[nginx] Resolver: fixed possible use-after-free while resolving PTR.

Sergey Kandaurov pluknet at nginx.com
Tue Sep 10 14:40:23 UTC 2019

details:   https://hg.nginx.org/nginx/rev/571383f75a9a
changeset: 7566:571383f75a9a
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Tue Sep 10 15:42:34 2019 +0300
Resolver: fixed possible use-after-free while resolving PTR.

Previously, if a response to the PTR request was cached, and ngx_resolver_dup()
failed to allocate memory for the resulting name, then the original node was
freed but left in expire_queue.  A subsequent address resolving would end up
in a use-after-free memory access of the node either in ngx_resolver_expire()
or ngx_resolver_process_ptr(), when accessing it through expire_queue.

The fix is to leave the resolver node intact.


 src/core/ngx_resolver.c |  3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diffs (13 lines):

diff -r fd6dcc6f8a49 -r 571383f75a9a src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c	Tue Sep 10 15:33:38 2019 +0300
+++ b/src/core/ngx_resolver.c	Tue Sep 10 15:42:34 2019 +0300
@@ -972,7 +972,8 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx
             name = ngx_resolver_dup(r, rn->name, rn->nlen);
             if (name == NULL) {
-                goto failed;
+                ngx_resolver_free(r, ctx);
+                return NGX_ERROR;
             ctx->name.len = rn->nlen;

More information about the nginx-devel mailing list