Description
When we have a request which contains a large number of form variables (approx. 600Kb; I think I counted 19996 form variables), we observe a segmentation fault in our production system:
[Thu May 04 12:32:36 2017] [notice] child pid 23562 exit signal Segmentation fault (11), possible coredump in /tmp/apache2-gdb-dump
gdb shows that it crashed in:
#0 0x00007f3edbf6ed54 in libinjection_sqli_tokenize (sf=0x7ffefd99b6f0) at libinjection/libinjection_sqli.c:1305
1305 folded_text[position] = s[*pos];
gdb list output:
1300     if (current->type != CHAR_NULL) {
1301         printf ("\nPos %zu\n " , *pos);
1302         printf ("Current %c\n", s[*pos]);
1303         printf ("Type %c\n",current->type);
1304         sf->stats_tokens += 1;
1305         folded_text[position] = s[*pos];
1306         folded_type[position] = sf->current->type;
1307         position = position + 1;
1308         return TRUE;
1309     }
In our QA system, it runs out of memory.
Although the form has a large number of variables, these could be inspected one by one. I'm not certain how libinjection handles this, but it seems there is a memory leak somewhere.
Smaller requests work fine, and with mod_security set to Off it also works OK. It fails in DetectionOnly mode, as well as when set to On.