BUG/MAJOR: lua segmentation fault when the request is like 'GET ?arg=val HTTP/1.1'
Error in the HTTP parser. The function http_get_path() can
return NULL and this case is not caught in the code. So, we
try to dereference a NULL pointer, and a segfault occurs.
These two lines are useful to prevent the bug.
acl prevent_bug path_beg /
http-request deny if !prevent_bug
This bug fix should be backported in 1.6 and 1.7
diff --git a/src/hlua.c b/src/hlua.c
index 41f1805..5383fe9 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -3642,22 +3642,24 @@
/* Get path and qs */
path = http_get_path(txn);
- end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
- p = path;
- while (p < end && *p != '?')
- p++;
+ if (path) {
+ end = txn->req.chn->buf->p + txn->req.sl.rq.u + txn->req.sl.rq.u_l;
+ p = path;
+ while (p < end && *p != '?')
+ p++;
- /* Stores the request path. */
- lua_pushstring(L, "path");
- lua_pushlstring(L, path, p - path);
- lua_settable(L, -3);
+ /* Stores the request path. */
+ lua_pushstring(L, "path");
+ lua_pushlstring(L, path, p - path);
+ lua_settable(L, -3);
- /* Stores the query string. */
- lua_pushstring(L, "qs");
- if (*p == '?')
- p++;
- lua_pushlstring(L, p, end - p);
- lua_settable(L, -3);
+ /* Stores the query string. */
+ lua_pushstring(L, "qs");
+ if (*p == '?')
+ p++;
+ lua_pushlstring(L, p, end - p);
+ lua_settable(L, -3);
+ }
/* Stores the request path. */
lua_pushstring(L, "length");
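Review bot: When http_get_path() returns NULL the new `if (path)` block is skipped, so the table is left without its "path" and "qs" keys and Lua code reading them gets nil; this deserves a comment above the guard, e.g. `/* path is NULL for requests such as 'GET ?arg=val': "path" and "qs" are then left unset */`. Inside the block, `if (*p == '?')` still reads `*p` after the loop has stopped at `p == end`, one byte past the URI (presumably still inside the request buffer, but not guaranteed by anything visible here); `if (p < end && *p == '?')` keeps the read and the later `end - p` length within the URI bounds. The context comment before the "length" key still says "Stores the request path." and looks like a copy-paste leftover. The enclosing function starts and ends outside the hunk.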