From: Thierry FOURNIER
Date: Wed, 22 Feb 2017 01:06:16 +0000 (+0100)
Subject: BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'
X-Git-Tag: v1.8-dev1~136
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7d388635526cffa79f4a62906f17afa5990f6092;p=thirdparty%2Fhaproxy.git

BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'

Error in the HTTP parser. The function http_get_path() can return NULL and this case is not catched in the code. So, we try to dereference NULL pointer, and a segfault occurs.
These two lines are useful to prevent the bug.
acl prevent_bug path_beg /
http-request deny if !prevent_bug
This bug fix should be backported in 1.6 and 1.7
---
diff --git a/src/hlua.c b/src/hlua.c
index 41f1805d9a..5383fe9a49 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -3642,22 +3642,24 @@ static int hlua_applet_http_new(lua_State *L, struct appctx *ctx)

 /* Get path and qs */
 path = http_get_path(txn);
- end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
- p = path;
- while (p < end && *p != '?')
- p++;
+ if (path) {
+ end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
+ p = path;
+ while (p < end && *p != '?')
+ p++;

- /* Stores the request path. */
- lua_pushstring(L, "path");
- lua_pushlstring(L, path, p - path);
- lua_settable(L, -3);
+ /* Stores the request path. */
+ lua_pushstring(L, "path");
+ lua_pushlstring(L, path, p - path);
+ lua_settable(L, -3);

- /* Stores the query string. */
- lua_pushstring(L, "qs");
- if (*p == '?')
- p++;
- lua_pushlstring(L, p, end - p);
- lua_settable(L, -3);
+ /* Stores the query string. */
+ lua_pushstring(L, "qs");
+ if (*p == '?')
+ p++;
+ lua_pushlstring(L, p, end - p);
+ lua_settable(L, -3);
+ }

 /* Stores the request path. */
 lua_pushstring(L, "length");
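Review bot: When `http_get_path()` returns NULL, the new `if (path)` guard leaves both the `path` and `qs` fields unset in the applet table, so the query string that is present in a request like 'GET ?arg=val HTTP/1.1' is dropped and Lua code indexing either field gets nil. Consider an `else` branch that stores an empty `path` and the query part of the URI, or at least document the behaviour above the guard with `/* http_get_path() returns NULL when the URI has no path; "path" and "qs" are then left unset. */`. Inside the guard, `if (*p == '?')` still reads `*p` when the scan loop stopped at `p == end`; `if (p < end && *p == '?')` keeps that read within the URI bounds. The trailing context comment above the `"length"` field still says "Stores the request path." and looks like a copy-paste leftover. The body of `hlua_applet_http_new()` starts and ends outside the hunk, so any other use of `path` in the function cannot be checked from here.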