Re: [Mod-security-developers] simple GET request cause ModSecurity nginx crash

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

hi all,
i had compile 2.7-iis-nginx with Nginx-1.2.3(lasest stable version) at
Ubuntu 12.04, and this bug also existence，GDB debug，crash scene bellow：
(gdb) r
Starting program: /opt/modsec-2.7-iis-nginx-1.2.3/sbin/nginx
[Thread debugging using libthread_db enabled]

Program received signal SIGSEGV, Segmentation fault.
0x00000000004ac091 in ngx_http_modsecurity_access_handler (
    req=0x943240)
    at
/home/yorkng/nginx-1.2.3/src/addon/2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:393
393       ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request
body: %s", req->request_body->bufs);
(gdb) p req->request_body->bufs
Cannot access memory at address 0x8
(gdb)


On Mon, Aug 13, 2012 at 6:23 PM, yorkng zhuo <yor...@gm...> wrote:

> hello all,
> i'm testing ModSecurity nginx at ubuntu 12.04, nginx version 1.1.20
> when i use curl like this: curl http://localhost/secret, then the nginx
> worker process crash. i use gdb debug it, trouble spots is here
>
> 2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c
> ----------------------------------------
> 392    ngx_http_read_request_body(req, ngx_http_dummy_payload_hander);
> 393    *ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request
> body: %s", req->request_body->bufs);*
> 394
> 395    if(status == DECLIEND)
>
> ----------------------------------------
>
> *when GET request have no body,  the req->request_body->bufs is
> undefined, like this:*
> -----------------------------------------
> Starting program: /opt/modsec-2.7-iis-nginx/sbin/nginx
> [Thread debugging using libthread_db enabled]
>
> Breakpoint 1, ngx_http_modsecurity_access_handler (req=0x942100)
>     at
> /home/yorkng/project/svn/nginxsec/branch/nsafe/src/addon/2.7-iis-nginx/nginx/modsecurity/ngx_http_modsecurity_module.c:392
> warning: Source file is more recent than executable.
> 392       ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
> (gdb) p req->request_body->bufs
> Cannot access memory at address 0x8
> (gdb)
> ------------------------------------------
>
> my resolve patch is bellow:*
>
> *--- nginx/modsecurity/ngx_http_modsecurity_module.c     (revision 2018)
> +++ nginx/modsecurity/ngx_http_modsecurity_module.c     (working copy)
> @@ -390,19 +390,25 @@
>    ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "status: %d",
> status);
>
>    ngx_http_read_request_body(req, ngx_http_dummy_payload_handler);
> -  ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body:
> %s", req->request_body->bufs);
> +  if (req->headers_in.content_length) {
> +    ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body:
> %s", req->request_body->bufs);
> +  }
> +  else {
> +    ngx_log_error(NGX_LOG_INFO, req->connection->log, 0, "request body:
> ");
> +  }
>
>    if(status == DECLINED)
>    {*
> *
>


-- 
Regards,

Yorkng