From 12cf8d4db7f0d239caf7ff3d94b62da2d953495c Mon Sep 17 00:00:00 2001
From: Aurelien DARRAGON
Date: Wed, 9 Aug 2023 10:11:49 +0200
Subject: [PATCH] BUG/MINOR: hlua: fix invalid use of lua_pop on error paths

Multiple error paths made invalid use of lua_pop(): When the stack is emptied using lua_settop(0), lua_pop() (which is implemented as a lua_settop() macro) should not be used right after, because it could lead to invalid reads since the stack is already empty. Unfortunately, some remnants from initial lua stack implementation kept doing so, resulting in haproxy crashs on some lua runtime errors paths from time to time (ie: ERRRUN, ERRMEM). Moreover, the extra lua_pop() instruction, even if it was safe, is totally pointless in such case. Removing such unsafe lua_pop() statements when we know that the stack is already empty. This must be backported in every stable versions.
---
 src/hlua.c | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/src/hlua.c b/src/hlua.c
index 72081528e..5e4ce69e7 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -1777,7 +1777,6 @@ resume_execution:
 }
 msg = lua_tostring(lua->T, -1);
 lua_settop(lua->T, 0); /* Empty the stack. */
- lua_pop(lua->T, 1);
 trace = hlua_traceback(lua->T, ", ");
 if (msg)
 lua_pushfstring(lua->T, "[state-id %d] runtime error: %s from %s", lua->state_id, msg, trace);
@@ -1800,7 +1799,6 @@ resume_execution:
 }
 msg = lua_tostring(lua->T, -1);
 lua_settop(lua->T, 0); /* Empty the stack. */
- lua_pop(lua->T, 1);
 if (msg)
 lua_pushfstring(lua->T, "[state-id %d] message handler error: %s", lua->state_id, msg);
 else
@@ -12907,7 +12905,6 @@ int hlua_post_init_state(lua_State *L)
 kind = "runtime error";
 msg = lua_tostring(L, -1);
 lua_settop(L, 0); /* Empty the stack. */
- lua_pop(L, 1);
 trace = hlua_traceback(L, ", ");
 if (msg)
 ha_alert("Lua init: %s: '%s' from %s\n", kind, msg, trace);
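Review bot: In the first hunk, `msg` is obtained from `lua_tostring(lua->T, -1)` and is still dereferenced by `lua_pushfstring` after `lua_settop(lua->T, 0)` has discarded the error value it points into; the Lua C API reference only guarantees a `lua_tostring` pointer while that value remains on the stack, so if `hlua_traceback` allocates (not visible here) the collector could in principle reclaim the message before it is copied. The same ordering appears in the second hunk (`lua_pushfstring` after `lua_settop`) and in the third (`ha_alert` after `lua_settop`), so the removal of the stray `lua_pop` fixes the stack underflow but leaves this lifetime question open. One way to keep the value anchored while the trace is built would be to replace `lua_settop(lua->T, 0);` with `lua_insert(lua->T, 1); lua_settop(lua->T, 1);` and drop the original error with `lua_remove(lua->T, 1);` once the formatted message has been pushed, with a short comment such as `/* keep the error object alive until msg has been copied */`. The enclosing functions continue outside these hunks, so whether later code relies on a fully empty stack at that point would need checking before such a change.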
@@ -12928,8 +12925,7 @@ int hlua_post_init_state(lua_State *L)
 case LUA_ERRMEM:
 if (!kind)
 kind = "out of memory error";
- lua_settop(L, 0);
- lua_pop(L, 1);
+ lua_settop(L, 0); /* Empty the stack. */
 trace = hlua_traceback(L, ", ");
 ha_alert("Lua init: %s: %s\n", kind, trace);
 return_status = 0;