Mercurial > hg > nginx

diff src/core/ngx_resolver.c @ 5920:7420068c4d4b

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Resolver: fixed use-after-free memory access. In 954867a2f0a6, we switched to using resolver node as the timer event data, so make sure we do not free resolver node memory until the corresponding timer is deleted.
author Ruslan Ermilov <ru@nginx.com>
date Thu, 20 Nov 2014 15:24:40 +0300
parents 3377f9459e99
children 5004210e8c78
line wrap: on
line diff
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1568,8 +1568,6 @@ ngx_resolver_process_a(ngx_resolver_t *r
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
@@ -1580,6 +1578,8 @@ ngx_resolver_process_a(ngx_resolver_t *r
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
@@ -2143,8 +2143,6 @@ valid:
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
@@ -2155,6 +2153,8 @@ valid:
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }