Avoids segfault while running with proxy_pass

Duplicates the headers variables while coping data from/to ModSecurity.
This seems to fix the segfault that was happening while using proxy_pass.
The variable is later cleaned, which means that we don't have a leak
because of that.

Author: Felipe Zimmerle

nginx/modsecurity/config

@@ -6,21 +6,23 @@ CFLAGS="$CFLAGS \
     -I/usr/include/apache2 \
     -I/usr/include/libxml2 \
     -DWITH_LUA -I/usr/include/lua5.1   \
-    -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500  -DREQUEST_EARLY          \
+    -DWITH_PCRE_STUDY -DMODSEC_PCRE_MATCH_LIMIT=1500 -DMODSEC_PCRE_MATCH_LIMIT_RECURSION=1500  -DREQUEST_EARLY          -DWITH_APU_CRYPTO -DWITH_REMOTE_RULES \
      \
-    -DWITH_YAJL -I/usr/include/yajl  "
+    -DWITH_YAJL -I/usr/include/yajl   \
+    -DWITH_SSDEEP -I/usr/"
 
 
 CORE_LIBS="$CORE_LIBS \
-     -L/usr/lib -lapr-1 \
-     -L/usr/lib -laprutil-1 \
+     -L/usr/lib/x86_64-linux-gnu -lapr-1 \
+     -L/usr/lib/x86_64-linux-gnu -laprutil-1 \
     -I/usr/include/apache2 \
     -L/usr/lib/x86_64-linux-gnu -lcurl \
     -lxml2 \
     -llua5.1   \
     -lpcre \
-    -L/usr/lib  -lcap \
-    -lyajl  "
+    -L/usr/lib   \
+    -lyajl   \
+    -lfuzzy"
 
 ngx_addon_name=ngx_http_modsecurity
 

nginx/modsecurity/ngx_http_modsecurity.c

@@ -807,10 +807,10 @@ ngx_http_modsecurity_save_headers_out_visitor(void *data,
 {
     ngx_http_request_t             *r = data;
     ngx_table_elt_t                *h, he, *new_h;
-    ngx_http_upstream_header_t     *hh;
-    ngx_http_upstream_main_conf_t  *umcf;
+    //ngx_http_upstream_header_t     *hh;
+    //ngx_http_upstream_main_conf_t  *umcf;
 
-    umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module);
+    //umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module);
 
     h = &he;
 
@@ -829,31 +829,37 @@ ngx_http_modsecurity_save_headers_out_visitor(void *data,
 
     h->hash = ngx_hash_key(h->lowcase_key, h->key.len);
 
-    hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
-                       h->lowcase_key, h->key.len);
-
-    if (hh) {
-        /* copy all */
-        if (hh->copy_handler(r, h, hh->conf) != NGX_OK) {
-            return 0;
-        }
-    } else {
-        /* Add the response header directly to headers_out if not present in
-         * the hash. This is done to passthrough such response headers.
-         * Remember the response headers were cleared earlier using
-         * ngx_http_clean_header(r) call in ngx_http_modsecurity_save_headers_out.
-         */
-
-        new_h = ngx_list_push(&r->headers_out.headers);
-        if (new_h == NULL) {
-            return NGX_ERROR;
-        }
+    //hh = ngx_hash_find(&umcf->headers_in_hash, h->hash,
+    //                   h->lowcase_key, h->key.len);
+
+    // While using proxy_pass with a combination of other factores
+    // there seems to be a memory corruption if we use hh->copy_handler.
+    // Temporary using new_h. This demand a further investigation.
+    //
+    //if (hh) {
+    //    /* copy all */
+    //    if (hh->copy_handler(r, h, hh->conf) != NGX_OK) {
+    //        return 0;
+    //    }
+    //} else {
+    
+    /* Add the response header directly to headers_out if not present in
+     * the hash. This is done to passthrough such response headers.
+     * Remember the response headers were cleared earlier using
+     * ngx_http_clean_header(r) call in ngx_http_modsecurity_save_headers_out.
+     */
 
-        new_h->hash = h->hash;
-        new_h->key = h->key;
-        new_h->value = h->value;
+    new_h = ngx_list_push(&r->headers_out.headers);
+    if (new_h == NULL) {
+        return NGX_ERROR;
     }
 
+    new_h->hash = h->hash;
+    new_h->key = h->key;
+    new_h->value = h->value;
+
+   // }
+
     ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "ModSecurity: save headers out: \"%V: %V\"",
                    &h->key, &h->value);