mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-08 02:02:38 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Resolver: fixed crashes in timeout handler.

Browse Source 
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
This commit is contained in:
Ruslan Ermilov 2016-01-26 16:46:31 +03:00
parent c44fd4e837
commit 4b581a7c21
2 changed files with 42 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

50
src/core/ngx_resolver.c
View File

@ -423,7 +423,7 @@ ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
/* lock name mutex */ /* lock name mutex */
if (ctx->state == NGX_AGAIN) { if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
hash = ngx_crc32_short(ctx->name.data, ctx->name.len); hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
@ -581,6 +581,20 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
if (rn->waiting) { if (rn->waiting) {
if (ctx->event == NULL) {
ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
if (ctx->event == NULL) {
return NGX_ERROR;
}
ctx->event->handler = ngx_resolver_timeout_handler;
ctx->event->data = ctx;
ctx->event->log = r->log;
ctx->ident = -1;
ngx_add_timer(ctx->event, ctx->timeout);
}
ctx->next = rn->waiting; ctx->next = rn->waiting;
rn->waiting = ctx; rn->waiting = ctx;
ctx->state = NGX_AGAIN; ctx->state = NGX_AGAIN;
@ -674,9 +688,9 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
} }
ctx->event->handler = ngx_resolver_timeout_handler; ctx->event->handler = ngx_resolver_timeout_handler;
ctx->event->data = rn; ctx->event->data = ctx;
ctx->event->log = r->log; ctx->event->log = r->log;
rn->ident = -1; ctx->ident = -1;
ngx_add_timer(ctx->event, ctx->timeout); ngx_add_timer(ctx->event, ctx->timeout);
} }
@ -804,6 +818,18 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
if (rn->waiting) { if (rn->waiting) {
ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
if (ctx->event == NULL) {
return NGX_ERROR;
}
ctx->event->handler = ngx_resolver_timeout_handler;
ctx->event->data = ctx;
ctx->event->log = r->log;
ctx->ident = -1;
ngx_add_timer(ctx->event, ctx->timeout);
ctx->next = rn->waiting; ctx->next = rn->waiting;
rn->waiting = ctx; rn->waiting = ctx;
ctx->state = NGX_AGAIN; ctx->state = NGX_AGAIN;
@ -867,9 +893,9 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
} }
ctx->event->handler = ngx_resolver_timeout_handler; ctx->event->handler = ngx_resolver_timeout_handler;
ctx->event->data = rn; ctx->event->data = ctx;
ctx->event->log = r->log; ctx->event->log = r->log;
rn->ident = -1; ctx->ident = -1;
ngx_add_timer(ctx->event, ctx->timeout); ngx_add_timer(ctx->event, ctx->timeout);
@ -959,7 +985,7 @@ ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
/* lock addr mutex */ /* lock addr mutex */
if (ctx->state == NGX_AGAIN) { if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
switch (ctx->addr.sockaddr->sa_family) { switch (ctx->addr.sockaddr->sa_family) {
@ -2815,21 +2841,13 @@ done:
static void static void
ngx_resolver_timeout_handler(ngx_event_t *ev) ngx_resolver_timeout_handler(ngx_event_t *ev)
{ {
ngx_resolver_ctx_t *ctx, *next; ngx_resolver_ctx_t *ctx;
ngx_resolver_node_t *rn;
rn = ev->data; ctx = ev->data;
ctx = rn->waiting;
rn->waiting = NULL;
do {
ctx->state = NGX_RESOLVE_TIMEDOUT; ctx->state = NGX_RESOLVE_TIMEDOUT;
next = ctx->next;
ctx->handler(ctx); ctx->handler(ctx);
ctx = next;
} while (ctx);
} }

13
src/core/ngx_resolver.h
View File

@ -51,15 +51,11 @@ typedef void (*ngx_resolver_handler_pt)(ngx_resolver_ctx_t *ctx);
typedef struct { typedef struct {
/* PTR: resolved name, A: name to resolve */ ngx_rbtree_node_t node;
u_char *name;
ngx_queue_t queue; ngx_queue_t queue;
/* event ident must be after 3 pointers as in ngx_connection_t */ /* PTR: resolved name, A: name to resolve */
ngx_int_t ident; u_char *name;
ngx_rbtree_node_t node;
#if (NGX_HAVE_INET6) #if (NGX_HAVE_INET6)
/* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */ /* PTR: IPv6 address to resolve (IPv4 address is in rbtree node key) */
@ -147,6 +143,9 @@ struct ngx_resolver_ctx_s {
ngx_resolver_t *resolver; ngx_resolver_t *resolver;
ngx_udp_connection_t *udp_connection; ngx_udp_connection_t *udp_connection;
/* event ident must be after 3 pointers as in ngx_connection_t */
ngx_int_t ident;
ngx_int_t state; ngx_int_t state;
ngx_str_t name; ngx_str_t name;