BUG/MEDIUM: hlua: make hlua_ctx_renew() safe

hlua_ctx_renew() is called from unsafe places where the caller doesn't
expect it to LJMP. However, hlua_ctx_renew() makes use of Lua library
functions that could potentially raise errors, such as lua_newthread(),
and it does nothing to catch errors. Because of this, haproxy could
unexpectedly crash. This was discovered and reported by GH user
@JB0925 on #2745.

To fix the issue, let's simply make hlua_ctx_renew() safe by applying
the same logic implemented for hlua_ctx_init() or hlua_ctx_destroy(),
which is catching Lua errors by leveraging the SET_SAFE_LJMP_PARENT() helper.

It should be backported to all stable versions.
Aurelien DARRAGON 2024-10-08 11:34:10 +02:00
parent 3f4a788329
commit d0e0105181

@ -1811,10 +1811,15 @@ static int hlua_ctx_renew(struct hlua *lua, int keep_msg)
lua_State *T;
int new_ref;
if (!SET_SAFE_LJMP_PARENT(lua))
return 0;
/* New Lua coroutine. */
T = lua_newthread(hlua_states[lua->state_id]);
if (!T)
if (!T) {
RESET_SAFE_LJMP_PARENT(lua);
return 0;
}
/* Copy last error message. */
if (keep_msg)
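Review bot: every exit between `SET_SAFE_LJMP_PARENT(lua)` and the matching reset has to call `RESET_SAFE_LJMP_PARENT(lua)`, and this hunk only shows that for the `if (!T)` branch. Please confirm that the `if (keep_msg)` block and the code after it, up to the reset added in the next hunk, contain no other early `return`. It would also help to update the function's comment to say that it no longer LJMPs and that a return of 0 now covers both a failed `SET_SAFE_LJMP_PARENT(lua)` and a NULL thread, since callers cannot tell the two apart.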
@ -1836,6 +1841,8 @@ static int hlua_ctx_renew(struct hlua *lua, int keep_msg)
lua->T = T;
lua->Tref = luaL_ref(hlua_states[lua->state_id], LUA_REGISTRYINDEX);
RESET_SAFE_LJMP_PARENT(lua);
/* Set context. */
hlua_sethlua(lua);
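Review bot: `lua->T = T;` is assigned before `lua->Tref = luaL_ref(...)`, and luaL_ref() can itself raise a memory error, so a caught error at that point leaves `lua->T` pointing at the new coroutine while `lua->Tref` still holds the old reference. Consider taking the reference into a local first and assigning both fields only once it has succeeded. Separately, `hlua_sethlua(lua)` now runs after `RESET_SAFE_LJMP_PARENT(lua)`, outside the protected region; a short comment stating that it cannot raise would make the ordering clearly intentional.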