Invalid memory access in parser_conn_limits_operator() · Issue #2815 · owasp-modsecurity/ModSecurity

First problem (quite unusual, I admit):

config_orig_path = apr_pstrndup(mp, filename, strlen(filename) - strlen(apr_filepath_name_get(filename)));
apr_filepath_merge(&file, config_orig_path, param, APR_FILEPATH_TRUENAME, mp);

config_orig_path can be NULL, so

config_orig_path = apr_pstrndup(mp, filename, strlen(filename) - strlen(apr_filepath_name_get(filename)));
if (!config_orig_path) {
   return apr_psprintf(mp, "ModSecurity: failed to duplicate filename in parser_conn_limits_operator");
}
apr_filepath_merge(&file, config_orig_path, param, APR_FILEPATH_TRUENAME, mp);

Second problem (I found it in prod, difficult to troubleshoot):

char* param = strchr(p2, ' ');
[...]
param++;

In case we use the SecConnReadStateLimit directive without an operator (only a regex), param is NULL => memory fault, crash without any message.
Fix:

if (!param && *p2) return apr_psprintf(mp, "ModSecurity: Invalid operator for " \
   "SecConnReadStateLimit: %s, expected operators: @ipMatch, @ipMatchF " \
   "or @ipMatchFromFile with or without !", p2);
param++;
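The second problem comes from advancing a pointer that `strchr()` returned as NULL. The following is an added example, not ModSecurity's own code: a hypothetical `split_conn_limit_arg()` helper that splits a `SecConnReadStateLimit`-style argument into operator and operand and reports a missing operand instead of crashing, plus a `conn_limit_operator_ok()` check against the three operators named in the report (with or without a leading `!`). Function names, the struct, and the sample arguments are all constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not ModSecurity code). Holds the two halves of an
   argument of the form "operator param". */
typedef struct {
    const char *op;     /* start of the operator token, e.g. "@ipMatch" */
    size_t op_len;      /* length of the operator token */
    const char *param;  /* text after the first space, or NULL when absent */
} conn_limit_arg;

/* Split p2 at its first space. Returns 0 on success and -1 when there is no
   space-separated operand, so the caller never does param++ on a NULL pointer
   the way the unchecked code in the report does. */
int split_conn_limit_arg(const char *p2, conn_limit_arg *out)
{
    const char *space;
    if (p2 == NULL || out == NULL) return -1;
    out->op = p2;
    space = strchr(p2, ' ');
    if (space == NULL) {
        /* Only a regex or a bare operator was given: report it, do not crash. */
        out->op_len = strlen(p2);
        out->param = NULL;
        return -1;
    }
    out->op_len = (size_t)(space - p2);
    out->param = space + 1;  /* safe: space is non-NULL here */
    return 0;
}

/* Return the operand of p2, or NULL when p2 has no operand. */
const char *conn_limit_param(const char *p2)
{
    conn_limit_arg a;
    if (split_conn_limit_arg(p2, &a) != 0) return NULL;
    return a.param;
}

/* Return 1 when the operator is one of @ipMatch, @ipMatchF or @ipMatchFromFile,
   optionally negated with '!', and an operand is present; 0 otherwise. */
int conn_limit_operator_ok(const char *p2)
{
    static const char *const allowed[] = { "@ipMatch", "@ipMatchF", "@ipMatchFromFile" };
    conn_limit_arg a;
    const char *op;
    size_t len, i;

    if (split_conn_limit_arg(p2, &a) != 0) return 0;
    op = a.op;
    len = a.op_len;
    if (len > 0 && op[0] == '!') { op++; len--; }  /* optional negation */
    for (i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        if (strlen(allowed[i]) == len && memcmp(allowed[i], op, len) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample arguments: two valid forms and the regex-only case. */
    const char *samples[] = { "@ipMatch 192.0.2.0/24", "!@ipMatchFromFile ips.txt", "^192\\.0\\.2\\." };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *p = conn_limit_param(samples[i]);
        printf("%-28s operator_ok=%d param=%s\n", samples[i],
               conn_limit_operator_ok(samples[i]), p ? p : "(none)");
    }
    return 0;
}
```

The caller that receives -1 from `split_conn_limit_arg()` is the place to produce the "Invalid operator for SecConnReadStateLimit" error message proposed above; the point of the helper is that the NULL case is decided before any pointer arithmetic happens.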