Bug #88092 Contribution by Facebook: Read compressed packets of size 0xffffff
Submitted: 14 Oct 2017 0:45
Modified: 2 Nov 2017 21:38
Reporter: FBContrib Admin
Status: Closed
Category: MySQL Server: Connection Handling
Severity: S3 (Non-critical)
Version: 5.6
OS: Any
Assigned to:
CPU Architecture: Any

[14 Oct 2017 0:45] FBContrib Admin
Description:
Background information provided by Facebook:
Abstract:

Repo: https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_mysql_mysql-2Dserver&d=DwI... 

Patch on top of 5.6.35: https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_mysql_mysql-2Dserver_tree_... 

This fixes: http://bugs.mysql.com/bug.php?id=82792

Currently when using the compressed protocol we buffer received packets and return them as they are requested. We save the first char of the next packet when returning a packet, and replace it with a null byte. When we receive large packets (>0xffffff) they are split over multiple packets. A zero size packet is used to terminate a multi-packet if it is an exact multiple of 0xffffff. In this case the character that is saved is the first byte of the 0 byte header, rather than the first byte of the header of the next packet. When this character is restored it can result in the next packet being mangled (size will be wrong but the sequence number will be fine).

I checked the 8.0 branch where the file was moved to sql-common/net_serv.cc, but the problem looks to still exist.

How to repeat:
See description

Suggested fix:
See contribution code attached

[14 Oct 2017 0:45] FBContrib Admin
Read compressed packets of size 0xffffff 
(*) This code is contributed under the Facebook agreement

Contribution: fb_patch_1.txt (text/plain), 617 bytes.

[17 Oct 2017 10:30] Ståle Deraas
Posted by developer:
 
Thank you for the provided patch!

We have checked with the provided test, and it fails on 5.6 and the provided patch makes the test pass.
In 8.0 the provided test also fails, but the provided patch does *not* make the test pass. So further investigations on why it does not pass need to be done.

[2 Nov 2017 21:38] Paul Dubois
Posted by developer:
 
Fixed in 8.0.4, 9.0.0.

With compression enabled for the client/server protocol, logical
packets that are multiples of size 0xFFFFFF could cause the
connection to be dropped. Thanks to Facebook Inc. for the patch.
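
The framing rule from the description, as an added example that is not the contributed patch or MySQL's own code: it walks a buffer of already-decompressed packets and finds where a logical packet really ends when its size is an exact multiple of 0xffffff. All function names and the sample stream are constructed for illustration; the 4-byte header layout (3-byte little-endian length plus sequence byte) is the standard MySQL packet header.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_PACKET_LENGTH 0xffffffUL /* largest payload of one physical packet */
#define HEADER_SIZE 4                /* 3-byte little-endian length + sequence byte */

static size_t read_len(const uint8_t *h) {
    return h[0] | (size_t)h[1] << 8 | (size_t)h[2] << 16;
}

/* Append one physical packet (header + filler payload); returns bytes written. */
static size_t put_packet(uint8_t *dst, size_t len, uint8_t seq) {
    dst[0] = len & 0xff; dst[1] = (len >> 8) & 0xff; dst[2] = (len >> 16) & 0xff;
    dst[3] = seq;
    memset(dst + HEADER_SIZE, 'x', len);
    return HEADER_SIZE + len;
}

/* Bytes occupied by the logical packet at buf[0], headers included, so that
   buf + result is the header of the next logical packet. A physical packet of
   0xffffff bytes always has a successor, possibly of length zero. 0 = truncated. */
static size_t logical_span(const uint8_t *buf, size_t avail) {
    size_t off = 0, len;
    do {
        if (avail - off < HEADER_SIZE) return 0;
        len = read_len(buf + off);
        if (avail - off - HEADER_SIZE < len) return 0;
        off += HEADER_SIZE + len;
    } while (len == MAX_PACKET_LENGTH);
    return off;
}

/* Constructed stream: 0xffffff-byte packet, zero-length terminator, 5-byte packet.
   Returns the length field found at the chosen boundary, or -1 on failure. */
static long length_at_boundary(int naive) {
    uint8_t *buf = malloc(3 * HEADER_SIZE + MAX_PACKET_LENGTH + 5);
    if (!buf) return -1;
    size_t n = put_packet(buf, MAX_PACKET_LENGTH, 0);
    n += put_packet(buf + n, 0, 1);
    n += put_packet(buf + n, 5, 0);
    /* naive: stop after the first physical packet, landing on the terminator */
    size_t end = naive ? HEADER_SIZE + MAX_PACKET_LENGTH : logical_span(buf, n);
    long len = end ? (long)read_len(buf + end) : -1;
    free(buf);
    return len;
}

int main(void) {
    printf("naive=%ld correct=%ld\n", length_at_boundary(1), length_at_boundary(0));
    return 0;
}
```

The naive boundary points at the zero-length terminator's header, which is the byte the description says gets saved by mistake; the walker's boundary points at the header of the following 5-byte packet.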