[nginx] Resolver: fixed use-after-free memory access.

Ruslan Ermilov ru at nginx.com
Thu Nov 20 12:38:15 UTC 2014


details:   http://hg.nginx.org/nginx/rev/7420068c4d4b
branches:  
changeset: 5920:7420068c4d4b
user:      Ruslan Ermilov <ru at nginx.com>
date:      Thu Nov 20 15:24:40 2014 +0300
description:
Resolver: fixed use-after-free memory access.

In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.

diffstat:

 src/core/ngx_resolver.c |  8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diffs (39 lines):

diff -r fddc6bed1e6e -r 7420068c4d4b src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c	Wed Nov 19 21:46:01 2014 +0300
+++ b/src/core/ngx_resolver.c	Thu Nov 20 15:24:40 2014 +0300
@@ -1568,8 +1568,6 @@ ngx_resolver_process_a(ngx_resolver_t *r
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
@@ -1580,6 +1578,8 @@ ngx_resolver_process_a(ngx_resolver_t *r
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
@@ -2143,8 +2143,6 @@ valid:
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
@@ -2155,6 +2153,8 @@ valid:
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 



More information about the nginx-devel mailing list