github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-13 21:36:00 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix segfault due to invalid memory access on SharedFiles class

Browse Source 
Issue #1318
This commit is contained in:
Felipe Zimmerle 2017-02-17 17:47:53 -03:00 committed by Felipe Zimmerle
parent 87f6b478fb
commit 01c13da510
No known key found for this signature in database
GPG Key ID: E6DFB08CE8B11277
2 changed files with 37 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

127
src/utils/shared_files.cc
View File

@ -37,27 +37,22 @@ namespace utils {
msc_file_handler_t *SharedFiles::find_handler( msc_file_handler_t *SharedFiles::find_handler(
const std::string &fileName) { const std::string &fileName) {
msc_file_handler_t *current = m_first; for (const auto &i: m_handlers) {
while (current != NULL) { if (i.first == fileName) {
if (current->file_name == fileName) { return i.second;
return current;
} }
current = reinterpret_cast<msc_file_handler_t *>(current->next);
} }
return NULL; return NULL;
} }
msc_file_handler_t *SharedFiles::add_new_handler( msc_file_handler_t *SharedFiles::add_new_handler(
const std::string &fileName, std::string *error) { const std::string &fileName, std::string *error) {
msc_file_handler_t *current = m_first;
int shm_id; int shm_id;
key_t mem_key_structure; key_t mem_key_structure;
key_t mem_key_file_name;
msc_file_handler_t *new_debug_log; msc_file_handler_t *new_debug_log;
char *shm_ptr2;
FILE *fp; FILE *fp;
bool toBeCreated = true;
fp = fopen(fileName.c_str(), "a"); fp = fopen(fileName.c_str(), "a");
if (fp == 0) { if (fp == 0) {
@ -72,81 +67,44 @@ msc_file_handler_t *SharedFiles::add_new_handler(
goto err_mem_key; goto err_mem_key;
} }
mem_key_file_name = ftok(fileName.c_str(), 2); shm_id = shmget(mem_key_structure, sizeof (msc_file_handler_t) + fileName.size() + 1,
if (mem_key_file_name < 0) { IPC_CREAT | IPC_EXCL | 0666);
error->assign("Failed to select key for the shared memory (2): ");
error->append(strerror(errno));
goto err_mem_key;
}
shm_id = shmget(mem_key_structure, sizeof (msc_file_handler_t),
IPC_CREAT | 0666);
if (shm_id < 0) { if (shm_id < 0) {
error->assign("Failed to allocate shared memory (1): "); shm_id = shmget(mem_key_structure, sizeof (msc_file_handler_t)
error->append(strerror(errno)); + fileName.size() + 1, IPC_CREAT | 0666);
goto err_shmget1; toBeCreated = false;
if (shm_id < 0) {
error->assign("Failed to allocate shared memory (1): ");
error->append(strerror(errno));
goto err_shmget1;
}
} }
new_debug_log = reinterpret_cast<msc_file_handler_t *>( new_debug_log = reinterpret_cast<msc_file_handler_t *>(
shmat(shm_id, NULL, 0)); shmat(shm_id, NULL, 0));
if ((reinterpret_cast<char *>(new_debug_log)[0]) == -1) { if ((reinterpret_cast<char *>(new_debug_log)[0]) == -1) {
error->assign("Failed to attach shared memory (1): "); error->assign("Failed to attach shared memory (1): ");
error->append(strerror(errno)); error->append(strerror(errno));
goto err_shmat1; goto err_shmat1;
} }
memset(new_debug_log, '\0', sizeof(msc_file_handler_t));
pthread_mutex_init(&new_debug_log->lock, NULL); if (toBeCreated) {
new_debug_log->fp = fp; memset(new_debug_log, '\0', sizeof(msc_file_handler_t));
new_debug_log->file_handler = fileno(new_debug_log->fp); pthread_mutex_init(&new_debug_log->lock, NULL);
new_debug_log->next = NULL; new_debug_log->fp = fp;
new_debug_log->previous = NULL; new_debug_log->file_handler = fileno(new_debug_log->fp);
new_debug_log->shm_id_structure = shm_id; new_debug_log->shm_id_structure = shm_id;
shm_id = shmget(mem_key_file_name, (fileName.size() + 1 * sizeof(char)), memcpy(new_debug_log->file_name, fileName.c_str(), fileName.size());
IPC_CREAT | 0666); new_debug_log->file_name[fileName.size()] = '\0';
if (shm_id < 0) {
error->assign("Failed to allocate shared memory (2): ");
error->append(strerror(errno));
goto err_shmget2;
}
new_debug_log->shm_id_file_name = shm_id;
shm_ptr2 = reinterpret_cast<char *>(shmat(shm_id, NULL, 0));
if (shm_ptr2[0] == -1) {
error->assign("Failed to attach shared memory (2): ");
error->append(strerror(errno));
goto err_shmat2;
}
memcpy(shm_ptr2, fileName.c_str(), fileName.size());
shm_ptr2[fileName.size()] = '\0';
new_debug_log->file_name = shm_ptr2;
if (m_first == NULL) {
m_first = new_debug_log;
} else {
current = m_first;
while (current != NULL) {
if (current->next == NULL) {
current->next = new_debug_log;
new_debug_log->previous = current;
new_debug_log->next = NULL;
current = NULL;
} else {
current = reinterpret_cast<msc_file_handler_t *>(
current->next);
}
}
} }
m_handlers.push_back(std::make_pair(fileName, new_debug_log));
return new_debug_log; return new_debug_log;
err_shmget2:
err_shmat2:
shmdt(shm_ptr2);
fclose(new_debug_log->fp);
err_shmget1: err_shmget1:
err_shmat1: err_shmat1:
shmdt(new_debug_log); shmdt(new_debug_log);
err_mem_key: err_mem_key:
fclose(fp);
err_fh: err_fh:
return NULL; return NULL;
} }
@ -173,6 +131,7 @@ bool SharedFiles::open(const std::string& fileName, std::string *error) {
void SharedFiles::close(const std::string& fileName) { void SharedFiles::close(const std::string& fileName) {
msc_file_handler_t *a; msc_file_handler_t *a;
int j = 0;
if (fileName.empty()) { if (fileName.empty()) {
return; return;
@ -186,41 +145,23 @@ void SharedFiles::close(const std::string& fileName) {
a->using_it--; a->using_it--;
if (a->using_it == 0) { if (a->using_it == 0) {
bool first = false;
int shm_id1 = a->shm_id_structure; int shm_id1 = a->shm_id_structure;
int shm_id2 = a->shm_id_file_name;
msc_file_handler_t *p , *n; msc_file_handler_t *p , *n;
pthread_mutex_lock(&a->lock); pthread_mutex_lock(&a->lock);
fclose(a->fp); fclose(a->fp);
p = reinterpret_cast<msc_file_handler_t *>(a->previous);
n = reinterpret_cast<msc_file_handler_t *>(a->next);
if (p != NULL) {
p->next = reinterpret_cast<msc_file_handler_t *>(n);
}
if (n != NULL) {
n->previous = reinterpret_cast<msc_file_handler_t *>(p);
}
a->previous = NULL;
a->next = NULL;
pthread_mutex_unlock(&a->lock); pthread_mutex_unlock(&a->lock);
pthread_mutex_destroy(&a->lock); pthread_mutex_destroy(&a->lock);
if (a->file_name == m_first->file_name) {
first = true;
}
shmdt(a->file_name);
shmdt(a); shmdt(a);
shmctl(shm_id1, IPC_RMID, NULL); shmctl(shm_id1, IPC_RMID, NULL);
shmctl(shm_id2, IPC_RMID, NULL);
if (first) {
m_first = NULL;
}
a = NULL;
} }
for (const auto &i: m_handlers) {
if (i.first == fileName) {
j++;
}
}
m_handlers.erase(m_handlers.begin() + j, m_handlers.begin() + j + 1);
} }

9
src/utils/shared_files.h
View File

@ -33,15 +33,12 @@ namespace utils {
typedef struct msc_file_handler { typedef struct msc_file_handler {
char *file_name;
FILE *fp; FILE *fp;
int file_handler; int file_handler;
int shm_id_file_name;
int shm_id_structure; int shm_id_structure;
int using_it; int using_it;
pthread_mutex_t lock; pthread_mutex_t lock;
void *next; char file_name[];
void *previous;
} msc_file_handler_t; } msc_file_handler_t;
@ -62,7 +59,7 @@ class SharedFiles {
std::string *error); std::string *error);
private: private:
SharedFiles() : m_first(NULL) { } SharedFiles() { }
~SharedFiles() { } ~SharedFiles() { }
// C++ 03 // C++ 03
@ -73,7 +70,7 @@ class SharedFiles {
SharedFiles(SharedFiles const&); SharedFiles(SharedFiles const&);
void operator=(SharedFiles const&); void operator=(SharedFiles const&);
msc_file_handler_t *m_first; std::vector<std::pair<std::string, msc_file_handler *>> m_handlers;
}; };