From 636823622ccc06c62d0cdbcbdb8917f4a7b42e48 Mon Sep 17 00:00:00 2001
From: dmiller
Date: Tue, 29 Nov 2016 22:35:51 +0000
Subject: [PATCH] Fix parsing salt value for mysql. Fixes #596

---
 CHANGELOG | 4 ++++
 nselib/mysql.lua | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/CHANGELOG b/CHANGELOG
index 3a6ceb1a0..c5e0ed9b7 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -1,5 +1,9 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
+ mysql-brute and other scripts due to including a null terminator in the salt
+ value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
+
 o The --open option now implies --defeat-rst-ratelimit. This may result in
 inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
 only in situations where it also speeds up scan times. [Daniel Miller]
diff --git a/nselib/mysql.lua b/nselib/mysql.lua
index 355af1842..b52580a31 100644
--- a/nselib/mysql.lua
+++ b/nselib/mysql.lua
@@ -149,7 +149,7 @@ function receiveGreeting( socket )
 stdnse.debug2("reserved bytes are not nulls")
 end
 if response.capabilities & Capabilities.Support41Auth > 0 then
- pos, tmp = bin.unpack("A" .. math.max(13, auth_plugin_len - 8), data, pos)
+ pos, tmp, _ = bin.unpack("A" .. (math.max(13, auth_plugin_len - 8) - 1) .. "x", data, pos)
 response.salt = response.salt .. tmp
 end
 if response.extcapabilities & ExtCapabilities.SupportsAuthPlugins > 0 then
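Review bot: The rewritten unpack on the `+` line still has no check that `data` holds `math.max(13, auth_plugin_len - 8)` bytes from `pos` onward, so a truncated or malformed greeting can leave `tmp` nil (if bin.unpack returns fewer values on short input, as I believe it does) and the following `response.salt .. tmp` raises a Lua error instead of the function reporting a parse failure; `auth_plugin_len` is read from the server's greeting, so the server controls that length. A guard before the unpack such as `if #data - pos + 1 < math.max(13, auth_plugin_len - 8) then return false, "<placeholder: parse-failure message in this function's convention>" end` would turn that into a clean error return. The `- 1 .. "x"` arithmetic also deserves a why-comment, since the reason the last byte is dropped is not visible from the code: `-- auth-plugin-data-part-2 ends in a NUL terminator that is not part of the scramble: read len-1 bytes, then skip ("x") the terminator`. The `_` third assignment target is presumably a no-op (a skipped "x" byte should push no value), so it could be dropped for clarity. receiveGreeting starts and ends outside the hunk.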