MDEV-38431: [10.6] Fix COM_CHANGE_USER for long passwords #4534
Open: rophy wants to merge 8 commits into MariaDB:10.6 from rophy:fix/MDEV-38431-2
+198
−5
When password >= 251 bytes, LENENC uses 3-byte prefix (0xFC + 2 bytes), but the old code assumed 1-byte prefix with 'db + passwd_len + 1'. Fix: use 'passwd + passwd_len' since passwd has already been advanced past the length prefix by safe_net_field_length_ll().
Add regression test for auth switch with long password bug. The test verifies that connecting with passwords >= 251 bytes (which triggers 3-byte LENENC encoding) correctly preserves the database name during authentication plugin switching. Test cases:
- Short password baseline (7 bytes)
- Long password (260 bytes) - triggers 3-byte LENENC
- Very long password (500 bytes)
Use double quotes instead of single quotes for password arguments in --exec commands to work on both Unix and Windows platforms.
Add tests for mysql_change_user() with database parameter:
- Test 4: Short password - verifies basic COM_CHANGE_USER works
- Test 5: Long password (260 bytes) - verifies LENENC encoding path
Test 5 explains why 260-byte password works with auth switching. Test 6 (disabled) documents the libmariadb 255-byte limit that would crash in debug builds or return ERROR 2027 in release builds.
Add CLIENT_PLUGIN_AUTH_LENENC_CLIENT_DATA support to parse_com_change_user_packet() to allow passwords longer than 255 bytes in COM_CHANGE_USER packets. Previously, parse_com_change_user_packet() only supported single-byte length encoding (max 255 bytes), while parse_client_handshake_packet() supported LENENC. This change mirrors the fix in libmariadb's send_change_user_packet() and enables Test 6 which verifies COM_CHANGE_USER with 260-byte passwords without auth switching.
The comment was incorrect - the plugin is installed by the test itself with INSTALL PLUGIN IF NOT EXISTS, not preloaded by MTR.
…NECTION When CLIENT_SECURE_CONNECTION is not set, the password is null-terminated and the passwd pointer is not incremented, so we need +1 to skip past the null terminator when calculating the db pointer.
gkodinov (Member) requested changes on Jan 13, 2026 and left a comment:
Please use https://jira.mariadb.org/browse/MDEV-38550 instead of the original one.
Author: Will continue working on this after #4509 got merged.
Labels
External Contribution
All PRs from entities outside of MariaDB Foundation, Corporation, Codership agreements.
Follow up of #4509, which focuses on auth switch. This PR focuses on COM_CHANGE_USER.
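
The offset error described in the first commit message, as an added example that is not code from this PR or from the MariaDB server: a length-encoded (LENENC) password field followed by the database name, located once from the decoded pointer and once under the 1-byte-prefix assumption. The function names and the simplified field layout are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode a length-encoded integer at *pos, advance *pos; -1 if truncated/invalid. */
static int lenenc_read(const uint8_t **pos, const uint8_t *end, uint64_t *out)
{
    const uint8_t *p = *pos;
    size_t n, i;
    if (p >= end) return -1;
    if (*p < 251) { *out = *p; *pos = p + 1; return 0; }
    if (*p == 0xFC) n = 2;
    else if (*p == 0xFD) n = 3;
    else if (*p == 0xFE) n = 8;
    else return -1;                      /* 0xFB and 0xFF are not lengths */
    if ((size_t)(end - p) < 1 + n) return -1;
    for (*out = 0, i = 0; i < n; i++)
        *out |= (uint64_t)p[1 + i] << (8 * i);   /* little-endian */
    *pos = p + 1 + n;
    return 0;
}
/* Offset of the db name, taken from where the decoder left the pointer. */
static long db_offset_lenenc(const uint8_t *field, const uint8_t *end)
{
    const uint8_t *passwd = field;
    uint64_t passwd_len;
    if (lenenc_read(&passwd, end, &passwd_len) != 0) return -1;
    if (passwd_len > (uint64_t)(end - passwd)) return -1;  /* bounds check */
    return (long)(passwd - field) + (long)passwd_len;
}
/* The same offset under the assumption that the prefix is always 1 byte. */
static long db_offset_one_byte_prefix(size_t passwd_len) { return 1 + (long)passwd_len; }
/* Constructed sample: [length prefix][passwd_len x 'x'][db + NUL], len < 65536. */
static size_t build_field(uint8_t *buf, size_t passwd_len, const char *db)
{
    size_t o = 0;
    if (passwd_len < 251) buf[o++] = (uint8_t)passwd_len;
    else { buf[o++] = 0xFC; buf[o++] = (uint8_t)(passwd_len & 0xFF); buf[o++] = (uint8_t)(passwd_len >> 8); }
    memset(buf + o, 'x', passwd_len);
    strcpy((char *)buf + o + passwd_len, db);
    return o + passwd_len + strlen(db) + 1;
}
int main(void)
{
    uint8_t buf[600];
    size_t n = build_field(buf, 260, "testdb");
    printf("lenenc: %ld, 1-byte assumption: %ld\n", db_offset_lenenc(buf, buf + n), db_offset_one_byte_prefix(260));
    return 0;
}
```

For the 260-byte password the two offsets differ by two bytes, so the 1-byte assumption lands inside the password instead of on the database name; for the 7-byte baseline they agree.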