BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'

Error in the HTTP parser. The function http_get_path() can return NULL and this case is not catched in the code. So, we try to dereference NULL pointer, and a segfault occurs. These two lines are useful to prevent the bug. acl prevent_bug path_beg / http-request deny if !prevent_bug This bug fix should be backported in 1.6 and 1.7
2024-12-15 07:54:33 +00:00 · 2017-02-22 02:06:16 +01:00 · 2017-02-22 02:06:16 +01:00 · 7d38863552
commit 7d38863552
parent e3cc3a3026
1 changed files with 16 additions and 14 deletions
--- a/src/hlua.c
+++ b/src/hlua.c
@ -3642,22 +3642,24 @@ static int hlua_applet_http_new(lua_State *L, struct appctx *ctx)
 	/* Get path and qs */
 	path = http_get_path(txn);
-	end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
+	if (path) {
-	p = path;
+		end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
-	while (p < end && *p != '?')
+		p = path;
-		p++;
+		while (p < end && *p != '?')
 			p++;
-	/* Stores the request path. */
+		/* Stores the request path. */
-	lua_pushstring(L, "path");
+		lua_pushstring(L, "path");
-	lua_pushlstring(L, path, p - path);
+		lua_pushlstring(L, path, p - path);
-	lua_settable(L, -3);
+		lua_settable(L, -3);
-	/* Stores the query string. */
+		/* Stores the query string. */
-	lua_pushstring(L, "qs");
+		lua_pushstring(L, "qs");
-	if (*p == '?')
+		if (*p == '?')
-		p++;
+			p++;
-	lua_pushlstring(L, p, end - p);
+		lua_pushlstring(L, p, end - p);
-	lua_settable(L, -3);
+		lua_settable(L, -3);
 	}
 	/* Stores the request path. */
 	lua_pushstring(L, "length");