Mercurial > hg > nginx
view src/core/ngx_inet.h @ 6351:497d0cff8ace
Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name. This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from. When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list. This happened e.g. when the first request was aborted or timed
out before the resolving completed. When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context. The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.
When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname. If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().
The fix is to keep ctx->name unmodified. The name from context
is no longer used by ngx_resolve_name_done(). Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
author | Roman Arutyunyan <arut@nginx.com> |
---|---|
date | Tue, 26 Jan 2016 16:46:59 +0300 |
parents | d39ef821d03e |
children | 6d3a60a909c8 |
line wrap: on
line source
/* * Copyright (C) Igor Sysoev * Copyright (C) Nginx, Inc. */ #ifndef _NGX_INET_H_INCLUDED_ #define _NGX_INET_H_INCLUDED_ #include <ngx_config.h> #include <ngx_core.h> /* * TODO: autoconfigure NGX_SOCKADDRLEN and NGX_SOCKADDR_STRLEN as * sizeof(struct sockaddr_storage) * sizeof(struct sockaddr_un) * sizeof(struct sockaddr_in6) * sizeof(struct sockaddr_in) */ #define NGX_INET_ADDRSTRLEN (sizeof("255.255.255.255") - 1) #define NGX_INET6_ADDRSTRLEN \ (sizeof("ffff:ffff:ffff:ffff:ffff:ffff:255.255.255.255") - 1) #define NGX_UNIX_ADDRSTRLEN \ (sizeof(struct sockaddr_un) - offsetof(struct sockaddr_un, sun_path)) #if (NGX_HAVE_UNIX_DOMAIN) #define NGX_SOCKADDR_STRLEN (sizeof("unix:") - 1 + NGX_UNIX_ADDRSTRLEN) #else #define NGX_SOCKADDR_STRLEN (NGX_INET6_ADDRSTRLEN + sizeof("[]:65535") - 1) #endif #if (NGX_HAVE_UNIX_DOMAIN) #define NGX_SOCKADDRLEN sizeof(struct sockaddr_un) #else #define NGX_SOCKADDRLEN 512 #endif typedef struct { in_addr_t addr; in_addr_t mask; } ngx_in_cidr_t; #if (NGX_HAVE_INET6) typedef struct { struct in6_addr addr; struct in6_addr mask; } ngx_in6_cidr_t; #endif typedef struct { ngx_uint_t family; union { ngx_in_cidr_t in; #if (NGX_HAVE_INET6) ngx_in6_cidr_t in6; #endif } u; } ngx_cidr_t; typedef struct { struct sockaddr *sockaddr; socklen_t socklen; ngx_str_t name; } ngx_addr_t; typedef struct { ngx_str_t url; ngx_str_t host; ngx_str_t port_text; ngx_str_t uri; in_port_t port; in_port_t default_port; int family; unsigned listen:1; unsigned uri_part:1; unsigned no_resolve:1; unsigned one_addr:1; /* compatibility */ unsigned no_port:1; unsigned wildcard:1; socklen_t socklen; u_char sockaddr[NGX_SOCKADDRLEN]; ngx_addr_t *addrs; ngx_uint_t naddrs; char *err; } ngx_url_t; in_addr_t ngx_inet_addr(u_char *text, size_t len); #if (NGX_HAVE_INET6) ngx_int_t ngx_inet6_addr(u_char *p, size_t len, u_char *addr); size_t ngx_inet6_ntop(u_char *p, u_char *text, size_t len); #endif size_t ngx_sock_ntop(struct sockaddr *sa, socklen_t socklen, u_char *text, size_t len, ngx_uint_t port); size_t ngx_inet_ntop(int family, void *addr, u_char *text, size_t len); ngx_int_t ngx_ptocidr(ngx_str_t *text, ngx_cidr_t *cidr); ngx_int_t ngx_parse_addr(ngx_pool_t *pool, ngx_addr_t *addr, u_char *text, size_t len); ngx_int_t ngx_parse_url(ngx_pool_t *pool, ngx_url_t *u); ngx_int_t ngx_inet_resolve_host(ngx_pool_t *pool, ngx_url_t *u); ngx_int_t ngx_cmp_sockaddr(struct sockaddr *sa1, socklen_t slen1, struct sockaddr *sa2, socklen_t slen2, ngx_uint_t cmp_port); #endif /* _NGX_INET_H_INCLUDED_ */