bugfix: lua panic handling in ngx.socket.tcp

If luaL_pushresult() encounters a buffer larger than 2GB, it triggers a Lua panic. This panic is handled by ngx_http_lua_atpanic(), which performs a longjmp() back to the last setjmp() call point (e.g., ngx_http_lua_log_by_chunk()), potentially causing a SEGFAULT or ABORT signal if stack protection is enabled. The fix sets the handler that manages Lua panics directly within ngx_http_lua_socket_push_input_data().
openresty · Nov 16, 2024 · ad71e4b · ad71e4b
1 parent 950b1fb
commit ad71e4b
Showing 1 changed file with 11 additions and 1 deletion.
diff --git a/src/ngx_http_lua_socket_tcp.c b/src/ngx_http_lua_socket_tcp.c
@@ -13,6 +13,7 @@
 #include "ngx_http_lua_socket_tcp.h"
 #include "ngx_http_lua_input_filters.h"
 #include "ngx_http_lua_util.h"
+#include "ngx_http_lua_exception.h"
 #include "ngx_http_lua_uthread.h"
 #include "ngx_http_lua_output.h"
 #include "ngx_http_lua_contentby.h"
@@ -5950,7 +5951,16 @@ ngx_http_lua_socket_push_input_data(ngx_http_request_t *r,
         nbufs++;
     }
 
-    luaL_pushresult(&luabuf);
+    /* set Lua VM panic handler */
+    lua_atpanic(L, ngx_http_lua_atpanic);
+
+    NGX_LUA_EXCEPTION_TRY {
+
+        luaL_pushresult(&luabuf);
+
+    } NGX_LUA_EXCEPTION_CATCH {
+        dd("nginx execution restored");
+    }
 
 #if (DDEBUG)
     dd("size: %d, nbufs: %d", (int) size, (int) nbufs);