BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'

Error in the HTTP parser. The function http_get_path() can
return NULL and this case is not catched in the code. So, we
try to dereference NULL pointer, and a segfault occurs.

These two lines are useful to prevent the bug.

   acl prevent_bug path_beg /
	http-request deny if !prevent_bug

This bug fix should be backported in 1.6 and 1.7

diff --git a/src/hlua.c b/src/hlua.c
index 41f1805d9a135694fc16e83e9df8d002cba5e43a..5383fe9a49b810d1c46d1f59d7e66e3576f7c212 100644 (file)
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -3642,22 +3642,24 @@ static int hlua_applet_http_new(lua_State *L, struct appctx *ctx)
 
        /* Get path and qs */
        path = http_get_path(txn);
-       end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
-       p = path;
-       while (p < end && *p != '?')
-               p++;
+       if (path) {
+               end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
+               p = path;
+               while (p < end && *p != '?')
+                       p++;
 
-       /* Stores the request path. */
-       lua_pushstring(L, "path");
-       lua_pushlstring(L, path, p - path);
-       lua_settable(L, -3);
+               /* Stores the request path. */
+               lua_pushstring(L, "path");
+               lua_pushlstring(L, path, p - path);
+               lua_settable(L, -3);
 
-       /* Stores the query string. */
-       lua_pushstring(L, "qs");
-       if (*p == '?')
-               p++;
-       lua_pushlstring(L, p, end - p);
-       lua_settable(L, -3);
+               /* Stores the query string. */
+               lua_pushstring(L, "qs");
+               if (*p == '?')
+                       p++;
+               lua_pushlstring(L, p, end - p);
+               lua_settable(L, -3);
+       }
 
        /* Stores the request path. */
        lua_pushstring(L, "length");