Mercurial > hg > nginx
annotate src/core/ngx_resolver.h @ 6351:497d0cff8ace
Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name. This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from. When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list. This happened e.g. when the first request was aborted or timed
out before the resolving completed. When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context. The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.
When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname. If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().
The fix is to keep ctx->name unmodified. The name from context
is no longer used by ngx_resolve_name_done(). Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 26 Jan 2016 16:46:59 +0300 |
parents | 7316c57e4fe7 |
children | 69977457e1a6 |
rev | line source |
---|---|
1649 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
1649 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 | |
11 | |
12 #ifndef _NGX_RESOLVER_H_INCLUDED_ | |
13 #define _NGX_RESOLVER_H_INCLUDED_ | |
14 | |
15 | |
16 #define NGX_RESOLVE_A 1 | |
17 #define NGX_RESOLVE_CNAME 5 | |
18 #define NGX_RESOLVE_PTR 12 | |
19 #define NGX_RESOLVE_MX 15 | |
20 #define NGX_RESOLVE_TXT 16 | |
5477
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
21 #if (NGX_HAVE_INET6) |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
22 #define NGX_RESOLVE_AAAA 28 |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
23 #endif |
1965 | 24 #define NGX_RESOLVE_DNAME 39 |
1649 | 25 |
26 #define NGX_RESOLVE_FORMERR 1 | |
27 #define NGX_RESOLVE_SERVFAIL 2 | |
28 #define NGX_RESOLVE_NXDOMAIN 3 | |
29 #define NGX_RESOLVE_NOTIMP 4 | |
30 #define NGX_RESOLVE_REFUSED 5 | |
31 #define NGX_RESOLVE_TIMEDOUT NGX_ETIMEDOUT | |
32 | |
33 | |
1683
1e0b028055ec
allow to use IP addresses without defined resolver
Igor Sysoev <igor@sysoev.ru>
parents:
1649
diff
changeset
|
34 #define NGX_NO_RESOLVER (void *) -1 |
1e0b028055ec
allow to use IP addresses without defined resolver
Igor Sysoev <igor@sysoev.ru>
parents:
1649
diff
changeset
|
35 |
1969 | 36 #define NGX_RESOLVER_MAX_RECURSION 50 |
37 | |
1683
1e0b028055ec
allow to use IP addresses without defined resolver
Igor Sysoev <igor@sysoev.ru>
parents:
1649
diff
changeset
|
38 |
1649 | 39 typedef struct { |
40 ngx_connection_t *connection; | |
41 struct sockaddr *sockaddr; | |
42 socklen_t socklen; | |
43 ngx_str_t server; | |
3408
71193a456616
add context to a resolver log
Igor Sysoev <igor@sysoev.ru>
parents:
3269
diff
changeset
|
44 ngx_log_t log; |
1649 | 45 } ngx_udp_connection_t; |
46 | |
47 | |
48 typedef struct ngx_resolver_ctx_s ngx_resolver_ctx_t; | |
49 | |
50 typedef void (*ngx_resolver_handler_pt)(ngx_resolver_ctx_t *ctx); | |
51 | |
52 | |
53 typedef struct { | |
6348
7316c57e4fe7
Resolver: fixed crashes in timeout handler.
Ruslan Ermilov <ru@nginx.com>
parents:
5921
diff
changeset
|
54 ngx_rbtree_node_t node; |
1649 | 55 ngx_queue_t queue; |
56 | |
6348
7316c57e4fe7
Resolver: fixed crashes in timeout handler.
Ruslan Ermilov <ru@nginx.com>
parents:
5921
diff
changeset
|
57 /* PTR: resolved name, A: name to resolve */ |
7316c57e4fe7
Resolver: fixed crashes in timeout handler.
Ruslan Ermilov <ru@nginx.com>
parents:
5921
diff
changeset
|
58 u_char *name; |
1649 | 59 |
5476
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
60 #if (NGX_HAVE_INET6) |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
61 /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */ |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
62 struct in6_addr addr6; |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
63 #endif |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
64 |
1649 | 65 u_short nlen; |
66 u_short qlen; | |
67 | |
68 u_char *query; | |
5477
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
69 #if (NGX_HAVE_INET6) |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
70 u_char *query6; |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
71 #endif |
1649 | 72 |
73 union { | |
74 in_addr_t addr; | |
75 in_addr_t *addrs; | |
76 u_char *cname; | |
77 } u; | |
78 | |
5477
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
79 u_char code; |
1649 | 80 u_short naddrs; |
81 u_short cnlen; | |
82 | |
5477
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
83 #if (NGX_HAVE_INET6) |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
84 union { |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
85 struct in6_addr addr6; |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
86 struct in6_addr *addrs6; |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
87 } u6; |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
88 |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
89 u_short naddrs6; |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
90 #endif |
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
91 |
1649 | 92 time_t expire; |
93 time_t valid; | |
5477
98876ce2a7fd
Resolver: implemented IPv6 name to address resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5476
diff
changeset
|
94 uint32_t ttl; |
1649 | 95 |
96 ngx_resolver_ctx_t *waiting; | |
97 } ngx_resolver_node_t; | |
98 | |
99 | |
100 typedef struct { | |
101 /* has to be pointer because of "incomplete type" */ | |
102 ngx_event_t *event; | |
4225
016352c19049
Support of several servers in the "resolver" directive.
Igor Sysoev <igor@sysoev.ru>
parents:
3408
diff
changeset
|
103 void *dummy; |
1649 | 104 ngx_log_t *log; |
105 | |
5921
5004210e8c78
Resolver: fixed debug event logging.
Ruslan Ermilov <ru@nginx.com>
parents:
5478
diff
changeset
|
106 /* event ident must be after 3 pointers as in ngx_connection_t */ |
1649 | 107 ngx_int_t ident; |
108 | |
4225
016352c19049
Support of several servers in the "resolver" directive.
Igor Sysoev <igor@sysoev.ru>
parents:
3408
diff
changeset
|
109 /* simple round robin DNS peers balancer */ |
016352c19049
Support of several servers in the "resolver" directive.
Igor Sysoev <igor@sysoev.ru>
parents:
3408
diff
changeset
|
110 ngx_array_t udp_connections; |
016352c19049
Support of several servers in the "resolver" directive.
Igor Sysoev <igor@sysoev.ru>
parents:
3408
diff
changeset
|
111 ngx_uint_t last_connection; |
016352c19049
Support of several servers in the "resolver" directive.
Igor Sysoev <igor@sysoev.ru>
parents:
3408
diff
changeset
|
112 |
1649 | 113 ngx_rbtree_t name_rbtree; |
114 ngx_rbtree_node_t name_sentinel; | |
115 | |
116 ngx_rbtree_t addr_rbtree; | |
117 ngx_rbtree_node_t addr_sentinel; | |
118 | |
119 ngx_queue_t name_resend_queue; | |
120 ngx_queue_t addr_resend_queue; | |
121 | |
122 ngx_queue_t name_expire_queue; | |
123 ngx_queue_t addr_expire_queue; | |
124 | |
5476
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
125 #if (NGX_HAVE_INET6) |
5478
3cb3175a6fef
The "ipv6=" boolean parameter of the "resolver" directive.
Ruslan Ermilov <ru@nginx.com>
parents:
5477
diff
changeset
|
126 ngx_uint_t ipv6; /* unsigned ipv6:1; */ |
5476
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
127 ngx_rbtree_t addr6_rbtree; |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
128 ngx_rbtree_node_t addr6_sentinel; |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
129 ngx_queue_t addr6_resend_queue; |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
130 ngx_queue_t addr6_expire_queue; |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
131 #endif |
950c9ed3e66f
Resolver: implemented IPv6 address to name resolving.
Ruslan Ermilov <ru@nginx.com>
parents:
5475
diff
changeset
|
132 |
1649 | 133 time_t resend_timeout; |
134 time_t expire; | |
135 time_t valid; | |
136 | |
137 ngx_uint_t log_level; | |
138 } ngx_resolver_t; | |
139 | |
140 | |
141 struct ngx_resolver_ctx_s { | |
142 ngx_resolver_ctx_t *next; | |
143 ngx_resolver_t *resolver; | |
144 ngx_udp_connection_t *udp_connection; | |
145 | |
6348
7316c57e4fe7
Resolver: fixed crashes in timeout handler.
Ruslan Ermilov <ru@nginx.com>
parents:
5921
diff
changeset
|
146 /* event ident must be after 3 pointers as in ngx_connection_t */ |
7316c57e4fe7
Resolver: fixed crashes in timeout handler.
Ruslan Ermilov <ru@nginx.com>
parents:
5921
diff
changeset
|
147 ngx_int_t ident; |
7316c57e4fe7
Resolver: fixed crashes in timeout handler.
Ruslan Ermilov <ru@nginx.com>
parents:
5921
diff
changeset
|
148 |
1649 | 149 ngx_int_t state; |
150 ngx_str_t name; | |
151 | |
152 ngx_uint_t naddrs; | |
5475
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
153 ngx_addr_t *addrs; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
154 ngx_addr_t addr; |
07dd5bd222ac
Changed resolver API to use ngx_addr_t.
Ruslan Ermilov <ru@nginx.com>
parents:
4412
diff
changeset
|
155 struct sockaddr_in sin; |
1649 | 156 |
157 ngx_resolver_handler_pt handler; | |
158 void *data; | |
159 ngx_msec_t timeout; | |
160 | |
161 ngx_uint_t quick; /* unsigned quick:1; */ | |
1969 | 162 ngx_uint_t recursion; |
1649 | 163 ngx_event_t *event; |
6351
497d0cff8ace
Resolver: fixed use-after-free memory accesses with CNAME.
Roman Arutyunyan <arut@nginx.com>
parents:
6348
diff
changeset
|
164 |
497d0cff8ace
Resolver: fixed use-after-free memory accesses with CNAME.
Roman Arutyunyan <arut@nginx.com>
parents:
6348
diff
changeset
|
165 ngx_resolver_node_t *node; |
1649 | 166 }; |
167 | |
168 | |
4225
016352c19049
Support of several servers in the "resolver" directive.
Igor Sysoev <igor@sysoev.ru>
parents:
3408
diff
changeset
|
169 ngx_resolver_t *ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, |
016352c19049
Support of several servers in the "resolver" directive.
Igor Sysoev <igor@sysoev.ru>
parents:
3408
diff
changeset
|
170 ngx_uint_t n); |
1649 | 171 ngx_resolver_ctx_t *ngx_resolve_start(ngx_resolver_t *r, |
172 ngx_resolver_ctx_t *temp); | |
173 ngx_int_t ngx_resolve_name(ngx_resolver_ctx_t *ctx); | |
174 void ngx_resolve_name_done(ngx_resolver_ctx_t *ctx); | |
175 ngx_int_t ngx_resolve_addr(ngx_resolver_ctx_t *ctx); | |
176 void ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx); | |
177 char *ngx_resolver_strerror(ngx_int_t err); | |
178 | |
179 | |
180 #endif /* _NGX_RESOLVER_H_INCLUDED_ */ |