BUG/MEDIUM: lua: segfault if a converter or a sample doesn't return anything

In the case of a Lua sample-fetch or converter doesn't return any
value, an acces outside the Lua stack can be performed. This patch
check the stack size before converting the top value to a HAProxy
internal sample.

A workaround consist to check that a value value is always returned
with sample fetches and converters.

This patch should be backported in the version 1.6 and 1.7

diff --git a/src/hlua.c b/src/hlua.c
index 643d3fce0ba0f983f0ed98c2ae0e8cc6c08cb172..b8d2c88de3f859544c6ff94178da8c6e25313693 100644 (file)
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -5496,6 +5496,10 @@ static int hlua_sample_conv_wrapper(const struct arg *arg_p, struct sample *smp,
        switch (hlua_ctx_resume(stream->hlua, 0)) {
        /* finished. */
        case HLUA_E_OK:
+               /* If the stack is empty, the function fails. */
+               if (lua_gettop(stream->hlua->T) <= 0)
+                       return 0;
+
                /* Convert the returned value in sample. */
                hlua_lua2smp(stream->hlua->T, -1, smp);
                lua_pop(stream->hlua->T, 1);
@@ -5617,6 +5621,10 @@ static int hlua_sample_fetch_wrapper(const struct arg *arg_p, struct sample *smp
                        stream_int_retnclose(&stream->si[0], &msg);
                        return 0;
                }
+               /* If the stack is empty, the function fails. */
+               if (lua_gettop(stream->hlua->T) <= 0)
+                       return 0;
+
                /* Convert the returned value in sample. */
                hlua_lua2smp(stream->hlua->T, -1, smp);
                lua_pop(stream->hlua->T, 1);