Commit 7c0cc09

fix(ebpf): relax MySQL split header length check (#11794)
When the MySQL packet header is read separately, prev_count == 4 means the 4-byte MySQL header has already been cached and the current buffer starts from the payload. The packet payload length in the MySQL header does not necessarily equal the current syscall read/write length. Requiring len == count may cause valid split packets to skip MySQL inference.

Remove this strict check and always parse seq from the cached header and command bytes from the current payload buffer in the prev_count == 4 path. The later full packet length validation is still kept for initial protocol confirmation.
1 parent 579c1c9 commit 7c0cc09

1 file changed

Lines changed: 14 additions & 7 deletions

agent/src/ebpf/kernel/include/protocol_inference.h

@@ -768,18 +768,25 @@ static __inline enum message_type infer_mysql_message(const char *buf,
768768

769769
if (conn_info->prev_count == 4) {
770770
len = *(__u32 *) conn_info->prev_buf & 0x00ffffff;
771-
if (len == count) {
772-
seq = conn_info->prev_buf[3];
773-
count += 4;
774-
com = buf[0];
775-
point_1 = buf[2];
776-
point_2 = buf[4];
777-
}
771+
seq = conn_info->prev_buf[3];
772+
count += 4;
773+
com = buf[0];
774+
point_1 = buf[2];
775+
point_2 = buf[4];
778776
}
779777

780778
if (count < 5 || len == 0)
781779
return MSG_UNKNOWN;
782780

781+
/*
782+
* To prevent stale data from a previous map value remaining in
783+
* the unused portion of `__infer_buf->data` when the current
784+
* syscall provides fewer than 9 bytes of actual data.
785+
*/
786+
if (count < 9) {
787+
point_1 = point_2 = 0;
788+
}
789+
783790
bool is_mysqld = is_current_comm("mysqld");
784791
if (is_socket_info_valid(conn_info->socket_info_ptr)) {
785792
/*
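
Review bot: the new `if (count < 9)` guard is evaluated after `count += 4` in the `prev_count == 4` branch, so in that path it fires when the current buffer holds fewer than 5 bytes, while its comment speaks of the current syscall providing fewer than 9 bytes. Please reword the comment to state that `count` at this point already includes the 4 cached header bytes, and turn it into a full sentence ("Zero point_1/point_2 so that ..."). In the same branch `point_1 = buf[2]` is backed by real payload data once `count` is 7 or 8, yet it is zeroed together with `point_2`; if that is intended, say so in the comment, otherwise clear only `point_2` for that range.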
