Fixed memory leak in v1 cookie parser reported by Sogeti/ESEC R&D (MODSEC-121).

2026-01-13 06:57:10 +03:00 · 2010-02-05 18:07:56 +00:00
parent 7262e026d2
commit d66760d09c
2 changed files with 17 additions and 3 deletions
--- a/2
+++ b/2
@@ -1,6 +1,8 @@
 14 Jan 2010 - 2.5.12
 --------------------

+ * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.
+
 * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)

 * Update copyright to 2010.
--- a/apache2/msc_parsers.c
+++ b/apache2/msc_parsers.c
@@ -22,7 +22,9 @@
 /**
 *
 */
-int parse_cookies_v0(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies) {
+int parse_cookies_v0(modsec_rec *msr, char *_cookie_header,
+                     apr_table_t *cookies)
+{
    char *attr_name = NULL, *attr_value = NULL;
    char *cookie_header;
    char *saveptr = NULL;
@@ -85,13 +87,21 @@ int parse_cookies_v0(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies
 /**
 *
 */
-int parse_cookies_v1(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies) {
+int parse_cookies_v1(modsec_rec *msr, char *_cookie_header,
+                     apr_table_t *cookies)
+{
    char *attr_name = NULL, *attr_value = NULL, *p = NULL;
    char *prev_attr_name = NULL;
    char *cookie_header = NULL;
    int cookie_count = 0;

    if (_cookie_header == NULL) return -1;
+    // XXX Should it not match _v0 parser?
+    //if (_cookie_header == NULL) {
+    //    msr_log(msr, 1, "Cookie parser: Received null for argument.");
+    //    return -1;
+    //}
+
    cookie_header = strdup(_cookie_header);
    if (cookie_header == NULL) return -1;

@@ -213,6 +223,7 @@ int parse_cookies_v1(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies
        while( (*p != 0)&&( (*p == ',')||(*p == ';')||(isspace(*p)) ) ) p++;
    }

+    free(cookie_header);
    return cookie_count;
 }

@@ -322,7 +333,8 @@ int parse_arguments(modsec_rec *msr, const char *s, apr_size_t inputlength,
 /**
 *
 */
-void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg) {
+void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
+{
    if (msr->txcfg->debuglog_level >= 5) {
        msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"",
            arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),