nginx: src/core/ngx_palloc.c comparison

comparison src/core/ngx_palloc.c @ 6452:6be7e59fdd2c

Core: moved logging before freeing large blocks of pool. This fixes use-after-free memory access with enabled debug log when pool->log is allocated as a large block.

author	Valentin Bartenev <vbart@nginx.com>
date	Wed, 23 Mar 2016 17:44:04 +0300
parents	c45c9812cf11
children	12248fe20689

comparison

equal deleted inserted replaced

-:155871d773cc
+:6be7e59fdd2c
 "run cleanup: %p", c);
 c->handler(c->data);
 }
 }
-for (l = pool->large; l; l = l->next) {
-ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
-if (l->alloc) {
-ngx_free(l->alloc);
-}
-}
 #if (NGX_DEBUG)
 /*
 * we could allocate the pool->log from this pool
 * so we cannot use this log while free()ing the pool
 */
+for (l = pool->large; l; l = l->next) {
+ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
+}
 for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
 ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
 "free: %p, unused: %uz", p, p->d.end - p->d.last);
 if (n == NULL) {
 break;
 }
 }
 #endif
+for (l = pool->large; l; l = l->next) {
+if (l->alloc) {
+ngx_free(l->alloc);
+}
+}
 for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
 ngx_free(p);
 if (n == NULL) {

Mercurial > hg > nginx

comparison src/core/ngx_palloc.c @ 6452:6be7e59fdd2c