github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-15 23:55:03 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fixed use after free in ModSecurity::processContentOffset

Browse Source 
- Use after free issue detected with Address Sanitizer while running
  the reading_logs_with_offset example.
- Keeps reference to last element in vars vector with vars.back(). Then
  it removes the element from vars calling vars.pop_back() which
  invalidates the reference, but it's accessed later in the function.
This commit is contained in:
Eduardo Arias 2024-04-23 17:10:47 -03:00
parent 7bff2f77aa
commit 50c35345ed
1 changed files with 10 additions and 16 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/modsecurity.cc
View File

@ -258,14 +258,11 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
strlen("highlight")); strlen("highlight"));
yajl_gen_array_open(g); yajl_gen_array_open(g);
while (vars.size() > 3) { for(auto [it, pending] = std::tuple{vars.rbegin(), vars.size()}; pending > 3; pending -= 3) {
std::string value;
yajl_gen_map_open(g); yajl_gen_map_open(g);
vars.pop_back(); it++;
const std::string &startingAt = vars.back().str(); const std::string &startingAt = it->str(); it++;
vars.pop_back(); const std::string &size = it->str(); it++;
const std::string &size = vars.back().str();
vars.pop_back();
yajl_gen_string(g, yajl_gen_string(g,
reinterpret_cast<const unsigned char*>("startingAt"), reinterpret_cast<const unsigned char*>("startingAt"),
strlen("startingAt")); strlen("startingAt"));
@ -284,7 +281,7 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
return -1; return -1;
} }
value = std::string(content, stoi(startingAt), stoi(size)); const auto value = std::string(content, stoi(startingAt), stoi(size));
if (varValue.size() > 0) { if (varValue.size() > 0) {
varValue.append(" " + value); varValue.append(" " + value);
} else { } else {
@ -340,16 +337,13 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
yajl_gen_map_open(g); yajl_gen_map_open(g);
while (ops.size() > 3) { for(auto [it, pending] = std::tuple{ops.rbegin(), ops.size()}; pending > 3; pending -= 3) {
std::string value;
yajl_gen_string(g, reinterpret_cast<const unsigned char*>("highlight"), yajl_gen_string(g, reinterpret_cast<const unsigned char*>("highlight"),
strlen("highlight")); strlen("highlight"));
yajl_gen_map_open(g); yajl_gen_map_open(g);
ops.pop_back(); it++;
std::string startingAt = ops.back().str(); const std::string &startingAt = it->str(); it++;
ops.pop_back(); const std::string &size = ops.back().str(); it++;
std::string size = ops.back().str();
ops.pop_back();
yajl_gen_string(g, yajl_gen_string(g,
reinterpret_cast<const unsigned char*>("startingAt"), reinterpret_cast<const unsigned char*>("startingAt"),
strlen("startingAt")); strlen("startingAt"));
@ -371,7 +365,7 @@ int ModSecurity::processContentOffset(const char *content, size_t len,
reinterpret_cast<const unsigned char*>("value"), reinterpret_cast<const unsigned char*>("value"),
strlen("value")); strlen("value"));
value = std::string(varValue, stoi(startingAt), stoi(size)); const auto value = std::string(varValue, stoi(startingAt), stoi(size));
yajl_gen_string(g, yajl_gen_string(g,
reinterpret_cast<const unsigned char*>(value.c_str()), reinterpret_cast<const unsigned char*>(value.c_str()),