Author: mdounin
Date: 2012-05-14 09:13:45 +0000 (Mon, 14 May 2012)
New Revision: 4620
URL: http://trac.nginx.org/nginx/changeset/4620/nginx

Log:
Resolver: protection from duplicate responses.

If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
set), and got additional response with A record, it resulted in rn->cnlen
set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
segmentation fault later in ngx_resolver_free_node() on an attempt to free
overwritten rn->u.cname. The opposite (i.e. CNAME got after A) might cause
similar problems as well.


Modified:
trunk/src/core/ngx_resolver.c

Modified: trunk/src/core/ngx_resolver.c
===================================================================
--- trunk/src/core/ngx_resolver.c 2012-05-11 13:33:06 UTC (rev 4619)
+++ trunk/src/core/ngx_resolver.c 2012-05-14 09:13:45 UTC (rev 4620)
@@ -513,8 +513,10 @@

/* lock alloc mutex */

- ngx_resolver_free_locked(r, rn->query);
- rn->query = NULL;
+ if (rn->query) {
+ ngx_resolver_free_locked(r, rn->query);
+ rn->query = NULL;
+ }

if (rn->cnlen) {
ngx_resolver_free_locked(r, rn->u.cname);
@@ -1409,6 +1411,9 @@
ngx_resolver_free(r, addrs);
}

+ ngx_resolver_free(r, rn->query);
+ rn->query = NULL;
+
return;

} else if (cname) {
@@ -1441,6 +1446,9 @@
(void) ngx_resolve_name_locked(r, ctx);
}

+ ngx_resolver_free(r, rn->query);
+ rn->query = NULL;
+
return;
}


_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel