From: Thierry Fournier <thierry.fournier@ozon.io>
Date: Tue, 10 Nov 2020 19:38:20 +0000 (+0100)
Subject: BUG/MINOR: lua: set buffer size during map lookups
X-Git-Tag: v2.4-dev1~64
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=91dc0c0d8fdc2fb091b49699ebb323d01aa1d9f6;p=thirdparty%2Fhaproxy.git

BUG/MINOR: lua: set buffer size during map lookups

This size is used by some pattern matching to determine if there
is sufficient room in the buffer to add final \0 if necessary.
If the size is not set, the conditions use uninitialized value.

Note: it seems this bug can't cause a crash.

Should be backported until 2.2 (at least)
---

diff --git a/src/hlua.c b/src/hlua.c
index 97dcebd889..f497892be4 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -1664,6 +1664,7 @@ __LJMP static inline int _hlua_map_lookup(struct lua_State *L, int str)
 		smp.data.type = SMP_T_STR;
 		smp.flags = SMP_F_CONST;
 		smp.data.u.str.area = (char *)MAY_LJMP(luaL_checklstring(L, 2, (size_t *)&smp.data.u.str.data));
+		smp.data.u.str.size = smp.data.u.str.data + 1;
 	}
 
 	pat = pattern_exec_match(&desc->pat, &smp, 1);