Welcome! Log In Create A New Profile

Advanced

[nginx] svn commit: r4659 - in branches/stable-1.2: . src/core

Previous Message Next Message
Forum List Message List New Topic Print View
Anonymous User
June 04, 2012 06:16AM
Author: mdounin
Date: 2012-06-04 10:15:55 +0000 (Mon, 04 Jun 2012)
New Revision: 4659
URL: http://trac.nginx.org/nginx/changeset/4659/nginx

Log:
Merge of r4611, r4620: resolver fixes.

*) Fixed segmentation fault in ngx_resolver_create_name_query().

If name passed for resolution was { 0, NULL } (e.g. as a result
of name server returning CNAME pointing to ".") pointer wrapped
to (void *) -1 resulting in segmentation fault on an attempt to
dereference it.

Reported by Lanshun Zhou.

*) Resolver: protection from duplicate responses.

If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
set), and got additional response with A record, it resulted in rn->cnlen
set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
segmentation fault later in ngx_resolver_free_node() on an attempt to free
overwritten rn->u.cname. The opposite (i.e. CNAME got after A) might cause
similar problems as well.


Modified:
branches/stable-1.2/
branches/stable-1.2/src/core/ngx_resolver.c

Index: branches/stable-1.2
===================================================================
--- branches/stable-1.2 2012-06-04 10:00:39 UTC (rev 4658)
+++ branches/stable-1.2 2012-06-04 10:15:55 UTC (rev 4659)

Property changes on: branches/stable-1.2
___________________________________________________________________
Added: svn:mergeinfo
## -0,0 +1 ##
+/trunk:4611,4620
\ No newline at end of property
Modified: branches/stable-1.2/src/core/ngx_resolver.c
===================================================================
--- branches/stable-1.2/src/core/ngx_resolver.c 2012-06-04 10:00:39 UTC (rev 4658)
+++ branches/stable-1.2/src/core/ngx_resolver.c 2012-06-04 10:15:55 UTC (rev 4659)
@@ -513,8 +513,10 @@

/* lock alloc mutex */

- ngx_resolver_free_locked(r, rn->query);
- rn->query = NULL;
+ if (rn->query) {
+ ngx_resolver_free_locked(r, rn->query);
+ rn->query = NULL;
+ }

if (rn->cnlen) {
ngx_resolver_free_locked(r, rn->u.cname);
@@ -1409,6 +1411,9 @@
ngx_resolver_free(r, addrs);
}

+ ngx_resolver_free(r, rn->query);
+ rn->query = NULL;
+
return;

} else if (cname) {
@@ -1441,6 +1446,9 @@
(void) ngx_resolve_name_locked(r, ctx);
}

+ ngx_resolver_free(r, rn->query);
+ rn->query = NULL;
+
return;
}

@@ -1834,6 +1842,10 @@
p--;
*p-- = '\0';

+ if (ctx->name.len == 0) {
+ return NGX_DECLINED;
+ }
+
for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) {
if (*s != '.') {
*p = *s;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Reply Quote
RSS
Subject Author Views Posted

[nginx] svn commit: r4659 - in branches/stable-1.2: . src/core

Anonymous User 906 June 04, 2012 06:16AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 191
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready