git.ipfire.org Git - thirdparty/rspamd.git/commit

author	Vsevolod Stakhov <vsevolod@rspamd.com>
	Sun, 21 Dec 2025 20:05:27 +0000 (20:05 +0000)
committer	Vsevolod Stakhov <vsevolod@rspamd.com>
	Sun, 21 Dec 2025 21:33:54 +0000 (21:33 +0000)
commit	584c2fdfe6720543ae8be9b6de5b6960ba0e6bdb
tree	c2a37161fb5d4e6fca8740a239c40273fa927a07	tree
parent	6ce0a58d2b80fa41c8d5a5d2bffa1883cc87bbe7	commit \| diff

[Feature] Add task registry for safe Lua task reference validation

Implement a global task registry that maps unique uint64_t keys to task
pointers. This prevents use-after-free bugs when Lua code holds references
to tasks that may have been freed (e.g., in async Redis callbacks).

Key changes:
- Add lua_key field to rspamd_task struct
- Implement task registry using khash (O(1) lookup)
- Store lua_key in Lua userdata instead of raw pointer
- Lookup via registry when extracting task from Lua
- Remove task from registry FIRST in rspamd_task_free()

The counter-based key approach avoids issues with:
- Pointer reuse after free (memory allocator may reuse addresses)
- Lua number precision (52-bit mantissa is sufficient for counter)
- NaN/subnormal float values that could cause issues

This fixes potential use-after-free in Redis script waitq callbacks
when Redis is unavailable longer than task lifetime.

src/libserver/cfg_utils.cxx		diff \| blob \| blame \| history
src/libserver/task.c		diff \| blob \| blame \| history
src/libserver/task.h		diff \| blob \| blame \| history
src/lua/lua_task.c		diff \| blob \| blame \| history