BUG/MEDIUM: hlua/cli: fix cli applet UAF in hlua_applet_wakeup()
Recent commit e5e36ce09 ("BUG/MEDIUM: hlua/cli: Fix lua CLI commands
to work with applet's buffers") revealed a bug in hlua cli applet handling
Indeed, playing with Willy's lua tetris script on the cli, a segfault
would be encountered when forcefully closing the session by sending a
CTRL+C on the terminal.
In fact the crash was caused by a UAF: while the cli applet was already
freed, the lua task responsible for waking it up would still point to it.
Thus hlua_applet_wakeup() could be called even if the applet didn't exist
anymore.
To fix the issue, in hlua_cli_io_release_fct() we must also free the hlua
task linked to the applet, like we already do for
hlua_applet_tcp_release() and hlua_applet_http_release().
While this bug exists on stable versions (where it should be backported
too for precaution), it only seems to be triggered starting with 3.0.
This commit is contained in:
Aurelien DARRAGON
parent
6986e3f41f
commit
21601f4a27
@ -11880,6 +11880,8 @@ static void hlua_cli_io_release_fct(struct appctx *appctx)
|
|||||||
{
|
{
|
||||||
struct hlua_cli_ctx *ctx = appctx->svcctx;
|
struct hlua_cli_ctx *ctx = appctx->svcctx;
|
||||||
|
|
||||||
|
task_destroy(ctx->task);
|
||||||
|
ctx->task = NULL;
|
||||||
hlua_ctx_destroy(ctx->hlua);
|
hlua_ctx_destroy(ctx->hlua);
|
||||||
ctx->hlua = NULL;
|
ctx->hlua = NULL;
|
||||||
}
|
}
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user