[Mod-security-developers] ModSec + NGINX bug in move_brigade_to_chain
From: Carlos V. <ca...@ta...> - 2014-07-08 17:51:18
Hi:

I'm testing ModSec 2.7.5 and 2.8.0 with NGINX and found a problem when SecResponseBodyAccess is turned on.

The error is produced by a dangling pointer in move_brigade_to_chain() (apr_bucket_nginx.c). It was already reported in March (https://github.com/SpiderLabs/ModSecurity/issues/681).

There are two ngx_alloc_chain_link() calls in the function. The second is correct, but the first one does not initialize 'cl->next' before copying it to the last link (ll). It is enough to add:

    cl->next = NULL;

just after cl->buf->last_buf = 1.

This causes crazy behavior such as infinite allocation loops and seg-faults.
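An added illustration of the failure mode reported above, not code from the post, ModSecurity or nginx: a self-contained model of a pool allocator that recycles chain links without clearing their next pointer, showing how an unterminated link turns the chain into a cycle and how the one-line initialization prevents it. Only cl and ll come from the post; pool_t, link_t, alloc_link, free_link, append, chain_len and run_scenario are hypothetical stand-ins.

```c
#include <stdio.h>

/* Simplified stand-ins (assumed) for ngx_chain_t and the pool's free-link list. */
typedef struct link { int buf; struct link *next; } link_t;
typedef struct { link_t slab[4]; int used; link_t *free_list; } pool_t;

/* Like ngx_alloc_chain_link(): recycles a freed link and never clears ->next. */
static link_t *alloc_link(pool_t *p) {
    link_t *cl = p->free_list;
    if (cl) { p->free_list = cl->next; return cl; }
    return p->used < 4 ? &p->slab[p->used++] : NULL;
}

/* Freed links are threaded through ->next, so a recycled link carries a stale pointer. */
static void free_link(pool_t *p, link_t *cl) {
    cl->next = p->free_list; p->free_list = cl;
}

/* Append one link at the tail (ll). init_next = 1 applies the fix from the post. */
static int append(pool_t *p, link_t **head, int buf, int init_next) {
    link_t *cl = alloc_link(p), **ll = head;
    if (cl == NULL) return -1;
    cl->buf = buf;
    if (init_next) cl->next = NULL;
    while (*ll) ll = &(*ll)->next;   /* find the last link */
    *ll = cl;
    return 0;
}

/* Bounded walk: chain length, or -1 if no NULL terminator within limit. */
static int chain_len(const link_t *c, int limit) {
    int n = 0;
    for (; c; c = c->next) if (++n > limit) return -1;
    return n;
}

/* Recycle two links (constructed scenario), then build a two-link chain from them. */
int run_scenario(int init_next) {
    pool_t p = {0};
    link_t *head = NULL, *a = alloc_link(&p), *b = alloc_link(&p);
    free_link(&p, a);
    free_link(&p, b);                /* b->next now holds a stale pointer to a */
    append(&p, &head, 1, init_next);
    append(&p, &head, 2, init_next);
    return chain_len(head, 16);
}

int main(void) {
    printf("without fix: %d, with fix: %d\n", run_scenario(0), run_scenario(1));
    return 0;
}
```

The bounded walk in chain_len is also a usable debugging check: any consumer that iterates a chain until NULL will spin forever on the cyclic result.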