BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'

Error in the HTTP parser. The function http_get_path() can
return NULL, and this case is not caught in the code. So we
try to dereference a NULL pointer, and a segfault occurs.

These two lines are useful to prevent the bug.

   acl prevent_bug path_beg /
	http-request deny if !prevent_bug

This bug fix should be backported in 1.6 and 1.7
Thierry FOURNIER 2017-02-22 02:06:16 +01:00 committed by Willy Tarreau
parent e3cc3a3026
commit 7d38863552


@ -3642,22 +3642,24 @@ static int hlua_applet_http_new(lua_State *L, struct appctx *ctx)
/* Get path and qs */
path = http_get_path(txn);
end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
p = path;
while (p < end && *p != '?')
p++;
if (path) {
end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
p = path;
while (p < end && *p != '?')
p++;
/* Stores the request path. */
lua_pushstring(L, "path");
lua_pushlstring(L, path, p - path);
lua_settable(L, -3);
/* Stores the request path. */
lua_pushstring(L, "path");
lua_pushlstring(L, path, p - path);
lua_settable(L, -3);
/* Stores the query string. */
lua_pushstring(L, "qs");
if (*p == '?')
p++;
lua_pushlstring(L, p, end - p);
lua_settable(L, -3);
/* Stores the query string. */
lua_pushstring(L, "qs");
if (*p == '?')
p++;
lua_pushlstring(L, p, end - p);
lua_settable(L, -3);
}
/* Stores the request path. */
lua_pushstring(L, "length");
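Review bot: When `http_get_path()` returns NULL, the new `if (path) {` block is skipped entirely, so the "path" and "qs" keys are never stored in the table and Lua code reading them presumably sees nil instead of a string. If that is intended, it deserves a comment above the guard, for example `/* path is NULL for a request line such as "GET ?arg=val": "path" and "qs" are left unset (nil on the Lua side). */`; otherwise both keys should be set to empty strings in an else branch. Separately, inside the block the test `if (*p == '?')` reads `*p` even when the loop stopped at `p == end`, so it relies on the byte just past the URI being readable; `if (p < end && *p == '?')` keeps the same bound the loop uses. The body of hlua_applet_http_new starts and ends outside this hunk, so any later handling of these keys is not visible here.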