Bug#21863597 SHOW STATUS LIKE '%SSL%' CRASHING SERVER

Christopher Powers · bjornmu · commit fb1f0abaeb4f · 2015-09-29T06:52:07.000+02:00
The 5.7 implementation of SHOW STATUS exposed a potential crash in the
handling of SSL status variables. The crash occurs because the SSL status
variable callback function, show_ssl_get_server_not_after(), passes a null
ASN1 time pointer to my_asn1_time_to_string().

This callback function and its counterpart, show_ssl_get_server_not_before(),
now check the value of the ASN1 time pointer. If NULL, then the callback
returns an empty string.

(cherry picked from commit 4b3ba08e4cc6067d9f7159c7a31cbbe4b9718b71)
diff --git a/sql/mysqld.cc b/sql/mysqld.cc
@@ -6434,11 +6434,19 @@ show_ssl_get_server_not_before(THD *thd, SHOW_VAR *var, char *buff)
     X509 *cert= SSL_get_certificate(ssl_acceptor);
     ASN1_TIME *not_before= X509_get_notBefore(cert);
 
+    if (not_before == NULL)
+    {
+      var->value= empty_c_string;
+      return 0;
+    }
+
     var->value= my_asn1_time_to_string(not_before, buff,
                                        SHOW_VAR_FUNC_BUFF_SIZE);
-    if (!var->value)
+    if (var->value == NULL)
+    {
+      var->value= empty_c_string;
       return 1;
-    var->value= buff;
+    }
   }
   else
     var->value= empty_c_string;
@@ -6466,10 +6474,19 @@ show_ssl_get_server_not_after(THD *thd, SHOW_VAR *var, char *buff)
     X509 *cert= SSL_get_certificate(ssl_acceptor);
     ASN1_TIME *not_after= X509_get_notAfter(cert);
 
+    if (not_after == NULL)
+    {
+      var->value= empty_c_string;
+      return 0;
+    }
+
     var->value= my_asn1_time_to_string(not_after, buff,
                                        SHOW_VAR_FUNC_BUFF_SIZE);
-    if (!var->value)
+    if (var->value == NULL)
+    {
+      var->value= empty_c_string;
       return 1;
+    }
   }
   else
     var->value= empty_c_string;
