nginx.git, branch release-1.8.1 nginx nginx-1.8.1-RELEASE 2016-01-26T14:39:30+00:00 Maxim Dounin mdounin@mdounin.ru 2016-01-26T14:39:30+00:00 759af1a42404d87a2ba51dc94e902b7a5ea5491e 






Resolver: limited CNAME recursion.
2016-01-26T13:47:14+00:00

Ruslan Ermilov
ru@nginx.com

2016-01-26T13:47:14+00:00

13b6b5b9fd23f454eebdda215c8184cafc7baf52

Previously, the recursion was only limited for cached responses.





Previously, the recursion was only limited for cached responses.







Resolver: fixed use-after-free memory accesses with CNAME.
2016-01-26T13:46:59+00:00

Roman Arutyunyan
arut@nginx.com

2016-01-26T13:46:59+00:00

70f485cba630c4f8ed6b9f89370a2bc530e3c4a1

When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name.  This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from.  When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list.  This happened e.g. when the first request was aborted or timed
out before the resolving completed.  When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context.  The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.

When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname.  If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().

The fix is to keep ctx->name unmodified.  The name from context
is no longer used by ngx_resolve_name_done().  Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.





When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name.  This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from.  When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list.  This happened e.g. when the first request was aborted or timed
out before the resolving completed.  When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context.  The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.

When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname.  If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().

The fix is to keep ctx->name unmodified.  The name from context
is no longer used by ngx_resolve_name_done().  Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.







Resolver: changed the ngx_resolver_create_*_query() arguments.
2016-01-26T13:46:48+00:00

Roman Arutyunyan
arut@nginx.com

2016-01-26T13:46:48+00:00

5f37bd485f1f5e7d569e197e7eb341d0042a38f4

No functional changes.

This is needed by the following change.





No functional changes.

This is needed by the following change.







Resolver: fixed CNAME processing for several requests.
2016-01-26T13:46:38+00:00

Ruslan Ermilov
ru@nginx.com

2016-01-26T13:46:38+00:00

dd9cfd7345adb384a2cff7c281a592b213594f1d

When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.





When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.







Resolver: fixed crashes in timeout handler.
2016-01-26T13:46:31+00:00

Ruslan Ermilov
ru@nginx.com

2016-01-26T13:46:31+00:00

84ae282f938068fa5c09f7c157ea0086b2ab760b

If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.





If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.







Resolver: fixed possible segmentation fault on DNS format error.
2016-01-26T13:46:18+00:00

Roman Arutyunyan
arut@nginx.com

2016-01-26T13:46:18+00:00

717f65a5072d67e851c5e2f755eb7179a343c112












Updated OpenSSL and PCRE used for win32 builds.
2016-01-25T18:58:21+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-01-25T18:58:21+00:00

793b877e35ff52de7e6e2ff56768a9d1931d3562












SSL: only select SPDY using NPN if "spdy" is enabled.
2015-11-05T12:01:09+00:00

Valentin Bartenev
vbart@nginx.com

2015-11-05T12:01:09+00:00

43e9607fdf44d66a870db798f1e13031c7511679

OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using SPDY even if it wasn't
enabled in configuration.





OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using SPDY even if it wasn't
enabled in configuration.







Fixed ngx_parse_time() out of bounds access (ticket #821).
2015-10-30T18:43:30+00:00

Maxim Dounin
mdounin@mdounin.ru

2015-10-30T18:43:30+00:00

d4cd59c17b003dfbc121e48473dd2604e76c7fdf

The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.





The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.