diff src/core/ngx_resolver.h @ 6348:7316c57e4fe7

Resolver: fixed crashes in timeout handler. If one or more requests were waiting for a response, then after getting a CNAME response, the timeout event on the first request remained active, pointing to the wrong node with an empty rn->waiting list, and that could cause either null pointer dereference or use-after-free memory access if this timeout expired. If several requests were waiting for a response, and the first request terminated (e.g., due to client closing a connection), other requests were left without a timeout and could potentially wait indefinitely. This is fixed by introducing per-request independent timeouts. This change also reverts 954867a2f0a6 and 5004210e8c78.
author Ruslan Ermilov <ru@nginx.com>
date Tue, 26 Jan 2016 16:46:31 +0300
parents 5004210e8c78
children 497d0cff8ace
--- a/src/core/ngx_resolver.h
+++ b/src/core/ngx_resolver.h
@@ -51,15 +51,11 @@ typedef void (*ngx_resolver_handler_pt)(
 
 
 typedef struct {
-    /* PTR: resolved name, A: name to resolve */
-    u_char                   *name;
-
+    ngx_rbtree_node_t         node;
     ngx_queue_t               queue;
 
-    /* event ident must be after 3 pointers as in ngx_connection_t */
-    ngx_int_t                 ident;
-
-    ngx_rbtree_node_t         node;
+    /* PTR: resolved name, A: name to resolve */
+    u_char                   *name;
 
 #if (NGX_HAVE_INET6)
     /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */
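Review bot: `ngx_rbtree_node_t node;` becomes the first member of this struct with no comment saying whether that position is required. The comment removed in this hunk documented a layout rule for `ident`, so layout has mattered here before. If code in ngx_resolver.c converts an rbtree node pointer back to the enclosing struct by a plain cast rather than an `offsetof` adjustment (not visible from this header), offset 0 is load-bearing and a later reorder would make the resolver read and write the wrong memory without any compiler diagnostic. In that case I would add `/* node must stay first: rbtree node pointers are cast to the enclosing struct */` above the member; otherwise a short note that the order is free would help. The struct body continues past the last line of this hunk.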
@@ -147,6 +143,9 @@ struct ngx_resolver_ctx_s {
     ngx_resolver_t           *resolver;
     ngx_udp_connection_t     *udp_connection;
 
+    /* event ident must be after 3 pointers as in ngx_connection_t */
+    ngx_int_t                 ident;
+
     ngx_int_t                 state;
     ngx_str_t                 name;