From: Greg Kroah-Hartman
Date: Tue, 7 Apr 2026 07:48:07 +0000 (+0200)
Subject: BUG: hlua: fix stack overflow in httpclient headers conversion
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a03120e228abc654d1f0d5bcb0240c6972721735;p=thirdparty%2Fhaproxy.git

BUG: hlua: fix stack overflow in httpclient headers conversion

hlua_httpclient_table_to_hdrs() declares a VLA of size global.tune.max_http_hdr
(default 101) on the stack but never checks hdr_num against that bound. A Lua
script that supplies a header table with more than 101 values writes struct
http_hdr entries (two ist = two heap pointers + two lengths) past the end of
the VLA, smashing the stack frame.

Trigger from any Lua action/task/service:

    local hc = core.httpclient()
    local v = {}
    for i = 1, 300 do v[i] = "x" end
    hc:get{ url = "http://127.0.0.1/", headers = { ["X"] = v } }

Each out-of-bounds entry writes a heap pointer (controllable allocation
contents via istdup) plus an attacker-chosen length onto the stack,
overwriting the saved return address. With no stack canary, this is direct
RCE; with a canary, it requires a leak first.

Reachable from any deployment that loads Lua scripts. While Lua scripts are
nominally trusted, this turns "can edit Lua" into "can execute arbitrary
native code", which is a meaningful boundary in many setups (Lua sandbox
escape).

This must be backported as far as the httpclient Lua API exists.
---

diff --git a/src/hlua.c b/src/hlua.c
index 6e56583df..c66849c48 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -8069,6 +8069,11 @@ struct http_hdr *hlua_httpclient_table_to_hdrs(lua_State *L)
                         goto next_value;
                 }
 
+                if (hdr_num >= global.tune.max_http_hdr) {
+                        lua_pop(L, 2);
+                        goto skip_headers;
+                }
+
                 v = lua_tolstring(L, -1, &vlen);
                 value = ist2(v, vlen);
                 name = ist2(n, nlen);
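Review bot: the new bound check at the top of the hunk truncates silently: once hdr_num reaches global.tune.max_http_hdr it pops the current pair and jumps to skip_headers, so every remaining header is dropped without the script or the log learning about it. Consider emitting a warning or raising a Lua error there, so a request that lost headers is diagnosable rather than just different from what the script asked for. Also worth confirming against the code around this hunk: if the hdrs array is terminated by an empty entry written after the last header, the comparison needs to be against max_http_hdr - 1, since a VLA sized exactly max_http_hdr leaves no slot for that terminator when hdr_num == max_http_hdr - 1 passes the check.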