Hi Carlos,

In the same issue that you have linked, there is a comment pointing to the "nginx_refactoring" branch where you can find this fix and others.
The branch is still in development/test, as more minor issues should be fixed before merging it into our mainline.

Felipe "Zimmerle" Costa
Security Researcher, SpiderLabs


From: Carlos Vidal <carlos@tarkus.se>
Reply-To: "mod-security-developers@lists.sourceforge.net" <mod-security-developers@lists.sourceforge.net>
Date: Tuesday, July 8, 2014 2:20 PM
To: "mod-security-developers@lists.sourceforge.net" <mod-security-developers@lists.sourceforge.net>
Subject: [Mod-security-developers] ModSec + NGINX bug in move_brigade_to_chain


I'm testing ModSec 2.7.5 and 2.8.0 with NGINX and found a problem when SecResponseBodyAccess is turned on.

The error is produced by a dangling pointer in move_brigade_to_chain() (apr_bucket_nginx.c). It has already been reported in March (https://github.com/SpiderLabs/ModSecurity/issues/681).

There are two ngx_alloc_chain_link() calls in the function; the second is correct, but the first one does not initialize 'cl->next' before copying it to the last link (ll). It is enough to add:

   cl->next = NULL;

just after cl->buf->last_buf = 1.

This causes crazy behavior such as infinite allocation loops and seg-faults.
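A minimal model of the failure described above, added here as an example (it is not ModSecurity's or nginx's own code): a recycled chain link keeps whatever 'next' it had when it was freed, so leaving cl->next uninitialized lets a stale link that is still on the free list be handed out again and close a cycle. The names mini_pool, alloc_link, free_link, build_chain and demo are assumptions made for this example.

```c
/* Added example, not ModSecurity's or nginx's code: a minimal model of
 * nginx's recycled chain-link list (pool->chain) showing why an
 * uninitialised cl->next in move_brigade_to_chain() can turn the output
 * chain into a cycle. All names below are hypothetical. */
#include <stdlib.h>
typedef struct link { int buf_id; struct link *next; } link_t;
typedef struct { link_t *free_list; } mini_pool;   /* model of pool->chain */
/* Like ngx_alloc_chain_link(): a recycled link keeps the 'next' it had
 * when freed; nothing here clears it. */
static link_t *alloc_link(mini_pool *p) {
    link_t *cl = p->free_list;
    if (cl) { p->free_list = cl->next; return cl; }
    return malloc(sizeof(*cl));
}
/* Like ngx_free_chain(): push a link back onto the free list. */
static void free_link(mini_pool *p, link_t *cl) {
    cl->next = p->free_list;
    p->free_list = cl;
}

/* The "last_buf" link as built in move_brigade_to_chain();
 * init_next == 0 reproduces the bug, 1 applies the reported one-line fix. */
static link_t *build_chain(mini_pool *p, int init_next) {
    link_t *cl = alloc_link(p);
    cl->buf_id = 1;
    if (init_next) cl->next = NULL;      /* the fix: cl->next = NULL; */
    return cl;
}
/* Length of a chain, or -1 if it does not terminate within 'limit' links. */
int chain_length(const link_t *cl, int limit) {
    int n = 0;
    for (; cl != NULL; cl = cl->next)
        if (++n > limit) return -1;
    return n;
}

/* Links a->b served an earlier response and were freed (free list: a -> b).
 * The buggy build reuses a but leaves a->next == b while b is still free;
 * the next allocation hands b out again and linking it to a closes a cycle. */
int demo(int init_next) {
    mini_pool p = { NULL };
    link_t *a = alloc_link(&p), *b = alloc_link(&p);
    a->next = b; b->next = NULL;
    free_link(&p, b); free_link(&p, a);
    link_t *head = build_chain(&p, init_next);  /* head == a */
    link_t *c = alloc_link(&p); c->next = head;  /* c == b, now points back at a */
    return chain_length(head, 16);              /* buggy: -1 (cycle); fixed: 1 */
}
```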
