[CP]Protocol security vulnerabilities

obdev · ob-robot · commit 479fb2ad4a4a · 2025-11-03T16:16:57.000Z
diff --git a/deps/oblib/src/rpc/obmysql/ob_mysql_util.cpp b/deps/oblib/src/rpc/obmysql/ob_mysql_util.cpp
@@ -110,7 +110,30 @@ int ObMySQLUtil::get_length(const char *&pos, uint64_t &length)
       get_uint3(pos, s4);
       length = s4;
     } else if (sentinel == 254) {
-      get_uint8(pos, length);
+      if (lib::is_oracle_mode()) {
+        get_uint8(pos, length);
+      } else {
+        /*
+          In our client-server protocol all numbers bigger than 2^24
+          stored as 8 bytes with uint8korr. Here we always know that
+          parameter length is less than 2^4 so we don't look at the second
+          4 bytes. But still we need to obey the protocol hence 9 in the
+          assignment below.
+          if (packet_left_len < 9) {
+            *header_len = 0;
+            return 0;
+          }
+          *header_len = 9;
+          return static_cast<ulong>(uint4korr(packet + 1));
+
+          OceanBase length parsing compatible with mysql, so we don't look at the second
+          4 bytes. But still we need to obey the protocol hence 9 in the
+          assignment below.
+        */
+        get_uint4(pos, s4);
+        length = s4;
+        pos += 4;
+      }
     } else {
       // 255??? won't get here.
       pos--;                  // roll back
diff --git a/deps/oblib/src/rpc/obmysql/packet/ompk_handshake_response.cpp b/deps/oblib/src/rpc/obmysql/packet/ompk_handshake_response.cpp
@@ -67,8 +67,9 @@ int OMPKHandshakeResponse::decode()
 
   // get username
   if (OB_SUCC(ret) && pos < end) {
-    username_ = ObString::make_string(pos);
-    pos += strlen(pos) + 1;
+    int64_t len = strnlen(pos, end - pos);
+    username_ = ObString(0, len, const_cast<char *>(pos));
+    pos += len + 1;
   }
 
   // get auth response
@@ -93,24 +94,27 @@ int OMPKHandshakeResponse::decode()
       pos += auth_response_len;
     } else {
       //string[NUL]    auth-response
-      auth_response_ = ObString::make_string(pos);
-      pos += strlen(pos) + 1;
+      int64_t len = strnlen(pos, end - pos);
+      auth_response_ = ObString(0, len, const_cast<char *>(pos));
+      pos += len + 1;
     }
   }
 
   // get database name
   if (OB_SUCC(ret) && pos < end) {
     if (capability_.cap_flags_.OB_CLIENT_CONNECT_WITH_DB) {
-      database_ = ObString::make_string(pos);
-      pos += strlen(pos) + 1;
+      int64_t len = strnlen(pos, end - pos);
+      database_ = ObString(0, len, const_cast<char *>(pos));
+      pos += len + 1;
     }
   }
 
   // get auth plugin name
   if (OB_SUCC(ret) && pos < end) {
     if (capability_.cap_flags_.OB_CLIENT_PLUGIN_AUTH) {
-      auth_plugin_name_ = ObString::make_string(pos);
-      pos += strlen(pos) + 1;
+      int64_t len = strnlen(pos, end - pos);
+      auth_plugin_name_ = ObString(0, len, const_cast<char *>(pos));
+      pos += len + 1;
     }
   }
 
diff --git a/tools/deploy/mysql_test/test_suite/column_store/r/mysql/basic_column_group_syntax.result b/tools/deploy/mysql_test/test_suite/column_store/r/mysql/basic_column_group_syntax.result
@@ -1,7 +1,7 @@
-create table tt1(a int, b int, c int, primary key(a)) with column group (all columns, each column);
-create index idx_tt1 on tt1(b);
-create table tt2(d int, e int);
-alter table tt1 modify column c varchar(20);
-alter table tt1 drop column c;
-drop table tt1;
-drop table tt2;
+create table cg_tt1(a int, b int, c int, primary key(a)) with column group (all columns, each column);
+create index idx_cg_tt1 on cg_tt1(b);
+create table cg_tt2(d int, e int);
+alter table cg_tt1 modify column c varchar(20);
+alter table cg_tt1 drop column c;
+drop table cg_tt1;
+drop table cg_tt2;
diff --git a/tools/deploy/mysql_test/test_suite/column_store/t/basic_column_group_syntax.test b/tools/deploy/mysql_test/test_suite/column_store/t/basic_column_group_syntax.test
@@ -8,50 +8,50 @@ connection sys_conn;
 --disable_query_log
 --disable_warnings
 set @@recyclebin = off;
-drop table if exists tt1;
-drop table if exists tt2;
+drop table if exists cg_tt1;
+drop table if exists cg_tt2;
 --enable_warnings
 --enable_query_log
 
-create table tt1(a int, b int, c int, primary key(a)) with column group (all columns, each column);
-create index idx_tt1 on tt1(b);
-create table tt2(d int, e int);
-alter table tt1 modify column c varchar(20);
-alter table tt1 drop column c;
+create table cg_tt1(a int, b int, c int, primary key(a)) with column group (all columns, each column);
+create index idx_cg_tt1 on cg_tt1(b);
+create table cg_tt2(d int, e int);
+alter table cg_tt1 modify column c varchar(20);
+alter table cg_tt1 drop column c;
 
-let $tt1_table_id= query_get_value(select table_id from __all_virtual_table where table_name='tt1', table_id, 1);
-let $tt2_table_id= query_get_value(select table_id from __all_virtual_table where table_name='tt2', table_id, 1);
+let $cg_tt1_table_id= query_get_value(select table_id from __all_virtual_table where table_name='cg_tt1', table_id, 1);
+let $cg_tt2_table_id= query_get_value(select table_id from __all_virtual_table where table_name='cg_tt2', table_id, 1);
 
-## In tt1 table schema, there exists 4 column_group: __cg_default, __cg_all, __cg_a, __cg_b
-let $tt1_cg_cnt = query_get_value(select count(*) as cg_cnt from __all_column_group where table_id=$tt1_table_id, cg_cnt, 1);
-if ($tt1_cg_cnt != 5)
+## In cg_tt1 table schema, there exists 4 column_group: __cg_default, __cg_all, __cg_a, __cg_b
+let $cg_tt1_cg_cnt = query_get_value(select count(*) as cg_cnt from __all_column_group where table_id=$cg_tt1_table_id, cg_cnt, 1);
+if ($cg_tt1_cg_cnt != 5)
 {
-    --echo unexpected column_group count of table tt1, real value is $tt1_cg_cnt
+    --echo unexpected column_group count of table cg_tt1, real value is $cg_tt1_cg_cnt
 }
-## tt1 default_type column_group will have none column_id mapping, cuz it has all_type & each_type column_group
-let $tt1_default_cg_id = query_get_value(select column_group_id from __all_column_group where table_id=$tt1_table_id and column_group_name='__co_default', column_group_id, 1);
-let $tt1_column_id_cnt = query_get_value(select count(*) as mapping_cnt from __all_column_group_mapping where table_id=$tt1_table_id and column_group_id=$tt1_default_cg_id, mapping_cnt, 1);
-if ($tt1_column_id_cnt != 0)
+## cg_tt1 default_type column_group will have none column_id mapping, cuz it has all_type & each_type column_group
+let $cg_tt1_default_cg_id = query_get_value(select column_group_id from __all_column_group where table_id=$cg_tt1_table_id and column_group_name='__co_default', column_group_id, 1);
+let $cg_tt1_column_id_cnt = query_get_value(select count(*) as mapping_cnt from __all_column_group_mapping where table_id=$cg_tt1_table_id and column_group_id=$cg_tt1_default_cg_id, mapping_cnt, 1);
+if ($cg_tt1_column_id_cnt != 0)
 {
-    --echo unexpected column_group mapping count of table tt1, real value is $tt1_column_id_cnt;
+    --echo unexpected column_group mapping count of table cg_tt1, real value is $cg_tt1_column_id_cnt;
 }
 
-## In tt2 table schema, there exists only 1 column_group: __co_default
-let $tt2_cg_cnt = query_get_value(select count(*) as cg_cnt from __all_column_group where table_id=$tt2_table_id, cg_cnt, 1);
-if ($tt2_cg_cnt != 1)
+## In cg_tt2 table schema, there exists only 1 column_group: __co_default
+let $cg_tt2_cg_cnt = query_get_value(select count(*) as cg_cnt from __all_column_group where table_id=$cg_tt2_table_id, cg_cnt, 1);
+if ($cg_tt2_cg_cnt != 1)
 {
-    --echo unexpected column_group count of table tt2, real value is $tt2_cg_cnt
+    --echo unexpected column_group count of table cg_tt2, real value is $cg_tt2_cg_cnt
 }
-## tt2 default_type column_group will have 3 column_id mapping, include d, e, pk_increment
-let $tt2_default_cg_id = query_get_value(select column_group_id from __all_column_group where table_id=$tt2_table_id and column_group_name='__co_default', column_group_id, 1);
-let $tt2_column_id_cnt = query_get_value(select count(*) as mapping_cnt from __all_column_group_mapping where table_id=$tt2_table_id and column_group_id=$tt2_default_cg_id, mapping_cnt, 1);
-if ($tt2_column_id_cnt != 3)
+## cg_tt2 default_type column_group will have 3 column_id mapping, include d, e, pk_increment
+let $cg_tt2_default_cg_id = query_get_value(select column_group_id from __all_column_group where table_id=$cg_tt2_table_id and column_group_name='__co_default', column_group_id, 1);
+let $cg_tt2_column_id_cnt = query_get_value(select count(*) as mapping_cnt from __all_column_group_mapping where table_id=$cg_tt2_table_id and column_group_id=$cg_tt2_default_cg_id, mapping_cnt, 1);
+if ($cg_tt2_column_id_cnt != 3)
 {
-    --echo unexpected column_group mapping count of table tt2, real value is $tt2_column_id_cnt
+    --echo unexpected column_group mapping count of table cg_tt2, real value is $cg_tt2_column_id_cnt
 }
 
-drop table tt1;
-drop table tt2;
+drop table cg_tt1;
+drop table cg_tt2;
 
 --disable_query_log
 set @@recyclebin = on;
diff --git a/tools/deploy/mysql_test/test_suite/merge_uncommitted/t/commit_after_minor_merge.test b/tools/deploy/mysql_test/test_suite/merge_uncommitted/t/commit_after_minor_merge.test
@@ -6,6 +6,7 @@
 set @@session.explicit_defaults_for_timestamp=off;
 --enable_query_log
 
+--source mysql_test/include/wait_daily_merge.inc
 connect (conn0,$OBMYSQL_MS0,admin,$OBMYSQL_PWD,oceanbase,$OBMYSQL_PORT);
 
 let $__timeout_def__ = 60 * 1000 * 1000;
