maria-developers team mailing list archive
Message #12453
Re: 7807d9b6939: MDEV-22974: mysql_native_password make "invalid" valid
Hi, Daniel!
On Oct 26, Daniel Black wrote:
> On Thu, Oct 22, 2020 at 8:25 PM Sergei Golubchik <serg@xxxxxxxxxxx> wrote:
> >
> > Hi, Daniel!
> >
> > On Oct 22, Daniel Black wrote:
> > > @@ -14539,6 +14539,12 @@ static int native_password_get_salt(const char *hash, size_t hash_length,
> > >
> > > if (hash_length != SCRAMBLED_PASSWORD_CHAR_LENGTH)
> > > {
> > > + if (hash_length == 7 && strcmp(hash, "invalid") == 0)
> > > + {
> > > + memcpy(out, "invalid", 7);
> > > + *out_length= 7;
> > > + return 0;
> > > + }
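Review bot: the added `strcmp(hash, "invalid") == 0` depends on `hash` being NUL-terminated, although the function is handed an explicit `hash_length` and the branch has already established that it is 7. `memcmp(hash, "invalid", 7) == 0` would compare only the bytes known to be present. The literal 7 also appears three times in the branch and would read better as one named constant or `sizeof("invalid") - 1`. Separately, the branch returns 0 with `*out_length= 7`, so any caller that treats success as meaning a full-length salt needs its own length check before reading it.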
> >
> > okay. After you said ASAN, I think I can see why this could be
> > problematic.
> >
> Updated:
I don't see why you did it that complex with invalid_password and
everything. It seems you could've fixed the ASAN error from your first
patch with just
@@ -14498,7 +14498,7 @@ static int native_password_authenticate(MYSQL_PLUGIN_VI>
info->password_used= PASSWORD_USED_YES;
if (pkt_len == SCRAMBLE_LENGTH)
{
- if (!info->auth_string_length)
+ if (info->auth_string_length != SCRAMBLE_LENGTH)
DBUG_RETURN(CR_AUTH_USER_CREDENTIALS);
if (check_scramble(pkt, thd->scramble, (uchar*)info->auth_string))
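Review bot: the changed test `info->auth_string_length != SCRAMBLE_LENGTH` carries no comment, and it now folds two cases into one CR_AUTH_USER_CREDENTIALS return: an empty auth string, which the old `!info->auth_string_length` caught, and any stored value of another length, such as the 7-byte "invalid" marker from the earlier patch. A one-line comment above the condition naming both cases would keep a later cleanup from narrowing it back to the empty check, which would let `check_scramble()` read `info->auth_string` as if it held SCRAMBLE_LENGTH bytes. A test that attempts a login against an account whose stored value is "invalid" would pin the behaviour.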
Regards,
Sergei
VP of MariaDB Server Engineering
and security@xxxxxxxxxxx