Tightens MysqlxSession::is_frame_allowed: a backend frame outside the
per-state allowed set now closes the session with X-Protocol Error 4006
("Backend sent an unexpected message in the current response state")
instead of being forwarded blindly to the client. This guards against
a buggy or hostile backend pushing a frame whose shape the client cannot
parse, which would silently desync the wire and (in the worst case)
amplify a backend protocol bug into a client-side fault.
Adds a new private sub-state field MysqlxSession::seen_column_metadata_
that gates RESULTSET_ROW frames in the four response states where the
X-Protocol requires ColumnMetaData to precede any Row:
- RESP_WAITING_STMT_EXECUTE
- RESP_WAITING_CRUD
- RESP_WAITING_PREPARE_EXECUTE
- RESP_WAITING_CURSOR_OPEN
The flag is set when ColumnMetaData is forwarded in the validation loop,
cleared at every transition into a state that begins a new column-
metadata sequence (in dispatch_client_message), at terminal-frame flush
in handler_waiting_server_msg, and at init() / reset(). It is
deliberately NOT cleared on transition into RESP_WAITING_CURSOR_FETCH —
per the X-Protocol spec, ColumnMetaData is sent at Cursor::Open and not
re-sent at Cursor::Fetch, so CURSOR_FETCH's allowed-set unconditionally
accepts RESULTSET_ROW. The dispatch handler skips the clear at
CURSOR_FETCH entry to make this carry-across explicit.
The rejection action in handler_waiting_server_msg pops the offending
frame from the backend queue (does not forward), emits a fatal error
frame to the client, marks backend_conn_ non-reusable so
return_backend_to_pool deletes it instead of caching a poisoned
connection, sets healthy=false and status_=X_SESSION_CLOSING, and
short-circuits before the bytes_recv accounting (so the disallowed
frame is not double-counted as forwarded traffic).
Tests in mysqlx_message_dispatch_unit-t (20 new assertions across
8 cases) cover:
1. StmtExecute → Row-without-metadata (canonical hostile-backend
case the issue called out): expect Error frame, !healthy,
X_SESSION_CLOSING.
2. StmtExecute → ColumnMetaData → Row → SQL_STMT_EXECUTE_OK: happy
path, terminal flushes seen_column_metadata_.
3. CursorOpen → ColumnMetaData → Row → FETCH_SUSPENDED: terminal,
response_state_ resets, flag cleared at boundary (Cursor::Fetch
does not consult it).
4. CursorOpen → ColumnMetaData → FETCH_DONE: terminal, clean exit.
5. PreparePrepare → SQL_STMT_EXECUTE_OK (allowed-set is OK-only):
expect rejection, X_SESSION_CLOSING.
6. PreparePrepare → OK: happy path.
7. STMT_EXECUTE → ColumnMetaData → NOTICE → Row → SQL_STMT_EXECUTE_OK:
NOTICE is universal-allowed, non-terminal, doesn't consume the
response.
8. CURSOR_FETCH → Row (with seen_column_metadata_=false): forwarded,
NOT rejected (the per-state-pair carve-out for Cursor::Fetch).
Tests use a new setup_session_for_validation helper that drives the
auth flow, attaches a fake backend over a socketpair, parks the
session in WAITING_SERVER_XMSG with the desired response_state_ via
the test-only set_response_state_for_test (gated behind
MYSQLX_TEST_BUILD), and lets the test write synthetic server frames
to the backend half of the pair. Drains pending client-side bytes via
a non-blocking helper so the validation hook's output is unambiguous.
Closes the rejection-side acceptance criterion of #5694. Refs: #5694.
Rene Cannao
2 months ago