[PR] [fix](fe) Bound length in MysqlProto.readLenEncodedString [doris]

Mon, 25 May 2026 01:30:18 -0700 


MarkLee131 opened a new pull request, #63604:
URL: https://github.com/apache/doris/pull/63604

   ### What problem does this PR solve?
   
   Issue Number: close #63603
   
   Problem Summary:
   
   `MysqlProto.readLenEncodedString` reads a length-encoded integer and passes 
it straight to `new byte[(int) length]` with no bound. The length is fully 
attacker-controlled (a `0xFE` lead byte carries an 8-byte value), and it is 
read before authentication from `MysqlAuthPacket.readFrom` (the auth-response 
field at `MysqlAuthPacket.java:93` and the connection-attributes loop at 
`MysqlAuthPacket.java:110-118`). A small handshake response can therefore 
request
   a ~2 GiB allocation, and a length with the high bit set casts to a negative 
size (`NegativeArraySizeException`).
   
   This PR rejects a length that is negative or larger than the bytes remaining 
in the buffer before allocating. A well-formed length-encoded string's payload 
always fits in the remaining buffer, so valid input is unaffected. One guard 
covers both reach paths.
   
   
   ### Release note
   
   None
   
   ### Check List (For Author)
   
   - Test
       - [ ] Regression test
       - [x] Unit Test
       - [ ] Manual test (add detailed scripts or steps below)
       - [ ] No need to test or manual test. Explain why:
           - [ ] This is a refactor/code format and no logic has been changed.
           - [ ] Previous test can cover this change.
           - [ ] No code files have been changed.
           - [ ] Other reason
   
   - Behavior changed:
       - [x] No.
       - [ ] Yes.
   
   - Does this need documentation?
       - [x] No.
       - [ ] Yes.
   
   The Unit Test is `MysqlProtoLenEncStringTest` (added in this PR): oversized 
and negative-cast lengths are rejected with `IllegalArgumentException`; a 
normal short length-encoded string still parses.
   
   
   ### Check List (For Reviewer who merge this PR)
   
   - [ ] Confirm the release note
   - [ ] Confirm test cases
   - [ ] Confirm document
   - [ ] Add branch pick label <!-- Add branch pick label that this PR should 
merge into -->
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to