Mercurial > hg > nginx
comparison src/core/ngx_resolver.c @ 7566:571383f75a9a
Resolver: fixed possible use-after-free while resolving PTR.
Previously, if a response to the PTR request was cached, and ngx_resolver_dup()
failed to allocate memory for the resulting name, then the original node was
freed but left in expire_queue. A subsequent address resolving would end up
in a use-after-free memory access of the node either in ngx_resolver_expire()
or ngx_resolver_process_ptr(), when accessing it through expire_queue.
The fix is to leave the resolver node intact.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 10 Sep 2019 15:42:34 +0300 |
| parents | cbc5dee8d5d2 |
| children | 8fe7ebe5adc4 |
comparison
equal
deleted
inserted
replaced
| 7565:fd6dcc6f8a49 | 7566:571383f75a9a |
|---|---|
| 970 | 970 |
| 971 ngx_queue_insert_head(expire_queue, &rn->queue); | 971 ngx_queue_insert_head(expire_queue, &rn->queue); |
| 972 | 972 |
| 973 name = ngx_resolver_dup(r, rn->name, rn->nlen); | 973 name = ngx_resolver_dup(r, rn->name, rn->nlen); |
| 974 if (name == NULL) { | 974 if (name == NULL) { |
| 975 goto failed; | 975 ngx_resolver_free(r, ctx); |
| 976 return NGX_ERROR; | |
| 976 } | 977 } |
| 977 | 978 |
| 978 ctx->name.len = rn->nlen; | 979 ctx->name.len = rn->nlen; |
| 979 ctx->name.data = name; | 980 ctx->name.data = name; |
| 980 | 981 |