Hi, Nikita, On Sep 09, Nikita Malyavin wrote:
revision-id: bd616a3733c (mariadb-11.6.1-13-gbd616a3733c)
parent(s): bbbb429a1eb
author: Nikita Malyavin
committer: Nikita Malyavin
timestamp: 2024-09-07 20:46:19 +0200
message:
Auth: set thd->scramble in all cases during writing Initial Handshake Packet
--- sql/sql_acl.cc | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-)
diff --git a/sql/sql_acl.cc b/sql/sql_acl.cc index 93efc5806cc..7845af55413 100644 --- a/sql/sql_acl.cc +++ b/sql/sql_acl.cc @@ -13504,17 +13504,21 @@ static bool send_server_handshake_packet(MPVIO_EXT *mpvio, mpvio->cached_server_packet.pkt_len= data_len; }
- if (data_len < SCRAMBLE_LENGTH) + if (thd->scramble[SCRAMBLE_LENGTH] != 0)
The old code was obviously wrong, but the new one makes no sense either. How can thd->scramble[SCRAMBLE_LENGTH] be non-zero at this point? I'd think you need to execute the code below unconditionally.
{ + DBUG_ASSERT(thd->scramble[SCRAMBLE_LENGTH] == 1); // Sanity + if (data_len) { /* the first packet *must* have at least 20 bytes of a scramble. - if a plugin provided less, we pad it to 20 with zeros + if a plugin provided less, we pad it to 20 with zeros, + plus extra zero termination sign is put in thd->scramble. + If more is provided, we'll use only 20 bytes as a handshake scramble.
Not sure it's a good idea. Why not send the complete scramble? True, it won't fit on the client side into mysql->scramble[]. Two ways to fix it:
* Write the first 20 bytes. The server will only store the first 20 bytes too, and for COM_CHANGE_USER they'll use the first 20 bytes only (for the login auth they can use the complete scramble). That's a rather hackish fix; a proper fix would be
* store the complete scramble in MYSQL. The first 20 bytes in MYSQL::scramble_buff, the rest in MySQL::extension.scramble_suffix
*/ - memcpy(scramble_buf, data, data_len); - bzero(scramble_buf + data_len, SCRAMBLE_LENGTH - data_len); - data= scramble_buf; + size_t fill_size= MY_MIN(SCRAMBLE_LENGTH, data_len); + memcpy(thd->scramble, data, fill_size); + bzero(thd->scramble + fill_size, SCRAMBLE_LENGTH - fill_size + 1); }
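Review bot: the hunk drops `data= scramble_buf;` without replacing it, so the `data`/`data_len` pair used when the handshake packet is assembled below no longer points at the padded or truncated 20-byte buffer; unless later code now reads `thd->scramble` instead of `data`, a plugin that supplies fewer than SCRAMBLE_LENGTH bytes will still put its short scramble on the wire while the new comment promises padding to 20, and a plugin that supplies more will send the full length while the comment says only 20 bytes are used. Either add `data= thd->scramble; data_len= SCRAMBLE_LENGTH;` after the `bzero`, or reword the comment so it describes only what is stored in `thd->scramble`. Also, when `data_len` is 0 the inner `if (data_len)` block is skipped and `thd->scramble[SCRAMBLE_LENGTH]` keeps the sentinel value 1 that the `DBUG_ASSERT` checks, so the outer condition stays true on the next call and nothing is ever written; if that is intended, a comment on the zero-length case would help.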
Regards, Sergei Chief Architect, MariaDB Server and security@mariadb.org