From 7c210e6aa87365b9b87b9d7e904b41f860f278b9 Mon Sep 17 00:00:00 2001 From: Thierry FOURNIER Date: Fri, 27 Oct 2017 14:13:51 +0200 Subject: [PATCH] BUG/MINOR: lua: const attribute of a string is overridden If HAProxy is compiled without PCRE regexes, this can cause a write in const memory. The probability of a consequence is very low. --- src/hlua_fcn.c | 26 ++++++++++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/src/hlua_fcn.c b/src/hlua_fcn.c index c37e2a96eb..a5cae8676d 100644 --- a/src/hlua_fcn.c +++ b/src/hlua_fcn.c @@ -1119,11 +1119,22 @@ static int hlua_regex_exec(struct lua_State *L) struct my_regex *regex; const char *str; size_t len; + struct chunk *tmp; regex = hlua_check_regex(L, 1); str = luaL_checklstring(L, 2, &len); - lua_pushboolean(L, regex_exec2(regex, (char *)str, len)); + /* Copy the string because regex_exec2 require a 'char *' + * and not a 'const char *'. + */ + tmp = get_trash_chunk(); + if (len >= tmp->size) { + lua_pushboolean(L, 0); + return 1; + } + memcpy(tmp->str, str, len); + + lua_pushboolean(L, regex_exec2(regex, tmp->str, len)); return 1; } @@ -1136,11 +1147,22 @@ static int hlua_regex_match(struct lua_State *L) regmatch_t pmatch[20]; int ret; int i; + struct chunk *tmp; regex = hlua_check_regex(L, 1); str = luaL_checklstring(L, 2, &len); - ret = regex_exec_match2(regex, (char *)str, len, 20, pmatch, 0); + /* Copy the string because regex_exec2 require a 'char *' + * and not a 'const char *'. + */ + tmp = get_trash_chunk(); + if (len >= tmp->size) { + lua_pushboolean(L, 0); + return 1; + } + memcpy(tmp->str, str, len); + + ret = regex_exec_match2(regex, tmp->str, len, 20, pmatch, 0); lua_pushboolean(L, ret); lua_newtable(L); if (ret) { -- 2.47.3