BUG/MEDIUM: httpclient/lua: crash because of b_xfer and get_trash_chunk()

When using the lua httpclient, haproxy could crash because a b_xfer is
done in httpclient_xfer, which will do a zero-copy swap of the data in
the buffers. The ptr will then be free() by the pool.

However this can't work with a trash buffer, because the area was not
allocated from the pool buffer, so the pool is not suppose to free it
because it does not know this ptr, using -DDEBUG_MEMORY_POOLS will
result with a crash during the free.

Fix the problem by using b_force_xfer() instead of b_xfer which copy
the data instead. The problem still exist with the trash however, and
the trash API must be reworked.

diff --git a/src/http_client.c b/src/http_client.c
index 24d8fbe3b92dbd04e1f7df07506005d1b2b56d3a..1eb3cd18a3d4d641ce91bb5483568a88da6ed992 100644 (file)
--- a/src/http_client.c
+++ b/src/http_client.c
@@ -311,7 +311,7 @@ int httpclient_res_xfer(struct httpclient *hc, struct buffer *dst)
 {
        int ret;
 
-       ret = b_xfer(dst, &hc->res.buf, MIN(1024, b_data(&hc->res.buf)));
+       ret = b_force_xfer(dst, &hc->res.buf, MIN(1024, b_data(&hc->res.buf)));
        /* call the client once we consumed all data */
        if (!b_data(&hc->res.buf) && hc->appctx)
                appctx_wakeup(hc->appctx);