ModSec for Nginx leaks memory for HTTP/1.0 requests #2061

@vkrivopalov

Describe the bug

We have observed a memory leak in ModSecurity for Nginx that happens in both detection-only and prevention modes for HTTP/1.0 requests. This leak reproduces with both v2.9.2 and 2.9.3.

Steps to reproduce the behavior:

  1. Create a simple payload file like this:
     > cat aaa.aaa
     aaaaaaaaaaaaaaaaaaaaaaaa
  2. Run Apache Bench against your v2 gateway. Apache Bench uses HTTP/1.0:
     ab -p aaa.aaa -n 100000 -c 100 -k http://mywafv2/
  3. Observe the memory consumption of Nginx worker process with ps aux | grep nginx

You should notice how memory consumption keeps growing over time.

Expected behavior

Memory consumption stays at approximately the same level over the entire stress test.

Actual behavior
Memory consumption keeps growing throughout stress testing and does not go down after it is completed.

Server (please complete the following information):

  • ModSecurity version (and connector): v2.9.2 and v2.9.3
  • WebServer: nginx-1.13.8
  • OS (and distro): Ubuntu Linux 16.04.3 LTS

Rule Set (please complete the following information):
CRS 3.0, no custom or commercial rules.

Additional context

  • Valgrind did not show any apparent leaks, only "still reachable" and "possibly lost".
  • HTTP/1.1 doesn't seem to be affected; I've used SuperBenchmarker (https://github.com/aliostad/SuperBenchmarker) and memory consumption was stable.

Labels

  • 2.x: Related to ModSecurity version 2.x
  • Platform - Nginx
  • duplicate: Ops. Somebody else already hit that bump
  • workaround available: The issue has either a temporary or permanent workaround available
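
The reproduction in this report judges the leak by watching `ps aux | grep nginx` by eye. As an added example (not part of the original report or of the ModSecurity project), the shell script below sums the RSS of the Nginx worker processes and compares the last sample with the first. The function names, the 10% tolerance and the sample `ps` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: measure nginx worker RSS instead of eyeballing `ps aux | grep nginx`.

# Sum RSS (KiB) of nginx worker processes from `ps aux` text on stdin.
# ps aux columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND...
# Matching on "nginx: worker" skips the master process and the grep itself.
worker_rss_kb() {
    awk '$11 == "nginx:" && $12 == "worker" { sum += $6 } END { print sum + 0 }'
}

# Classify RSS samples (one KiB value per line on stdin, oldest first; the
# last sample should be taken after the load has stopped).
# $1 = tolerated growth over the first sample in percent (assumed default: 10).
rss_verdict() {
    awk -v tol="${1:-10}" '
        NR == 1 { base = $1 }
        { last = $1; if ($1 > peak) peak = $1 }
        END {
            if (NR < 2 || base <= 0) { print "insufficient-data"; exit }
            growth = (last - base) * 100 / base
            printf "%s base=%d peak=%d last=%d growth=%d%%\n",
                (growth > tol ? "growing" : "stable"), base, peak, last, growth
        }'
}

# Live use: take $1 samples, $2 seconds apart, then print the verdict.
watch_workers() {
    i=0
    while [ "$i" -lt "$1" ]; do
        ps aux | worker_rss_kb
        i=$((i + 1))
        [ "$i" -lt "$1" ] && sleep "$2"
    done | rss_verdict "${3:-10}"
}

# Constructed `ps aux` output (not captured from a real host).
sample_ps() {
    cat <<'EOF'
root      1201  0.0  0.1 141112  3524 ?        Ss   10:00   0:00 nginx: master process /usr/sbin/nginx
www-data  1202  4.1  2.4 212340 50120 ?        S    10:00   0:07 nginx: worker process
www-data  1203  3.9  2.3 210876 48880 ?        S    10:00   0:06 nginx: worker process
admin     1377  0.0  0.0  14224   980 pts/0    S+   10:05   0:00 grep nginx
EOF
}

sample_ps | worker_rss_kb    # 99000
```

Start `watch_workers` before the benchmark and let it run past the end, for example `watch_workers 30 10`, so that the final sample reflects whether memory went back down after the load stopped.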
