diff options
| author | Dmitry Volyntsev <xeioex@nginx.com> | 2024-05-30 22:22:48 -0700 |
|---|---|---|
| committer | Dmitry Volyntsev <xeioexception@gmail.com> | 2024-06-12 15:09:21 -0700 |
| commit | d34fcb03cf2378a644a3c7366d58cbddc2771cbd (patch) | |
| tree | aa69f1f10e9276133e16d5ddd9a0ba759a1ab8a6 /nginx/ngx_http_js_module.c | |
| parent | 558de1e14d9c9a6542bc0512b9fff51167ef6f3a (diff) | |
| download | njs-d34fcb03cf2378a644a3c7366d58cbddc2771cbd.tar.gz njs-d34fcb03cf2378a644a3c7366d58cbddc2771cbd.zip | |
HTTP: fixed r.subrequest() error handling.
Previously, when at least 2 subrequests were scheduled they both
succeed, but the callback for the second threw an exception
heap-use-after-free happened: a nested chain of
ngx_http_run_posted_requests() calls and terminating request in the
inner call left outer calls with already freed request pointer.
The issue was introduced in 0.8.1 (4cb8e873e8c6).
Diffstat (limited to 'nginx/ngx_http_js_module.c')
| -rw-r--r-- | nginx/ngx_http_js_module.c | 27 |
1 files changed, 18 insertions, 9 deletions
diff --git a/nginx/ngx_http_js_module.c b/nginx/ngx_http_js_module.c index fd3c1742..5c8c0480 100644 --- a/nginx/ngx_http_js_module.c +++ b/nginx/ngx_http_js_module.c @@ -276,8 +276,8 @@ static void ngx_http_js_event_finalize(ngx_http_request_t *r, ngx_int_t rc); static ngx_js_ctx_t *ngx_http_js_ctx(njs_vm_t *vm, ngx_http_request_t *r); static void ngx_http_js_periodic_handler(ngx_event_t *ev); -static void ngx_http_js_periodic_write_event_handler(ngx_http_request_t *r); static void ngx_http_js_periodic_shutdown_handler(ngx_event_t *ev); +static void ngx_http_js_periodic_write_handler(ngx_event_t *ev); static void ngx_http_js_periodic_finalize(ngx_http_request_t *r, ngx_int_t rc); static void ngx_http_js_periodic_destroy(ngx_http_request_t *r, ngx_js_periodic_t *periodic); @@ -4220,7 +4220,10 @@ ngx_http_js_periodic_handler(ngx_event_t *ev) c->data = r; c->destroyed = 0; c->pool = r->pool; + c->read->log = &periodic->log; c->read->handler = ngx_http_js_periodic_shutdown_handler; + c->write->log = &periodic->log; + c->write->handler = ngx_http_js_periodic_write_handler; periodic->connection = c; periodic->log_ctx.request = r; @@ -4234,7 +4237,6 @@ ngx_http_js_periodic_handler(ngx_event_t *ev) r->valid_unparsed_uri = 1; r->health_check = 1; - r->write_event_handler = ngx_http_js_periodic_write_event_handler; rc = ngx_http_js_init_vm(r, ngx_http_js_periodic_session_proto_id); @@ -4263,12 +4265,17 @@ ngx_http_js_periodic_handler(ngx_event_t *ev) static void -ngx_http_js_periodic_write_event_handler(ngx_http_request_t *r) +ngx_http_js_periodic_write_handler(ngx_event_t *ev) { - ngx_http_js_ctx_t *ctx; + ngx_connection_t *c; + ngx_http_js_ctx_t *ctx; + ngx_http_request_t *r; - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http js periodic write event handler"); + c = ev->data; + r = c->data; + + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, + "http js periodic write handler"); ctx = ngx_http_get_module_ctx(r, ngx_http_js_module); @@ -4340,6 +4347,10 @@ ngx_http_js_periodic_destroy(ngx_http_request_t *r, ngx_js_periodic_t *periodic) c->fd = (ngx_socket_t) -1; c->pool = NULL; c->destroyed = 1; + + if (c->write->posted) { + ngx_delete_posted_event(c->write); + } } @@ -4451,10 +4462,8 @@ ngx_http_js_event_finalize(ngx_http_request_t *r, ngx_int_t rc) } if (rc == NGX_OK) { - ngx_http_post_request(r, NULL); + ngx_post_event(r->connection->write, &ngx_posted_events); } - - ngx_http_run_posted_requests(r->connection); } |