mirror of
https://github.com/nginx/nginx.git
synced 2025-06-11 12:22:41 +08:00
Resolver: protection from duplicate responses.
If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname set), and got additional response with A record, it resulted in rn->cnlen set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing segmentation fault later in ngx_resolver_free_node() on an attempt to free overwritten rn->u.cname. The opposite (i.e. CNAME got after A) might cause similar problems as well.
This commit is contained in:
Maxim Dounin
parent
0e3b423dc6
commit
7d863c0181
@ -513,8 +513,10 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
|
|||||||
|
|
||||||
/* lock alloc mutex */
|
/* lock alloc mutex */
|
||||||
|
|
||||||
ngx_resolver_free_locked(r, rn->query);
|
if (rn->query) {
|
||||||
rn->query = NULL;
|
ngx_resolver_free_locked(r, rn->query);
|
||||||
|
rn->query = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
if (rn->cnlen) {
|
if (rn->cnlen) {
|
||||||
ngx_resolver_free_locked(r, rn->u.cname);
|
ngx_resolver_free_locked(r, rn->u.cname);
|
||||||
@ -1409,6 +1411,9 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|||||||
ngx_resolver_free(r, addrs);
|
ngx_resolver_free(r, addrs);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ngx_resolver_free(r, rn->query);
|
||||||
|
rn->query = NULL;
|
||||||
|
|
||||||
return;
|
return;
|
||||||
|
|
||||||
} else if (cname) {
|
} else if (cname) {
|
||||||
@ -1441,6 +1446,9 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
|
|||||||
(void) ngx_resolve_name_locked(r, ctx);
|
(void) ngx_resolve_name_locked(r, ctx);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
ngx_resolver_free(r, rn->query);
|
||||||
|
rn->query = NULL;
|
||||||
|
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user