From d66760d09cec2e438c85c2b27a2c6afc8ac372ad Mon Sep 17 00:00:00 2001
From: b1v1r <b1v1r@9017d574-64ec-4062-9424-5e00b32a252b>
Date: Fri, 5 Feb 2010 18:07:56 +0000
Subject: [PATCH] Fixed memory leak in v1 cookie parser reported by Sogeti/ESEC
 R&D (MODSEC-121).

---
 CHANGES               |  2 ++
 apache2/msc_parsers.c | 18 +++++++++++++++---
 2 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index fb03438f..be540944 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 14 Jan 2010 - 2.5.12
 --------------------
 
+ * Fixed memory leak in v1 cookie parser.  Reported by Sogeti/ESEC R&D.
+
  * Now support macro expansion in numeric operators (@eq, @ge, @lt, etc.)
 
  * Update copyright to 2010.
diff --git a/apache2/msc_parsers.c b/apache2/msc_parsers.c
index f2f9218d..c61ebc25 100644
--- a/apache2/msc_parsers.c
+++ b/apache2/msc_parsers.c
@@ -22,7 +22,9 @@
 /**
  *
  */
-int parse_cookies_v0(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies) {
+int parse_cookies_v0(modsec_rec *msr, char *_cookie_header,
+                     apr_table_t *cookies)
+{
     char *attr_name = NULL, *attr_value = NULL;
     char *cookie_header;
     char *saveptr = NULL;
@@ -85,13 +87,21 @@ int parse_cookies_v0(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies
 /**
  *
  */
-int parse_cookies_v1(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies) {
+int parse_cookies_v1(modsec_rec *msr, char *_cookie_header,
+                     apr_table_t *cookies)
+{
     char *attr_name = NULL, *attr_value = NULL, *p = NULL;
     char *prev_attr_name = NULL;
     char *cookie_header = NULL;
     int cookie_count = 0;
 
     if (_cookie_header == NULL) return -1;
+    // XXX Should it not match _v0 parser?
+    //if (_cookie_header == NULL) {
+    //    msr_log(msr, 1, "Cookie parser: Received null for argument.");
+    //    return -1;
+    //}
+
     cookie_header = strdup(_cookie_header);
     if (cookie_header == NULL) return -1;
 
@@ -213,6 +223,7 @@ int parse_cookies_v1(modsec_rec *msr, char *_cookie_header, apr_table_t *cookies
         while( (*p != 0)&&( (*p == ',')||(*p == ';')||(isspace(*p)) ) ) p++;
     }
 
+    free(cookie_header);
     return cookie_count;
 }
 
@@ -322,7 +333,8 @@ int parse_arguments(modsec_rec *msr, const char *s, apr_size_t inputlength,
 /**
  *
  */
-void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg) {
+void add_argument(modsec_rec *msr, apr_table_t *arguments, msc_arg *arg)
+{
     if (msr->txcfg->debuglog_level >= 5) {
         msr_log(msr, 5, "Adding request argument (%s): name \"%s\", value \"%s\"",
             arg->origin, log_escape_ex(msr->mp, arg->name, arg->name_len),