lua: fix stack leak in ubus method handling

[project/ubus.git] / lua / ubus.c

diff --git a/lua/ubus.c b/lua/ubus.c
index 92fb0a151fb9ac445938abc3e68848f4b49fc192..86e34b7c0739f6c568925bfb5feeb4d34ca0d570 100644 (file)
--- a/lua/ubus.c
+++ b/lua/ubus.c
@@ -302,8 +302,9 @@ ubus_method_handler(struct ubus_context *ctx, struct ubus_object *obj,
                lua_call(state, 2, 1);
                if (lua_isnumber(state, -1))
                        rv = lua_tonumber(state, -1);
-       } else
-               lua_pop(state, 1);
+       }
+
+       lua_pop(state, 1);
 
        return rv;
 }
@@ -382,6 +383,9 @@ static int ubus_lua_load_methods(lua_State *L, struct ubus_method *m)
 
        /* setup the policy pointers */
        p = malloc(sizeof(struct blobmsg_policy) * plen);
+       if (!p)
+               return 1;
+
        memset(p, 0, sizeof(struct blobmsg_policy) * plen);
        m->policy = p;
        lua_pushnil(L);
@@ -417,6 +421,9 @@ static struct ubus_object* ubus_lua_load_object(lua_State *L)
 
        /* setup object pointers */
        obj = malloc(sizeof(struct ubus_lua_object));
+       if (!obj)
+               return NULL;
+
        memset(obj, 0, sizeof(struct ubus_lua_object));
        obj->o.name = lua_tostring(L, -2);
 
@@ -427,6 +434,11 @@ static struct ubus_object* ubus_lua_load_object(lua_State *L)
 
        /* setup type pointers */
        obj->o.type = malloc(sizeof(struct ubus_object_type));
+       if (!obj->o.type) {
+               free(obj);
+               return NULL;
+       }
+
        memset(obj->o.type, 0, sizeof(struct ubus_object_type));
        obj->o.type->name = lua_tostring(L, -2);
        obj->o.type->id = 0;
@@ -529,10 +541,11 @@ ubus_lua_call_cb(struct ubus_request *req, int type, struct blob_attr *msg)
 {
        lua_State *L = (lua_State *)req->priv;
 
-       if (!msg)
+       if (!msg && L)
                lua_pushnil(L);
 
-       ubus_lua_parse_blob_array(L, blob_data(msg), blob_len(msg), true);
+       if (msg && L)
+               ubus_lua_parse_blob_array(L, blob_data(msg), blob_len(msg), true);
 }
 
 static int
@@ -585,10 +598,13 @@ ubus_event_handler(struct ubus_context *ctx, struct ubus_event_handler *ev,
 
        lua_getglobal(state, "__ubus_cb_event");
        lua_rawgeti(state, -1, listener->r);
+       lua_remove(state, -2);
 
        if (lua_isfunction(state, -1)) {
                ubus_lua_parse_blob_array(state, blob_data(msg), blob_len(msg), true);
                lua_call(state, 1, 0);
+       } else {
+               lua_pop(state, 1);
        }
 }
 
@@ -598,6 +614,9 @@ ubus_lua_load_event(lua_State *L)
        struct ubus_lua_event* event = NULL;
 
        event = malloc(sizeof(struct ubus_lua_event));
+       if (!event)
+               return NULL;
+
        memset(event, 0, sizeof(struct ubus_lua_event));
        event->e.cb = ubus_event_handler;
 
@@ -666,6 +685,7 @@ ubus_lua__gc(lua_State *L)
 {
        struct ubus_lua_connection *c = luaL_checkudata(L, 1, METANAME);
 
+       blob_buf_free(&c->buf);
        if (c->ctx != NULL)
        {
                ubus_free(c->ctx);