Mercurial > hg > nginx-quic
annotate auto/include @ 6359:dac6eda40475 stable-1.8
Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name. This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from. When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list. This happened e.g. when the first request was aborted or timed
out before the resolving completed. When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context. The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.
When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname. If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().
The fix is to keep ctx->name unmodified. The name from context
is no longer used by ngx_resolve_name_done(). Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Tue, 26 Jan 2016 16:46:59 +0300 |
| parents | 434548349838 |
| children | e3faa5fb7772 |
| rev | line source |
|---|---|
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
253
diff
changeset
|
1 |
|
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
253
diff
changeset
|
2 # Copyright (C) Igor Sysoev |
| 4412 | 3 # Copyright (C) Nginx, Inc. |
|
444
42d11f017717
nginx-0.1.0-2004-09-29-20:00:49 import; remove years from copyright
Igor Sysoev <igor@sysoev.ru>
parents:
253
diff
changeset
|
4 |
|
196
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
5 |
| 455 | 6 echo $ngx_n "checking for $ngx_include ...$ngx_c" |
| 7 | |
| 8 cat << END >> $NGX_AUTOCONF_ERR | |
| 9 | |
| 10 ---------------------------------------- | |
| 11 checking for $ngx_include | |
| 12 | |
| 13 END | |
| 14 | |
|
196
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
15 |
|
210
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
16 ngx_found=no |
|
197
0b81c7a0b133
nginx-0.0.1-2003-11-27-10:45:22 import
Igor Sysoev <igor@sysoev.ru>
parents:
196
diff
changeset
|
17 |
|
210
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
18 cat << END > $NGX_AUTOTEST.c |
|
196
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
19 |
|
2624
418c9f97bd01
fix FreeBSD before 7 building, broken in r2616
Igor Sysoev <igor@sysoev.ru>
parents:
645
diff
changeset
|
20 $NGX_INCLUDE_SYS_PARAM_H |
| 455 | 21 #include <$ngx_include> |
|
210
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
22 |
|
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
23 int main() { |
|
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
24 return 0; |
|
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
25 } |
|
196
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
26 |
|
210
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
27 END |
|
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
28 |
| 455 | 29 |
| 30 ngx_test="$CC -o $NGX_AUTOTEST $NGX_AUTOTEST.c" | |
| 31 | |
| 32 eval "$ngx_test >> $NGX_AUTOCONF_ERR 2>&1" | |
|
196
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
33 |
|
210
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
34 if [ -x $NGX_AUTOTEST ]; then |
| 455 | 35 |
| 36 ngx_found=yes | |
| 37 | |
|
210
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
38 echo " found" |
| 455 | 39 |
| 645 | 40 ngx_name=`echo $ngx_include \ |
| 41 | tr abcdefghijklmnopqrstuvwxyz/. ABCDEFGHIJKLMNOPQRSTUVWXYZ__` | |
| 455 | 42 |
| 43 | |
| 509 | 44 have=NGX_HAVE_$ngx_name . auto/have_headers |
| 455 | 45 |
| 46 eval "NGX_INCLUDE_$ngx_name='#include <$ngx_include>'" | |
| 47 | |
| 577 | 48 #STUB |
| 455 | 49 eval "NGX_$ngx_name='#include <$ngx_include>'" |
|
196
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
50 |
|
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
51 else |
|
210
00cafae0bdf1
nginx-0.0.1-2003-12-14-23:10:27 import
Igor Sysoev <igor@sysoev.ru>
parents:
197
diff
changeset
|
52 echo " not found" |
| 455 | 53 |
| 54 echo "----------" >> $NGX_AUTOCONF_ERR | |
| 55 cat $NGX_AUTOTEST.c >> $NGX_AUTOCONF_ERR | |
| 56 echo "----------" >> $NGX_AUTOCONF_ERR | |
| 57 echo $ngx_test >> $NGX_AUTOCONF_ERR | |
| 58 echo "----------" >> $NGX_AUTOCONF_ERR | |
|
196
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
59 fi |
|
11fbd0fc041d
nginx-0.0.1-2003-11-26-18:42:18 import
Igor Sysoev <igor@sysoev.ru>
parents:
diff
changeset
|
60 |
|
5309
434548349838
Configure: fixed autotest cleanup commands.
Sergey Kandaurov <pluknet@nginx.com>
parents:
4412
diff
changeset
|
61 rm -rf $NGX_AUTOTEST* |