Google Git
Sign in
nginx/nginx/d4b7b74686cdfe7488214a210a95da0af0736f8e^!/.
commit
d4b7b74686cdfe7488214a210a95da0af0736f8e
[log]
author
Ruslan Ermilov <ru@nginx.com>
Thu Nov 20 15:24:40 2014 +0300
committer
Ruslan Ermilov <ru@nginx.com>
Thu Nov 20 15:24:40 2014 +0300
tree
ed5f0bb3c2f29e71236298bc4e84eccc35be46c9
parent
96a62f139603573c9bcf0399d9e261c8a63ca5ce [diff]
Resolver: fixed use-after-free memory access.

In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.

diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index a17793b..7aa20ea 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c

@@ -1568,8 +1568,6 @@
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
@@ -1580,6 +1578,8 @@
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
@@ -2143,8 +2143,6 @@
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
@@ -2155,6 +2153,8 @@
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }