From: Christopher Faulet <cfaulet@haproxy.com>
Date: Fri, 22 May 2026 14:11:52 +0000 (+0200)
Subject: BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket
X-Git-Tag: v3.4-dev14~62
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9091cfa617a4f593785b6093548dff70a07b1e0f;p=thirdparty%2Fhaproxy.git

BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket

In hlua_socket_receive_yield(), when we try to get a line, the trailing CRLF is
stripped by decrementing the block length. The '\n' is first skipped, then,
possible a preceeding '\r'. But the block lenght is never checked. If an empty
line is returned, this leads to an integer underflow and most probably to a
crash because this length is used to copy data into a LUA string.

To fix the issue, the block length is now properly tested against 0 before
decrementing it.

This patch must be backported to all stable versions.
---

diff --git a/src/hlua.c b/src/hlua.c
index cde144ab2..b87b587e4 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -2949,20 +2949,20 @@ __LJMP static int hlua_socket_receive_yield(struct lua_State *L, int status, lua
 
 		/* remove final \r\n. */
 		if (nblk == 1) {
-			if (blk1[len1-1] == '\n') {
+			if (len1 && blk1[len1-1] == '\n') {
 				len1--;
 				skip_at_end++;
-				if (blk1[len1-1] == '\r') {
+				if (len1 && blk1[len1-1] == '\r') {
 					len1--;
 					skip_at_end++;
 				}
 			}
 		}
 		else {
-			if (blk2[len2-1] == '\n') {
+			if (len2 && blk2[len2-1] == '\n') {
 				len2--;
 				skip_at_end++;
-				if (blk2[len2-1] == '\r') {
+				if (len2 && blk2[len2-1] == '\r') {
 					len2--;
 					skip_at_end++;
 				}