comparison src/core/ngx_resolver.c @ 7566:571383f75a9a
Resolver: fixed possible use-after-free while resolving PTR.
Previously, if a response to the PTR request was cached, and ngx_resolver_dup()
failed to allocate memory for the resulting name, then the original node was
freed but left in expire_queue. A subsequent address resolving would end up
in a use-after-free memory access of the node either in ngx_resolver_expire()
or ngx_resolver_process_ptr(), when accessing it through expire_queue.
The fix is to leave the resolver node intact.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 10 Sep 2019 15:42:34 +0300 |
parents | cbc5dee8d5d2 |
children | 8fe7ebe5adc4 |
7565:fd6dcc6f8a49 | 7566:571383f75a9a |
---|---|
970 | 970 |
971 ngx_queue_insert_head(expire_queue, &rn->queue); | 971 ngx_queue_insert_head(expire_queue, &rn->queue); |
972 | 972 |
973 name = ngx_resolver_dup(r, rn->name, rn->nlen); | 973 name = ngx_resolver_dup(r, rn->name, rn->nlen); |
974 if (name == NULL) { | 974 if (name == NULL) { |
975 goto failed; | 975 ngx_resolver_free(r, ctx); |
976 return NGX_ERROR; | |
976 } | 977 } |
977 | 978 |
978 ctx->name.len = rn->nlen; | 979 ctx->name.len = rn->nlen; |
979 ctx->name.data = name; | 980 ctx->name.data = name; |
980 | 981 |
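Review bot: The new error branch at new lines 974-977 returns directly instead of using the shared `failed` label, but the code carries no comment explaining why. rn was linked into expire_queue at line 971, so it must not be freed on this path. Suggest a short comment above `ngx_resolver_free(r, ctx);` stating that rn stays intact because it is already queued, so that a later cleanup does not fold this branch back into `goto failed`. The `failed` label is outside the visible lines, so it is also worth confirming that none of its other cleanup is still required here beyond freeing ctx.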