diff options
author | Andrey Suvorov <a.suvorov@f5.com> | 2021-05-17 14:28:38 -0700 |
---|---|---|
committer | Andrey Suvorov <a.suvorov@f5.com> | 2021-05-17 14:28:38 -0700 |
commit | 19dfeba86b9dda6f1960ba9b3dba4708565d27ad (patch) | |
tree | 416fa0e00149f6eb25b073d51f9ef868671c2d9b /src | |
parent | 1198118b3b987930c508d78d90af909eec1835db (diff) | |
download | unit-19dfeba86b9dda6f1960ba9b3dba4708565d27ad.tar.gz unit-19dfeba86b9dda6f1960ba9b3dba4708565d27ad.tar.bz2 |
Fixing a crash after applying the wrong TLS configuration.
When an invalid TLS configuration is applied (such as the conf_commands
feature), nxt_cert_store_get() creates a buffer to send a certificate request
to the main process and adds its default completion handler to an asynchronous
queue to free the allocated buffer. However, if configuration fails,
nxt_router_conf_error() removes the memory pool used to allocate the buffer,
causing a crash when the completion handler is dispatched.
Assertion "src/nxt_buf.c:208 assertion failed: data == b->parent" is triggered
when is NXT_DEBUG enabled in the configure script.
This patch uses a reference counter to retain the memory pool and redefines the
completion handler to free the buffer before releasing the memory pool.
Diffstat (limited to 'src')
-rw-r--r-- | src/nxt_cert.c | 19 | ||||
-rw-r--r-- | src/nxt_router.c | 6 |
2 files changed, 22 insertions, 3 deletions
diff --git a/src/nxt_cert.c b/src/nxt_cert.c index 3cdb69c1..1806bc19 100644 --- a/src/nxt_cert.c +++ b/src/nxt_cert.c @@ -48,6 +48,7 @@ static nxt_conf_value_t *nxt_cert_name_details(nxt_mp_t *mp, X509 *x509, nxt_bool_t issuer); static nxt_conf_value_t *nxt_cert_alt_names_details(nxt_mp_t *mp, STACK_OF(GENERAL_NAME) *alt_names); +static void nxt_cert_buf_completion(nxt_task_t *task, void *obj, void *data); static nxt_lvlhsh_t nxt_cert_info; @@ -1073,6 +1074,9 @@ nxt_cert_store_get(nxt_task_t *task, nxt_str_t *name, nxt_mp_t *mp, goto fail; } + nxt_mp_retain(mp); + b->completion_handler = nxt_cert_buf_completion; + nxt_buf_cpystr(b, name); *b->mem.free++ = '\0'; @@ -1102,6 +1106,21 @@ fail: } +static void +nxt_cert_buf_completion(nxt_task_t *task, void *obj, void *data) +{ + nxt_mp_t *mp; + nxt_buf_t *b; + + b = obj; + mp = b->data; + nxt_assert(b->next == NULL); + + nxt_mp_free(mp, b); + nxt_mp_release(mp); +} + + void nxt_cert_store_get_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg) { diff --git a/src/nxt_router.c b/src/nxt_router.c index da38aac0..2bbe87b8 100644 --- a/src/nxt_router.c +++ b/src/nxt_router.c @@ -773,7 +773,7 @@ fail: msg->port_msg.stream, 0, NULL); if (tmcf != NULL) { - nxt_mp_destroy(tmcf->mem_pool); + nxt_mp_release(tmcf->mem_pool); } cleanup: @@ -1061,7 +1061,7 @@ nxt_router_conf_ready(nxt_task_t *task, nxt_router_temp_conf_t *tmcf) nxt_mp_destroy(rtcf->mem_pool); } - nxt_mp_destroy(tmcf->mem_pool); + nxt_mp_release(tmcf->mem_pool); } @@ -1120,7 +1120,7 @@ nxt_router_conf_error(nxt_task_t *task, nxt_router_temp_conf_t *tmcf) nxt_router_conf_send(task, tmcf, NXT_PORT_MSG_RPC_ERROR); - nxt_mp_destroy(tmcf->mem_pool); + nxt_mp_release(tmcf->mem_pool); } |