From 4f33f5b6560033bb0b3c275bc9602e6e60dd4d05 Mon Sep 17 00:00:00 2001
From: Thomas Wouters
Date: Fri, 1 Mar 2024 10:57:03 +0100
Subject: [PATCH 1/2] Fix possible segfault in collection_unpack

When var->value_len somehow becomes 0, we risk wrapping around to 4294967295 due to it being an unsigned int.

Fixes #3082
---
 apache2/persist_dbm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apache2/persist_dbm.c b/apache2/persist_dbm.c
index e4f8036f6f..79f99dcc44 100644
--- a/apache2/persist_dbm.c
+++ b/apache2/persist_dbm.c
@@ -59,7 +59,7 @@ static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob
 }
 blob_offset += 2;
 
- if (blob_offset + var->name_len > blob_size) return NULL;
+ if (var->name_len < 1 || blob_offset + var->name_len > blob_size) return NULL;
 var->name = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->name_len - 1);
 blob_offset += var->name_len;
 var->name_len--;
@@ -67,7 +67,7 @@ static apr_table_t *collection_unpack(modsec_rec *msr, const unsigned char *blob
 var->value_len = (blob[blob_offset] << 8) + blob[blob_offset + 1];
 blob_offset += 2;
 
- if (blob_offset + var->value_len > blob_size) return NULL;
+ if (var->value_len < 1 || blob_offset + var->value_len > blob_size) return NULL;
 var->value = apr_pstrmemdup(msr->mp, (const char *)blob + blob_offset, var->value_len - 1);
 blob_offset += var->value_len;
 var->value_len--;

From 31bf935f743fb2617549a47f79349fa85dd67aa6 Mon Sep 17 00:00:00 2001
From: Marc Stern
Date: Sun, 3 Mar 2024 16:20:07 +0100
Subject: [PATCH 2/2] Update CHANGES

---
 CHANGES | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/CHANGES b/CHANGES
index 517e76b74c..eb1b846c06 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,6 +1,8 @@
 DD mmm YYYY - 2.9.x (to be released)
 -------------------
+ * Fix possible segfault in collection_unpack
+ [Issue #3072 - @twouters]
 * Set the minimum security protocol version for SecRemoteRules
 [Issue security/code-scanning/2 - @airween]
 * Allow lua version 5.4
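Review bot: The new guard `var->name_len < 1` in the first hunk exists only to keep `var->name_len - 1` on the following `apr_pstrmemdup` line from wrapping on the unsigned field, but nothing in the code says so, and a later reader may see a zero-length record being rejected and "relax" it; the same applies to `var->value_len` in the second hunk. Add a one-line comment above each guard, e.g. `/* name_len counts the trailing NUL; 0 would make name_len - 1 wrap and over-read blob */`, and on an unsigned field `== 0` reads more naturally than `< 1`. Whether the two-byte read that computes `value_len` at the top of the second hunk is itself checked against `blob_size` is not visible here — collection_unpack's body extends beyond both hunks and the line between them is cut — so that earlier check is worth confirming before treating the parser as fully bounded. Separately, the commit message says `Fixes #3082` while the CHANGES entry in PATCH 2/2 cites `#3072`; one of the two issue numbers looks wrong.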