Hi, Daniel! On Oct 26, Daniel Black wrote:
On Thu, Oct 22, 2020 at 8:25 PM Sergei Golubchik <serg@mariadb.org> wrote:
Hi, Daniel!
On Oct 22, Daniel Black wrote:
@@ -14539,6 +14539,12 @@ static int native_password_get_salt(const char *hash, size_t hash_length,
if (hash_length != SCRAMBLED_PASSWORD_CHAR_LENGTH) { + if (hash_length == 7 && strcmp(hash, "invalid") == 0) + { + memcpy(out, "invalid", 7); + *out_length= 7; + return 0; + }
okay. After you said ASAN, I think I can see why this could be problematic.
Updated:
I don't see why you did it that complex with invalid_password and everything. It seems you could've fixed the ASAN error from your first patch with just @@ -14498,7 +14498,7 @@ static int native_password_authenticate(MYSQL_PLUGIN_VI> info->password_used= PASSWORD_USED_YES; if (pkt_len == SCRAMBLE_LENGTH) { - if (!info->auth_string_length) + if (info->auth_string_length != SCRAMBLE_LENGTH) DBUG_RETURN(CR_AUTH_USER_CREDENTIALS); if (check_scramble(pkt, thd->scramble, (uchar*)info->auth_string)) Regards, Sergei VP of MariaDB Server Engineering and security@mariadb.org