Merge commit from fork

fix: prevent segmentation fault if the XML node is empty
2025-08-13 13:26:01 +03:00 · 2025-07-01 21:40:15 +02:00 · 2025-07-01 21:40:15 +02:00 · ecd7b97368
commit ecd7b97368
parent c01e5db35b 8879413abf
2 changed files with 18 additions and 7 deletions
--- a/apache2/msc_xml.c
+++ b/apache2/msc_xml.c
@ -36,6 +36,7 @@ static void msc_xml_on_start_elementns(
    xml_parser_state->pathlen += (taglen + 1);
    char *newpath = apr_pstrcat(msr->mp, xml_parser_state->currpath, ".", (char *)localname, NULL);
    xml_parser_state->currpath = newpath;
+    xml_parser_state->currpathbufflen += taglen + 1; // +1 for the '.' character here too

    int *new_stack_item = (int *)apr_array_push(xml_parser_state->has_child_stack);
    *new_stack_item = 0;
@ -44,6 +45,7 @@ static void msc_xml_on_start_elementns(
    // this is necessary because if there is any text between the tags (new line, etc)
    // it will be added to the current value
    xml_parser_state->currval = NULL;
+    xml_parser_state->currvalbufflen = 0;

    // if there is an item before the current one we set that has a child
    if (xml_parser_state->depth > 1) {
@ -72,8 +74,12 @@ static void msc_xml_on_end_elementns(
        if (apr_table_elts(msr->arguments)->nelts >= msr->txcfg->arguments_limit) {
            if (msr->txcfg->debuglog_level >= 4) {
                msr_log(msr, 4, "Skipping request argument, over limit (XML): name \"%s\", value \"%s\"",
-                        log_escape_ex(msr->mp, xml_parser_state->currpath, strlen(xml_parser_state->currpath)),
-                        log_escape_ex(msr->mp, xml_parser_state->currval, strlen(xml_parser_state->currval)));
+                        log_escape_ex(msr->mp, xml_parser_state->currpath, xml_parser_state->currpathbufflen),
+                        log_escape_ex(msr->mp,
+                                      (xml_parser_state->currval == NULL ? apr_pstrndup(msr->mp, "", 1) : xml_parser_state->currval),
+                                      (xml_parser_state->currvalbufflen == 0 ? 1 : xml_parser_state->currvalbufflen)
+                                     )
+                        );
            }
            msr->msc_reqbody_error = 1;
            msr->xml->xml_error = apr_psprintf(msr->mp, "More than %ld ARGS (GET + XML)", msr->txcfg->arguments_limit);
@ -84,15 +90,15 @@ static void msc_xml_on_end_elementns(
            msc_arg * arg = (msc_arg *) apr_pcalloc(msr->mp, sizeof(msc_arg));

            arg->name = xml_parser_state->currpath;
-            arg->name_len = strlen(arg->name);
-            arg->value = xml_parser_state->currval;
-            arg->value_len = strlen(xml_parser_state->currval);
+            arg->name_len = xml_parser_state->currpathbufflen;
+            arg->value = (xml_parser_state->currval == NULL) ? apr_pstrndup(msr->mp, "", 1) : xml_parser_state->currval;
+            arg->value_len = (xml_parser_state->currvalbufflen == 0) ? 1 : xml_parser_state->currvalbufflen;
            arg->value_origin_len = arg->value_len;
            arg->origin = "XML";

            if (msr->txcfg->debuglog_level >= 9) {
                msr_log(msr, 9, "Adding XML argument '%s' with value '%s'",
-                    xml_parser_state->currpath, xml_parser_state->currval);
+                    arg->name, arg->value);
            }

            apr_table_addn(msr->arguments,
@ -106,9 +112,11 @@ static void msc_xml_on_end_elementns(
    // -1 is needed because we don't need the last '.'
    char * newpath = apr_pstrndup(msr->mp, xml_parser_state->currpath, xml_parser_state->pathlen - 1);
    xml_parser_state->currpath = newpath;
+    xml_parser_state->currpathbufflen = xml_parser_state->pathlen - 1;

    xml_parser_state->depth--;
    xml_parser_state->currval = NULL;
+    xml_parser_state->currvalbufflen = 0;
 }

 static void msc_xml_on_characters(void *ctx, const xmlChar *ch, int len) {
@ -123,6 +131,7 @@ static void msc_xml_on_characters(void *ctx, const xmlChar *ch, int len) {
                                            ((xml_parser_state->currval != NULL) ? xml_parser_state->currval : ""),
                                            apr_pstrndup(msr->mp, (const char *)ch, len),
                                            NULL);
+    xml_parser_state->currvalbufflen += len;
    // check if the memory allocation was successful
    if (xml_parser_state->currval == NULL) {
        msr->xml->xml_error = apr_psprintf(msr->mp, "Failed to allocate memory for XML value.");
@ -174,8 +183,9 @@ int xml_init(modsec_rec *msr, char **error_msg) {
        msr->xml->xml_parser_state->depth           = 0;
        msr->xml->xml_parser_state->pathlen         = 4; // "xml\0"
        msr->xml->xml_parser_state->currpath        = apr_pstrdup(msr->mp, "xml");
+        msr->xml->xml_parser_state->currpathbufflen = 3; // "xml"
        msr->xml->xml_parser_state->currval         = NULL;
-        msr->xml->xml_parser_state->currpathbufflen = 4;
+        msr->xml->xml_parser_state->currvalbufflen  = 0;
        // initialize the stack with item of 10
        // this will store the information about nodes
        // 10 is just an initial value, it can be automatically incremented
--- a/apache2/msc_xml.h
+++ b/apache2/msc_xml.h
@ -31,6 +31,7 @@ struct msc_xml_parser_state {
    char               * currpath;
    char               * currval;
    size_t               currpathbufflen;
+    size_t               currvalbufflen;
    apr_pool_t         * mp;
 };