Bug #17883203 : MYSQL EMBEDDED MYSQL_STMT_EXECUTE RETURN

Arun Kuruvila · Arun Kuruvila · commit 5eb6d463a358 · 2015-12-02T11:37:18.000+05:30
"MALFORMED COMMUNICATION PACKET" ERROR

Description :- C API, "mysql_stmt_execute" fails with an
error, "malformed communication packet", even for a simple
query when prepared statments are used with libmysqld.

Analysis :- The packet size specified in
"emb_stmt_execute()" [libmysqld/lib_sql.cc] and "execute()
[libmysql/libmysql.c] should be consistent across libraries
(libmysqld/libmysql) because "mysql_stmt_execute()"
[sql/sql_prepare.cc ] is being called from both functions
depending upon the libaries (libmysqld/libmysql) used.
Currently the packet size used in "emb_stmt_execute() is 5
and in "execute()" is 9. When the C API,
"mysql_stmt_execute", is executed from an application which
is linked with libmysqld, it fails in the function
"mysql_stmt_execute()" because of incorrect packet size.
Another bug also exists in the "Protocol::net_store_data()"
[libmysqld/lib_sql.cc] due to dereferencing an undefined
"next_field" pointer which results in a segmentation fault.

Fix:-
(a)The packet size is made consistent across libmysqld
and libmysql.
(b) For the problem found internally:
Functions "prepare_for_resend(), "net_store_data()" (with
and without charset conversion) are defined seperately for
Protocol_binary class in case of embedded library.
diff --git a/libmysqld/lib_sql.cc b/libmysqld/lib_sql.cc
@@ -2,7 +2,7 @@
  * Copyright (c)  2000
  * SWsoft  company
  *
- * Modifications copyright (c) 2001, 2014. Oracle and/or its affiliates.
+ * Modifications copyright (c) 2001, 2015. Oracle and/or its affiliates.
  * All rights reserved.
  *
  * This material is provided "as is", with absolutely no warranty expressed
@@ -327,15 +327,26 @@ static my_bool emb_read_query_result(MYSQL *mysql)
   return 0;
 }
 
+#define HEADER_SIZE 9
 static int emb_stmt_execute(MYSQL_STMT *stmt)
 {
   DBUG_ENTER("emb_stmt_execute");
-  uchar header[5];
+  /*
+    Header size is made similar to non-embedded library.
+    It should be consistent across embedded and non-embedded
+    libraries.
+  */
+  uchar header[HEADER_SIZE];
   THD *thd;
   my_bool res;
 
   int4store(header, stmt->stmt_id);
   header[4]= (uchar) stmt->flags;
+  /*
+    Dummy value is stored in the last 4 bytes of the header
+    to make it consistent with non-embedded library.
+  */
+  int4store(header + 5, 1);
   thd= (THD*)stmt->mysql->thd;
   thd->client_param_count= stmt->param_count;
   thd->client_params= stmt->params;
@@ -1276,6 +1287,14 @@ bool net_send_error_packet(THD *thd, uint sql_errno, const char *err,
   return FALSE;
 }
 
+void Protocol_binary::prepare_for_resend()
+{
+  MYSQL_DATA *data= thd->cur_data;
+  next_mysql_field= data->embedded_info->fields_list;
+  packet->length(bit_fields + 1);
+  memset(const_cast<char*>(packet->ptr()), 0, 1 + bit_fields);
+  field_pos= 0;
+}
 
 void Protocol_text::prepare_for_resend()
 {
@@ -1312,6 +1331,78 @@ bool Protocol_text::store_null()
   return false;
 }
 
+bool Protocol_binary::net_store_data(const uchar *from, size_t length)
+{
+  if (!thd->mysql)            // bootstrap file handling
+    return 0;
+
+  ulong packet_length= packet->length();
+  /*
+     The +9 comes from that strings of length longer than 16M require
+     9 bytes to be stored (see net_store_length).
+  */
+  if (packet_length + 9 + length > packet->alloced_length() &&
+      packet->realloc(packet_length + 9 + length))
+    return 1;
+  uchar *to= net_store_length((uchar*)packet->ptr() + packet_length, length);
+  memcpy(to, from, length);
+  packet->length((uint)(to + length - (uchar*)packet->ptr()));
+  if (next_mysql_field->max_length < length)
+    next_mysql_field->max_length= length;
+  ++next_mysql_field;
+  return 0;
+}
+
+bool Protocol_binary::net_store_data(const uchar *from, size_t length,
+                                     const CHARSET_INFO *from_cs,
+                                     const CHARSET_INFO *to_cs)
+{
+  uint dummy_errors;
+  /* Calculate maxumum possible result length */
+  uint conv_length= to_cs->mbmaxlen * length / from_cs->mbminlen;
+
+  if (!thd->mysql)            // bootstrap file handling
+    return 0;
+
+  if (conv_length > 250)
+  {
+    /*
+      For strings with conv_length greater than 250 bytes
+      we don't know how many bytes we will need to store length: one or two,
+      because we don't know result length until conversion is done.
+      For example, when converting from utf8 (mbmaxlen=3) to latin1,
+      conv_length=300 means that the result length can vary between 100 to 300.
+      length=100 needs one byte, length=300 needs to bytes.
+
+      Thus conversion directly to "packet" is not worthy.
+      Let's use "convert" as a temporary buffer.
+    */
+    return (convert->copy((const char*)from, length, from_cs,
+                          to_cs, &dummy_errors) ||
+            net_store_data((const uchar*)convert->ptr(), convert->length()));
+  }
+
+  ulong packet_length= packet->length();
+  ulong new_length= packet_length + conv_length + 1;
+
+  if (new_length > packet->alloced_length() && packet->realloc(new_length))
+    return 1;
+
+  char *length_pos= (char*) packet->ptr() + packet_length;
+  char *to= length_pos + 1;
+
+  to+= length= copy_and_convert(to, conv_length, to_cs,
+                                (const char*)from, length, from_cs,
+                                &dummy_errors);
+
+  net_store_length((uchar*)length_pos, to - length_pos - 1);
+  packet->length((uint)(to - packet->ptr()));
+  if (next_mysql_field->max_length < length)
+    next_mysql_field->max_length= length;
+  ++next_mysql_field;
+  return 0;
+}
+
 bool Protocol::net_store_data(const uchar *from, size_t length)
 {
   char *field_buf;
diff --git a/sql/protocol.cc b/sql/protocol.cc
@@ -1,4 +1,4 @@
-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -42,9 +42,6 @@ static bool write_eof_packet(THD *, NET *, uint, uint);
 
 #ifndef EMBEDDED_LIBRARY
 bool Protocol::net_store_data(const uchar *from, size_t length)
-#else
-bool Protocol_binary::net_store_data(const uchar *from, size_t length)
-#endif
 {
   ulong packet_length=packet->length();
   /* 
@@ -59,7 +56,7 @@ bool Protocol_binary::net_store_data(const uchar *from, size_t length)
   packet->length((uint) (to+length-(uchar*) packet->ptr()));
   return 0;
 }
-
+#endif
 
 
 
@@ -1244,12 +1241,14 @@ bool Protocol_binary::prepare_for_send(uint num_columns)
 }
 
 
+#ifndef EMBEDDED_LIBRARY
 void Protocol_binary::prepare_for_resend()
 {
   packet->length(bit_fields+1);
   memset(const_cast<char*>(packet->ptr()), 0, 1+bit_fields);
   field_pos=0;
 }
+#endif
 
 
 bool Protocol_binary::store(const char *from, size_t length,
diff --git a/sql/protocol.h b/sql/protocol.h
@@ -1,7 +1,7 @@
 #ifndef PROTOCOL_INCLUDED
 #define PROTOCOL_INCLUDED
 
-/* Copyright (c) 2002, 2011, Oracle and/or its affiliates. All rights reserved.
+/* Copyright (c) 2002, 2015, Oracle and/or its affiliates. All rights reserved.
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
@@ -45,8 +45,9 @@ class Protocol
   MYSQL_FIELD *next_mysql_field;
   MEM_ROOT *alloc;
 #endif
-  bool net_store_data(const uchar *from, size_t length,
-                      const CHARSET_INFO *fromcs, const CHARSET_INFO *tocs);
+  virtual bool net_store_data(const uchar *from, size_t length,
+                              const CHARSET_INFO *fromcs,
+                              const CHARSET_INFO *tocs);
   bool store_string_aux(const char *from, size_t length,
                         const CHARSET_INFO *fromcs, const CHARSET_INFO *tocs);
 
@@ -178,6 +179,9 @@ class Protocol_binary :public Protocol
 #ifdef EMBEDDED_LIBRARY
   virtual bool write();
   bool net_store_data(const uchar *from, size_t length);
+  bool net_store_data(const uchar *from, size_t length,
+                      const CHARSET_INFO *fromcs,
+                      const CHARSET_INFO *tocs);
 #endif
   virtual bool store_null();
   virtual bool store_tiny(longlong from);
diff --git a/tests/mysql_client_test.c b/tests/mysql_client_test.c
@@ -19441,6 +19441,53 @@ static void test_bug20810928()
 }
 
 
+/*
+  BUG#17883203: MYSQL EMBEDDED MYSQL_STMT_EXECUTE RETURN
+                "MALFORMED COMMUNICATION PACKET" ERROR
+*/
+#define BUG17883203_STRING_SIZE 50
+
+static void test_bug17883203()
+{
+  MYSQL_STMT *stmt;
+  MYSQL_BIND bind;
+  char str_data[BUG17883203_STRING_SIZE];
+  my_bool is_null;
+  my_bool error;
+  unsigned long length;
+  const char stmt_text[] ="SELECT VERSION()";
+  int rc;
+
+  myheader("test_bug17883203");
+
+  stmt = mysql_stmt_init(mysql);
+  check_stmt(stmt);
+  rc= mysql_stmt_prepare(stmt, stmt_text, strlen(stmt_text));
+  check_execute(stmt, rc);
+  rc= mysql_stmt_execute(stmt);
+  check_execute(stmt, rc);
+  memset(&bind, 0, sizeof(bind));
+
+  bind.buffer_type= MYSQL_TYPE_STRING;
+  bind.buffer= (char *)str_data;
+  bind.buffer_length= BUG17883203_STRING_SIZE;
+  bind.is_null= &is_null;
+  bind.length= &length;
+  bind.error= &error;
+
+  rc= mysql_stmt_bind_result(stmt, &bind);
+  check_execute(stmt, rc);
+  rc= mysql_stmt_fetch(stmt);
+  check_execute(stmt, rc);
+
+  if (!opt_silent)
+  {
+    fprintf(stdout, "\n Version: %s", str_data);
+  }
+  mysql_stmt_close(stmt);
+}
+
+
 static struct my_tests_st my_tests[]= {
   { "disable_query_logs", disable_query_logs },
   { "test_view_sp_list_fields", test_view_sp_list_fields },
@@ -19717,6 +19764,7 @@ static struct my_tests_st my_tests[]= {
 #endif
   { "test_bug17512527", test_bug17512527},
   { "test_bug20810928", test_bug20810928 },
+  { "test_bug17883203", test_bug17883203 },
   { 0, 0 }
 };
 

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-/* Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.`
	`1`	`+/* Copyright (c) 2000, 2015, Oracle and/or its affiliates. All rights reserved.`
`2`	`2`
`3`	`3`	`This program is free software; you can redistribute it and/or modify`
`4`	`4`	`it under the terms of the GNU General Public License as published by`
`@@ -42,9 +42,6 @@ static bool write_eof_packet(THD , NET , uint, uint);`
`42`	`42`
`43`	`43`	`#ifndef EMBEDDED_LIBRARY`
`44`	`44`	`bool Protocol::net_store_data(const uchar *from, size_t length)`
`45`		`-#else`
`46`		`-bool Protocol_binary::net_store_data(const uchar *from, size_t length)`
`47`		`-#endif`
`48`	`45`	`{`
`49`	`46`	`ulong packet_length=packet->length();`
`50`	`47`	`/*`
`@@ -59,7 +56,7 @@ bool Protocol_binary::net_store_data(const uchar *from, size_t length)`
`59`	`56`	`packet->length((uint) (to+length-(uchar*) packet->ptr()));`
`60`	`57`	`return 0;`
`61`	`58`	`}`
`62`		`-`
	`59`	`+#endif`
`63`	`60`
`64`	`61`
`65`	`62`
`@@ -1244,12 +1241,14 @@ bool Protocol_binary::prepare_for_send(uint num_columns)`
`1244`	`1241`	`}`
`1245`	`1242`
`1246`	`1243`
	`1244`	`+#ifndef EMBEDDED_LIBRARY`
`1247`	`1245`	`void Protocol_binary::prepare_for_resend()`
`1248`	`1246`	`{`
`1249`	`1247`	`packet->length(bit_fields+1);`
`1250`	`1248`	`memset(const_cast<char*>(packet->ptr()), 0, 1+bit_fields);`
`1251`	`1249`	`field_pos=0;`
`1252`	`1250`	`}`
	`1251`	`+#endif`
`1253`	`1252`
`1254`	`1253`
`1255`	`1254`	`bool Protocol_binary::store(const char *from, size_t length,`