Bug #83645 Buffer overflow of acl_user->salt when auth->set_salt is called in acl_load
Submitted: 2 Nov 2016 7:06 Modified: 3 Nov 2016 2:09
Reporter: Rungong An
Status: Verified Impact on me: None
Category:MySQL Server: Pluggable Authentication Severity:S4 (Feature request)
Version:5.7.16 OS:Linux
Assigned to: CPU Architecture:Any

[2 Nov 2016 7:06] Rungong An
Description:
Because a user-defined st_mysql_auth.set_salt may produce a salt longer than SCRAMBLE_LENGTH, the call to the user-defined st_mysql_auth.set_salt function may cause an authentication error and a buffer overflow.

The call is located in acl_load > set_user_salt (sql_auth_cache.cc, line 1281):

    result=  auth->set_salt(acl_user->auth_string.str,
                            acl_user->auth_string.length,
                            acl_user->salt,
                            &acl_user->salt_len);

How to repeat:
None

Suggested fix:
A simple way is to make the length of salt in ACL_USER class to be longer and inform plugin developers the length limitation.
[2 Nov 2016 16:15] MySQL Verification Team
This is not a bug in our Plugin Interface, but it is insufficient documentation in our Doxygen pages. Doxygen has only this for the description of the function in question:

-----------------------------------------------------
Plugin API to convert scrambled password to binary form based on scramble type.

Parameters
[in]	password	The password hash containing the salt.
[in]	password_len	The length of the password hash.
[in,out]	salt	Used as password hash based on the authentication plugin.
[in,out]	salt_len	The length of salt.
Return values
0	OK
1	ERROR

-----------------------------------------------------

The important point is that salt_len is both sent as a parameter and returned. Hence, the length of the buffer is passed when the function is called and the actual length is expected after the call. That way, the plugin gets the maximum length that the function can receive. If a longer string is passed, then it is a bug in the authentication plugin code itself. It is not a bug in the Plugin API !!!

To conclude, there is no bug in the authentication Plugin API; there is only insufficient explanation in this Doxygen page:

http://dev.mysql.com/doc/dev/mysql-server/latest/plugin__auth_8h.html#ada91fc3e784a74c9a37...

Hence, this bug is verified as a Doxygen documentation bug for this Plugin API.

The above page is made for MySQL 8.0, but it is equally valid for 5.7.
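The in/out contract for salt_len described above, shown as an added example (not code from the MySQL server or from any real authentication plugin). The plugin-side function demo_set_salt and the caller demo_set_user_salt are hypothetical; the struct is a constructed stand-in for the relevant fields of ACL_USER, the value 20 for SCRAMBLE_LENGTH is assumed, and the hash format ("*" followed by hex digits) is a constructed stand-in for whatever a real plugin stores. The point is the check on the incoming capacity: a plugin that honours it cannot write past acl_user->salt, and a caller that places a canary after the buffer can tell when a plugin did not.

```c
#include <stdio.h>
#include <string.h>

/* Assumed value of the server's SCRAMBLE_LENGTH (20 bytes, one SHA1 digest);
 * the real constant lives in the server headers, not here. */
#define SCRAMBLE_LENGTH 20

/* Constructed stand-in for the relevant part of ACL_USER. The canary byte is
 * placed directly after the salt buffer so that an overrun by a plugin can be
 * detected by the caller. */
typedef struct {
    unsigned char salt[SCRAMBLE_LENGTH + 1];
    unsigned char salt_len;
    unsigned char canary;
} demo_acl_user;

#define DEMO_CANARY 0xA5

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hypothetical plugin set_salt, shaped like st_mysql_auth.set_salt: the stored
 * hash is "*" followed by hex digits and is decoded to binary. On entry
 * *salt_len is the capacity of salt; on return it is the number of bytes
 * actually written. Returns 0 on success, 1 on error. */
int demo_set_salt(const char *password, unsigned int password_len,
                  unsigned char *salt, unsigned char *salt_len)
{
    unsigned int capacity = *salt_len;
    unsigned int needed, i;

    if (password_len == 0) {            /* empty hash: nothing to store */
        *salt_len = 0;
        return 0;
    }
    if (password[0] != '*' || (password_len - 1) % 2 != 0)
        return 1;                       /* malformed hash */
    needed = (password_len - 1) / 2;
    if (needed > capacity)              /* the check this report is about */
        return 1;
    for (i = 0; i < needed; i++) {
        int hi = hex_nibble(password[1 + 2 * i]);
        int lo = hex_nibble(password[2 + 2 * i]);
        if (hi < 0 || lo < 0)
            return 1;
        salt[i] = (unsigned char)((hi << 4) | lo);
    }
    *salt_len = (unsigned char)needed;  /* actual length goes back out */
    return 0;
}

/* Caller modelled on the contract described in the comment above: the buffer
 * size goes in through salt_len and the actual length comes back. Returns the
 * plugin's result, or -1 if the canary shows the plugin wrote past the buffer. */
int demo_set_user_salt(demo_acl_user *u, const char *hash)
{
    int rc;
    memset(u->salt, 0, sizeof(u->salt));
    u->salt_len = (unsigned char)sizeof(u->salt);
    u->canary = DEMO_CANARY;
    rc = demo_set_salt(hash, (unsigned int)strlen(hash), u->salt, &u->salt_len);
    if (u->canary != DEMO_CANARY)
        return -1;
    return rc;
}

int main(void)
{
    demo_acl_user u;
    /* Constructed sample hashes: 40 hex digits decode to 20 bytes and fit;
     * 44 hex digits would need 22 bytes and must be refused. */
    const char *fits = "*0123456789ABCDEF0123456789ABCDEF01234567";
    const char *too_long = "*0123456789ABCDEF0123456789ABCDEF0123456789AB";
    int rc = demo_set_user_salt(&u, fits);
    printf("20-byte hash: rc=%d salt_len=%u\n", rc, (unsigned)u.salt_len);
    rc = demo_set_user_salt(&u, too_long);
    printf("22-byte hash: rc=%d (refused, buffer untouched)\n", rc);
    return 0;
}
```

A plugin written against this contract reads *salt_len before writing anything and reports the number of bytes it produced afterwards; the server's fixed-size buffer is therefore safe regardless of what the stored hash looks like, which is exactly why the Verification Team classified the report as a documentation issue rather than an API defect.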
[3 Nov 2016 2:09] Rungong An
Thanks.