From: Aurelien DARRAGON <adarragon@haproxy.com>
Date: Wed, 24 Jan 2024 15:10:55 +0000 (+0100)
Subject: BUG/MINOR: hlua: fix uninitialized var in hlua_core_get_var()
X-Git-Tag: v3.0-dev2~18
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=564addcb727bfb3dd46507ec824f11c20c6bb861;p=thirdparty%2Fhaproxy.git

BUG/MINOR: hlua: fix uninitialized var in hlua_core_get_var()

As raised by Coverity in GH #2223, f034139bc0 ("MINOR: lua: Allow reading
"proc." scoped vars from LUA core.") causes uninitialized reads due to
smp being passed to vars_get_by_name() without being initialized first.

Indeed, vars_get_by_name() tries to read smp->sess and smp->strm pointers.
As we're only interested in the PROC var scope, it is safe to call
vars_get_by_name() with sess and strm pointers set to NULL, thus we
simply memset smp prior to calling vars_get_by_name() to fix the issue.

This should be backported in 2.9 with f034139bc0.
---

diff --git a/src/hlua.c b/src/hlua.c
index 008f6726fc..8f6f988667 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -2026,6 +2026,7 @@ static int hlua_set_map(lua_State *L)
 	if (len < 5 || strncmp(name, "proc.", 5) != 0)
 		WILL_LJMP(luaL_error(L, "'get_var': Only 'proc.' scope allowed to be retrieved in 'core.get_var()'."));
 
+	memset(&smp, 0, sizeof(smp));
 	if (!vars_get_by_name(name, len, &smp, NULL)) {
 		lua_pushnil(L);
 		return 1;