<p dir="ltr">B.</p>
<div class="gmail_quote">On Apr 13, 2014 5:18 PM, "Maxim Dounin" <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Hello!<br>
<br>
On Sat, Apr 12, 2014 at 04:44:28PM -0700, Robert Paprocki wrote:<br>
<br>
> Hello,<br>
><br>
> I have compiled nginx-1.5.13 with modsecurity-2.7.7 and am seeing<br>
> occasional segfaults when sending requests to the server. mod_security<br>
> was compiled as a standalone module per the instructions made available<br>
> at<br>
> <a href="https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX" target="_blank">https://github.com/SpiderLabs/ModSecurity/wiki/Reference-Manual#Installation_for_NGINX</a>.<br>
> The segfaults appear sporadic and do not seem to match up with any given<br>
> request. Below is my nginx configuration:<br>
<br>
[...]<br>
<br>
> Also, a backtrace of the core dump:<br>
> (gdb) bt<br>
> #0 0x080a1827 in ngx_http_write_filter (r=0x83bb078, in=0x8baaa6c) at<br>
> src/http/ngx_http_write_filter_module.c:121<br>
<br>
This points to the following code line:<br>
<br>
cl->buf = ln->buf;<br>
<br>
That is, dereferencing ln->buf fails, which may only happen if the<br>
buffer chain ("in" argument) is broken.<br>
<br>
[...]<br>
<br>
> #8 0x080cfc78 in ngx_http_gunzip_body_filter (r=0x83bb078, in=0x8baaa6c)<br>
> at src/http/modules/ngx_http_gunzip_filter_module.c:184<br>
> #9 0x081146bd in ngx_http_modsecurity_body_filter (r=0x83bb078,<br>
> in=0xbf7ff8b4)<br>
> at<br>
> ../modsecurity-apache_2.7.7/nginx/modsecurity//ngx_http_modsecurity.c:1252<br>
> #10 0x08055381 in ngx_output_chain (ctx=0x8baa9b8, in=0xbf7ff8b4) at<br>
> src/core/ngx_output_chain.c:66<br>
<br>
And this clearly shows that the buffer chain was changed by<br>
mod_security output body filter. Note "in" argument of<br>
mod_security ("in=0xbf7ff8b4") and gunzip filter which follows it<br>
("in=0x8baaa6c").<br>
<br>
That is, from the backtrace it looks like mod_security changed the<br>
buffer chain and did it wrong, with a segfault as a result.<br>
<br>
--<br>
Maxim Dounin<br>
<a href="http://nginx.org/" target="_blank">http://nginx.org/</a><br>
</blockquote></div>
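<p dir="ltr">The comparison of "in" arguments across stack frames made in the quoted reply, as an added example that is not part of the original thread and is not nginx or ModSecurity code: it parses the backtrace frames visible above and reports where the chain pointer changes between a caller and its callee. The names parse_frames and chain_changes are hypothetical, and a changed pointer only marks where to start looking, since a body filter may legitimately pass on a new chain.</p>

```python
import re

# Frames visible in the backtrace quoted above (frames #1-#7 are elided
# on the page), with the mail client's line wrapping kept as-is.
BACKTRACE = """\
#0 0x080a1827 in ngx_http_write_filter (r=0x83bb078, in=0x8baaa6c) at
src/http/ngx_http_write_filter_module.c:121
#8 0x080cfc78 in ngx_http_gunzip_body_filter (r=0x83bb078, in=0x8baaa6c)
at src/http/modules/ngx_http_gunzip_filter_module.c:184
#9 0x081146bd in ngx_http_modsecurity_body_filter (r=0x83bb078,
in=0xbf7ff8b4)
at
../modsecurity-apache_2.7.7/nginx/modsecurity//ngx_http_modsecurity.c:1252
#10 0x08055381 in ngx_output_chain (ctx=0x8baa9b8, in=0xbf7ff8b4) at
src/core/ngx_output_chain.c:66
"""

FRAME = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\w+) \((.*?)\)")
ARG = re.compile(r"\b(\w+)=(0x[0-9a-f]+)")

def parse_frames(text):
    """Return [(frame_no, function, {arg: value})], re-joining wrapped lines."""
    joined = []
    for line in text.splitlines():
        line = line.lstrip("> ").strip()      # tolerate mail quote markers
        if line.startswith("#"):
            joined.append(line)               # a new frame starts here
        elif line and joined:
            joined[-1] += " " + line          # continuation of the last frame
    matches = (FRAME.match(line) for line in joined)
    return [(int(m.group(1)), m.group(2), dict(ARG.findall(m.group(3))))
            for m in matches if m]

def chain_changes(frames, arg="in"):
    """Walk from outermost caller to innermost callee; report changes of `arg`."""
    ordered = sorted((f for f in frames if arg in f[2]),
                     key=lambda f: f[0], reverse=True)
    changes = []
    for caller, callee in zip(ordered, ordered[1:]):
        if caller[2][arg] != callee[2][arg]:
            changes.append({"caller": caller[1], "received": caller[2][arg],
                            "callee": callee[1], "passed": callee[2][arg],
                            # False when elided frames sit between the two
                            "adjacent": caller[0] - callee[0] == 1})
    return changes

if __name__ == "__main__":
    for change in chain_changes(parse_frames(BACKTRACE)):
        print(change)
```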