github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 13:56:01 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fix potential memory corruption in msre_create_var_ex allocating per-request data out of global pool.

Browse Source
This commit is contained in:
brectanus 2007-03-08 16:15:45 +00:00
parent 8898759c47
commit ab55a8716e
4 changed files with 12 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -1,7 +1,9 @@
01 Mar 2007 - 2.1.1-dev1 01 Mar 2007 - 2.1.1-dev3
------------------------ ------------------------
* Fixed potential memory corruption when expanding macros.
* Fixed error when a collection var was fetched in the same second as creation * Fixed error when a collection var was fetched in the same second as creation
by setting the rate to zero. by setting the rate to zero.

11
apache2/re.c
View File

@ -121,10 +121,10 @@ msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name)
* Creates a new variable instance given the variable name * Creates a new variable instance given the variable name
* and an (optional) parameter. * and an (optional) parameter.
*/ */
msre_var *msre_create_var_ex(msre_engine *engine, const char *name, const char *param, msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param,
modsec_rec *msr, char **error_msg) modsec_rec *msr, char **error_msg)
{ {
msre_var *var = apr_pcalloc(engine->mp, sizeof(msre_var)); msre_var *var = apr_pcalloc(pool, sizeof(msre_var));
if (var == NULL) return NULL; if (var == NULL) return NULL;
if (error_msg == NULL) return NULL; if (error_msg == NULL) return NULL;
@ -147,7 +147,7 @@ msre_var *msre_create_var_ex(msre_engine *engine, const char *name, const char *
/* CGI HTTP variables emulation. */ /* CGI HTTP variables emulation. */
if (strncasecmp(var->name, "HTTP_", 5) == 0) { if (strncasecmp(var->name, "HTTP_", 5) == 0) {
if (var->param != NULL) { if (var->param != NULL) {
*error_msg = apr_psprintf(engine->mp, "Variable %s does not support parameters.", *error_msg = apr_psprintf(pool, "Variable %s does not support parameters.",
var->name); var->name);
return NULL; return NULL;
} }
@ -196,11 +196,14 @@ msre_var *msre_create_var_ex(msre_engine *engine, const char *name, const char *
/** /**
* Create a new variable object from the provided name and value. * Create a new variable object from the provided name and value.
*
* NOTE: this allocates out of the global pool and should not be used
* per-request
*/ */
msre_var *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param, msre_var *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param,
modsec_rec *msr, char **error_msg) modsec_rec *msr, char **error_msg)
{ {
msre_var *var = msre_create_var_ex(ruleset->engine, name, param, msr, error_msg); msre_var *var = msre_create_var_ex(ruleset->engine->mp, ruleset->engine, name, param, msr, error_msg);
if (var == NULL) return NULL; if (var == NULL) return NULL;
/* Validate & initialise variable */ /* Validate & initialise variable */

2
apache2/re.h
View File

@ -54,7 +54,7 @@ msre_action_metadata *msre_resolve_action(msre_engine *engine, const char *name)
msre_var *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param, msre_var *msre_create_var(msre_ruleset *ruleset, const char *name, const char *param,
modsec_rec *msr, char **error_msg); modsec_rec *msr, char **error_msg);
msre_var *msre_create_var_ex(msre_engine *engine, const char *name, const char *param, msre_var *msre_create_var_ex(apr_pool_t *pool, msre_engine *engine, const char *name, const char *param,
modsec_rec *msr, char **error_msg); modsec_rec *msr, char **error_msg);
msre_action *msre_create_action(msre_engine *engine, const char *name, msre_action *msre_create_action(msre_engine *engine, const char *name,

2
apache2/re_actions.c
View File

@ -131,7 +131,7 @@ int DSOLOCAL expand_macros(modsec_rec *msr, msc_string *var, msre_rule *rule, ap
*(msc_string **)apr_array_push(arr) = part; *(msc_string **)apr_array_push(arr) = part;
/* Resolve the macro and add that to the array. */ /* Resolve the macro and add that to the array. */
var_resolved = msre_create_var_ex(msr->modsecurity->msre, var_name, var_value, var_resolved = msre_create_var_ex(mptmp, msr->modsecurity->msre, var_name, var_value,
msr, &my_error_msg); msr, &my_error_msg);
if (var_resolved != NULL) { if (var_resolved != NULL) {
var_generated = generate_single_var(msr, var_resolved, rule, mptmp); var_generated = generate_single_var(msr, var_resolved, rule, mptmp);