From: Aurelien DARRAGON <adarragon@haproxy.com>
Date: Tue, 4 Jun 2024 13:15:29 +0000 (+0200)
Subject: BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path
X-Git-Tag: v3.1-dev1~67
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=755c2daf0f88885fd6825c55ae59198726c4905e;p=thirdparty%2Fhaproxy.git

BUG/MINOR: hlua: fix leak in hlua_ckch_set() error path

in hlua_ckch_commit_yield() and hlua_ckch_set(), when an error occurs,
we enter the error path and try to raise an error from the <err> msg
pointer which must be freed afterwards.

However, the fact that luaL_error() never returns was overlooked, because
of that <err> msg is never freed in such case.

To fix the issue, let's use hlua_pushfstring_safe() helper to push the
err on the lua stack and then free it before throwing the error using
lua_error().

It should be backported up to 2.6 with 30fcca18 ("MINOR: ssl/lua:
CertCache.set() allows to update an SSL certificate file")
---

diff --git a/src/hlua.c b/src/hlua.c
index 227d3b60ca..f108c6ed8a 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -13135,8 +13135,9 @@ __LJMP static int hlua_ckch_commit_yield(lua_State *L, int status, lua_KContext
 error:
 	ckch_store_free(new_ckchs);
 	HA_SPIN_UNLOCK(CKCH_LOCK, &ckch_lock);
-	WILL_LJMP(luaL_error(L, "%s", err));
+	hlua_pushfstring_safe(L, "%s", err);
 	free(err);
+	WILL_LJMP(lua_error(L));
 
 	return 0;
 }
@@ -13279,7 +13280,9 @@ end:
 
 	if (errcode & ERR_CODE) {
 		ckch_store_free(new_ckchs);
-		WILL_LJMP(luaL_error(L, "%s", err));
+		hlua_pushfstring_safe(L, "%s", err);
+		free(err);
+		WILL_LJMP(lua_error(L));
 	}
 	free(err);