Modsecurity: V2/Master which large number of form variables cause segmentation fault or out of memory error

Created on 10 May 2017  ·  4 Comments  ·  Source: SpiderLabs/ModSecurity

When we have a request which contains a large number of form variables (appr. 600Kb), I think I counted 19996 form variables, we observe a segmentation fault in our production system:

[Thu May 04 12:32:36 2017] [notice] child pid 23562 exit signal Segmentation fault (11), possible coredump in /tmp/apache2-gdb-dump

gdb shows that it crashed in

0 0x00007f3edbf6ed54 in libinjection_sqli_tokenize (sf=0x7ffefd99b6f0) at libinjection/libinjection_sqli.c:1305

1305 folded_text[position] = s[*pos];

list:

1300 if (current->type != CHAR_NULL) {
1301 printf ("\nPos %zu\n " , *pos);
1302 printf ("Current %c\n", s[*pos]);
1303 printf ("Type %c\n",current->type);
1304 sf->stats_tokens += 1;
1305 folded_text[position] = s[*pos];
1306 folded_type[position] = sf->current->type;
1307 position = position + 1;
1308 return TRUE;
1309 }

In our QA system, it goes out of memory.

Although the form has a large number of variables, these could be inspected one by one. I'm not certain how libinjection handles this, but it seems there is somewhere a memory leak.

Smaller requests work fine, and with mod_security set to off, it also works OK. In detectiononly mode it fails, as well as when set to on.

All 4 comments

Hi @bjdijk,

Thank you for the report! I've just opened the issue client9/libinjection#124, asking the libInjection contributors which version better fits ModSecurity in terms of stability.

Hi @bjdijk,

I've just updated the libinjection version to v3.10.0. Do you mind testing it and providing us some feedback?

I just did update to the latest version and did some testing. First results
look promising, memory usage seems to be stable. Only in debug mode it
becomes unworkable, but that is no showstopper for me.

Bart-Jan

2017-06-01 4:14 GMT+02:00 Felipe Zimmerle notifications@github.com:

Hi @bjdijk https://github.com/bjdijk,

I've just updated the libinjection version to v3.10.0. Do you mind to test
it again?


Thank you @bjdijk ;)
