Mercurial > hg > nginx
annotate src/os/unix/ngx_user.c @ 7048:80224192163c
Resolver: fixed possible use-after-free while resolving SRV.
Resolving an SRV record includes resolving its host names in subrequests.
Previously, if memory allocation failed while reporting a subrequest result
after receiving a response from a DNS server, the SRV resolve handler was
called immediately with the NGX_ERROR state. However, if the SRV record
included another copy of the resolved name, it was reported once again.
This could trigger the use-after-free memory access after SRV resolve
handler freed the resolve context by calling ngx_resolve_name_done().
Now the SRV resolve handler is called only when all its subrequests are
completed.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 04 Jul 2017 18:07:29 +0300 |
parents | e284f3ff6831 |
children | 4a670c18e5e6 |
rev | line source |
---|---|
503 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
503 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 | |
11 | |
12 /* | |
13 * Solaris has thread-safe crypt() | |
14 * Linux has crypt_r(); "struct crypt_data" is more than 128K | |
15 * FreeBSD needs the mutex to protect crypt() | |
16 * | |
17 * TODO: | |
18 * ngx_crypt_init() to init mutex | |
19 */ | |
20 | |
21 | |
22 #if (NGX_CRYPT) | |
23 | |
527 | 24 #if (NGX_HAVE_GNU_CRYPT_R) |
503 | 25 |
26 ngx_int_t | |
3922
9c057d5e1c27
"$apr1", "{PLAIN}", and "{SSHA}" password methods in auth basic module
Igor Sysoev <igor@sysoev.ru>
parents:
3796
diff
changeset
|
27 ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) |
503 | 28 { |
29 char *value; | |
30 size_t len; | |
31 struct crypt_data cd; | |
32 | |
509 | 33 cd.initialized = 0; |
5955
fd6fd02f6a4d
Fixed building with musl libc (ticket #685).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4982
diff
changeset
|
34 #ifdef __GLIBC__ |
529 | 35 /* work around the glibc bug */ |
36 cd.current_salt[0] = ~salt[0]; | |
5955
fd6fd02f6a4d
Fixed building with musl libc (ticket #685).
Maxim Dounin <mdounin@mdounin.ru>
parents:
4982
diff
changeset
|
37 #endif |
509 | 38 |
503 | 39 value = crypt_r((char *) key, (char *) salt, &cd); |
40 | |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
41 if (value) { |
3796
7dec2852e8fd
allocate last zero byte in ngx_crypt()
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
42 len = ngx_strlen(value) + 1; |
503 | 43 |
2049 | 44 *encrypted = ngx_pnalloc(pool, len); |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
45 if (*encrypted == NULL) { |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
46 return NGX_ERROR; |
503 | 47 } |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
48 |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
49 ngx_memcpy(*encrypted, value, len); |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
50 return NGX_OK; |
503 | 51 } |
52 | |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
53 ngx_log_error(NGX_LOG_CRIT, pool->log, ngx_errno, "crypt_r() failed"); |
509 | 54 |
503 | 55 return NGX_ERROR; |
56 } | |
57 | |
58 #else | |
59 | |
60 ngx_int_t | |
3922
9c057d5e1c27
"$apr1", "{PLAIN}", and "{SSHA}" password methods in auth basic module
Igor Sysoev <igor@sysoev.ru>
parents:
3796
diff
changeset
|
61 ngx_libc_crypt(ngx_pool_t *pool, u_char *key, u_char *salt, u_char **encrypted) |
503 | 62 { |
63 char *value; | |
64 size_t len; | |
509 | 65 ngx_err_t err; |
503 | 66 |
67 value = crypt((char *) key, (char *) salt); | |
68 | |
69 if (value) { | |
3796
7dec2852e8fd
allocate last zero byte in ngx_crypt()
Igor Sysoev <igor@sysoev.ru>
parents:
2049
diff
changeset
|
70 len = ngx_strlen(value) + 1; |
503 | 71 |
2049 | 72 *encrypted = ngx_pnalloc(pool, len); |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
73 if (*encrypted == NULL) { |
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
74 return NGX_ERROR; |
503 | 75 } |
509 | 76 |
4982
6ccd3a50b40f
Core: crypt_r() error handling fixed.
Maxim Dounin <mdounin@mdounin.ru>
parents:
4499
diff
changeset
|
77 ngx_memcpy(*encrypted, value, len); |
509 | 78 return NGX_OK; |
503 | 79 } |
80 | |
509 | 81 err = ngx_errno; |
82 | |
83 ngx_log_error(NGX_LOG_CRIT, pool->log, err, "crypt() failed"); | |
84 | |
85 return NGX_ERROR; | |
503 | 86 } |
87 | |
88 #endif | |
89 | |
90 #endif /* NGX_CRYPT */ |