Client should reject CLIENT-only error codes sent by the server

Per @vuvova in #223 (comment): > I don't think the client should accept client-side errors from the server > at all. If the server sends an error packet with error codes in the ranges `CR_{MIN,MAX}_ERROR` (codes [2000, 2999]) or `CER_{MIN,MAX}_ERROR` (codes [5000, 5999]), we will replace these with `CR_MALFORMED_PACKET`, rather than propagating them to the client user.
mariadb-corporation · Dec 13, 2023 · f5f8032 · f5f8032
1 parent c2b322d
commit f5f8032
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/libmariadb/mariadb_lib.c b/libmariadb/mariadb_lib.c
@@ -241,6 +241,17 @@ ma_net_safe_read(MYSQL *mysql)
         }
         goto restart;
       }
+      if (last_errno >= CR_MIN_ERROR && last_errno <= CR_MAX_ERROR ||
+          last_errno >= CER_MIN_ERROR && last_errno <= CER_MAX_ERROR)
+      {
+        /* The server appears to have sent an error code within the
+         * range(s) of error codes that should only be generated
+         * client-side.
+         */
+        my_set_error(mysql, CR_MALFORMED_PACKET, SQLSTATE_UNKNOWN, 0);
+      }
+      else
+      {
         net->last_errno= last_errno;
         if (pos[0]== '#')
         {
@@ -254,6 +265,7 @@ ma_net_safe_read(MYSQL *mysql)
         ma_strmake(net->last_error,(char*) pos,
                 min(len,sizeof(net->last_error)-1));
       }
+    }
     else
     {
       my_set_error(mysql, CR_UNKNOWN_ERROR, SQLSTATE_UNKNOWN, 0);