When the username and password are too long, it can cause a panic error in ping method.

[pengdaCN]

Issue description

When the username is operated with a length of 4096 bits, it will definitely cause a panic error. The password has not been verified yet.

Example code

package main

import (
	"database/sql"
	"fmt"
	_ "github.com/go-sql-driver/mysql"
	"strings"
	"testing"
)

func main() {
	connStr := fmt.Sprintf("%s:%s@tcp(%s)/?timeout=%ds", strings.Repeat(`mysql`, 5000), `password`, `10.4.7.7:3306`, 3)
	db, err := sql.Open("mysql", connStr)
	if err != nil {
		panic(err)
	}

	err = db.Ping()
	if err != nil {
		panic(err)
	}
}

Error log

panic: runtime error: slice bounds out of range [:25080] with capacity 4096 [recovered]
	panic: runtime error: slice bounds out of range [:25080] with capacity 4096

Configuration

Driver version (or git SHA):
1.7

Go version: run go version in your console
go version go1.21.0 linux/amd64

Server version: E.g. MySQL 5.6, MariaDB 10.0.20
mariadb
Server OS: E.g. Debian 8.1 (Jessie), Windows 10
ubuntu22 wsl

[kratkyzobak]

Same problem here. We are using JWT tokens to authorize against Azure MySQL Flexible Server. Our username and token combined are over 4k for some identities.

Problem is in this part of code

mysql/packets.go

Line 395 in 2f15276

func (mc *mysqlConn) writeAuthSwitchPacket(authData []byte) error {

.

There should be control, if pktLen is really bellow limit for small buffer and if not, use takeBuffer instead.

slice bounds out of range [:4111] with capacity 4096