comparison src/core/ngx_resolver.c @ 6077:0395f788b080 stable-1.6
Resolver: fixed use-after-free memory access.
In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Thu, 20 Nov 2014 15:24:40 +0300 |
parents | 60d2cb03faee |
children |
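--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1566,21 +1566,21 @@
 
 ngx_queue_remove(&rn->queue);
 
 ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-ngx_resolver_free_node(r, rn);
-
 /* unlock name mutex */
 
 while (next) {
 ctx = next;
 ctx->state = code;
 next = ctx->next;
 
 ctx->handler(ctx);
 }
+
+ngx_resolver_free_node(r, rn);
 
 return;
 }
 
 i = ans;
@@ -2141,21 +2141,21 @@
 
 ngx_queue_remove(&rn->queue);
 
 ngx_rbtree_delete(tree, &rn->node);
 
-ngx_resolver_free_node(r, rn);
-
 /* unlock addr mutex */
 
 while (next) {
 ctx = next;
 ctx->state = code;
 next = ctx->next;
 
 ctx->handler(ctx);
 }
+
+ngx_resolver_free_node(r, rn);
 
 return;
 }
 
 i += sizeof(ngx_resolver_qs_t);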
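Review bot: Neither relocated `ngx_resolver_free_node(r, rn);` call (new lines 1581 and 2156) carries a comment explaining why it must follow the `while (next)` loop, so a later tidy-up could move the free back above the handlers and reintroduce the use-after-free. Going by the commit message, the node is the timer event data, so the contexts handled in the loop presumably still reach `rn` through their timer events until each handler has deleted its timer. A comment above each call, such as `/* rn is the timer event data of the waiting contexts; free it only after every handler has run */`, would pin the ordering. Other call sites of `ngx_resolver_free_node` are not visible here and may be worth checking for the same free-before-handler pattern. Both enclosing functions start and end outside the shown section.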