From: Ruslan Ermilov <ru@nginx.com>
Date: Thu, 20 Nov 2014 12:24:40 +0000 (+0300)
Subject: Resolver: fixed use-after-free memory access.
X-Git-Tag: release-1.7.8~11
X-Git-Url: http://www.kaiwu.me/postgresql/commit/?a=commitdiff_plain;h=d4b7b74686cdfe7488214a210a95da0af0736f8e;p=nginx.git

Resolver: fixed use-after-free memory access.

In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.
---

diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index a17793b13..7aa20ea67 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1568,8 +1568,6 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
 
         ngx_rbtree_delete(&r->name_rbtree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock name mutex */
 
         while (next) {
@@ -1580,6 +1578,8 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }
 
@@ -2143,8 +2143,6 @@ valid:
 
         ngx_rbtree_delete(tree, &rn->node);
 
-        ngx_resolver_free_node(r, rn);
-
         /* unlock addr mutex */
 
         while (next) {
@@ -2155,6 +2153,8 @@ valid:
             ctx->handler(ctx);
         }
 
+        ngx_resolver_free_node(r, rn);
+
         return;
     }