From 630ef4585af1544b20bf5708f9fa8f5453e6ad25 Mon Sep 17 00:00:00 2001 From: Willy Tarreau Date: Fri, 28 Aug 2015 10:06:15 +0200 Subject: [PATCH] BUG/MEDIUM: lua: fix a segfault in txn:done() if called twice When called from an http ruleset, txn:done() can still crash the process because it closes the stream without consuming pending data resulting in the transaction's buffer representation to differ from the real buffer. This patch also adjusts the transaction's state to indicate that it's closed to be consistent with what's already done in redirect rules. --- src/hlua.c | 22 ++++++++++++++++++++++ 1 file changed, 22 insertions(+) diff --git a/src/hlua.c b/src/hlua.c index ffcfb836a..aa23696c1 100644 --- a/src/hlua.c +++ b/src/hlua.c @@ -3655,6 +3655,28 @@ __LJMP static int hlua_txn_done(lua_State *L) ic = &htxn->s->req; oc = &htxn->s->res; + if (htxn->s->txn) { + /* HTTP mode, let's stay in sync with the stream */ + bi_fast_delete(ic->buf, htxn->s->txn->req.sov); + htxn->s->txn->req.next -= htxn->s->txn->req.sov; + htxn->s->txn->req.sov = 0; + ic->analysers &= AN_REQ_HTTP_XFER_BODY; + oc->analysers = AN_RES_HTTP_XFER_BODY; + htxn->s->txn->req.msg_state = HTTP_MSG_CLOSED; + htxn->s->txn->rsp.msg_state = HTTP_MSG_DONE; + + /* Trim any possible response */ + oc->buf->i = 0; + htxn->s->txn->rsp.next = htxn->s->txn->rsp.sov = 0; + + /* Note that if we want to support keep-alive, we need + * to bypass the close/shutr_now calls below, but that + * may only be done if the HTTP request was already + * processed and the connection header is known (ie + * not during TCP rules). + */ + } + channel_auto_read(ic); channel_abort(ic); channel_auto_close(ic);