[nginx] Resolver: fixed use-after-free memory access.

Maxim Dounin mdounin at mdounin.ru
Tue Apr 7 13:04:08 UTC 2015


details:   http://hg.nginx.org/nginx/rev/0395f788b080
branches:  stable-1.6
changeset: 6077:0395f788b080
user:      Ruslan Ermilov <ru at nginx.com>
date:      Thu Nov 20 15:24:40 2014 +0300
description:
Resolver: fixed use-after-free memory access.

In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.

diffstat:

 src/core/ngx_resolver.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (39 lines):

diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1568,8 +1568,6 @@ ngx_resolver_process_a(ngx_resolver_t *r
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
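Review bot: With the call removed from above the `/* unlock name mutex */` marker, the deferred `ngx_resolver_free_node(r, rn)` now runs after the point where the name mutex is meant to be released. The marker is only a comment here, but please confirm that freeing the node does not touch state the lock is intended to protect, or note next to the marker that the free is deliberately done outside it. Also worth stating: `rn` is already out of `name_rbtree` at this point but stays allocated for the whole handler loop, so nothing called from the handlers may assume the node is still reachable through the tree.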
@@ -1580,6 +1578,8 @@ ngx_resolver_process_a(ngx_resolver_t *r
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
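Review bot: The re-added `ngx_resolver_free_node(r, rn);` before `return` carries no comment explaining why it has to come after the `ctx->handler(ctx)` loop. The commit message gives the reason (the node is the timer event data and must stay valid until the corresponding timer is deleted), but in the source the call looks like it could be safely hoisted back next to `ngx_rbtree_delete()`. A one-line comment above the call stating that the node must outlive the handlers would keep a later cleanup from reintroducing the use-after-free.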
@@ -2143,8 +2143,6 @@ valid:
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
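Review bot: This is a second copy of the same delete, notify, free sequence, here under `valid:` with `tree` in place of `&r->name_rbtree`, and it needs the identical reordering as the name path. Since the order of these three steps is now what prevents a use-after-free, consider moving the sequence into one shared helper so the two paths cannot drift apart. The lock question raised for the name path applies to `/* unlock addr mutex */` here as well.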
@@ -2155,6 +2153,8 @@ valid:
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 


