From e75bb3d7d660a842b7bde343c96c3128d98f3ece Mon Sep 17 00:00:00 2001 From: Jiping Yin Date: Thu, 11 Jun 2026 22:18:26 +0800 Subject: [PATCH] fix(ebpf): relax MySQL split header length check When MySQL packet header is read separately, prev_count == 4 means the 4-byte MySQL header has already been cached and the current buffer starts from the payload. The packet payload length in the MySQL header does not necessarily equal the current syscall read/write length. Requiring len == count may cause valid split packets to skip MySQL inference. Remove this strict check and always parse seq from the cached header and command bytes from the current payload buffer in the prev_count == 4 path. The later full packet length validation is still kept for initial protocol confirmation. --- .../ebpf/kernel/include/protocol_inference.h | 21 ++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/agent/src/ebpf/kernel/include/protocol_inference.h b/agent/src/ebpf/kernel/include/protocol_inference.h index b9042d6952d..ee52e2aeb2c 100644 --- a/agent/src/ebpf/kernel/include/protocol_inference.h +++ b/agent/src/ebpf/kernel/include/protocol_inference.h @@ -768,18 +768,25 @@ static __inline enum message_type infer_mysql_message(const char *buf, if (conn_info->prev_count == 4) { len = *(__u32 *) conn_info->prev_buf & 0x00ffffff; - if (len == count) { - seq = conn_info->prev_buf[3]; - count += 4; - com = buf[0]; - point_1 = buf[2]; - point_2 = buf[4]; - } + seq = conn_info->prev_buf[3]; + count += 4; + com = buf[0]; + point_1 = buf[2]; + point_2 = buf[4]; } if (count < 5 || len == 0) return MSG_UNKNOWN; + /* + * To prevent stale data from a previous map value remaining in + * the unused portion of `__infer_buf->data` when the current + * syscall provides fewer than 9 bytes of actual data. + */ + if (count < 9) { + point_1 = point_2 = 0; + } + bool is_mysqld = is_current_comm("mysqld"); if (is_socket_info_valid(conn_info->socket_info_ptr)) { /*