| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
| |
Previously, the recursion was only limited for cached responses.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name. This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from. When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list. This happened e.g. when the first request was aborted or timed
out before the resolving completed. When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context. The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.
When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname. If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().
The fix is to keep ctx->name unmodified. The name from context
is no longer used by ngx_resolve_name_done(). Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
|
| |
|
|
|
|
| |
No functional changes.
This is needed by the following change.
|
| |
|
|
|
|
| |
When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.
If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.
This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
|
| | |
|
| |
|
|
| |
This is specifically useful on graceful shutdown.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
In 954867a2f0a6, we switched to using resolver node as the timer event data.
This broke debug event logging.
Replaced now unused ngx_resolver_ctx_t.ident with ngx_resolver_node_t.ident
so that ngx_event_ident() extracts something sensible when accessing
ngx_resolver_node_t as ngx_connection_t.
|
| |
|
|
|
|
| |
In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.
|
| |
|
|
|
| |
It's mostly dead code. And the idea of thread support for this task has
been deprecated.
|
| |
|
|
|
| |
If a "resolver_timeout" occurs, only the first waiting request
was notified. Other requests may hang forever.
|
| |
|
|
|
|
| |
DNS request resend on malformed responses was broken in 98876ce2a7fd (1.5.8).
Reported by Pramod Korathota.
|
| | |
|
| | |
|
| |
|
|
|
| |
If initial attempt to connect() the UDP socket failed, e.g.
due to network unreachable, no further attempts were made.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
When set to "off", only IPv4 addresses will be resolved,
and no AAAA queries are ever sent.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
Verify that class of RR is "IN".
Verify that RR data length is non-zero.
|
| |
|
|
|
|
| |
Verify that class of RR is "IN".
Verify that RR data length is exactly four octets.
Correctly shift to the next RR if RR type is unknown.
|
| |
|
|
|
|
|
| |
Stricten response header checks: ensure that reserved bits are zeroes,
and that the opcode is "standard query".
Fixed the "zero-length domain name in DNS response" condition.
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Renamed ngx_resolver_query_t to ngx_resolver_hdr_t as it describes
the header that is common to DNS queries and answers.
Replaced the magic number 12 by the size of the header structure.
The other changes are self-explanatory.
|
| |
|
|
|
|
|
|
|
| |
Several warnings silenced, notably (ngx_socket_t) -1 is now checked
on socket operations instead of -1, as ngx_socket_t is unsigned on win32
and gcc complains on comparison.
With this patch, it's now possible to compile nginx using mingw gcc,
with options we normally compile on win32.
|
| | |
|
| |
|
|
|
|
|
| |
This ensures balancing when working with dynamically resolved upstream
servers with multiple addresses.
Based on patch by Anton Jouline.
|
| |
|
|
| |
Found by Coverity.
|
| |
|
|
| |
resolved address was used. Now all addresses will be used.
|
| |
|
|
|
|
|
|
| |
If sending a DNS request fails with an error (e.g., when mistakenly trying
to send it to a local IP broadcast), such a request is not deleted if there
are clients waiting on it. However, it was still erroneously removed from
the queue. Later ngx_resolver_cleanup_tree() attempted to remove it from
the queue again that resulted in a NULL pointer dereference.
|
| | |
|
| |
|
|
| |
Patch by Yichun Zhang (agentzh).
|
| |
|
|
| |
While here, improved error message.
|
| |
|
|
|
|
|
|
|
| |
If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
set), and got additional response with A record, it resulted in rn->cnlen
set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
segmentation fault later in ngx_resolver_free_node() on an attempt to free
overwritten rn->u.cname. The opposite (i.e. CNAME got after A) might cause
similar problems as well.
|
| |
|
|
|
|
|
|
|
| |
If name passed for resolution was { 0, NULL } (e.g. as a result
of name server returning CNAME pointing to ".") pointer wrapped
to (void *) -1 resulting in segmentation fault on an attempt to
dereference it.
Reported by Lanshun Zhou.
|
| |
|
|
| |
Found by Veracode.
|
| |
|
|
|
|
|
| |
Previous code incorrectly assumed that nodes with identical keys are linked
together. This might not be true after tree rebalance.
Patch by Lanshun Zhou.
|
| |
|
|
|
|
|
|
| |
The cycle->new_log.file may not be set before config parsing finished if
there are no error_log directive defined at global level. Fix is to
copy it after config parsing.
Patch by Roman Arutyunyan.
|
| |
|
|
|
|
|
| |
Nuke NGX_PARSE_LARGE_TIME, it's not used since 0.6.30. The only error
ngx_parse_time() can currently return is NGX_ERROR, check it explicitly
and make sure to cast it to appropriate type (either time_t or ngx_msec_t)
to avoid signedness warnings on platforms with unsigned time_t (notably QNX).
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
Previously it used a hardcoded value of 300 seconds. Also added the
"valid=" parameter to the "resolver" directive that can be used to
override the cache validity time.
Patch by Kirill A. Korinskiy with minor changes.
|
| |
|
|
| |
Thanks to Ben Hawkes.
|
| |
|
|
| |
Patch by Kirill A. Korinskiy.
|
