DNS bug report

彭谦(研六 福州) pengqian at ruijie.com.cn
Fri Apr 12 07:38:46 UTC 2013


Hi all,

Recently, we tested the NGX reverse proxy with TestCenter and found a segmentation fault in the DNS module.

BUG condition:
1. The rn links two (or more) ctxs. As we know, the end ctx gets a timeout event.
2. When the rn receives a CNAME type response, it will create a new rn node.
3. The new rn links the same ctxs and sends a query. Although the first ctx->name points to the cname, the end ctx->name still points to the original name.
4. The end ctx timeout occurs, but it can't be deleted from the new rn link because ctx->name points to the original name.
5. The new rn receives the response (code 2), and it will call all ctx->handle. Unfortunately the end ctx has been freed, so the segmentation fault occurs.

svn diff
Index: ngx_resolver.c
===================================================================
--- ngx_resolver.c      (revision 5170)
+++ ngx_resolver.c   (working copy)
@@ -607,6 +607,7 @@
     rn->waiting = ctx;

     ctx->state = NGX_AGAIN;
+    ctx->next = NULL;

     return NGX_AGAIN;

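Review bot: clearing ctx->next right after rn->waiting = ctx leaves the new node holding only this one context, and the hunk does not show what happens to the contexts that were chained behind it. If they are still waiting for an answer, nothing visible here completes or re-queues them, so they could only end by timeout. Consider re-resolving each waiting ctx individually, or point to where the rest of the chain is handled, and add a one-line comment on why next has to be reset at this point.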


Thanks
Pengqian
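
A simplified model of the five steps in the report, added here as an illustration and not taken from the original post or from nginx. The struct layouts, the names orig.example and cname.example, the emptied old node and the freed flag standing in for the real release are all assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model (assumption, not nginx source): a node keyed by name
 * that holds a singly linked list of waiting contexts. */
struct ctx  { const char *name; struct ctx *next; int freed; };
struct node { const char *name; struct ctx *waiting; };

/* Timeout path: find the node by ctx->name, unlink ctx there, release it. */
static void ctx_timeout(struct node *nodes, size_t n, struct ctx *c)
{
    for (size_t i = 0; i < n; i++) {
        if (strcmp(nodes[i].name, c->name) != 0) continue;
        for (struct ctx **p = &nodes[i].waiting; *p; p = &(*p)->next)
            if (*p == c) { *p = c->next; break; }
    }
    c->freed = 1;  /* flag stands in for free() so the model stays memory-safe */
}

/* Response path: count waiters on rn whose handler would run after release. */
static int stale_waiters(const struct node *rn)
{
    int stale = 0;
    for (const struct ctx *c = rn->waiting; c; c = c->next)
        stale += c->freed;
    return stale;
}

/* Replays steps 1-5; clear_next != 0 applies the patch (ctx->next = NULL). */
int replay(int clear_next)
{
    struct ctx last  = { "orig.example", NULL, 0 };
    struct ctx first = { "orig.example", &last, 0 };
    /* Assumption: the old node's list has already been handed over (empty). */
    struct node nodes[2] = { { "orig.example", NULL }, { "cname.example", NULL } };

    /* Steps 2-3: CNAME response, first ctx renamed and queued on the new node. */
    first.name = "cname.example";
    nodes[1].waiting = &first;
    if (clear_next) first.next = NULL;

    ctx_timeout(nodes, 2, &last);     /* step 4: lookup uses the original name */
    return stale_waiters(&nodes[1]);  /* step 5: released ctxs still linked */
}

int main(void)
{
    printf("unpatched: %d stale, patched: %d stale\n", replay(0), replay(1));
    return 0;
}
```

In the unpatched replay the released context is still reachable from the new node, which is the state that leads to the crash in step 5; with next cleared it is not.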
