Hi,

On Fri, Apr 12, 2013 at 07:38:46AM +0000, 彭谦(研六 福州) wrote:
> Hi all,
>
> Recently, we have tested the NGX reverse proxy by TestCenter and found a segmentation fault in DNS module.
>
> BUG condition:
> 1. The rn link two(or more) ctxs, As we know the end ctx get a timeout event.
> 2. When rn recive a CNAME type response, it will create a new rn node.
> 3. The new rn link the same ctxs and send a query. Although the first ctx->name point the cname, the end ctx->name remain to point the original name.
> 4. The end ctx timeout occours, but it can't del from the new rn link for ctx->name point the original name.
> 5. The new rn recvice the response(code 2), it will call all ctx->handle. Unfortunately the end ctx has been freed, then the segmentation fault occurs.
>
> svn diff
> Index: ngx_resolver.c
> ===================================================================
> --- ngx_resolver.c (revision 5170)
> +++ ngx_resolver.c (working copy)
> @@ -607,6 +607,7 @@
> rn->waiting = ctx;
>
> ctx->state = NGX_AGAIN;
> + ctx->next = NULL;
>
> return NGX_AGAIN;
>
>
>
> Thanks
> Pengqian

Thanks for your report.

However, we have difficulty trying to understand your description.

Could you please provide steps on how to reproduce the problem
without going to ngx_resolver.c internals? What name nginx tries
to resolve, what it gets in a reply from the DNS server, what
happens next, etc.

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel