Mercurial > hg > nginx
comparison src/core/ngx_resolver.h @ 6348:7316c57e4fe7
Resolver: fixed crashes in timeout handler.
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.
If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.
This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Tue, 26 Jan 2016 16:46:31 +0300 |
| parents | 5004210e8c78 |
| children | 497d0cff8ace |
comparison
equal
deleted
inserted
replaced
| 6347:81d44cd4044e | 6348:7316c57e4fe7 |
|---|---|
| 49 | 49 |
| 50 typedef void (*ngx_resolver_handler_pt)(ngx_resolver_ctx_t *ctx); | 50 typedef void (*ngx_resolver_handler_pt)(ngx_resolver_ctx_t *ctx); |
| 51 | 51 |
| 52 | 52 |
| 53 typedef struct { | 53 typedef struct { |
| 54 ngx_rbtree_node_t node; | |
| 55 ngx_queue_t queue; | |
| 56 | |
| 54 /* PTR: resolved name, A: name to resolve */ | 57 /* PTR: resolved name, A: name to resolve */ |
| 55 u_char *name; | 58 u_char *name; |
| 56 | |
| 57 ngx_queue_t queue; | |
| 58 | |
| 59 /* event ident must be after 3 pointers as in ngx_connection_t */ | |
| 60 ngx_int_t ident; | |
| 61 | |
| 62 ngx_rbtree_node_t node; | |
| 63 | 59 |
| 64 #if (NGX_HAVE_INET6) | 60 #if (NGX_HAVE_INET6) |
| 65 /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */ | 61 /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */ |
| 66 struct in6_addr addr6; | 62 struct in6_addr addr6; |
| 67 #endif | 63 #endif |
| 145 struct ngx_resolver_ctx_s { | 141 struct ngx_resolver_ctx_s { |
| 146 ngx_resolver_ctx_t *next; | 142 ngx_resolver_ctx_t *next; |
| 147 ngx_resolver_t *resolver; | 143 ngx_resolver_t *resolver; |
| 148 ngx_udp_connection_t *udp_connection; | 144 ngx_udp_connection_t *udp_connection; |
| 149 | 145 |
| 146 /* event ident must be after 3 pointers as in ngx_connection_t */ | |
| 147 ngx_int_t ident; | |
| 148 | |
| 150 ngx_int_t state; | 149 ngx_int_t state; |
| 151 ngx_str_t name; | 150 ngx_str_t name; |
| 152 | 151 |
| 153 ngx_uint_t naddrs; | 152 ngx_uint_t naddrs; |
| 154 ngx_addr_t *addrs; | 153 ngx_addr_t *addrs; |