From d3cf1670271645cc6299907e50fb9209a8e13743 Mon Sep 17 00:00:00 2001
From: abmdocrt
Date: Thu, 6 Nov 2025 11:39:49 +0800
Subject: [PATCH] [Fix](mysql) Disable renegotiation during TLS (#57631)
---
 .../org/apache/doris/mysql/MysqlChannel.java | 38 +++++++++++++------
 1 file changed, 26 insertions(+), 12 deletions(-)
diff --git a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java
index da3d251ceb52d2..8dfabfb9b6ec82 100644
--- a/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java
+++ b/fe/fe-core/src/main/java/org/apache/doris/mysql/MysqlChannel.java
@@ -276,6 +276,12 @@ protected void decryptData(ByteBuffer dstBuf, boolean isHeader) throws SSLExcept
 // unwrap will remove ssl header.
 while (true) {
 SSLEngineResult result = sslEngine.unwrap(dstBuf, decryptAppData);
+ if (result.getStatus() == SSLEngineResult.Status.OK
+ && result.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
+ LOG.warn("SSL renegotiation requested by {} is not supported. handshakeStatus={}",
+ remoteHostPortString, result.getHandshakeStatus());
+ throw new SSLException("SSL renegotiation is not supported.");
+ }
 if (handleUnwrapResult(result) && !dstBuf.hasRemaining()) {
 break;
 }
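Review bot: The new guard fires on any handshake status other than NOT_HANDSHAKING after a successful unwrap, which also covers TLS 1.3 post-handshake traffic (NewSessionTicket, KeyUpdate) that the JDK engine surfaces through the same NEED_TASK/NEED_WRAP (and, on some versions, FINISHED) statuses although it is not a renegotiation; if TLS 1.3 is negotiable on this engine, such connections would now be dropped with a misleading "renegotiation" warning. One way to keep the intent is to exempt that protocol, `if (... && !"TLSv1.3".equals(sslEngine.getSession().getProtocol()))`, and an alternative that needs no read-path logic at all is the JVM-wide `jdk.tls.rejectClientInitiatedRenegotiation=true` system property, which makes the engine itself refuse client-initiated renegotiation. The identical guard in the wrap loop of encryptData (third hunk) has the same exposure. I cannot see from the hunk whether decryptData can run before the initial handshake has completed; if it can, the FINISHED result of the last handshake unwrap would also be rejected here. decryptData's body continues past the hunk.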
@@ -339,20 +345,22 @@ public ByteBuffer fetchOnePacket() throws IOException {
 result.limit(result.position() + packetLen);
 readLen = readAll(result, false);
 if (isSslMode && remainingBuffer.position() == 0 && result.hasRemaining()) {
+ int available = result.limit();
+ if (available < PACKET_HEADER_LEN) {
+ LOG.warn("SSL mode: invalid mysql packet header, available bytes: " + available);
+ throw new IOException("Invalid mysql packet header.");
+ }
 byte[] header = result.array();
 int mysqlPacketLength = (header[0] & 0xFF) | ((header[1] & 0xFF) << 8) | ((header[2] & 0xFF) << 16);
- if (result.position() >= 4 && mysqlPacketLength > 0 && mysqlPacketLength
- <= MAX_PHYSICAL_PACKET_LENGTH) {
- int packetId = header[3] & 0xFF;
- if (packetId != sequenceId) {
- LOG.warn("receive packet sequence id[" + packetId + "] want to get[" + sequenceId + "]");
- throw new IOException("Bad packet sequence.");
- }
- } else {
- if (LOG.isDebugEnabled()) {
- LOG.debug("SSL mode: skipping sequence check, packet length: " + mysqlPacketLength
- + ", buffer position: " + result.position());
- }
+ if (mysqlPacketLength > MAX_PHYSICAL_PACKET_LENGTH) {
+ LOG.warn("SSL mode: mysql packet length(" + mysqlPacketLength + ") is larger than max physical "
+ + "packet length(" + MAX_PHYSICAL_PACKET_LENGTH + ")");
+ throw new IOException("Mysql packet too large.");
+ }
+ int packetId = header[3] & 0xFF;
+ if (packetId != sequenceId) {
+ LOG.warn("receive packet sequence id[" + packetId + "] want to get[" + sequenceId + "]");
+ throw new IOException("Bad packet sequence.");
+ }
 }
 // remove mysql packet header
 result.position(4);
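Review bot: `int available = result.limit();` measures the size the buffer was sized for, not what was actually read: the limit was set to `result.position() + packetLen` two lines above, and this branch is entered only when `result.hasRemaining()`, i.e. readAll did not fill it. The guard that was removed, `result.position() >= 4`, keyed on the fill level, so a short read whose limit is at least PACKET_HEADER_LEN now passes the new check and `header[0..3]` are taken from bytes readAll never wrote. If, as the old guard suggests, position counts the bytes present from index 0, the line should be `int available = result.position();`. The old `mysqlPacketLength > 0` condition is also gone, so an empty payload goes straight to the sequence check; confirm that is intended. fetchOnePacket continues outside the hunk.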
@@ -453,6 +461,12 @@ protected ByteBuffer encryptData(ByteBuffer dstBuf) throws SSLException {
 encryptNetData.clear();
 while (true) {
 SSLEngineResult result = sslEngine.wrap(dstBuf, encryptNetData);
+ if (result.getStatus() == SSLEngineResult.Status.OK
+ && result.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
+ LOG.warn("SSL renegotiation requested by {} is not supported while writing. handshakeStatus={}",
+ remoteHostPortString, result.getHandshakeStatus());
+ throw new SSLException("SSL renegotiation is not supported.");
+ }
 if (handleWrapResult(result) && !dstBuf.hasRemaining()) {
 break;
 }
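Review bot: The six added lines duplicate the guard added to the unwrap loop in decryptData, differing only in the log text and in the wrap/unwrap call that precedes them. A private helper such as `private void rejectRenegotiation(SSLEngineResult result, String phase) throws SSLException`, called right after both `sslEngine.unwrap(...)` and `sslEngine.wrap(...)`, would keep the two checks from drifting apart (this copy already says "while writing", the other does not) and gives a single place to refine the condition later. encryptData's body continues past the hunk.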