From: William Lallemand
Date: Thu, 30 Sep 2021 08:07:57 +0000 (+0200)
Subject: BUG/MEDIUM: httpclient/lua: crash because of b_xfer and get_trash_chunk()
X-Git-Tag: v2.5-dev9~116
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4d601848871c38cca3182ab2edee932eaf1a531e;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: httpclient/lua: crash because of b_xfer and get_trash_chunk()

When using the lua httpclient, haproxy could crash because a b_xfer is done in httpclient_xfer, which will do a zero-copy swap of the data in the buffers. The ptr will then be free()'d by the pool.

However this can't work with a trash buffer, because the area was not allocated from the pool buffer, so the pool is not supposed to free it because it does not know this ptr. Using -DDEBUG_MEMORY_POOLS will result in a crash during the free.

Fix the problem by using b_force_xfer() instead of b_xfer, which copies the data instead.

The problem still exists with the trash however, and the trash API must be reworked.

--- diff --git a/src/http_client.c b/src/http_client.c index 24d8fbe3b9..1eb3cd18a3 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -311,7 +311,7 @@ int httpclient_res_xfer(struct httpclient *hc, struct buffer *dst) { int ret; - ret = b_xfer(dst, &hc->res.buf, MIN(1024, b_data(&hc->res.buf))); + ret = b_force_xfer(dst, &hc->res.buf, MIN(1024, b_data(&hc->res.buf))); /* call the client once we consumed all data */ if (!b_data(&hc->res.buf) && hc->appctx) appctx_wakeup(hc->appctx);
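
Review bot: the replaced call in httpclient_res_xfer() has no comment saying why the copying variant is required, so a later cleanup could switch it back to b_xfer() as an optimization and bring the crash back. Suggest a short comment directly above `ret = b_force_xfer(dst, &hc->res.buf, MIN(1024, b_data(&hc->res.buf)));` stating that dst may be a trash chunk whose area was not allocated from the buffer pool, so a zero-copy swap must not happen on this path. Since the commit message says the trash API still has to be reworked, a TODO at the same spot would keep that follow-up visible in the code rather than only in the log.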