comparison src/core/ngx_palloc.c @ 6452:6be7e59fdd2c
Core: moved logging before freeing large blocks of pool.
This fixes a use-after-free memory access with the debug log enabled
when pool->log is allocated as a large block.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Wed, 23 Mar 2016 17:44:04 +0300 |
parents | c45c9812cf11 |
children | 12248fe20689 |
6451:155871d773cc | 6452:6be7e59fdd2c |
---|---|
54 "run cleanup: %p", c); | 54 "run cleanup: %p", c); |
55 c->handler(c->data); | 55 c->handler(c->data); |
56 } | 56 } |
57 } | 57 } |
58 | 58 |
59 for (l = pool->large; l; l = l->next) { | |
60 | |
61 ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc); | |
62 | |
63 if (l->alloc) { | |
64 ngx_free(l->alloc); | |
65 } | |
66 } | |
67 | |
68 #if (NGX_DEBUG) | 59 #if (NGX_DEBUG) |
69 | 60 |
70 /* | 61 /* |
71 * we could allocate the pool->log from this pool | 62 * we could allocate the pool->log from this pool |
72 * so we cannot use this log while free()ing the pool | 63 * so we cannot use this log while free()ing the pool |
73 */ | 64 */ |
74 | 65 |
66 for (l = pool->large; l; l = l->next) { | |
67 ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc); | |
68 } | |
69 | |
75 for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) { | 70 for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) { |
76 ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0, | 71 ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0, |
77 "free: %p, unused: %uz", p, p->d.end - p->d.last); | 72 "free: %p, unused: %uz", p, p->d.end - p->d.last); |
78 | 73 |
79 if (n == NULL) { | 74 if (n == NULL) { |
80 break; | 75 break; |
81 } | 76 } |
82 } | 77 } |
83 | 78 |
84 #endif | 79 #endif |
80 | |
81 for (l = pool->large; l; l = l->next) { | |
82 if (l->alloc) { | |
83 ngx_free(l->alloc); | |
84 } | |
85 } | |
85 | 86 |
86 for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) { | 87 for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) { |
87 ngx_free(p); | 88 ngx_free(p); |
88 | 89 |
89 if (n == NULL) { | 90 if (n == NULL) { |