nginx + mod_security segfaults

[Igor D'Astolfo]

I just made a test with nginx 1.7.9 and mod_security for nginx, following this tutorial: ​http://www.nginxtips.com/how-to-install-mod_security-on-nginx/

I configured nginx as reverse proxy with mod_security enabled. After few requests nginx was segfaulting, always when serving images. I checked the coredump, this is the output:

Program terminated with signal SIGSEGV, Segmentation fault.
#0 ngx_http_upstream_copy_allow_ranges (r=0x2678680, h=0x7fff406e6f40, offset=<optimized out>) at src/http/ngx_http_upstream.c:4571
4571 if (r->upstream->conf->force_ranges) {

so I tried to set proxy_force_ranges flag in configuration and the segfault went away.

Note that if I turn off modsecurity the proxy alone works fine.

[Maxim Dounin]

The ModSecurity 3rd party module is known to be very unstable. AFAIK, it is not expected to work at all unless you are using ​nginx_refactoring branch. In either case, this isn't a proper place to report problems with ModSecurity, likely ​their issue tracker on GitHub is a correct place.

[driehuis@…]

The ngx_http_upstream_copy_allow_ranges blindly dives into a a structure that gets passed around as an opaque object, so a caller can't reasonably be expected to check it for completeness.

This fix addresses the issue by checking that the conf member is set before derefencing it.

--- orig/nginx-1.7.9/src/http/ngx_http_upstream.c   2014-12-23 16:28:40.000000000 +0100
+++ nginx-1.7.9/src/http/ngx_http_upstream.c    2015-02-10 14:29:10.211240721 +0100
@@ -4569,5 +4569,5 @@
     ngx_table_elt_t  *ho;

-    if (r->upstream->conf->force_ranges) {
+    if (r->upstream->conf && r->upstream->conf->force_ranges) {
         return NGX_OK;
     }

[Maxim Dounin]

The ngx_http_upstream_copy_allow_ranges() function is a handler called to copy headers within upstream module. It is expected to be only called when r->upstream exists and r->upstream->conf is set. If it's called with r->upstream->conf not set - it means the bug is elsewhere.