From ef5cb581b8bf03d24b04b8deca7fce9df87e35a3 Mon Sep 17 00:00:00 2001 From: Build System Date: Wed, 13 May 2026 14:09:56 +0200 Subject: [PATCH 1/3] fix: replace strdup(error) with nginx pool allocation in config handlers In ngx_conf_set_rules, ngx_conf_set_rules_file, and ngx_conf_set_rules_remote, rule load errors returned a strdup()- allocated string. Nginx treats the returned char* as a constant string and never frees it, causing a heap leak on every failed nginx -s reload when rule files have errors. Replace with ngx_pstrdup(cf->pool, ...) so the error string is allocated from the config pool and freed automatically when nginx reloads configuration. Severity: High Reported-by: Security audit 2026-05-13 --- src/ngx_http_modsecurity_module.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c index d3d9624d..1e88203e 100644 --- a/src/ngx_http_modsecurity_module.c +++ b/src/ngx_http_modsecurity_module.c @@ -367,7 +367,7 @@ ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) if (res < 0) { dd("Failed to load the rules: '%s' - reason: '%s'", rules, error); - return strdup(error); + return ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_modsecurity_module); @@ -401,7 +401,7 @@ ngx_conf_set_rules_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) if (res < 0) { dd("Failed to load the rules from: '%s' - reason: '%s'", rules_set, error); - return strdup(error); + return ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_modsecurity_module); @@ -440,7 +440,7 @@ ngx_conf_set_rules_remote(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) if (res < 0) { dd("Failed to load the rules from: '%s' - reason: '%s'", rules_remote_server, error); - return strdup(error); + return ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_modsecurity_module); From 0dc8f95ad20f2a3d8f89e45f6283297e5a8ba426 Mon Sep 17 00:00:00 2001 From: Build System Date: Wed, 13 May 2026 16:48:40 +0200 Subject: [PATCH 2/3] fix: cast ngx_pstrdup return to char* to satisfy -Werror=pointer-sign ngx_pstrdup returns u_char* but the config handler return type is char*. nginx builds with -Werror=pointer-sign so this produced a compile error. Add explicit (char*) cast at all three call sites. --- src/ngx_http_modsecurity_module.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c index 1e88203e..7dd020d3 100644 --- a/src/ngx_http_modsecurity_module.c +++ b/src/ngx_http_modsecurity_module.c @@ -367,7 +367,7 @@ ngx_conf_set_rules(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) if (res < 0) { dd("Failed to load the rules: '%s' - reason: '%s'", rules, error); - return ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); + return (char *) ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_modsecurity_module); @@ -401,7 +401,7 @@ ngx_conf_set_rules_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) if (res < 0) { dd("Failed to load the rules from: '%s' - reason: '%s'", rules_set, error); - return ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); + return (char *) ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_modsecurity_module); @@ -440,7 +440,7 @@ ngx_conf_set_rules_remote(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) if (res < 0) { dd("Failed to load the rules from: '%s' - reason: '%s'", rules_remote_server, error); - return ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); + return (char *) ngx_pstrdup(cf->pool, &(ngx_str_t){ngx_strlen(error), (u_char *)error}); } mmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_modsecurity_module); From 9d91d5644f8cf9a2fdc9815cc3a1ecf63fe3af71 Mon Sep 17 00:00:00 2001 From: Build System Date: Wed, 13 May 2026 17:18:57 +0200 Subject: [PATCH 3/3] style: remove trailing whitespace in comment --- src/ngx_http_modsecurity_module.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c index 7dd020d3..f2652910 100644 --- a/src/ngx_http_modsecurity_module.c +++ b/src/ngx_http_modsecurity_module.c @@ -580,7 +580,7 @@ ngx_http_modsecurity_init(ngx_conf_t *cf) } /** * - * We want to process everything in the NGX_HTTP_ACCESS_PHASE because we need to allow + * We want to process everything in the NGX_HTTP_ACCESS_PHASE because we need to allow * ngx_http_limit_*_module to run * */