On Tue, Apr 07, 2026 at 01:37:50PM +0200, William Lallemand wrote:
> On Tue, Apr 07, 2026 at 09:48:07AM +0200, Greg Kroah-Hartman wrote:
> > Subject: [PATCH 02/10] BUG: hlua: fix stack overflow in httpclient headers conversion
> > hlua_httpclient_table_to_hdrs() declares a VLA of size
> > global.tune.max_http_hdr (default 101) on the stack but never checks
> > hdr_num against that bound. A Lua script that supplies a header table
> > with more than 101 values writes struct http_hdr entries (two ist =
> > two heap pointers + two lengths) past the end of the VLA, smashing
> > the stack frame.
> > 
> > Trigger from any Lua action/task/service:
> > 
> >     local hc = core.httpclient()
> >     local v = {}
> >     for i = 1, 300 do v[i] = "x" end
> >     hc:get{ url = "http://127.0.0.1/", headers = { ["X"] = v } }
> > 
> > Each out-of-bounds entry writes a heap pointer (controllable
> > allocation contents via istdup) plus an attacker-chosen length onto
> > the stack, overwriting the saved return address. With no stack
> > canary, this is direct RCE; with a canary, it requires a leak first.
> > 
> > Reachable from any deployment that loads Lua scripts. While Lua
> > scripts are nominally trusted, this turns "can edit Lua" into "can
> > execute arbitrary native code", which is a meaningful boundary in
> > many setups (Lua sandbox escape).
> > 
> > This must be backported as far as the httpclient Lua API exists.
> 
> Merged as a BUG/MINOR. I removed the paragraph about executing arbitrary code
> and the part about an RCE. It's a bit excessive since it requires access to
> the lua script, which already allows executing anything.

True, if you can run a lua script, you really can do anything. Sorry
about that, I should have caught that.

thanks,

greg k-h
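The bug class in the patch above, as an added example that is not HAProxy's code and not part of the thread: a header-table conversion into a fixed-size `struct http_hdr` array, with the bound check the patch describes as missing placed before every write. The `ist`/`http_hdr` layouts are minimal stand-ins (one pointer plus one length per `ist`), `MAX_HTTP_HDR` stands in for `global.tune.max_http_hdr` with the default 101 quoted in the patch, and `hdr_entry`, `istdup_s`, `run_trigger` and the reserved empty terminator slot are this example's own assumptions, not HAProxy identifiers or conventions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not HAProxy's code): stand-ins for HAProxy's ist and
 * struct http_hdr. Each ist is a pointer plus a length, so one http_hdr
 * is two heap pointers and two lengths, as the patch text describes. */
struct ist { char *ptr; size_t len; };
struct http_hdr { struct ist n; struct ist v; };

/* Hypothetical stand-in for global.tune.max_http_hdr (default 101). */
#define MAX_HTTP_HDR 101

/* Hypothetical input shape: one header name with an array of values,
 * which is what the Lua table { ["X"] = v } in the trigger yields. */
struct hdr_entry {
    const char *name;
    const char **values;
    size_t nvalues;
};

/* Stand-in for istdup(): heap copy of a C string. */
static struct ist istdup_s(const char *s)
{
    struct ist r;
    r.len = strlen(s);
    r.ptr = malloc(r.len + 1);
    if (r.ptr)
        memcpy(r.ptr, s, r.len + 1);
    return r;
}

static void hdrs_free(struct http_hdr *hdrs, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        free(hdrs[i].n.ptr);
        free(hdrs[i].v.ptr);
    }
}

/* Converts entries into hdrs[max]. The last slot is reserved for an empty
 * terminating entry (this example's convention), so at most max-1 headers
 * fit. Returns the number of headers written, or -1 when the table would
 * not fit. The bound is checked before every write; skipping this check is
 * the defect the patch fixes. */
int table_to_hdrs(const struct hdr_entry *entries, size_t nentries,
                  struct http_hdr *hdrs, size_t max)
{
    size_t hdr_num = 0;

    for (size_t e = 0; e < nentries; e++) {
        for (size_t i = 0; i < entries[e].nvalues; i++) {
            if (hdr_num + 1 >= max) {       /* no room left: refuse, never write */
                hdrs_free(hdrs, hdr_num);
                return -1;
            }
            hdrs[hdr_num].n = istdup_s(entries[e].name);
            hdrs[hdr_num].v = istdup_s(entries[e].values[i]);
            if (!hdrs[hdr_num].n.ptr || !hdrs[hdr_num].v.ptr) {
                hdrs_free(hdrs, hdr_num + 1);
                return -1;
            }
            hdr_num++;
        }
    }
    hdrs[hdr_num].n.ptr = NULL; hdrs[hdr_num].n.len = 0;   /* terminator */
    hdrs[hdr_num].v.ptr = NULL; hdrs[hdr_num].v.len = 0;
    return (int)hdr_num;
}

/* The patch's trigger, rebuilt in C: nvalues copies of "x" under the name
 * "X", converted into an array of max slots (constructed input). Returns
 * the result of table_to_hdrs(). */
int run_trigger(size_t nvalues, size_t max)
{
    const char **vals = malloc(nvalues * sizeof(*vals));
    struct http_hdr *hdrs = malloc(max * sizeof(*hdrs));
    struct hdr_entry entry = { "X", vals, nvalues };
    int rc;

    if (!vals || !hdrs) { free(vals); free(hdrs); return -1; }
    for (size_t i = 0; i < nvalues; i++)
        vals[i] = "x";
    rc = table_to_hdrs(&entry, 1, hdrs, max);
    if (rc >= 0)
        hdrs_free(hdrs, (size_t)rc);
    free(hdrs);
    free(vals);
    return rc;
}

int main(void)
{
    printf("300 values into %d slots: %d\n", MAX_HTTP_HDR, run_trigger(300, MAX_HTTP_HDR));
    printf("3 values into %d slots: %d\n", MAX_HTTP_HDR, run_trigger(3, MAX_HTTP_HDR));
    return 0;
}
```

Without the `hdr_num + 1 >= max` test, the 300-value table would keep writing pointer/length pairs past the end of the array, which on a VLA means past the end of the stack frame; with it, the oversized table is rejected and nothing beyond the array is touched.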