From: Cyril Bonté Date: Sun, 1 Mar 2015 23:08:41 +0000 (+0100) Subject: BUG/MEDIUM: lua: segfault when calling haproxy sample fetches from lua X-Git-Tag: v1.6-dev1~78 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=928ae5c82248b2e53d854f988df413e63e4c5943;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: lua: segfault when calling haproxy sample fetches from lua When a Lua script calls an internal haproxy sample fetch, it may segfault in some conditions : - when a fetch has no argument, - when there is no room left to store the special type ARGT_STOP in the argument list (this one shouldn't happen currently as there isn't any sample fetch with enough arguments to fill the allocated buffer). Example of Lua code which reproduces a segfault : core.register_fetches("segfault", function(txn, ...) return txn.req_ver(txn) end) --- diff --git a/src/hlua.c b/src/hlua.c index 51e149e710..35253fa140 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -2348,15 +2348,15 @@ __LJMP static int hlua_txn_close(lua_State *L) /* This function is an LUA binding. It is called with each sample-fetch. * It uses closure argument to store the associated sample-fetch. It - * returns only one argument or throws an error. An error is throwed - * only if an error is encoutered during the argument parsing. If + * returns only one argument or throws an error. An error is thrown + * only if an error is encountered during the argument parsing. If * the "sample-fetch" function fails, nil is returned. */ __LJMP static int hlua_run_sample_fetch(lua_State *L) { struct hlua_txn *s; struct hlua_sample_fetch *f; - struct arg args[ARGM_NBARGS]; + struct arg args[ARGM_NBARGS + 1]; int i; struct sample smp; @@ -2367,7 +2367,7 @@ __LJMP static int hlua_run_sample_fetch(lua_State *L) s = MAY_LJMP(hlua_checktxn(L, 1)); /* Get extra arguments. */ - for (i = 0; i <= lua_gettop(L); i++) { + for (i = 0; i < lua_gettop(L) - 1; i++) { if (i >= ARGM_NBARGS) break; hlua_lua2arg(L, i + 2, &args[i]); @@ -2377,8 +2377,8 @@ __LJMP static int hlua_run_sample_fetch(lua_State *L) /* Check arguments. */ MAY_LJMP(hlua_lua2arg_check(L, 1, args, f->f->arg_mask)); - /* Run the special args cehcker. */ - if (!f->f->val_args(args, NULL)) { + /* Run the special args checker. */ + if (f->f->val_args && !f->f->val_args(args, NULL)) { lua_pushfstring(L, "error in arguments"); WILL_LJMP(lua_error(L)); }