Skip to content

fix: heap buffer overflow in acmp pm#3544

Open
airween wants to merge 3 commits intoowasp-modsecurity:v3/masterfrom
airween:v3/acmppmfix
Open

fix: heap buffer overflow in acmp pm#3544
airween wants to merge 3 commits intoowasp-modsecurity:v3/masterfrom
airween:v3/acmppmfix

Conversation

@airween
Copy link
Copy Markdown
Member

@airween airween commented Apr 12, 2026

what

This PR fixes a possible heap buffer overflow in ACMP (Aho Corasick) pattern matching function.

why

There is a bug report, received in email from @fumfel and his team. Also they provided this fix.

references

The original report:

Root Cause
----------

The function acmp_add_pattern() receives a pattern and its length as
separate parameters: (const char *pattern, size_t length). However, the
code uses strlen(pattern) instead of length to determine buffer sizes.

When pattern contains embedded null bytes (which is valid -- the length
parameter accounts for them), strlen() returns the offset of the first
null byte, which is shorter than the actual length. The buffer allocated
is too small, and subsequent operations (the for loop copying text, and
strcpy copying pattern) write past the end of the heap allocation.

other notes

The bug can only be exploited if the admin puts a \0 character into an argument of any @pm (or similar) operator.

@airween airween requested review from Copilot and fzipi April 12, 2026 18:03
Copilot AI reviewed Apr 12, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes a potential heap buffer overflow in the ACMP (Aho–Corasick) pattern insertion path by ensuring allocations and copies use the provided pattern length (not strlen()), which correctly supports patterns containing embedded NUL bytes.

Changes:

  • Replace strlen(pattern)-based allocations with length-based allocations in acmp_add_pattern.
  • Replace strcpy with memcpy and add explicit NUL-termination to avoid overruns with embedded NULs.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread src/utils/acmp.cc Outdated
Comment thread src/utils/acmp.cc Outdated
@airween airween mentioned this pull request Apr 12, 2026
Open
@airween airween added the 3.x Related to ModSecurity version 3.x label Apr 12, 2026
theseion
theseion requested changes Apr 19, 2026
View reviewed changes
Comment thread src/utils/acmp.cc Outdated
Comment thread src/utils/acmp.cc
Comment thread src/utils/acmp.cc Outdated
@airween @theseion
Move function into a bracket separated block
f103e4e 
Co-authored-by: Max Leske <250711+theseion@users.noreply.github.com>
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Apr 19, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
2 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

theseion
theseion reviewed Apr 19, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@theseion theseion left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As this issue doesn't appear to depend on special compiler flags, could we add a test?

@airween
Copy link
Copy Markdown
Member Author

airween commented Apr 19, 2026

As this issue doesn't appear to depend on special compiler flags, could we add a test?

Unfortunately I was not able. @fzipi also tried to help me with this, but all tests were passed always...

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@theseion theseion theseion requested changes

Copilot code review Copilot Copilot left review comments

@fzipi fzipi Awaiting requested review from fzipi

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

3.x Related to ModSecurity version 3.x

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@airween @theseion