[debian-mysql] Bug#966633: libmariadb3: In Perl, doing a ping() after a disconnect() causes a segfault using DBD::mysql

Dianne Skoll dianne at skoll.ca
Fri Jul 31 20:37:40 BST 2020


Package: libmariadb3
Version: 1:10.3.22-0+deb10u1
Severity: important
Tags: patch

Hi,

The issue is described at https://github.com/perl5-dbi/DBD-mysql/issues/306
The following Perl script segfaults quite regularly:

use Test::More;
use DBI;

my $dbname = 'mysql';
my $user = 'user';
my $password = 'password';
chomp $password;
my $dbh = DBI->connect("dbi:mysql:$dbname;host=localhost",$user, $password,
    { mysql_auto_reconnect => 0 });
$dbh->disconnect();
ok( ! $dbh->ping(), 'dbh is disconnected and did not segv');

done_testing();

The problem is that mysql_close frees a couple of objects, but does not
set the pointer to those objects to NULL.  The ping() call references
freed memory and behavior is undefined.

The patch below fixes the problem.

Regards,

Dianne.

===================================================================
--- mariadb-10.3-10.3.22.orig/libmariadb/libmariadb/mariadb_lib.c
+++ mariadb-10.3-10.3.22/libmariadb/libmariadb/mariadb_lib.c
@@ -2000,6 +2000,8 @@ mysql_close(MYSQL *mysql)
     if (mysql->extension)
       free(mysql->extension);
 
+    mysql->net.extension = NULL;
+    mysql->extension = NULL;
     mysql->net.pvio= 0;
     if (mysql->free_me)
       free(mysql);
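Review bot: the two NULL assignments sit just before `if (mysql->free_me) free(mysql);`, so when `free_me` is set the handle itself is released and a later call on it still reads freed memory; the change only covers handles the caller owns. On that path a later call now sees NULL pointers instead of dangling ones, which helps only if the functions reached after close check `mysql->extension` and `mysql->net.extension` before dereferencing them; please confirm they do, or add the check. Consider placing each assignment directly after its matching `free()` (for example `mysql->extension = NULL;` right after `free(mysql->extension);`) so the pairing stays obvious; the free of `mysql->net.extension` is not visible in this hunk.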
===================================================================


-- System Information:
Debian Release: 10.4
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.7.11 (SMP w/12 CPU cores)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE=C (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Init: systemd (via /run/systemd/system)
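
The lifetime rule described in the report, as an added example that is not part of the original message and is not libmariadb code: a close routine clears each pointer it frees, and a later ping checks for NULL instead of touching freed memory. `struct conn`, `struct ext` and the `conn_*` functions are hypothetical stand-ins, and the NULL check in the ping is an assumption about how a caller-side guard could look.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for a client handle; not libmariadb's structs. */
struct ext { int server_status; };
struct conn {
    struct ext *extension;      /* per-connection state, heap allocated */
    struct ext *net_extension;  /* network-layer state, heap allocated */
};

struct conn *conn_open(void)
{
    struct conn *c = calloc(1, sizeof *c);
    if (!c)
        return NULL;
    c->extension = calloc(1, sizeof *c->extension);
    c->net_extension = calloc(1, sizeof *c->net_extension);
    if (!c->extension || !c->net_extension) {
        free(c->extension);
        free(c->net_extension);
        free(c);
        return NULL;
    }
    return c;
}

/* Release the sub-objects but keep the caller-owned handle. Clearing each
 * pointer right after free() leaves nothing dangling, and makes a second
 * close a no-op because free(NULL) is defined to do nothing. */
void conn_close(struct conn *c)
{
    if (!c)
        return;
    free(c->net_extension);
    c->net_extension = NULL;
    free(c->extension);
    c->extension = NULL;
}

/* Returns 0 for a live connection, -1 for a closed or missing one.
 * The NULL tests are what turn "ping after close" into a clean error. */
int conn_ping(const struct conn *c)
{
    if (!c || !c->extension || !c->net_extension)
        return -1;
    return c->extension->server_status == 0 ? 0 : -1;
}

/* Final teardown for a handle the caller allocated through conn_open(). */
void conn_free(struct conn *c) { conn_close(c); free(c); }
```

Building this with `-fsanitize=address` and removing the two `= NULL` lines is a quick way to see the same pattern reported as a heap-use-after-free on the second close.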


