Closed
A fatal bug in 2.8.0.
This bug will cause Nginx to crash and can be easily reproduced.
The root cause is located in the function move_brigade_to_chain:
the "next" ngx_chain_t structure is not initialized before use and is left with a random value. This will cause a crash in the chunked filter module in nginx, and can be easily reproduced when deployed as a reverse proxy and chunked traffic passes through.
Patch:
ngx_int_t
move_brigade_to_chain(apr_bucket_brigade _bb, ngx_chain_t *_ll, ngx_pool_t *pool) {
apr_bucket *e;
ngx_buf_t *buf;
ngx_chain_t *cl;
cl = NULL;
if (APR_BRIGADE_EMPTY(bb)) {
*ll = NULL;
return NGX_OK;
}
for (e = APR_BRIGADE_FIRST(bb);
e != APR_BRIGADE_SENTINEL(bb);
e = APR_BUCKET_NEXT(e)) {
if (APR_BUCKET_IS_EOS(e)) {
if (cl == NULL) {
cl = ngx_alloc_chain_link(pool);
if (cl == NULL) {
break;
}
cl->buf = ngx_calloc_buf(pool);
if (cl->buf == NULL) {
break;
}
+++ cl->next = NULL;
cl->buf->last_buf = 1;
*ll = cl;
} else {
cl->buf->last_buf = 1;
}
apr_brigade_cleanup(bb);
return NGX_OK;
}
if (APR_BUCKET_IS_METADATA(e)) {
continue;
}
buf = apr_bucket_to_ngx_buf(e, pool);
if (buf == NULL) {
break;
}
cl = ngx_alloc_chain_link(pool);
if (cl == NULL) {
break;
}
cl->buf = buf;
cl->next = NULL;
*ll = cl;
ll = &cl->next;
}
apr_brigade_cleanup(bb);
/* no eos or error */
return NGX_ERROR;
}
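Review bot: In the EOS branch the added cl->next = NULL comes only after ngx_calloc_buf() has succeeded, so between ngx_alloc_chain_link() and that point the link still carries whatever next value it was handed. The link is not yet published through *ll on the break path, so this is not reachable today, but moving the assignment to directly after the cl == NULL check on the allocation would make the invariant "every link returned by ngx_alloc_chain_link has next set before anything else happens" hold in both branches and survive later edits. Separately, the signature as posted declares _bb and *_ll while the body uses bb, *ll and ll = &cl->next, which needs apr_bucket_brigade *bb and ngx_chain_t **ll; the asterisks appear to have been lost in formatting, so please resubmit the change as a unified diff so the single added line can be applied and reviewed unambiguously.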