ProxySQL pre-auth heap overflow in MySQL and PostgreSQL first-packet handling

A remote unauthenticated attacker sends a crafted first packet to a ProxySQL frontend listener (e.g., MySQL port 6033 or PostgreSQL port 6133) that declares an oversized packet length in the protocol header. ProxySQL passes that attacker-controlled length directly to `recv()` [ref_id=1], writing past the fixed 32768-byte input queue. The bug is reachable before any authentication or protocol validation occurs, making it a pre-authentication heap buffer overflow [CWE-122]. The advisory [ref_id=1] provides ASAN proof demonstrating heap-buffer-overflow with WRITE sizes of 65532 bytes (MySQL) and 99999 bytes (PostgreSQL).

The vulnerable code resides in `MySQL_Data_Stream::read_from_net()` at `lib/mysql_data_stream.cpp:653-665` and in `PgSQL_Data_Stream::read_from_net()` at `lib/PgSQL_Data_Stream.cpp:517-534`. Both paths read a fixed-size input queue (`QUEUE_T_DEFAULT_SIZE` of 32768 bytes) but use an attacker-controlled packet length directly as the size argument to a second `recv()` call without bound checking. Advisory [ref_id=1] confirms these exact code locations and the 32 KB queue size.

Version 3.0.9 patches the issue by ensuring the protocol header length is validated before it is used as a `recv()` size [ref_id=1]. The advisory recommends three corrective actions: first-read only the protocol header, validate the declared packet length against `max_allowed_packet` limits, and never call `recv()` with a length exceeding the remaining capacity of the fixed queue. A prior partial fix (commit 9cc20a8) only added a PROXY-protocol prefix check but did not address the general unbounded `recv()` path for ordinary MySQL or PostgreSQL first packets.