Fixed bug #79011

auth_plugin_data_len here is 21, including the trailing null byte. Directly use SCRAMBLE_LENGTH instead. Also add a sanity check that the provided scramble is long enough.
2024-09-21 18:07:23 +00:00 · 2020-01-24 14:52:28 +01:00 · 2020-01-24 14:52:28 +01:00 · bb5cdd9b74
commit bb5cdd9b74
parent 555567468a
2 changed files with 9 additions and 1 deletions
--- a/2
+++ b/2
@ -25,6 +25,8 @@ PHP                                                                        NEWS
 - MySQLnd:
  . Fixed bug #79084 (mysqlnd may fetch wrong column indexes with MYSQLI_BOTH).
    (cmb)
+  . Fixed bug #79011 (MySQL caching_sha2_password Access denied for password
+    with more than 20 chars). (Nikita)

 - Opcache:
  . Fixed #79114 (Eval class during preload causes class to be only half
--- a/ext/mysqlnd/mysqlnd_auth.c
+++ b/ext/mysqlnd/mysqlnd_auth.c
@ -915,6 +915,12 @@ mysqlnd_caching_sha2_get_auth_data(struct st_mysqlnd_authentication_plugin * sel
 	DBG_INF_FMT("salt(%d)=[%.*s]", auth_plugin_data_len, auth_plugin_data_len, auth_plugin_data);
 	*auth_data_len = 0;

+	if (auth_plugin_data_len < SCRAMBLE_LENGTH) {
+		SET_CLIENT_ERROR(conn->error_info, CR_MALFORMED_PACKET, UNKNOWN_SQLSTATE, "The server sent wrong length for scramble");
+		DBG_ERR_FMT("The server sent wrong length for scramble %u. Expected %u", auth_plugin_data_len, SCRAMBLE_LENGTH);
+		DBG_RETURN(NULL);
+	}
+
 	DBG_INF("First auth step: send hashed password");
 	/* copy scrambled pass*/
 	if (passwd && passwd_len) {
@ -1022,7 +1028,7 @@ mysqlnd_caching_sha2_get_and_use_key(MYSQLND_CONN_DATA *conn,
 		char xor_str[passwd_len + 1];
 		memcpy(xor_str, passwd, passwd_len);
 		xor_str[passwd_len] = '\0';
-		mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, auth_plugin_data_len);
+		mysqlnd_xor_string(xor_str, passwd_len, (char *) auth_plugin_data, SCRAMBLE_LENGTH);

 		server_public_key_len = RSA_size(server_public_key);
 		/*