BUG/MEDIUM: hlua: Fix integer underflow when receiving line from lua cosocket

In hlua_socket_receive_yield(), when we try to get a line, the trailing CRLF is
stripped by decrementing the block length. The '\n' is first skipped, then,
possibly a preceding '\r'. But the block length is never checked. If an empty
line is returned, this leads to an integer underflow and most probably to a
crash because this length is used to copy data into a LUA string.

To fix the issue, the block length is now properly tested against 0 before
decrementing it.

This patch must be backported to all stable versions.
Christopher Faulet 2026-05-22 16:11:52 +02:00
parent 57b526e022
commit 9091cfa617

@ -2949,20 +2949,20 @@ __LJMP static int hlua_socket_receive_yield(struct lua_State *L, int status, lua
/* remove final \r\n. */
if (nblk == 1) {
if (blk1[len1-1] == '\n') {
if (len1 && blk1[len1-1] == '\n') {
len1--;
skip_at_end++;
if (blk1[len1-1] == '\r') {
if (len1 && blk1[len1-1] == '\r') {
len1--;
skip_at_end++;
}
}
}
else {
if (blk2[len2-1] == '\n') {
if (len2 && blk2[len2-1] == '\n') {
len2--;
skip_at_end++;
if (blk2[len2-1] == '\r') {
if (len2 && blk2[len2-1] == '\r') {
len2--;
skip_at_end++;
}