bugfix: fixed double free issues in the new init_cycle_pool_release patch for the nginx core.

This commit is contained in:
Yichun Zhang (agentzh) 2017-12-17 00:03:29 -08:00
parent f721f66b4e
commit 84734aa1f9
1 changed files with 30 additions and 15 deletions

View File

@ -1,7 +1,7 @@
diff -ur nginx-1.13.6/src/core/nginx.c nginx-1.13.6-patched/src/core/nginx.c
--- nginx-1.13.6/src/core/nginx.c 2017-12-16 12:04:13.923270925 -0800
+++ nginx-1.13.6-patched/src/core/nginx.c 2017-12-16 12:03:55.013934545 -0800
@@ -198,6 +198,7 @@
diff -rup nginx-1.13.6/src/core/nginx.c nginx-1.13.6-patched/src/core/nginx.c
--- nginx-1.13.6/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800
+++ nginx-1.13.6-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800
@@ -186,6 +186,7 @@ static u_char *ngx_prefix;
static u_char *ngx_conf_file;
static u_char *ngx_conf_params;
static char *ngx_signal;
@ -9,7 +9,7 @@ diff -ur nginx-1.13.6/src/core/nginx.c nginx-1.13.6-patched/src/core/nginx.c
static char **ngx_os_environ;
@@ -265,6 +266,8 @@
@@ -253,6 +254,8 @@ main(int argc, char *const *argv)
return 1;
}
@ -18,27 +18,42 @@ diff -ur nginx-1.13.6/src/core/nginx.c nginx-1.13.6-patched/src/core/nginx.c
if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
return 1;
}
diff -ur nginx-1.13.6/src/core/ngx_core.h nginx-1.13.6-patched/src/core/ngx_core.h
diff -rup nginx-1.13.6/src/core/ngx_core.h nginx-1.13.6-patched/src/core/ngx_core.h
--- nginx-1.13.6/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.13.6-patched/src/core/ngx_core.h 2017-12-16 12:03:55.013934545 -0800
@@ -108,4 +108,6 @@
+++ nginx-1.13.6-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800
@@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
#define NGX_DISABLE_SYMLINKS_NOTOWNER 2
#endif
+extern ngx_pool_t *saved_init_cycle_pool;
+
#endif /* _NGX_CORE_H_INCLUDED_ */
diff -ur nginx-1.13.6/src/os/unix/ngx_process_cycle.c nginx-1.13.6-patched/src/os/unix/ngx_process_cycle.c
--- nginx-1.13.6/src/os/unix/ngx_process_cycle.c 2017-12-16 12:04:13.901271675 -0800
+++ nginx-1.13.6-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 12:03:55.027933951 -0800
@@ -785,6 +785,10 @@
diff -rup nginx-1.13.6/src/core/ngx_cycle.c nginx-1.13.6-patched/src/core/ngx_cycle.c
--- nginx-1.13.6/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700
+++ nginx-1.13.6-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800
@@ -748,6 +748,10 @@ old_shm_zone_done:
ngx_destroy_pool(cycle->pool);
if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
+ if (ngx_is_init_cycle(old_cycle)) {
+ saved_init_cycle_pool = NULL;
+ }
+
ngx_destroy_pool(old_cycle->pool);
cycle->old_cycle = NULL;
diff -rup nginx-1.13.6/src/os/unix/ngx_process_cycle.c nginx-1.13.6-patched/src/os/unix/ngx_process_cycle.c
--- nginx-1.13.6/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800
+++ nginx-1.13.6-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800
@@ -783,6 +783,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
ngx_exit_cycle.files_n = ngx_cycle->files_n;
ngx_cycle = &ngx_exit_cycle;
+ if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) {
+ ngx_destroy_pool(saved_init_cycle_pool);
+ saved_init_cycle_pool = NULL;
+ }
+
exit(0);
}
ngx_destroy_pool(cycle->pool);
exit(0);