Klaus Demo nginx / 4cd1dd2
Resolver: fixed possible use-after-free while resolving PTR.

Previously, if a response to the PTR request was cached, and ngx_resolver_dup() failed to allocate memory for the resulting name, then the original node was freed but left in expire_queue. A subsequent address resolving would end up in a use-after-free memory access of the node either in ngx_resolver_expire() or ngx_resolver_process_ptr(), when accessing it through expire_queue. The fix is to leave the resolver node intact.

Sergey Kandaurov 2 years ago
1 changed file(s) with 2 addition(s) and 1 deletion(s).
971971
972972 name = ngx_resolver_dup(r, rn->name, rn->nlen);
973973 if (name == NULL) {
974 goto failed;
974 ngx_resolver_free(r, ctx);
975 return NGX_ERROR;
975976 }
976977
977978 ctx->name.len = rn->nlen;
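Review bot: the `name == NULL` branch should carry a short comment saying why it calls `ngx_resolver_free(r, ctx)` and returns `NGX_ERROR` directly rather than using `goto failed` as before. Per the commit message, the node `rn` is still linked in expire_queue at this point and must stay intact; without that stated next to the code, a later cleanup that folds this branch back into the shared label would reintroduce the use-after-free. The `failed` label itself is outside this hunk, so it is also worth confirming in review that freeing `ctx` is the only part of that path this branch still needs, and that no other early exit reaches `failed` with a node that is still queued.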