From 9520104e106229a57eeaf9117de7e87b555ef6ee Mon Sep 17 00:00:00 2001
From: Build System
Date: Wed, 13 May 2026 14:17:43 +0200
Subject: [PATCH] fix: free intervention strings on mcf NULL early return path
When msc_intervention() succeeds and fills intervention.log and/or intervention.url, then ngx_http_get_module_loc_conf() returns NULL (unexpected misconfiguration), the function returned immediately with NGX_HTTP_INTERNAL_SERVER_ERROR without freeing either string. Free both intervention.log and intervention.url before the early return to prevent the leak on this error path.
Severity: Medium
Reported-by: Security audit 2026-05-13
---
 src/ngx_http_modsecurity_module.c | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
index d3d9624d..1e55ade0 100644
--- a/src/ngx_http_modsecurity_module.c
+++ b/src/ngx_http_modsecurity_module.c
@@ -163,6 +163,12 @@ ngx_http_modsecurity_process_intervention (Transaction *transaction, ngx_http_re
 mcf = ngx_http_get_module_loc_conf(r, ngx_http_modsecurity_module);
 if (mcf == NULL) {
+ if (intervention.log != NULL) {
+ free(intervention.log);
+ }
+ if (intervention.url != NULL) {
+ free(intervention.url);
+ }
 return NGX_HTTP_INTERNAL_SERVER_ERROR;
 }
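Review bot: On the `mcf == NULL` path the intervention's log text is freed without being written anywhere in the visible lines, so a request that ModSecurity flagged ends as a bare 500 with no record of why. If nothing earlier in the function has already logged `intervention.log` (the code before this hunk is not shown), emit it before the frees, e.g. `ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "modsecurity: location config missing, intervention dropped: %s", intervention.log != NULL ? intervention.log : "(no log message)");`. The `!= NULL` guards around `free()` are redundant because `free(NULL)` is a no-op, though keeping them is reasonable if the rest of the file uses that style. The function starts and ends outside the hunk, so any other early return after `msc_intervention()` should be checked for the same leak.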