defined(CLIENT_PROTOCOL_TRACING)
    /*
      Return to READY_FOR_COMMAND protocol stage in case server reports error 
      or sends OK packet.
    */
    if (!result || mysql->net.read_pos[0] == 0x00)//read_pos is pointer to mysql.net.buff
      MYSQL_TRACE_STAGE(mysql, READY_FOR_COMMAND);
#endif

When cli_safe_read_with_ok returns an error, mysql.net.buff is freed, but mysql.net.read_pos still points to the freed memory, and cli_advanced_command will use read_pos if CLIENT_PROTOCOL_TRACING is defined.

How to repeat:
The issue is accidental. 

Suggested fix:
When freeing mysql.net.buff in end_server, set read_pos to zero, and check whether read_pos is zero or not in cli_advanced_command.
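The suggested fix, worked through on a reduced model of the structures involved. This is an added example, not code from Connector/C: net_t, end_server_fixed, safe_read, advanced_command and net_with_packet are hypothetical stand-ins for NET, end_server, cli_safe_read_with_ok and the CLIENT_PROTOCOL_TRACING branch of cli_advanced_command, and the packet contents are constructed.

```c
#include <stdlib.h>

/* Minimal stand-in for the NET fields the report discusses (constructed). */
typedef struct {
    unsigned char *buff;     /* packet buffer owned by the struct */
    unsigned char *read_pos; /* cursor into buff; dangles if buff is freed */
} net_t;

/* Analogue of end_server(): free the buffer and, as the suggested fix
   asks, clear every pointer that aliased it. */
static void end_server_fixed(net_t *net)
{
    free(net->buff);
    net->buff = NULL;
    net->read_pos = NULL; /* without this line read_pos keeps pointing at freed memory */
}

/* Analogue of cli_safe_read_with_ok(): tear the connection down on a
   read error, otherwise leave read_pos at the start of the packet. */
static int safe_read(net_t *net, int simulate_error)
{
    if (simulate_error) {
        end_server_fixed(net);
        return -1; /* stands in for packet_error */
    }
    net->read_pos = net->buff;
    return 1;
}

/* Analogue of the CLIENT_PROTOCOL_TRACING branch of cli_advanced_command().
   Returns 1 when the READY_FOR_COMMAND stage would be entered, else 0. */
int advanced_command(net_t *net, int simulate_error)
{
    int result = (safe_read(net, simulate_error) < 0) ? 1 : 0;
    /* Original: if (!result || net->read_pos[0] == 0x00). The right operand is
       evaluated exactly when result != 0, i.e. after the buffer was freed, so
       the dereference must be guarded by a NULL check. */
    if (!result || (net->read_pos != NULL && net->read_pos[0] == 0x00))
        return 1;
    return 0;
}

/* Build a net whose buffer holds a constructed packet starting with first_byte. */
net_t *net_with_packet(unsigned char first_byte)
{
    net_t *net = malloc(sizeof *net);
    net->buff = calloc(16, 1);
    net->buff[0] = first_byte;
    net->read_pos = net->buff;
    return net;
}
```

In the error path the guarded condition is false and nothing is dereferenced; with the original condition the same path would read net->read_pos[0] from memory that end_server had already freed.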
[27 Mar 2015 11:43] Chiranjeevi Battula
Hello jian,

Thank you for the bug report.
I could not repeat the issue on MySQL Connector/C 6.1.6. Could you please provide a complete repeatable test case so we can confirm this issue at our end?

Thanks,
Chiranjeevi.
[28 Apr 2015 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".