BUG/MEDIUM: lua: segfault when calling haproxy sample fetches from lua

When a Lua script calls an internal haproxy sample fetch, it may segfault in
some conditions :
- when a fetch has no argument,
- when there is no room left to store the special type ARGT_STOP in the argument
  list (this one shouldn't happen currently as there isn't any sample fetch with
  enough arguments to fill the allocated buffer).

Example of Lua code which reproduces a segfault :
core.register_fetches("segfault", function(txn, ...)
  return txn.req_ver(txn)
end)

diff --git a/src/hlua.c b/src/hlua.c
index 51e149e71087aea56cb283360dea959c6e930bfd..35253fa1401b81961c948124afed5c926f5d31ff 100644 (file)
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -2348,15 +2348,15 @@ __LJMP static int hlua_txn_close(lua_State *L)
 
 /* This function is an LUA binding. It is called with each sample-fetch.
  * It uses closure argument to store the associated sample-fetch. It
- * returns only one argument or throws an error. An error is throwed
- * only if an error is encoutered during the argument parsing. If
+ * returns only one argument or throws an error. An error is thrown
+ * only if an error is encountered during the argument parsing. If
  * the "sample-fetch" function fails, nil is returned.
  */
 __LJMP static int hlua_run_sample_fetch(lua_State *L)
 {
        struct hlua_txn *s;
        struct hlua_sample_fetch *f;
-       struct arg args[ARGM_NBARGS];
+       struct arg args[ARGM_NBARGS + 1];
        int i;
        struct sample smp;
 
@@ -2367,7 +2367,7 @@ __LJMP static int hlua_run_sample_fetch(lua_State *L)
        s = MAY_LJMP(hlua_checktxn(L, 1));
 
        /* Get extra arguments. */
-       for (i = 0; i <= lua_gettop(L); i++) {
+       for (i = 0; i < lua_gettop(L) - 1; i++) {
                if (i >= ARGM_NBARGS)
                        break;
                hlua_lua2arg(L, i + 2, &args[i]);
@@ -2377,8 +2377,8 @@ __LJMP static int hlua_run_sample_fetch(lua_State *L)
        /* Check arguments. */
        MAY_LJMP(hlua_lua2arg_check(L, 1, args, f->f->arg_mask));
 
-       /* Run the special args cehcker. */
-       if (!f->f->val_args(args, NULL)) {
+       /* Run the special args checker. */
+       if (f->f->val_args && !f->f->val_args(args, NULL)) {
                lua_pushfstring(L, "error in arguments");
                WILL_LJMP(lua_error(L));
        }