Mercurial > hg > nginx

diff src/core/ngx_resolver.c @ 6077:0395f788b080 stable-1.6

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Resolver: fixed use-after-free memory access. In 954867a2f0a6, we switched to using resolver node as the timer event data, so make sure we do not free resolver node memory until the corresponding timer is deleted.
author Ruslan Ermilov <ru@nginx.com>
date Thu, 20 Nov 2014 15:24:40 +0300
parents 60d2cb03faee
children
line wrap: on
line diff
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1568,8 +1568,6 @@ ngx_resolver_process_a(ngx_resolver_t *r
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
@@ -1580,6 +1578,8 @@ ngx_resolver_process_a(ngx_resolver_t *r
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
@@ -2143,8 +2143,6 @@ valid:
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
@@ -2155,6 +2153,8 @@ valid:
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }