
`ValidateSchema::evaluate` is not thread safe

Open saiskee opened this issue 3 years ago • 0 comments

Describe the bug

`ValidateSchema::evaluate` is not thread safe. It is setting member variables of `ValidateSchema`, in this case `m_parserCtx`, when this variable is used only once in the function. This causes a use-after-free error in the following scenario:

  1. T1 runs [xmlSchemaNewParserCtxt](https://github.com/SpiderLabs/ModSecurity/blob/4127c1bf52d2b30a5c2c3e641b8085fd9a720f43/src/operators/validate_schema.cc#L46)
  2. T2 runs [xmlSchemaNewParserCtxt](https://github.com/SpiderLabs/ModSecurity/blob/4127c1bf52d2b30a5c2c3e641b8085fd9a720f43/src/operators/validate_schema.cc#L46)
  3. T1 runs [freeXmlSchemaParser](https://github.com/SpiderLabs/ModSecurity/blob/4127c1bf52d2b30a5c2c3e641b8085fd9a720f43/src/operators/validate_schema.cc#L130)
  4. T2 runs [freeXmlSchemaParser](https://github.com/SpiderLabs/ModSecurity/blob/4127c1bf52d2b30a5c2c3e641b8085fd9a720f43/src/operators/validate_schema.cc#L130), causing a use-after-free on m_parserCtx

Expected behavior/fix

`m_parserCtx` is no longer needed as a member, so we use a local variable instead.

saiskee avatar Nov 10 '21 21:11 saiskee
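The interleaving from the report, replayed against the two shapes of the operator, as an added example that is not ModSecurity or libxml2 code. `CtxTracker`, `ParserCtx`, `ValidateSchemaUnsafe` and `ValidateSchemaFixed` are constructed stand-ins: the tracker marks a context dead instead of freeing memory, so the use-after-free and double free from steps 3 and 4 show up as counters rather than a crash, and the leaked first context (overwritten in step 2) is counted too. The fixed shape keeps the context in a local of `evaluate()` and is exercised from real threads.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <mutex>
#include <thread>
#include <vector>

// Constructed stand-in for libxml2's xmlSchemaParserCtxt (not the real type).
struct ParserCtx { std::size_t id; bool alive; };

// Tracks every context handed out; misuse is recorded instead of corrupting the heap.
class CtxTracker {
 public:
    ParserCtx* newCtxt() {                      // models xmlSchemaNewParserCtxt
        std::lock_guard<std::mutex> g(m_mu);
        m_pool.push_back(ParserCtx{m_pool.size(), true});
        return &m_pool.back();                  // deque keeps earlier pointers valid
    }
    void use(ParserCtx* c) {                    // models parsing with the context
        std::lock_guard<std::mutex> g(m_mu);
        if (c == nullptr || !c->alive) ++m_useAfterFree;
    }
    void freeCtxt(ParserCtx* c) {               // models xmlSchemaFreeParserCtxt
        std::lock_guard<std::mutex> g(m_mu);
        if (c == nullptr) return;
        if (!c->alive) { ++m_doubleFree; return; }
        c->alive = false;
    }
    int useAfterFree() const { return m_useAfterFree; }
    int doubleFree() const { return m_doubleFree; }
    int leaked() const {                        // contexts never freed
        int n = 0;
        for (const ParserCtx& c : m_pool) if (c.alive) ++n;
        return n;
    }
 private:
    std::mutex m_mu;
    std::deque<ParserCtx> m_pool;
    int m_useAfterFree = 0, m_doubleFree = 0;
};

// Shape of the bug: one context pointer shared by every concurrent evaluate().
// The phases are split out so the report's T1/T2 interleaving can be scripted.
class ValidateSchemaUnsafe {
 public:
    explicit ValidateSchemaUnsafe(CtxTracker& t) : m_tracker(t) {}
    void phaseCreate() { m_parserCtx = m_tracker.newCtxt(); }
    void phaseParse()  { m_tracker.use(m_parserCtx); }
    void phaseFree()   { m_tracker.freeCtxt(m_parserCtx); }
 private:
    CtxTracker& m_tracker;
    ParserCtx* m_parserCtx = nullptr;   // the shared member from the report
};

// The fix from the report: the context is a local of evaluate(), so each call
// owns its own and no other thread can free it underneath.
class ValidateSchemaFixed {
 public:
    explicit ValidateSchemaFixed(CtxTracker& t) : m_tracker(t) {}
    void evaluate() {
        ParserCtx* parserCtx = m_tracker.newCtxt();   // local, not a member
        m_tracker.use(parserCtx);
        m_tracker.freeCtxt(parserCtx);
    }
 private:
    CtxTracker& m_tracker;
};

struct Outcome { int useAfterFree; int doubleFree; int leaked; };

// Replays the four steps from the report against the unsafe shape.
Outcome reproduceReportedInterleaving() {
    CtxTracker tracker;
    ValidateSchemaUnsafe op(tracker);
    op.phaseCreate();   // 1. T1: m_parserCtx = A
    op.phaseCreate();   // 2. T2: m_parserCtx = B, A is now unreachable (leak)
    op.phaseFree();     // 3. T1: frees B, believing it is its own context
    op.phaseParse();    // T2 is still parsing with B: use after free
    op.phaseFree();     // 4. T2: frees B again: double free
    return Outcome{tracker.useAfterFree(), tracker.doubleFree(), tracker.leaked()};
}

// Runs the fixed shape from several real threads; every context is created,
// used and freed exactly once by the call that owns it.
Outcome runFixedConcurrently(int threads, int callsPerThread) {
    CtxTracker tracker;
    ValidateSchemaFixed op(tracker);
    std::vector<std::thread> pool;
    for (int i = 0; i < threads; ++i)
        pool.emplace_back([&op, callsPerThread] {
            for (int k = 0; k < callsPerThread; ++k) op.evaluate();
        });
    for (std::thread& t : pool) t.join();
    return Outcome{tracker.useAfterFree(), tracker.doubleFree(), tracker.leaked()};
}

int main() {
    Outcome bad = reproduceReportedInterleaving();
    Outcome good = runFixedConcurrently(8, 200);
    std::printf("member ctx: uaf=%d double-free=%d leaked=%d\n", bad.useAfterFree, bad.doubleFree, bad.leaked);
    std::printf("local ctx:  uaf=%d double-free=%d leaked=%d\n", good.useAfterFree, good.doubleFree, good.leaked);
    return 0;
}
```

The scripted replay is deterministic on purpose: the real race depends on scheduling, which is why it can pass a test run and still fail under load. Running the real code under ThreadSanitizer (`-fsanitize=thread`) with two concurrent requests hitting `@validateSchema` is the practical way to confirm the report against a build, and the counters above all read zero for the local-variable version no matter how the threads interleave.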