[nginx] Resolver: fixed possible use-after-free while resolving PTR.

Sergey Kandaurov
September 10, 2019 10:42AM
details: https://hg.nginx.org/nginx/rev/571383f75a9a
branches:
changeset: 7566:571383f75a9a
user: Sergey Kandaurov <pluknet@nginx.com>
date: Tue Sep 10 15:42:34 2019 +0300
description:
Resolver: fixed possible use-after-free while resolving PTR.

Previously, if a response to the PTR request was cached, and ngx_resolver_dup()
failed to allocate memory for the resulting name, then the original node was
freed but left in expire_queue. A subsequent address resolving would end up
in a use-after-free memory access of the node either in ngx_resolver_expire()
or ngx_resolver_process_ptr(), when accessing it through expire_queue.

The fix is to leave the resolver node intact.

diffstat:

src/core/ngx_resolver.c | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)

diffs (13 lines):

diff -r fd6dcc6f8a49 -r 571383f75a9a src/core/ngx_resolver.c
--- a/src/core/ngx_resolver.c Tue Sep 10 15:33:38 2019 +0300
+++ b/src/core/ngx_resolver.c Tue Sep 10 15:42:34 2019 +0300
@@ -972,7 +972,8 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx

name = ngx_resolver_dup(r, rn->name, rn->nlen);
if (name == NULL) {
- goto failed;
+ ngx_resolver_free(r, ctx);
+ return NGX_ERROR;
}

ctx->name.len = rn->nlen;
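Review bot: the new early return in the `name == NULL` branch carries no comment explaining why this one error path must not use `goto failed`, so a later cleanup pass could fold it back into the shared label and reintroduce the bug. A short comment above `ngx_resolver_free(r, ctx);`, for example `/* rn is a cached node still linked in expire_queue; release only ctx */`, would record the invariant from the commit message next to the code. The hunk also does not show the body of `failed`, so it is worth confirming that nothing else done there, apart from freeing the node, is still needed on this path before returning `NGX_ERROR`.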
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel