Mercurial > hg > nginx
view auto/summary @ 6359:dac6eda40475 stable-1.8
Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name. This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from. When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list. This happened e.g. when the first request was aborted or timed
out before the resolving completed. When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context. The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.
When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname. If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().
The fix is to keep ctx->name unmodified. The name from context
is no longer used by ngx_resolve_name_done(). Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
| author | Roman Arutyunyan <arut@nginx.com> |
|---|---|
| date | Tue, 26 Jan 2016 16:46:59 +0300 |
| parents | 466bd63b63d1 |
| children | 85dea406e18f |
line wrap: on
line source
# Copyright (C) Igor Sysoev # Copyright (C) Nginx, Inc. echo echo "Configuration summary" if [ $USE_THREADS = YES ]; then echo " + using threads" fi if [ $USE_PCRE = DISABLED ]; then echo " + PCRE library is disabled" else case $PCRE in YES) echo " + using system PCRE library" ;; NONE) echo " + PCRE library is not used" ;; *) echo " + using PCRE library: $PCRE" ;; esac fi case $OPENSSL in YES) echo " + using system OpenSSL library" ;; NONE) echo " + OpenSSL library is not used" ;; *) echo " + using OpenSSL library: $OPENSSL" ;; esac case $MD5 in YES) echo " + md5: using $MD5_LIB library" ;; NONE) echo " + md5 library is not used" ;; NO) echo " + using builtin md5 code" ;; *) echo " + using md5 library: $MD5" ;; esac case $SHA1 in YES) echo " + sha1: using $SHA1_LIB library" ;; NONE) echo " + sha1 library is not used" ;; NO) echo " + sha1 library is not found" ;; *) echo " + using sha1 library: $SHA1" ;; esac case $ZLIB in YES) echo " + using system zlib library" ;; NONE) echo " + zlib library is not used" ;; *) echo " + using zlib library: $ZLIB" ;; esac case $NGX_LIBATOMIC in YES) echo " + using system libatomic_ops library" ;; NO) ;; # not used *) echo " + using libatomic_ops library: $NGX_LIBATOMIC" ;; esac echo cat << END nginx path prefix: "$NGX_PREFIX" nginx binary file: "$NGX_SBIN_PATH" nginx configuration prefix: "$NGX_CONF_PREFIX" nginx configuration file: "$NGX_CONF_PATH" nginx pid file: "$NGX_PID_PATH" END if test -n "$NGX_ERROR_LOG_PATH"; then echo " nginx error log file: \"$NGX_ERROR_LOG_PATH\"" else echo " nginx logs errors to stderr" fi cat << END nginx http access log file: "$NGX_HTTP_LOG_PATH" nginx http client request body temporary files: "$NGX_HTTP_CLIENT_TEMP_PATH" END if [ $HTTP_PROXY = YES ]; then echo " nginx http proxy temporary files: \"$NGX_HTTP_PROXY_TEMP_PATH\"" fi if [ $HTTP_FASTCGI = YES ]; then echo " nginx http fastcgi temporary files: \"$NGX_HTTP_FASTCGI_TEMP_PATH\"" fi if [ $HTTP_UWSGI = YES ]; then echo " nginx http uwsgi temporary files: \"$NGX_HTTP_UWSGI_TEMP_PATH\"" fi if [ $HTTP_SCGI = YES ]; then echo " nginx http scgi temporary files: \"$NGX_HTTP_SCGI_TEMP_PATH\"" fi echo "$NGX_POST_CONF_MSG"