Description
Describe the bug
When this function is called it causes a double free (taken from `examples\using_bodies_in_chunks\simple_request.cc`):

```cpp
#include <iostream>
#include <string>

#include <modsecurity/rule_message.h>

// Server log callback registered with libmodsecurity; it receives each
// RuleMessage as an opaque pointer and prints it.
static void logCb(void *data, const void *ruleMessagev) {
    if (ruleMessagev == NULL) {
        std::cout << "I've got a call but the message was null ;(";
        std::cout << std::endl;
        return;
    }
    const modsecurity::RuleMessage *ruleMessage =
        reinterpret_cast<const modsecurity::RuleMessage *>(ruleMessagev);
    std::cout << "Rule Id: " << std::to_string(ruleMessage->m_rule.m_ruleId);
    std::cout << " phase: " << std::to_string(ruleMessage->getPhase());
    std::cout << std::endl;
    if (ruleMessage->m_isDisruptive) {
        std::cout << " * Disruptive action: ";
        // RuleMessage::log() formats the message; this is the call the
        // crash log below points at.
        std::cout << modsecurity::RuleMessage::log(*ruleMessage);
        std::cout << std::endl;
        // Text as in the upstream example; the %d is not substituted.
        std::cout << " ** %d is meant to be informed by the webserver.";
        std::cout << std::endl;
    } else {
        std::cout << " * Match, but no disruptive action: ";
        std::cout << modsecurity::RuleMessage::log(*ruleMessage);
        std::cout << std::endl;
    }
}
```
Logs and dumps

```
WebServerHoster.exe!_mi_page_ptr_unalign(const mi_page_s * page, const void * p) Line 68 C
WebServerHoster.exe!mi_free_generic_mt(mi_page_s * page, mi_segment_s * segment, void * p) Line 96 C
WebServerHoster.exe!mi_free(void * p) Line 172 C
WebServerHoster.exe!mi_free_size(void * p, unsigned __int64 size) Line 355 C
WebServerHoster.exe!operator delete(void * p, unsigned __int64 n) Line 47 C++
[External Code]
WebServerHoster.exe!logCb(void * data, const void * ruleMessagev) Line 89 C++
[External Code]
WebServerHoster.exe!HttpSession::handlerequestSSL(std::string request) Line 1562 C++
WebServerHoster.exe!HttpSession::recievebytes() Line 194 C++
WebServerHoster.exe!startServerHTTPS(int port, ssl_ctx_st * sslContext) Line 1697 C++
[External Code]
```
To Reproduce

Send a request with no Host header via curl, e.g.:

```
curl -H "Host:" http://localhost
```
Expected behavior
It should log without double freeing
Rule Set (please complete the following information):
Running coreruleset-4.19.0
Additional context
Not sure whether the double free also happens when a Host header is sent. Also, this function:

```cpp
modsecurity::RuleMessage::log(*ruleMessage);
```

IS the function that explicitly called the double free in my crash log.