Core: moved logging before freeing large blocks of pool.

This fixes use-after-free memory access with enabled debug log
when pool->log is allocated as a large block.

1 files changed, 10 insertions, 9 deletions

diff --git a/src/core/ngx_palloc.c b/src/core/ngx_palloc.c
index ef4a64771..48a76d978 100644
--- a/src/core/ngx_palloc.c
+++ b/src/core/ngx_palloc.c
@@ -56,15 +56,6 @@ ngx_destroy_pool(ngx_pool_t *pool)
         }
     }
 
-    for (l = pool->large; l; l = l->next) {
-
-        ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
-
-        if (l->alloc) {
-            ngx_free(l->alloc);
-        }
-    }
-
 #if (NGX_DEBUG)
 
     /*
@@ -72,6 +63,10 @@ ngx_destroy_pool(ngx_pool_t *pool)
      * so we cannot use this log while free()ing the pool
      */
 
+    for (l = pool->large; l; l = l->next) {
+        ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
+    }
+
     for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
         ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
                        "free: %p, unused: %uz", p, p->d.end - p->d.last);
@@ -83,6 +78,12 @@ ngx_destroy_pool(ngx_pool_t *pool)
 
 #endif
 
+    for (l = pool->large; l; l = l->next) {
+        if (l->alloc) {
+            ngx_free(l->alloc);
+        }
+    }
+
     for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
         ngx_free(p);