github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adds verification before access the strcmp

Browse Source 
Audit log was making the assumption that "arg->origin" was filled which
is not necessary true. This commit adds an verification.
This commit is contained in:
Felipe Zimmerle 2014-03-20 11:02:36 -07:00
parent c5c2690809
commit 966e7e1ff1
1 changed files with 4 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
apache2/msc_logging.c
View File

@ -53,7 +53,7 @@ static int sec_auditlog_write(modsec_rec *msr, const char *data, unsigned int le
msr_log(msr, 1, "Audit log: Failed writing (requested %" APR_SIZE_T_FMT msr_log(msr, 1, "Audit log: Failed writing (requested %" APR_SIZE_T_FMT
" bytes, written %" APR_SIZE_T_FMT "): %s", nbytes, nbytes_written, " bytes, written %" APR_SIZE_T_FMT "): %s", nbytes, nbytes_written,
apr_strerror(rc, errstr, sizeof(errstr)); apr_strerror(rc, errstr, sizeof(errstr)));
/* Concurrent log format: don't leak file handle. */ /* Concurrent log format: don't leak file handle. */
if (msr->txcfg->auditlog_type == AUDITLOG_CONCURRENT) { if (msr->txcfg->auditlog_type == AUDITLOG_CONCURRENT) {
@ -704,7 +704,9 @@ void sec_audit_logger(modsec_rec *msr) {
telts = (const apr_table_entry_t*)tarr->elts; telts = (const apr_table_entry_t*)tarr->elts;
for(i = 0; i < tarr->nelts; i++) { for(i = 0; i < tarr->nelts; i++) {
msc_arg *arg = (msc_arg *)telts[i].val; msc_arg *arg = (msc_arg *)telts[i].val;
if (strcmp(arg->origin, "BODY") != 0) continue; if (arg->origin != NULL &&
strcmp(arg->origin, "BODY") != 0)
continue;
if (last_offset == 0) { /* The first time we're here. */ if (last_offset == 0) { /* The first time we're here. */
if (arg->value_origin_offset > offset) { if (arg->value_origin_offset > offset) {