Mercurial > hg > nginx
comparison src/core/ngx_resolver.c @ 4658:c92289afb5be stable-1.2
Merge of r4611, r4620: resolver fixes.
*) Fixed segmentation fault in ngx_resolver_create_name_query().
If name passed for resolution was { 0, NULL } (e.g. as a result
of name server returning CNAME pointing to ".") pointer wrapped
to (void *) -1 resulting in segmentation fault on an attempt to
dereference it.
Reported by Lanshun Zhou.
*) Resolver: protection from duplicate responses.
If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
set), and got additional response with A record, it resulted in rn->cnlen
set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
segmentation fault later in ngx_resolver_free_node() on an attempt to free
overwritten rn->u.cname. The opposite (i.e. CNAME got after A) might cause
similar problems as well.
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 04 Jun 2012 10:15:55 +0000 |
| parents | 1bddc91e78d6 |
| children | 474bbe8ca79c |
comparison
equal
deleted
inserted
replaced
| 4657:36b220b82f23 | 4658:c92289afb5be |
|---|---|
| 511 | 511 |
| 512 ngx_queue_remove(&rn->queue); | 512 ngx_queue_remove(&rn->queue); |
| 513 | 513 |
| 514 /* lock alloc mutex */ | 514 /* lock alloc mutex */ |
| 515 | 515 |
| 516 ngx_resolver_free_locked(r, rn->query); | 516 if (rn->query) { |
| 517 rn->query = NULL; | 517 ngx_resolver_free_locked(r, rn->query); |
| 518 rn->query = NULL; | |
| 519 } | |
| 518 | 520 |
| 519 if (rn->cnlen) { | 521 if (rn->cnlen) { |
| 520 ngx_resolver_free_locked(r, rn->u.cname); | 522 ngx_resolver_free_locked(r, rn->u.cname); |
| 521 } | 523 } |
| 522 | 524 |
| 1407 | 1409 |
| 1408 if (naddrs > 1) { | 1410 if (naddrs > 1) { |
| 1409 ngx_resolver_free(r, addrs); | 1411 ngx_resolver_free(r, addrs); |
| 1410 } | 1412 } |
| 1411 | 1413 |
| 1414 ngx_resolver_free(r, rn->query); | |
| 1415 rn->query = NULL; | |
| 1416 | |
| 1412 return; | 1417 return; |
| 1413 | 1418 |
| 1414 } else if (cname) { | 1419 } else if (cname) { |
| 1415 | 1420 |
| 1416 /* CNAME only */ | 1421 /* CNAME only */ |
| 1438 if (ctx) { | 1443 if (ctx) { |
| 1439 ctx->name = name; | 1444 ctx->name = name; |
| 1440 | 1445 |
| 1441 (void) ngx_resolve_name_locked(r, ctx); | 1446 (void) ngx_resolve_name_locked(r, ctx); |
| 1442 } | 1447 } |
| 1448 | |
| 1449 ngx_resolver_free(r, rn->query); | |
| 1450 rn->query = NULL; | |
| 1443 | 1451 |
| 1444 return; | 1452 return; |
| 1445 } | 1453 } |
| 1446 | 1454 |
| 1447 ngx_log_error(r->log_level, r->log, 0, | 1455 ngx_log_error(r->log_level, r->log, 0, |
| 1832 | 1840 |
| 1833 len = 0; | 1841 len = 0; |
| 1834 p--; | 1842 p--; |
| 1835 *p-- = '\0'; | 1843 *p-- = '\0'; |
| 1836 | 1844 |
| 1845 if (ctx->name.len == 0) { | |
| 1846 return NGX_DECLINED; | |
| 1847 } | |
| 1848 | |
| 1837 for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) { | 1849 for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) { |
| 1838 if (*s != '.') { | 1850 if (*s != '.') { |
| 1839 *p = *s; | 1851 *p = *s; |
| 1840 len++; | 1852 len++; |
| 1841 | 1853 |