mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-06-07 01:12:40 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Core: moved logging before freeing large blocks of pool.

Browse Source 
This fixes use-after-free memory access with enabled debug log
when pool->log is allocated as a large block.
This commit is contained in:
Valentin Bartenev 2016-03-23 17:44:04 +03:00
parent 890ba54497
commit b94eb1dfe6
1 changed files with 10 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
src/core/ngx_palloc.c
View File

@ -56,15 +56,6 @@ ngx_destroy_pool(ngx_pool_t *pool)
}
}
for (l = pool->large; l; l = l->next) {
ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
if (l->alloc) {
ngx_free(l->alloc);
}
}
#if (NGX_DEBUG)
/*
@ -72,6 +63,10 @@ ngx_destroy_pool(ngx_pool_t *pool)
* so we cannot use this log while free()ing the pool
*/
for (l = pool->large; l; l = l->next) {
ngx_log_debug1(NGX_LOG_DEBUG_ALLOC, pool->log, 0, "free: %p", l->alloc);
}
for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
ngx_log_debug2(NGX_LOG_DEBUG_ALLOC, pool->log, 0,
"free: %p, unused: %uz", p, p->d.end - p->d.last);
@ -83,6 +78,12 @@ ngx_destroy_pool(ngx_pool_t *pool)
#endif
for (l = pool->large; l; l = l->next) {
if (l->alloc) {
ngx_free(l->alloc);
}
}
for (p = pool, n = pool->d.next; /* void */; p = n, n = n->d.next) {
ngx_free(p);