]> git.kaiwu.me - nginx.git/commitdiff
projects / nginx.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: d9a65e9)
Merge of r4611, r4620: resolver fixes.
authorMaxim Dounin <mdounin@mdounin.ru>
Mon, 4 Jun 2012 10:15:55 +0000 (10:15 +0000)
committerMaxim Dounin <mdounin@mdounin.ru>
Mon, 4 Jun 2012 10:15:55 +0000 (10:15 +0000)
*) Fixed segmentation fault in ngx_resolver_create_name_query().

   If name passed for resolution was { 0, NULL } (e.g. as a result
   of name server returning CNAME pointing to ".") pointer wrapped
   to (void *) -1 resulting in segmentation fault on an attempt to
   dereference it.

   Reported by Lanshun Zhou.

*) Resolver: protection from duplicate responses.

   If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
   set), and got additional response with A record, it resulted in rn->cnlen
   set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
   segmentation fault later in ngx_resolver_free_node() on an attempt to free
   overwritten rn->u.cname.  The opposite (i.e. CNAME got after A) might cause
   similar problems as well.

src/core/ngx_resolver.c patch | blob | history

diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index 02c484da6941986dd5546b3ac27f40f31d115bf2..edc43dce21992da37188a1ed6cdea6561a60b30c 100644 (file)
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -513,8 +513,10 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
 
         /* lock alloc mutex */
 
-        ngx_resolver_free_locked(r, rn->query);
-        rn->query = NULL;
+        if (rn->query) {
+            ngx_resolver_free_locked(r, rn->query);
+            rn->query = NULL;
+        }
 
         if (rn->cnlen) {
             ngx_resolver_free_locked(r, rn->u.cname);
@@ -1409,6 +1411,9 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
             ngx_resolver_free(r, addrs);
         }
 
+        ngx_resolver_free(r, rn->query);
+        rn->query = NULL;
+
         return;
 
     } else if (cname) {
@@ -1441,6 +1446,9 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
             (void) ngx_resolve_name_locked(r, ctx);
         }
 
+        ngx_resolver_free(r, rn->query);
+        rn->query = NULL;
+
         return;
     }
 
@@ -1834,6 +1842,10 @@ ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
     p--;
     *p-- = '\0';
 
+    if (ctx->name.len == 0)  {
+        return NGX_DECLINED;
+    }
+
     for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) {
         if (*s != '.') {
             *p = *s;
nginx upstream