
Segmentation fault on a request with invalid HTTP method and error_page enabled #164

@defanator


Example configuration:

# Reproduction configuration from the report: the ModSecurity-nginx connector
# is loaded as a dynamic module (a debug build, going by the file name) and
# error_page is configured for status 400.
load_module /home/test/ngx_http_modsecurity_module-debug.so;

user nginx;
# A single worker keeps the crash and the resulting core file easy to attribute.
worker_processes 1;

# Allow worker core dumps (up to 1000M) and write them under /tmp/ so the
# SIGSEGV can be examined in gdb, as done in the backtrace in this report.
worker_rlimit_core 1000M;
working_directory /tmp/;

# Debug-level error log.
error_log /var/log/nginx/error.log debug;
pid /var/run/nginx.pid;

events {
    worker_connections 65536;
}

http {
    root /usr/share/nginx/html;
    access_log off;

    server {
	listen 80 default_server;
	server_name localhost;
	# ModSecurity is enabled for the whole server. Per the backtrace in this
	# report, its rewrite-phase handler also runs for the internal redirect
	# that error_page triggers.
	modsecurity on;
	modsecurity_rules_file /etc/nginx/modsec/main.conf;
	# A 400 raised while nginx is still parsing the request line is served by
	# an internal redirect to /error.html. In the backtrace this redirect
	# re-enters the rewrite phase and ModSecurity is called with uri=0x0.
	# NOTE(review): the request needs no authentication, so this is a remote
	# worker-crash (availability) issue for any reachable listener with this
	# combination; confirm the deployed connector/libmodsecurity builds
	# handle a missing URI before relying on error_page 400 here.
	error_page 400 /error.html;
	# Not exercised by the backtrace shown (the failing request ends with 400).
	error_page 403 /error403.html;
    }
}

An invalid request is then sent with nc (the request line is just the word "wrong", with no HTTP method, URI or version):

root@vagrant:/etc/nginx# nc localhost 80
wrong
root@vagrant:/etc/nginx# 

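Backtrace (the worker receives SIGSEGV in strlen(): nginx finalizes the request with 400 while parsing the request line, the error_page internal redirect re-runs the rewrite phase, and the ModSecurity rewrite handler passes uri=0x0 to Transaction::processURI, which assigns the null pointer to a std::string):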

Core was generated by `nginx: worke'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
106	../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x00007fde2914cee0 in std::char_traits<char>::length (__s=0x0) at /usr/include/c++/5/bits/char_traits.h:267
#2  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::assign (__s=0x0, this=0x55e2ddd61198) at /usr/include/c++/5/bits/basic_string.h:1166
#3  std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::operator= (__s=0x0, this=0x55e2ddd61198) at /usr/include/c++/5/bits/basic_string.h:559
#4  modsecurity::Transaction::processURI (this=0x55e2ddd5f600, uri=uri@entry=0x0, method=method@entry=0x55e2de8c1132 "GET", 
    http_version=http_version@entry=0x7fde29481425 "1.0") at transaction.cc:399
#5  0x00007fde2914dde5 in modsecurity::msc_process_uri (transaction=<optimized out>, uri=uri@entry=0x0, protocol=protocol@entry=0x55e2de8c1132 "GET", 
    http_version=http_version@entry=0x7fde29481425 "1.0") at transaction.cc:1833
#6  0x00007fde294802d7 in ngx_http_modsecurity_rewrite_handler (r=0x55e2de8c0420) at ../ModSecurity-nginx/src/ngx_http_modsecurity_rewrite.c:136
#7  0x000055e2dc4f4aa3 in ngx_http_core_rewrite_phase (r=0x55e2de8c0420, ph=0x55e2ddd6db70) at src/http/ngx_http_core_module.c:912
#8  0x000055e2dc4f01ed in ngx_http_core_run_phases (r=r@entry=0x55e2de8c0420) at src/http/ngx_http_core_module.c:858
#9  0x000055e2dc4f02d2 in ngx_http_handler (r=r@entry=0x55e2de8c0420) at src/http/ngx_http_core_module.c:841
#10 0x000055e2dc4f6c4c in ngx_http_internal_redirect (r=r@entry=0x55e2de8c0420, uri=uri@entry=0x7ffce8084bd0, args=args@entry=0x7ffce8084be0)
    at src/http/ngx_http_core_module.c:2449
#11 0x000055e2dc4f7bf6 in ngx_http_send_error_page (err_page=0x55e2ded81b98, r=0x55e2de8c0420) at src/http/ngx_http_special_response.c:619
#12 ngx_http_special_response_handler (r=r@entry=0x55e2de8c0420, error=error@entry=400) at src/http/ngx_http_special_response.c:466
#13 0x000055e2dc4fb1f9 in ngx_http_finalize_request (r=0x55e2de8c0420, rc=400) at src/http/ngx_http_request.c:2481
#14 0x000055e2dc4fcb8e in ngx_http_process_request_line (rev=0x7fde1fafe0d0) at src/http/ngx_http_request.c:1167
#15 0x000055e2dc4e1b54 in ngx_epoll_process_events (cycle=0x55e2ddcfdd00, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:902
#16 0x000055e2dc4d60ca in ngx_process_events_and_timers (cycle=cycle@entry=0x55e2ddcfdd00) at src/event/ngx_event.c:242
#17 0x000055e2dc4df5b5 in ngx_worker_process_cycle (cycle=cycle@entry=0x55e2ddcfdd00, data=data@entry=0x0) at src/os/unix/ngx_process_cycle.c:750
#18 0x000055e2dc4dd9ae in ngx_spawn_process (cycle=cycle@entry=0x55e2ddcfdd00, proc=0x55e2dc4df560 <ngx_worker_process_cycle>, data=0x0, 
    name=0x55e2dc59440b "worker process", respawn=respawn@entry=0) at src/os/unix/ngx_process.c:199
#19 0x000055e2dc4e091e in ngx_reap_children (cycle=0x55e2ddcfdd00) at src/os/unix/ngx_process_cycle.c:622
#20 ngx_master_process_cycle (cycle=0x55e2ddcfdd00) at src/os/unix/ngx_process_cycle.c:175
#21 0x000055e2dc4b38d8 in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:382
(gdb) 
