comparison src/core/ngx_resolver.c @ 4658:c92289afb5be stable-1.2
Merge of r4611, r4620: resolver fixes.
*) Fixed segmentation fault in ngx_resolver_create_name_query().
If name passed for resolution was { 0, NULL } (e.g. as a result
of name server returning CNAME pointing to ".") pointer wrapped
to (void *) -1 resulting in segmentation fault on an attempt to
dereference it.
Reported by Lanshun Zhou.
*) Resolver: protection from duplicate responses.
If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
set), and got additional response with A record, it resulted in rn->cnlen
set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
segmentation fault later in ngx_resolver_free_node() on an attempt to free
overwritten rn->u.cname. The opposite (i.e. CNAME got after A) might cause
similar problems as well.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 04 Jun 2012 10:15:55 +0000 |
parents | 1bddc91e78d6 |
children | 474bbe8ca79c |
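--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -511,12 +511,14 @@
 
 ngx_queue_remove(&rn->queue);
 
 /* lock alloc mutex */
 
-ngx_resolver_free_locked(r, rn->query);
-rn->query = NULL;
+if (rn->query) {
+ngx_resolver_free_locked(r, rn->query);
+rn->query = NULL;
+}
 
 if (rn->cnlen) {
 ngx_resolver_free_locked(r, rn->u.cname);
 }
 
@@ -1407,10 +1409,13 @@
 
 if (naddrs > 1) {
 ngx_resolver_free(r, addrs);
 }
 
+ngx_resolver_free(r, rn->query);
+rn->query = NULL;
+
 return;
 
 } else if (cname) {
 
 /* CNAME only */
@@ -1438,10 +1443,13 @@
 if (ctx) {
 ctx->name = name;
 
 (void) ngx_resolve_name_locked(r, ctx);
 }
+
+ngx_resolver_free(r, rn->query);
+rn->query = NULL;
 
 return;
 }
 
 ngx_log_error(r->log_level, r->log, 0,
@@ -1832,10 +1840,14 @@
 
 len = 0;
 p--;
 *p-- = '\0';
 
+if (ctx->name.len == 0) {
+return NGX_DECLINED;
+}
+
 for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) {
 if (*s != '.') {
 *p = *s;
 len++;
 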
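Review bot: In the last hunk (new lines 1845-1847) the `ctx->name.len == 0` guard returns only after `p--; *p-- = '\0';` have already written into the query buffer, and nothing on the visible lines shows who releases that buffer when the function returns NGX_DECLINED; the allocation and the callers are outside the hunk, so this should be confirmed there. The guard also carries no comment tying it to the crash it prevents; I would add `/* empty name (e.g. CNAME pointing to "."): data may be NULL and the loop below would start at data - 1 */` above it. The loop itself still terminates by decrementing `s` to one element before `ctx->name.data`, which C leaves undefined even for non-empty names, so a length-counted loop would be the more robust form. Names made up only of '.' characters have a non-zero length and still reach the loop; since the name can come from a name server's response, the empty-label handling in the part of the loop outside this hunk deserves a check as well.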