Removed multiple heap-allocated copies in Pm::init & parse_pm_content #3233
Hi @eduar-hte, thanks again for this PR.
Uhmm, this is a bit scary. I see you fixed this behavior, but I'm afraid we definitely must inform users about this issue. I'm not sure we need to open a CVE, but when we release the new version, we need to draw the attention of users. @marcstern, @fzipi, @theseion, @gberkes (and of course @eduar-hte) - what do you think, guys?
Would there be any conflict between this PR and #3231 (e.g. if I merge this one first...)? I added one comment to my review.
No, they're independent from each other. I mentioned that PR (and the previous one, PR #3222) because they were originally on the same branch. This commit was even part of my original submission for PR #3231, but I moved it to its own PR for that PR to be focused on
Not nice. Fortunately, this affects something that probably only a few people use, which is parsing of
As @theseion mentions, I assume this is not currently being used because it'd just not work as is. In addition to the fix, I think it'd be appropriate to exit the function in error when an invalid hex character is expected and not found (similarly to the way an invalid escape sequence is handled). I'll update the commit to include this.
- The previous version of this function was doing three strdup copies to parse the pm content. The updated version only copies the value once (in order not to modify the Operator's m_param member variable), and then performs the updates inline.
- Binary parsing was broken because digits were not compared as characters.
- Fail parsing when an invalid hex character is found.
- Error message in parse_pm_content would reference freed memory if accessed by caller. Removed anyway because it was unused.
LGTM
@eduar-hte - thanks for the fix. @theseion, @eduar-hte - thanks guys for the answers. Going to merge this.
what
Removed multiple heap-allocated copies of operator `Pm`'s parameter and other unnecessary heap allocations.

changes
- `parse_pm_content`
  - The previous version of this function was doing three `strdup` copies to parse the pm content. The updated version only copies the value once (in order not to modify the operator's `m_param` member variable), and then performs the updates inline.
  - Binary parsing was broken because digits were not compared as characters (`0` would have been interpreted as the null terminator when doing `strdup` before, thus truncating the content).
  - The error message in `parse_pm_content` would reference freed memory if accessed by the caller. Removed anyway because it was unused.
  - Moved `parse_pm_content` to `src/operators/pm.cc` as this function was introduced in ModSecurity v3 and only used by `Pm::init`.
- `Pm::init`
  - `parse_pm_content` now returns a `std::string` instead of a `char *`.
  - `std::istringstream iss` is no longer heap allocated.
  - Removed the `std::vector<std::string> vec` used to store `acmp` patterns, leveraging `std::for_each` to add them as they're parsed from the stream.
- Removed `src/operators/pm_f.cc` (all code in `modsecurity::operators::PmF` is inline).

misc
This PR was originally part of a `remove copies` branch which included PR #3231 & #3222, but was broken down into separate PRs to group changes and simplify the review process. I'm not including this in the `performance improvement` series because even though these changes are related to the initialization of rules (and thus the `Pm` operator).
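The two defects discussed in this thread (a digit check that compared against the integers 0..9 instead of the characters '0'..'9', and a decoded content that went through `strdup` and so stopped at the first NUL byte) are easy to reproduce in isolation. The block below is an added example written for this page; it is not ModSecurity's `parse_pm_content` or `Pm::init`, and the escape set it accepts (`\\`, `\"`, `\xHH`) and the function names `decodePmContent`, `forEachPattern`, `splitPatterns` and `lengthAfterCStringCopy` are assumptions chosen for illustration. It decodes into a `std::string` so an embedded 0 byte survives, rejects a malformed `\x` escape instead of continuing, and feeds the whitespace-separated patterns from a stack-allocated `std::istringstream` through `std::for_each` without an intermediate vector, mirroring the shape the PR description gives for the new `Pm::init`.

```cpp
// Added example, not ModSecurity code: a pm-content decoder modelled on the
// escape handling discussed in PR #3233. Escape set and names are assumptions.
#include <algorithm>
#include <cstddef>
#include <iterator>
#include <optional>
#include <sstream>
#include <string>
#include <vector>

// Value of one hex digit, or -1 if c is not a hex digit. The comparison is
// against the character literals '0'..'9', not the integers 0..9; comparing
// against 0..9 never matches a printable digit, which is the bug class the
// PR's "digits were not compared as characters" refers to.
static int hexDigitValue(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Decode escapes into a std::string. Because the result carries its own
// length, a \x00 escape yields a real 0 byte instead of terminating the
// content the way a char*/strdup round trip would. Returns std::nullopt on an
// unknown escape, a dangling backslash, or a \x that is not followed by two
// hex digits (the "fail on invalid hex character" behaviour from the thread).
std::optional<std::string> decodePmContent(const std::string &param) {
    std::string out;
    out.reserve(param.size());
    for (std::size_t i = 0; i < param.size(); ++i) {
        char c = param[i];
        if (c != '\\') { out.push_back(c); continue; }
        if (i + 1 >= param.size()) return std::nullopt;      // dangling backslash
        char e = param[++i];
        switch (e) {
        case '\\': out.push_back('\\'); break;
        case '"':  out.push_back('"');  break;
        case 'x': {
            if (i + 2 >= param.size()) return std::nullopt;  // fewer than two digits
            int hi = hexDigitValue(param[i + 1]);
            int lo = hexDigitValue(param[i + 2]);
            if (hi < 0 || lo < 0) return std::nullopt;       // invalid hex digit
            out.push_back(static_cast<char>(hi * 16 + lo));
            i += 2;
            break;
        }
        default:
            return std::nullopt;                             // unknown escape
        }
    }
    return out;
}

// Hand each whitespace-separated pattern to fn as it is read from a
// stack-allocated istringstream; no vector of copies is built in between.
template <typename Fn>
void forEachPattern(const std::string &content, Fn fn) {
    std::istringstream iss(content);
    std::for_each(std::istream_iterator<std::string>(iss),
                  std::istream_iterator<std::string>(), fn);
}

// Convenience wrapper so callers (and the tests) can inspect the patterns.
std::vector<std::string> splitPatterns(const std::string &content) {
    std::vector<std::string> patterns;
    forEachPattern(content, [&](const std::string &p) { patterns.push_back(p); });
    return patterns;
}

// Length that survives a C-string copy (what strdup would hand back): it
// stops at the first 0 byte, silently truncating everything after it.
std::size_t lengthAfterCStringCopy(const std::string &decoded) {
    return std::string(decoded.c_str()).size();
}

int main() {
    // Constructed sample inputs: an ordinary phrase list, a hex escape that
    // decodes to a 0 byte, and a malformed hex escape.
    std::string ok = decodePmContent("foo \\x41bar").value();
    std::size_t n = splitPatterns(ok).size();                  // 2 patterns
    std::string nul = decodePmContent("\\x00tail").value();    // 5 bytes kept
    std::size_t lost = lengthAfterCStringCopy(nul);            // 0 after c_str()
    bool rejected = !decodePmContent("\\xZZ").has_value();     // true
    return (n == 2 && nul.size() == 5 && lost == 0 && rejected) ? 0 : 1;
}
```

The contrast worth keeping in mind is the last two helpers: the same decoded bytes give a length of 5 through `std::string` and 0 through a C-string copy, which is exactly how a `strdup`-based parser can drop a whole phrase list without reporting an error.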