maria-developers team mailing list archive

Re: 7807d9b6939: MDEV-22974: mysql_native_password make "invalid" valid

 

That works for me.

Pushed first patch with above simple fix.

On Sat, Oct 31, 2020 at 4:45 AM Sergei Golubchik <serg@xxxxxxxxxxx> wrote:
>
> Hi, Daniel!
>
> On Oct 26, Daniel Black wrote:
> > On Thu, Oct 22, 2020 at 8:25 PM Sergei Golubchik <serg@xxxxxxxxxxx> wrote:
> > >
> > > Hi, Daniel!
> > >
> > > On Oct 22, Daniel Black wrote:
> > > > @@ -14539,6 +14539,12 @@ static int native_password_get_salt(const char *hash, size_t hash_length,
> > > >
> > > >    if (hash_length != SCRAMBLED_PASSWORD_CHAR_LENGTH)
> > > >    {
> > > > +    if (hash_length == 7 && strcmp(hash, "invalid") == 0)
> > > > +    {
> > > > +      memcpy(out, "invalid", 7);
> > > > +      *out_length= 7;
> > > > +      return 0;
> > > > +    }
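Review bot: the added `if (hash_length == 7 && strcmp(hash, "invalid") == 0)` compares with strcmp although the length is passed separately, so it depends on hash being NUL-terminated; `memcmp(hash, "invalid", 7)` would touch only the seven bytes that hash_length already accounts for. The literal 7 also appears three times beside the string, and deriving it once (for example from `sizeof("invalid") - 1`) would keep the comparison, the memcpy and `*out_length` in sync. This branch also returns 0 with a 7-byte value in out, so every consumer of that value has to check its length before treating it as a full scramble; a comment naming where that check lives would help the next reader.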
> > >
> > > okay. After you said ASAN, I think I can see why this could be
> > > problematic.
> > >
> > Updated:
>
> I don't see why you did it that complex with invalid_password and
> everything. It seems you could've fixed the ASAN error from your first
> patch with just
>
> @@ -14498,7 +14498,7 @@ static int native_password_authenticate(MYSQL_PLUGIN_VI>
>    info->password_used= PASSWORD_USED_YES;
>    if (pkt_len == SCRAMBLE_LENGTH)
>    {
> -    if (!info->auth_string_length)
> +    if (info->auth_string_length != SCRAMBLE_LENGTH)
>        DBUG_RETURN(CR_AUTH_USER_CREDENTIALS);
>
>      if (check_scramble(pkt, thd->scramble, (uchar*)info->auth_string))
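Review bot: the new condition `info->auth_string_length != SCRAMBLE_LENGTH` rejects every stored value that is not exactly SCRAMBLE_LENGTH bytes, not only the empty one the old `!info->auth_string_length` caught, and it is the only length check visible before check_scramble is handed `info->auth_string`. The intent (refusing the 7-byte "invalid" placeholder discussed in this thread) is not obvious from the comparison alone, so a short comment on that line is worth adding. A regression test that attempts a login with a password against such an account and expects CR_AUTH_USER_CREDENTIALS would pin the behaviour.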
>
> Regards,
> Sergei
> VP of MariaDB Server Engineering
> and security@xxxxxxxxxxx

