# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1416486280 -10800
# Node ID 7420068c4d4b94539c3616b2833c7dbccfb43d95
# Parent  fddc6bed1e6ee57e334b039fe1ba99690b14030c
Resolver: fixed use-after-free memory access.

In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.

diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1568,8 +1568,6 @@ ngx_resolver_process_a(ngx_resolver_t *r
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
@@ -1580,6 +1578,8 @@ ngx_resolver_process_a(ngx_resolver_t *r
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
@@ -2143,8 +2143,6 @@ valid:
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
@@ -2155,6 +2153,8 @@ valid:
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }