comparison src/core/ngx_resolver.c @ 6077:0395f788b080 stable-1.6

Resolver: fixed use-after-free memory access. In 954867a2f0a6, we switched to using resolver node as the timer event data, so make sure we do not free resolver node memory until the corresponding timer is deleted.
author Ruslan Ermilov <ru@nginx.com>
date Thu, 20 Nov 2014 15:24:40 +0300
parents 60d2cb03faee
children
6076:1d6eb39d05c9 6077:0395f788b080
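--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1566,21 +1566,21 @@
 
 ngx_queue_remove(&rn->queue);
 
 ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-ngx_resolver_free_node(r, rn);
-
 /* unlock name mutex */
 
 while (next) {
 ctx = next;
 ctx->state = code;
 next = ctx->next;
 
 ctx->handler(ctx);
 }
+
+ngx_resolver_free_node(r, rn);
 
 return;
 }
 
 i = ans;
@@ -2141,21 +2141,21 @@
 
 ngx_queue_remove(&rn->queue);
 
 ngx_rbtree_delete(tree, &rn->node);
 
-ngx_resolver_free_node(r, rn);
-
 /* unlock addr mutex */
 
 while (next) {
 ctx = next;
 ctx->state = code;
 next = ctx->next;
 
 ctx->handler(ctx);
 }
+
+ngx_resolver_free_node(r, rn);
 
 return;
 }
 
 i += sizeof(ngx_resolver_qs_t);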
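Review bot: The ordering this fix depends on is not documented at either call site. `ngx_resolver_free_node(r, rn)` must now stay after the `while (next)` handler loop, at new lines 1581 and 2156, but nothing in the code says why. A short comment above each moved call, for example `/* rn is the timer event data of the waiting contexts; free it only after their handlers have run */`, would stop a later cleanup from moving the free back above the loop and reintroducing the use-after-free. The commit message says the node must outlive its timers; presumably the handlers are what delete them, but that is not visible in these lines and should be confirmed before wording the comment. Both enclosing functions start and end outside the lines shown.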