[nginx] Core: moved logging before freeing large blocks of pool.
Valentin Bartenev
vbart at nginx.com
Wed Mar 23 14:45:36 UTC 2016
details: http://hg.nginx.org/nginx/rev/6be7e59fdd2c
branches:
changeset: 6452:6be7e59fdd2c
user: Valentin Bartenev <vbart at nginx.com>
date: Wed Mar 23 17:44:04 2016 +0300
description:
Core: moved logging before freeing large blocks of pool.
This fixes use-after-free memory access with enabled debug log
when pool->log is allocated as a large block.
diffstat:
src/core/ngx_palloc.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)
diffs (43 lines):
diff -r 155871d773cc -r 6be7e59fdd2c src/core/ngx_palloc.c
--- a/src/core/ngx_palloc.c Tue Mar 22 16:58:38 2016 +0300
+++ b/src/core/ngx_palloc.c Wed Mar 23 17:44:04 2016 +0300
@@ -56,15 +56,6 @@ ngx_destroy_pool(ngx_pool_t *pool)
}
}
- for (l = pool->large; l; l = l->next) {
-
- ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
-
- if (l->alloc) {
- ngx_free(l->alloc);
- }
- }
-
#if (NGX_DEBUG)
/*
@@ -72,6 +63,10 @@ ngx_destroy_pool(ngx_pool_t *pool)
* so we cannot use this log while free()ing the pool
*/
+ for (l = pool->large; l; l = l->next) {
+ ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
+ }
+
for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
"free: %p, unused: %uz", p, p->d.end - p->d.last);
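Review bot: The comment above the new logging loop still only says the log cannot be used "while free()ing the pool", but the bug fixed here is that pool->log may itself be a large block. It should say so, for example `* pool->log may live in a pool block or in a large block, so all debug logging is done before anything is freed`. The new loop also logs "free: %p" for entries whose l->alloc is NULL, which the later free loop skips, so the debug log reports frees that never happen. This is carried over from the removed code, and guarding the log call with `if (l->alloc)` would make the two loops agree. The comment opens in the previous hunk and ngx_destroy_pool continues past this one.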
@@ -83,6 +78,12 @@ ngx_destroy_pool(ngx_pool_t *pool)
#endif
+ for (l = pool->large; l; l = l->next) {
+ if (l->alloc) {
+ ngx_free(l->alloc);
+ }
+ }
+
for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
ngx_free(p);
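Review bot: Nothing at the relocated free loop records that pool->log must not be used from here on, and the only explanation sits inside the `#if (NGX_DEBUG)` section above. A short comment on the loop, such as `/* pool->log may be freed here: no logging past this point */`, would help keep a later edit from reintroducing the use-after-free. The loop also reads l->next after freeing l->alloc, which is safe only if the list nodes are not stored in large blocks. Presumably they live in the regular pool blocks released by the loop that follows, but that is not visible in this diff. Other paths in ngx_palloc.c that free large blocks are outside this patch and are worth checking for the same log-after-free ordering. ngx_destroy_pool continues past the end of the hunk.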