]> git.ipfire.org Git - thirdparty/haproxy.git/commitdiff
BUG/MEDIUM: lua: fix a segfault in txn:done() if called twice
authorWilly Tarreau <w@1wt.eu>
Fri, 28 Aug 2015 08:06:15 +0000 (10:06 +0200)
committerWilly Tarreau <w@1wt.eu>
Fri, 28 Aug 2015 08:28:24 +0000 (10:28 +0200)
When called from an http ruleset, txn:done() can still crash the process
because it closes the stream without consuming pending data resulting in
the transaction's buffer representation to differ from the real buffer.

This patch also adjusts the transaction's state to indicate that it's
closed to be consistent with what's already done in redirect rules.

src/hlua.c

index ffcfb836a870ebeec082050f6395a4da9e3ca8b3..aa23696c1b5d18a1d2c1177dba010c96f6681f4a 100644 (file)
@@ -3655,6 +3655,28 @@ __LJMP static int hlua_txn_done(lua_State *L)
        ic = &htxn->s->req;
        oc = &htxn->s->res;
 
+       if (htxn->s->txn) {
+               /* HTTP mode, let's stay in sync with the stream */
+               bi_fast_delete(ic->buf, htxn->s->txn->req.sov);
+               htxn->s->txn->req.next -= htxn->s->txn->req.sov;
+               htxn->s->txn->req.sov = 0;
+               ic->analysers &= AN_REQ_HTTP_XFER_BODY;
+               oc->analysers = AN_RES_HTTP_XFER_BODY;
+               htxn->s->txn->req.msg_state = HTTP_MSG_CLOSED;
+               htxn->s->txn->rsp.msg_state = HTTP_MSG_DONE;
+
+               /* Trim any possible response */
+               oc->buf->i = 0;
+               htxn->s->txn->rsp.next = htxn->s->txn->rsp.sov = 0;
+
+               /* Note that if we want to support keep-alive, we need
+                * to bypass the close/shutr_now calls below, but that
+                * may only be done if the HTTP request was already
+                * processed and the connection header is known (ie
+                * not during TCP rules).
+                */
+       }
+
        channel_auto_read(ic);
        channel_abort(ic);
        channel_auto_close(ic);