If sending a DNS request fails with an error (e.g., when mistakenly trying
to send it to a local IP broadcast), such a request is not deleted if there
are clients waiting on it. However, it was still erroneously removed from
the queue. Later ngx_resolver_cleanup_tree() attempted to remove it from
the queue again, which resulted in a NULL pointer dereference.
if (rn->waiting) {
- if (ngx_resolver_send_query(r, rn) == NGX_OK) {
+ (void) ngx_resolver_send_query(r, rn);
- rn->expire = now + r->resend_timeout;
+ rn->expire = now + r->resend_timeout;
- ngx_queue_insert_head(queue, &rn->queue);
- }
+ ngx_queue_insert_head(queue, q);
continue;
}
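Review bot: the (void) cast on ngx_resolver_send_query() in the rn->waiting branch discards the error with no comment explaining why, so a later reader may be tempted to restore the NGX_OK check and reintroduce the unlinked-node case. Add a one-line comment there saying the node is deliberately re-armed with now + r->resend_timeout and put back at the queue head even when the send fails, because clients are still waiting on it and it must stay linked for later removal. Also confirm that q is the same element as &rn->queue: the insert argument changed from "&rn->queue" to "q", and the hunk does not show where q is assigned.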