ModSecurity icon indicating copy to clipboard operation
ModSecurity copied to clipboard
verified publisher icon owasp-modsecurity

Fix memory leak

Open FireBurn opened this issue 1 month ago • 1 comments

This is a potential fix to https://github.com/owasp-modsecurity/ModSecurity/issues/2848

It was AI generated by Google AI Studio

Here are it's workings:

Based on the Valgrind output and the provided code, the memory leak is located in the TransactionAnchoredVariables class (which is part of the Transaction object).

The stack trace indicates that memory allocated during the construction of AnchoredSetVariableTranslationProxy (specifically inside a std::function initialization) is never freed.

==27426== 1 bytes in 1 blocks are possibly lost ...
==27426== at 0x482BBB5: operator new(unsigned int) ...
==27426== by 0x94EB43A: ... function<...>::operator= ...
==27426== by 0x94EB43A: AnchoredSetVariableTranslationProxy ...
==27426== by 0x94EB43A: modsecurity::TransactionAnchoredVariables::TransactionAnchoredVariables(modsecurity::Transaction*) ...

In src/transaction.cc, the Transaction constructor initializes TransactionAnchoredVariables:

Transaction::Transaction(ModSecurity *ms, RulesSet *rules, const char *id,
    void *logCbData, const time_t timestamp)
    : ...
    TransactionAnchoredVariables(this) { // <--- Initialization here
    ...

And in src/variables/variable.h, the code accesses m_variableArgsNames as if it were an object (using &), not a pointer:

anchoredSetVariableTranslationProxy = &t->m_variableArgsNames;

This usage pattern combined with the leak indicates that TransactionAnchoredVariables declares its members (like m_variableArgsNames) as references (&) but initializes them using new in its constructor.

Because they are references, the TransactionAnchoredVariables destructor does not (and cannot) delete the objects they refer to. Consequently, the AnchoredSetVariableTranslationProxy objects (and their internal std::function members) are leaked when the Transaction is destroyed.

To fix this: The members in TransactionAnchoredVariables should be changed from references (e.g., AnchoredSetVariableTranslationProxy &) to pointers (e.g., std::unique_ptr<AnchoredSetVariableTranslationProxy>), or they should be deleted manually in the TransactionAnchoredVariables destructor if raw pointers are used. Given the &t->member usage, they were likely intended to be value members or references binding to dynamic memory (which is the bug).

FireBurn avatar Nov 21 '25 12:11 FireBurn

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud[bot] avatar Nov 22 '25 15:11 sonarqubecloud[bot]