From: Cheng Longfei <chenglongfei@ztgame.com>
Date: Wed, 30 Jul 2025 05:50:01 +0000 (+0800)
Subject: lua: fix null dereference in tx HTTP accessor functions
X-Git-Tag: suricata-8.0.2~55
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F13912%2Fhead;p=thirdparty%2Fsuricata.git

lua: fix null dereference in tx HTTP accessor functions

Fix crashes in Lua when calling tx:response_line(), tx:request_line(),
tx:request_uri_raw(), or tx:request_host() on incomplete or malformed
HTTP transactions.

These functions return bstr pointers which may be NULL. Add NULL
checks before calling bstr_ptr() and bstr_len() to avoid segfaults.

Ticket: #7829
(cherry picked from commit 9fb33bbaf6902cf4f0498b52330e2bb85cba974c)
---

diff --git a/src/util-lua-http.c b/src/util-lua-http.c
index 7849f4ae52..f5599a4bb5 100644
--- a/src/util-lua-http.c
+++ b/src/util-lua-http.c
@@ -23,7 +23,6 @@
  */
 
 #include "suricata-common.h"
-
 #include "app-layer-htp.h"
 #include "util-lua.h"
 #include "util-lua-common.h"
@@ -65,9 +64,13 @@ static int LuaHttpGetRequestHost(lua_State *luastate)
         lua_pushnil(luastate);
         return 1;
     }
+    const struct bstr *host = htp_tx_request_hostname(tx->tx);
+    if (host == NULL) {
+        lua_pushnil(luastate);
+        return 1;
+    }
 
-    return LuaPushStringBuffer(luastate, bstr_ptr(htp_tx_request_hostname(tx->tx)),
-            bstr_len(htp_tx_request_hostname(tx->tx)));
+    return LuaPushStringBuffer(luastate, bstr_ptr(host), bstr_len(host));
 }
 
 static int LuaHttpGetRequestUriRaw(lua_State *luastate)
@@ -77,9 +80,13 @@ static int LuaHttpGetRequestUriRaw(lua_State *luastate)
         lua_pushnil(luastate);
         return 1;
     }
+    const struct bstr *uri = htp_tx_request_uri(tx->tx);
+    if (uri == NULL) {
+        lua_pushnil(luastate);
+        return 1;
+    }
 
-    return LuaPushStringBuffer(
-            luastate, bstr_ptr(htp_tx_request_uri(tx->tx)), bstr_len(htp_tx_request_uri(tx->tx)));
+    return LuaPushStringBuffer(luastate, bstr_ptr(uri), bstr_len(uri));
 }
 
 static int LuaHttpGetRequestUriNormalized(lua_State *luastate)
@@ -107,8 +114,13 @@ static int LuaHttpGetRequestLine(lua_State *luastate)
         return 1;
     }
 
-    return LuaPushStringBuffer(
-            luastate, bstr_ptr(htp_tx_request_line(tx->tx)), bstr_len(htp_tx_request_line(tx->tx)));
+    const struct bstr *line = htp_tx_request_line(tx->tx);
+    if (line == NULL) {
+        lua_pushnil(luastate);
+        return 1;
+    }
+
+    return LuaPushStringBuffer(luastate, bstr_ptr(line), bstr_len(line));
 }
 
 static int LuaHttpGetResponseLine(lua_State *luastate)
@@ -119,8 +131,13 @@ static int LuaHttpGetResponseLine(lua_State *luastate)
         return 1;
     }
 
-    return LuaPushStringBuffer(luastate, bstr_ptr(htp_tx_response_line(tx->tx)),
-            bstr_len(htp_tx_response_line(tx->tx)));
+    const struct bstr *line = htp_tx_response_line(tx->tx);
+    if (line == NULL) {
+        lua_pushnil(luastate);
+        return 1;
+    }
+
+    return LuaPushStringBuffer(luastate, bstr_ptr(line), bstr_len(line));
 }
 
 static int LuaHttpGetHeader(lua_State *luastate, int dir)