owasp-modsecurity/ModSecurity-nginx

Possible dereference of Null

Opened this issue · 2 comments

LM4O322 commented

In result of static analyse of nginx source code (including ngx_http_modsecurity_module) with Svace static analyzer I found error of cathegory "DEREFERENCE OF NULL" (checker finds situations where possible value equal to null can be dereferenced) in ngx_http_modsecurity_module.c

Initialization with possible null returned value here:

ModSecurity-nginx/src/ngx_http_modsecurity_module.c

Line 202 in fd28e6a

location = ngx_list_push(&r->headers_out.headers);

And dereference of location->key field here:

ModSecurity-nginx/src/ngx_http_modsecurity_module.c

Line 203 in fd28e6a

ngx_str_set(&location->key, "Location");

Found by Linux Verification Center with SVACE

LM4O322 commented

I think that a check should be added to the value assigned to the location variable.

airween commented

Hi @LM4O322,

could you send a PR to fix this issue?