Mercurial > hg > nginx-quic
comparison src/core/ngx_resolver.h @ 6348:7316c57e4fe7
Resolver: fixed crashes in timeout handler.
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.
If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.
This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Tue, 26 Jan 2016 16:46:31 +0300 |
parents | 5004210e8c78 |
children | 497d0cff8ace |
comparison
equal
deleted
inserted
replaced
6347:81d44cd4044e | 6348:7316c57e4fe7 |
---|---|
49 | 49 |
50 typedef void (*ngx_resolver_handler_pt)(ngx_resolver_ctx_t *ctx); | 50 typedef void (*ngx_resolver_handler_pt)(ngx_resolver_ctx_t *ctx); |
51 | 51 |
52 | 52 |
53 typedef struct { | 53 typedef struct { |
54 ngx_rbtree_node_t node; | |
55 ngx_queue_t queue; | |
56 | |
54 /* PTR: resolved name, A: name to resolve */ | 57 /* PTR: resolved name, A: name to resolve */ |
55 u_char *name; | 58 u_char *name; |
56 | |
57 ngx_queue_t queue; | |
58 | |
59 /* event ident must be after 3 pointers as in ngx_connection_t */ | |
60 ngx_int_t ident; | |
61 | |
62 ngx_rbtree_node_t node; | |
63 | 59 |
64 #if (NGX_HAVE_INET6) | 60 #if (NGX_HAVE_INET6) |
65 /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */ | 61 /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */ |
66 struct in6_addr addr6; | 62 struct in6_addr addr6; |
67 #endif | 63 #endif |
145 struct ngx_resolver_ctx_s { | 141 struct ngx_resolver_ctx_s { |
146 ngx_resolver_ctx_t *next; | 142 ngx_resolver_ctx_t *next; |
147 ngx_resolver_t *resolver; | 143 ngx_resolver_t *resolver; |
148 ngx_udp_connection_t *udp_connection; | 144 ngx_udp_connection_t *udp_connection; |
149 | 145 |
146 /* event ident must be after 3 pointers as in ngx_connection_t */ | |
147 ngx_int_t ident; | |
148 | |
150 ngx_int_t state; | 149 ngx_int_t state; |
151 ngx_str_t name; | 150 ngx_str_t name; |
152 | 151 |
153 ngx_uint_t naddrs; | 152 ngx_uint_t naddrs; |
154 ngx_addr_t *addrs; | 153 ngx_addr_t *addrs; |