From 4d601848871c38cca3182ab2edee932eaf1a531e Mon Sep 17 00:00:00 2001 From: William Lallemand Date: Thu, 30 Sep 2021 10:07:57 +0200 Subject: [PATCH] BUG/MEDIUM: httpclient/lua: crash because of b_xfer and get_trash_chunk() When using the lua httpclient, haproxy could crash because a b_xfer is done in httpclient_xfer, which will do a zero-copy swap of the data in the buffers. The ptr will then be free() by the pool. However this can't work with a trash buffer, because the area was not allocated from the pool buffer, so the pool is not suppose to free it because it does not know this ptr, using -DDEBUG_MEMORY_POOLS will result with a crash during the free. Fix the problem by using b_force_xfer() instead of b_xfer which copy the data instead. The problem still exist with the trash however, and the trash API must be reworked. --- src/http_client.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/http_client.c b/src/http_client.c index 24d8fbe..1eb3cd1 100644 --- a/src/http_client.c +++ b/src/http_client.c @@ -311,7 +311,7 @@ int httpclient_res_xfer(struct httpclient *hc, struct buffer *dst) { int ret; - ret = b_xfer(dst, &hc->res.buf, MIN(1024, b_data(&hc->res.buf))); + ret = b_force_xfer(dst, &hc->res.buf, MIN(1024, b_data(&hc->res.buf))); /* call the client once we consumed all data */ if (!b_data(&hc->res.buf) && hc->appctx) appctx_wakeup(hc->appctx); -- 1.7.10.4