From: Willy Tarreau Date: Fri, 28 Aug 2015 08:06:15 +0000 (+0200) Subject: BUG/MEDIUM: lua: fix a segfault in txn:done() if called twice X-Git-Tag: v1.6-dev4~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=630ef4585af1544b20bf5708f9fa8f5453e6ad25;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: lua: fix a segfault in txn:done() if called twice When called from an http ruleset, txn:done() can still crash the process because it closes the stream without consuming pending data resulting in the transaction's buffer representation to differ from the real buffer. This patch also adjusts the transaction's state to indicate that it's closed to be consistent with what's already done in redirect rules. --- diff --git a/src/hlua.c b/src/hlua.c index ffcfb836a8..aa23696c1b 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -3655,6 +3655,28 @@ __LJMP static int hlua_txn_done(lua_State *L) ic = &htxn->s->req; oc = &htxn->s->res; + if (htxn->s->txn) { + /* HTTP mode, let's stay in sync with the stream */ + bi_fast_delete(ic->buf, htxn->s->txn->req.sov); + htxn->s->txn->req.next -= htxn->s->txn->req.sov; + htxn->s->txn->req.sov = 0; + ic->analysers &= AN_REQ_HTTP_XFER_BODY; + oc->analysers = AN_RES_HTTP_XFER_BODY; + htxn->s->txn->req.msg_state = HTTP_MSG_CLOSED; + htxn->s->txn->rsp.msg_state = HTTP_MSG_DONE; + + /* Trim any possible response */ + oc->buf->i = 0; + htxn->s->txn->rsp.next = htxn->s->txn->rsp.sov = 0; + + /* Note that if we want to support keep-alive, we need + * to bypass the close/shutr_now calls below, but that + * may only be done if the HTTP request was already + * processed and the connection header is known (ie + * not during TCP rules). + */ + } + channel_auto_read(ic); channel_abort(ic); channel_auto_close(ic);