--TEST--
GHSA-h35g-vwh6-m678 (mysqlnd leaks partial content of the heap - auth message buffer over-read)
--EXTENSIONS--
mysqli
--FILE--
<?php
// Regression test for GHSA-h35g-vwh6-m678. The fake server answers the client's
// authentication with an OK packet whose message length runs past the end of the
// packet. The client must reject that packet rather than read beyond the bytes
// it received (the advisory title describes the result as a heap content leak).
require_once 'fake_server.inc';

// Connection parameters for the local fake server; the password is empty.
$host = '127.0.0.1';
$user = 'root';
$pass = '';

// Start the scripted server scenario that emits the malformed OK packet.
$fakeServer = run_fake_server_in_background('auth_response_message_over_read');
// presumably blocks until the server is listening; helper lives in fake_server.inc
$fakeServer->wait();

try {
    $link = new mysqli($host, $user, $pass, '', $fakeServer->getPort());
    // Not expected to run: --EXPECTF-- contains no var_dump output, so the
    // constructor must fail first. Anything printed here would be the info
    // string the client took from the server's OK packet.
    var_dump(mysqli_info($link));
} catch (Exception $exception) {
    // The connection failure is the expected outcome; its message is pinned below.
    echo $exception->getMessage(), PHP_EOL;
}

// Stop the background server before the final marker is printed.
$fakeServer->terminate();

echo 'done!';
?>
--EXPECTF--
[*] Server started on 127.0.0.1:%d
[*] Connection established
[*] Sending - Server Greeting: 580000000a352e352e352d31302e352e31382d4d6172696144420003000000473e3f6047257c6700fef7080200ff81150000000000000f0000006c6b55463f49335f686c6431006d7973716c5f6e61746976655f70617373776f7264
[*] Received: 6900000185a21a00000000c0080000000000000000000000000000000000000000000000726f6f7400006d7973716c5f6e61746976655f70617373776f7264002c0c5f636c69656e745f6e616d65076d7973716c6e640c5f7365727665725f686f7374093132372e302e302e31
[*] Sending - Malicious OK Auth Response [Extract heap through buffer over-read]: 0900000200000002000000fcff

Warning: mysqli::__construct(): OK packet message length is past the packet size in %s on line %d
Unknown error while trying to connect via tcp://127.0.0.1:%d
done!