Mercurial > hg > nginx-quic
annotate src/http/ngx_http_upstream_round_robin.h @ 6359:dac6eda40475 stable-1.8
Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name. This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from. When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list. This happened e.g. when the first request was aborted or timed
out before the resolving completed. When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context. The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.
When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname. If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().
The fix is to keep ctx->name unmodified. The name from context
is no longer used by ngx_resolve_name_done(). Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 26 Jan 2016 16:46:59 +0300 |
parents | 94ce52db3367 |
children | 6ff0ebd6fbf4 |
rev | line source |
---|---|
884 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
884 | 5 */ |
6 | |
7 | |
8 #ifndef _NGX_HTTP_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ | |
9 #define _NGX_HTTP_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ | |
10 | |
11 | |
12 #include <ngx_config.h> | |
13 #include <ngx_core.h> | |
14 #include <ngx_http.h> | |
15 | |
16 | |
17 typedef struct { | |
18 struct sockaddr *sockaddr; | |
19 socklen_t socklen; | |
20 ngx_str_t name; | |
5717
efc84a5723b3
Upstream: generic hash module.
Roman Arutyunyan <arut@nginx.com>
parents:
5136
diff
changeset
|
21 ngx_str_t server; |
884 | 22 |
1344
8f5b5641966c
fair upstream weight balancer
Igor Sysoev <igor@sysoev.ru>
parents:
1284
diff
changeset
|
23 ngx_int_t current_weight; |
4621
c90801720a0c
Upstream: smooth weighted round-robin balancing.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4412
diff
changeset
|
24 ngx_int_t effective_weight; |
1344
8f5b5641966c
fair upstream weight balancer
Igor Sysoev <igor@sysoev.ru>
parents:
1284
diff
changeset
|
25 ngx_int_t weight; |
884 | 26 |
27 ngx_uint_t fails; | |
28 time_t accessed; | |
4207
4fc91bae6f83
Better recheck of dead upstream servers.
Maxim Dounin <mdounin@mdounin.ru>
parents:
3264
diff
changeset
|
29 time_t checked; |
884 | 30 |
31 ngx_uint_t max_fails; | |
32 time_t fail_timeout; | |
33 | |
34 ngx_uint_t down; /* unsigned down:1; */ | |
35 | |
1344
8f5b5641966c
fair upstream weight balancer
Igor Sysoev <igor@sysoev.ru>
parents:
1284
diff
changeset
|
36 #if (NGX_HTTP_SSL) |
1284
be2b895d31e0
fix segfault when session was freed twice
Igor Sysoev <igor@sysoev.ru>
parents:
954
diff
changeset
|
37 ngx_ssl_session_t *ssl_session; /* local to a process */ |
884 | 38 #endif |
39 } ngx_http_upstream_rr_peer_t; | |
40 | |
41 | |
1378 | 42 typedef struct ngx_http_upstream_rr_peers_s ngx_http_upstream_rr_peers_t; |
43 | |
44 struct ngx_http_upstream_rr_peers_s { | |
884 | 45 ngx_uint_t number; |
46 | |
4655
382c523d253a
Upstream: weights support in ip_hash balancer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4621
diff
changeset
|
47 ngx_uint_t total_weight; |
382c523d253a
Upstream: weights support in ip_hash balancer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4621
diff
changeset
|
48 |
382c523d253a
Upstream: weights support in ip_hash balancer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4621
diff
changeset
|
49 unsigned single:1; |
382c523d253a
Upstream: weights support in ip_hash balancer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4621
diff
changeset
|
50 unsigned weighted:1; |
382c523d253a
Upstream: weights support in ip_hash balancer.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4621
diff
changeset
|
51 |
884 | 52 ngx_str_t *name; |
53 | |
1378 | 54 ngx_http_upstream_rr_peers_t *next; |
55 | |
884 | 56 ngx_http_upstream_rr_peer_t peer[1]; |
1378 | 57 }; |
884 | 58 |
59 | |
60 typedef struct { | |
61 ngx_http_upstream_rr_peers_t *peers; | |
62 ngx_uint_t current; | |
954
f16424aa5d89
style fix: remove trailing spaces
Igor Sysoev <igor@sysoev.ru>
parents:
884
diff
changeset
|
63 uintptr_t *tried; |
884 | 64 uintptr_t data; |
65 } ngx_http_upstream_rr_peer_data_t; | |
66 | |
67 | |
68 ngx_int_t ngx_http_upstream_init_round_robin(ngx_conf_t *cf, | |
69 ngx_http_upstream_srv_conf_t *us); | |
70 ngx_int_t ngx_http_upstream_init_round_robin_peer(ngx_http_request_t *r, | |
71 ngx_http_upstream_srv_conf_t *us); | |
1658 | 72 ngx_int_t ngx_http_upstream_create_round_robin_peer(ngx_http_request_t *r, |
73 ngx_http_upstream_resolved_t *ur); | |
884 | 74 ngx_int_t ngx_http_upstream_get_round_robin_peer(ngx_peer_connection_t *pc, |
75 void *data); | |
76 void ngx_http_upstream_free_round_robin_peer(ngx_peer_connection_t *pc, | |
77 void *data, ngx_uint_t state); | |
78 | |
79 #if (NGX_HTTP_SSL) | |
1284
be2b895d31e0
fix segfault when session was freed twice
Igor Sysoev <igor@sysoev.ru>
parents:
954
diff
changeset
|
80 ngx_int_t |
be2b895d31e0
fix segfault when session was freed twice
Igor Sysoev <igor@sysoev.ru>
parents:
954
diff
changeset
|
81 ngx_http_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc, |
be2b895d31e0
fix segfault when session was freed twice
Igor Sysoev <igor@sysoev.ru>
parents:
954
diff
changeset
|
82 void *data); |
be2b895d31e0
fix segfault when session was freed twice
Igor Sysoev <igor@sysoev.ru>
parents:
954
diff
changeset
|
83 void ngx_http_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc, |
884 | 84 void *data); |
85 #endif | |
86 | |
87 | |
88 #endif /* _NGX_HTTP_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ */ |