From 90fc6d211c27e024476b4fe98600cb59d43dca6d Mon Sep 17 00:00:00 2001
From: "Bes Dollma (bdollma)"
Date: Mon, 27 Jan 2025 18:01:27 +0200
Subject: [PATCH 1/2] Fix for issue 1666 Null termination strip from authData in case of promotion
Signed-off-by: Bes Dollma (bdollma)
---
 AUTHORS | 2 ++
 auth_test.go | 24 ++++++++++++------------
 packets.go | 7 ++++++-
 3 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/AUTHORS b/AUTHORS
index a38395797..123b5dc50 100644
--- a/AUTHORS
+++ b/AUTHORS
@@ -23,6 +23,7 @@ Ariel Mashraki
 Artur Melanchyk
 Asta Xie
 B Lamarche
+Bes Dollma
 Brian Hendriks
 Bulat Gaifullin
 Caine Jette
@@ -146,4 +147,5 @@ PingCAP Inc.
 Pivotal Inc.
 Shattered Silicon Ltd.
 Stripe Inc.
+ThousandEyes
 Zendesk Inc.
diff --git a/auth_test.go b/auth_test.go
index 8caed1fff..46e1e3b4e 100644
--- a/auth_test.go
+++ b/auth_test.go
@@ -734,9 +734,9 @@ func TestAuthSwitchCachingSHA256PasswordCached(t *testing.T) {
 expectedReply := []byte{
 // 1. Packet: Hash
- 32, 0, 0, 3, 129, 93, 132, 95, 114, 48, 79, 215, 128, 62, 193, 118, 128,
- 54, 75, 208, 159, 252, 227, 215, 129, 15, 242, 97, 19, 159, 31, 20, 58,
- 153, 9, 130,
+ 32, 0, 0, 3, 219, 72, 64, 97, 56, 197, 167, 203, 64, 236, 168, 80, 223,
+ 56, 103, 217, 196, 176, 124, 60, 253, 41, 195, 10, 205, 190, 177, 206, 63,
+ 118, 211, 69,
 }
 if !bytes.Equal(conn.written, expectedReply) {
 t.Errorf("got unexpected data: %v", conn.written)
@@ -803,9 +803,9 @@ func TestAuthSwitchCachingSHA256PasswordFullRSA(t *testing.T) {
 expectedReplyPrefix := []byte{
 // 1. Packet: Hash
- 32, 0, 0, 3, 129, 93, 132, 95, 114, 48, 79, 215, 128, 62, 193, 118, 128,
- 54, 75, 208, 159, 252, 227, 215, 129, 15, 242, 97, 19, 159, 31, 20, 58,
- 153, 9, 130,
+ 32, 0, 0, 3, 219, 72, 64, 97, 56, 197, 167, 203, 64, 236, 168, 80, 223,
+ 56, 103, 217, 196, 176, 124, 60, 253, 41, 195, 10, 205, 190, 177, 206, 63,
+ 118, 211, 69,
 // 2. Packet: Pub Key Request
 1, 0, 0, 5, 2,
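Review bot: The regenerated `// 1. Packet: Hash` bytes in TestAuthSwitchCachingSHA256PasswordCached appear to cover only auth-switch data that ends in a 0 byte (inferred, because patch 2/2 strips only a trailing 0 and leaves these values untouched); the same literal is repeated in TestAuthSwitchCachingSHA256PasswordFullRSA, TestAuthSwitchCachingSHA256PasswordFullRSAWithKey and TestAuthSwitchCachingSHA256PasswordFullSecure. Nothing in these hunks exercises switch data that arrives without a terminator, or with no data at all, which are the two other paths the packets.go change creates. I would add one case that feeds an unterminated scramble and asserts the hash is computed over all of its bytes, since a silent one-byte truncation there breaks authentication rather than failing loudly. A comment above the literal such as `// scramble is hashed without its trailing NUL (issue 1666)` would also tell whoever regenerates these bytes next why they changed. The test functions start and end outside the hunks.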
@@ -848,9 +848,9 @@ func TestAuthSwitchCachingSHA256PasswordFullRSAWithKey(t *testing.T) {
 expectedReplyPrefix := []byte{
 // 1. Packet: Hash
- 32, 0, 0, 3, 129, 93, 132, 95, 114, 48, 79, 215, 128, 62, 193, 118, 128,
- 54, 75, 208, 159, 252, 227, 215, 129, 15, 242, 97, 19, 159, 31, 20, 58,
- 153, 9, 130,
+ 32, 0, 0, 3, 219, 72, 64, 97, 56, 197, 167, 203, 64, 236, 168, 80, 223,
+ 56, 103, 217, 196, 176, 124, 60, 253, 41, 195, 10, 205, 190, 177, 206, 63,
+ 118, 211, 69,
 // 2. Packet: Encrypted Password
 0, 1, 0, 5, // [changing bytes]
@@ -891,9 +891,9 @@ func TestAuthSwitchCachingSHA256PasswordFullSecure(t *testing.T) {
 expectedReply := []byte{
 // 1. Packet: Hash
- 32, 0, 0, 3, 129, 93, 132, 95, 114, 48, 79, 215, 128, 62, 193, 118, 128,
- 54, 75, 208, 159, 252, 227, 215, 129, 15, 242, 97, 19, 159, 31, 20, 58,
- 153, 9, 130,
+ 32, 0, 0, 3, 219, 72, 64, 97, 56, 197, 167, 203, 64, 236, 168, 80, 223,
+ 56, 103, 217, 196, 176, 124, 60, 253, 41, 195, 10, 205, 190, 177, 206, 63,
+ 118, 211, 69,
 // 2. Packet: Cleartext password
 7, 0, 0, 5, 115, 101, 99, 114, 101, 116, 0,
diff --git a/packets.go b/packets.go
index 9951bdf80..a49a2e8e4 100644
--- a/packets.go
+++ b/packets.go
@@ -509,7 +509,12 @@ func (mc *mysqlConn) readAuthResult() ([]byte, string, error) {
 return nil, "", ErrMalformPkt
 }
 plugin := string(data[1:pluginEndIndex])
- authData := data[pluginEndIndex+1:]
+ var authData []byte
+ if pluginEndIndex == len(data)-1 {
+ authData = data[pluginEndIndex+1:]
+ } else {
+ authData = data[pluginEndIndex+1 : len(data)-1]
+ }
 return authData, plugin, nil
 default: // Error otherwise
From e5d765e2892c024c6ea619ed253c22e3ee5de516 Mon Sep 17 00:00:00 2001
From: Bes Dollma <143414965+bdollma-te@users.noreply.github.com>
Date: Tue, 28 Jan 2025 14:25:52 +0200
Subject: [PATCH 2/2] strip null termination from authData Only if authData is provided and indeed is null terminated, then strip it.
Co-authored-by: Inada Naoki
---
 packets.go | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/packets.go b/packets.go
index a49a2e8e4..4b8362160 100644
--- a/packets.go
+++ b/packets.go
@@ -509,11 +509,9 @@ func (mc *mysqlConn) readAuthResult() ([]byte, string, error) {
 return nil, "", ErrMalformPkt
 }
 plugin := string(data[1:pluginEndIndex])
- var authData []byte
- if pluginEndIndex == len(data)-1 {
- authData = data[pluginEndIndex+1:]
- } else {
- authData = data[pluginEndIndex+1 : len(data)-1]
+ authData := data[pluginEndIndex+1:]
+ if len(authData) > 0 && authData[len(authData)-1] == 0 {
+ authData = authData[:len(authData)-1]
 }
 return authData, plugin, nil
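Review bot: The trailing-zero strip on `authData` runs without looking at `plugin`, so it applies to every plugin's switch data, including any plugin whose data is binary and not NUL-terminated. For such a plugin, a payload that legitimately ends in 0x00 would lose its last byte and the client's computed response would no longer match the server's; whether any supported plugin sends data like that cannot be seen from this hunk. Because this value feeds the authentication scramble, the assumption should be written down above the check, for example `// Auth switch data may carry a trailing NUL that is not part of the scramble; strip exactly one.`, and where a plugin's scramble length is known the result could be checked against it instead of relying on the last byte alone. readAuthResult starts and ends outside the hunk.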