mirrors/haproxy
1
0
Fork 0
mirror of https://git.haproxy.org/git/haproxy.git/ synced 2026-04-10 21:41:39 +02:00
Code Issues Projects Releases Wiki Activity

BUG/MINOR: hlua: fix stack overflow in httpclient headers conversion

Browse Source 
hlua_httpclient_table_to_hdrs() declares a VLA of size
global.tune.max_http_hdr (default 101) on the stack but never checks
hdr_num against that bound. A Lua script that supplies a header table
with more than 101 values writes struct http_hdr entries (two ist =
two heap pointers + two lengths) past the end of the VLA, smashing
the stack frame.

Trigger from any Lua action/task/service:

    local hc = core.httpclient()
    local v = {}
    for i = 1, 300 do v[i] = "x" end
    hc:get{ url = "http://127.0.0.1/", headers = { ["X"] = v } }

Each out-of-bounds entry writes a heap pointer (controllable
allocation contents via istdup) plus an attacker-chosen length onto
the stack, overwriting the saved return address.

[wla: this is only reachable if the Lua script passes more than
max_http_hdr header values, which requires access to the script itself]

This must be backported as far as the httpclient Lua API exists.

Signed-off-by: William Lallemand <wlallemand@haproxy.com>
This commit is contained in:
Greg Kroah-Hartman 2026-04-07 09:48:07 +02:00 committed by William Lallemand
parent a03120e228
commit 2db801c635
1 changed files with 5 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
src/hlua.c
View File

@ -8074,6 +8074,11 @@ struct http_hdr *hlua_httpclient_table_to_hdrs(lua_State *L)
goto skip_headers;
}
if (hdr_num >= global.tune.max_http_hdr) {
lua_pop(L, 2);
goto skip_headers;
}
v = lua_tolstring(L, -1, &vlen);
value = ist2(v, vlen);
name = ist2(n, nlen);