Resolver: fixed use-after-free memory access. In 954867a2f0a6, we switched to using resolver node as the timer event data, so make sure we do not free resolver node memory until the corresponding timer is deleted.

commit: d4b7b74686cdfe7488214a210a95da0af0736f8e [log] [tgz]
author: Ruslan Ermilov <ru@nginx.com> Thu Nov 20 15:24:40 2014 +0300
committer: Ruslan Ermilov <ru@nginx.com> Thu Nov 20 15:24:40 2014 +0300
tree: ed5f0bb3c2f29e71236298bc4e84eccc35be46c9
parent: 96a62f139603573c9bcf0399d9e261c8a63ca5ce [diff]
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index a17793b..7aa20ea 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c

@@ -1568,8 +1568,6 @@
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
@@ -1580,6 +1578,8 @@
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
@@ -2143,8 +2143,6 @@
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
@@ -2155,6 +2153,8 @@
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
commit	d4b7b74686cdfe7488214a210a95da0af0736f8e	[log] [tgz]
author	Ruslan Ermilov <ru@nginx.com>	Thu Nov 20 15:24:40 2014 +0300
committer	Ruslan Ermilov <ru@nginx.com>	Thu Nov 20 15:24:40 2014 +0300
tree	ed5f0bb3c2f29e71236298bc4e84eccc35be46c9
parent	96a62f139603573c9bcf0399d9e261c8a63ca5ce [diff]