Possible NULL pointer dereference in nxt_cache_wake_handler()
Max Romanov
max.romanov at gmail.com
Sat Jun 11 10:50:11 UTC 2022
Hi Andrew,
Good catch!
This is a potential NULL dereference issue and it should be fixed before nxt_cache.c is added to the compiled files list :)
—
Best regards,
Max
> On 11 Jun 2022, at 04:44, Andrew Clayton <andrew at digital-domain.net> wrote:
>
> So in src/nxt_cache.c we have the following function
>
> static void
> nxt_cache_wake_handler(nxt_thread_t *thr, void *obj, void *data)
> {
>     nxt_cache_t             *cache;
>     nxt_work_handler_t      handler;
>     nxt_cache_query_t       *q;
>     nxt_cache_query_wait_t  *qw;
>
>     qw = obj;
>     q = qw->query;
>     cache = qw->cache;
>
>     nxt_cache_lock(cache);
>
>     handler = nxt_cache_node_test(cache, q);
>
>     if (handler != NULL) {
>         nxt_cache_query_wait_free(cache, qw);
>
>     } else {
>         /* Wait again. */
>         qw->next = q->node->waiting;
>         q->node->waiting = qw;
>     }
>
>     nxt_cache_unlock(cache);
>
>     handler(thr, q, NULL);
> }
>
> We set handler then check if it's NULL. However even if it is NULL we
> still call it with
>
>     handler(thr, q, NULL);
>
> Or am I missing something?
>
> Andrew
> _______________________________________________
> unit mailing list -- unit at nginx.org
> To unsubscribe send an email to unit-leave at nginx.org
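
A minimal model of the pattern discussed in this thread, as an added example that is not code from Unit or from either poster: the waiter is queued again when the test returns NULL, and the handler is called only when it is non-NULL. The simplified types and the names `node_test`, `wake_handler_guarded` and `run_case` are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the Unit types; every name here is hypothetical. */
typedef struct query_s query_t;
typedef void (*work_handler_t)(query_t *q);
typedef struct waiter_s { struct waiter_s *next; query_t *query; } waiter_t;
typedef struct { int ready; waiter_t *waiting; } node_t;
struct query_s { node_t *node; int handled; };

static void query_ready(query_t *q) { q->handled++; }

/* Models nxt_cache_node_test(): NULL means "not ready, keep waiting". */
static work_handler_t
node_test(query_t *q)
{
    return q->node->ready ? query_ready : NULL;
}

/* Returns 1 if a handler ran, 0 if the waiter was queued again. */
static int
wake_handler_guarded(waiter_t *qw)
{
    query_t         *q = qw->query;
    work_handler_t  handler;
    handler = node_test(q);     /* done under the cache lock in the thread's code */
    if (handler == NULL) {
        /* Wait again: push the waiter back on the node's list. */
        qw->next = q->node->waiting;
        q->node->waiting = qw;
        return 0;               /* nothing to call; an unconditional call jumps to NULL */
    }
    handler(q);
    return 1;
}

/* Constructed scenario: result = 100*ran + 10*handled + waiter_requeued. */
static int
run_case(int ready)
{
    node_t    node = { ready, NULL };
    query_t   q = { &node, 0 };
    waiter_t  qw = { NULL, &q };
    int       ran = wake_handler_guarded(&qw);
    return 100 * ran + 10 * q.handled + (node.waiting == &qw);
}

int
main(void)
{
    printf("not ready: %d, ready: %d\n", run_case(0), run_case(1));
    return 0;
}
```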