From 8943c4ba7ae574a9d7775469d84a4ac07f2a56c4 Mon Sep 17 00:00:00 2001
From: Build System
Date: Wed, 13 May 2026 14:09:22 +0200
Subject: [PATCH] fix: free intervention.url on redirect path and check ngx_list_push return When ModSecurity fires a redirect intervention, intervention.url is allocated by msc_intervention() and must be freed by the caller. Previously it was leaked on every redirect, causing unbounded memory growth on busy servers using redirect-based rules. Additionally, the ngx_list_push() call was not checked for NULL before dereferencing the returned pointer, which would cause a worker crash under out-of-memory conditions. Fixes: - Add free(intervention.url) before returning the redirect status code - Add NULL check for ngx_list_push() return; free url and return 500 on allocation failure Severity: Critical (memory leak) / Medium (NULL deref) Reported-by: Security audit 2026-05-13
---
 src/ngx_http_modsecurity_module.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
index d3d9624d..9da3a2ac 100644
--- a/src/ngx_http_modsecurity_module.c
+++ b/src/ngx_http_modsecurity_module.c
@@ -208,6 +208,10 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 ngx_table_elt_t *location = NULL;
 location = ngx_list_push(&r->headers_out.headers);
+ if (location == NULL) {
+ free(intervention.url);
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
 ngx_str_set(&location->key, "Location");
 location->value = a;
 r->headers_out.location = location;
@@ -217,6 +221,8 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 ngx_http_modsecurity_store_ctx_header(r, &location->key, &location->value);
 #endif
+ free(intervention.url);
+ intervention.url = NULL;
 return intervention.status;
 }
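Review bot: The `free(intervention.url)` added before `return intervention.status;` in the second hunk may turn the leak into a use-after-free. The first hunk shows `location->value = a;`, and the same `location->value` is passed to `ngx_http_modsecurity_store_ctx_header()`. The setup of `a` is outside both hunks, so this needs confirming, but if `a.data` still points at `intervention.url`, the Location header refers to freed memory when nginx later serialises the response headers. Copying the URL into request-pool memory before `ngx_list_push()` and pointing `a` at that copy would make the new `free()` safe. Doing the copy before the push also keeps an allocation failure from leaving a half-initialised header entry in the list.

```c
/* … unchanged: declaration of a and location … */
size_t   url_len = ngx_strlen(intervention.url);
u_char  *url_copy = ngx_pnalloc(r->pool, url_len);
if (url_copy == NULL) {
    free(intervention.url);
    return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
ngx_memcpy(url_copy, intervention.url, url_len);
a.data = url_copy;   /* pool-owned, lives as long as the request */
a.len = url_len;

location = ngx_list_push(&r->headers_out.headers);
/* … unchanged: NULL check, Location header setup, store_ctx_header … */
free(intervention.url);
intervention.url = NULL;
return intervention.status;
```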