Fixing a crash after applying the wrong TLS configuration.
When an invalid TLS configuration is applied (such as the conf_commands feature), nxt_cert_store_get() creates a buffer to send a certificate request to the main process and adds its default completion handler to an asynchronous queue to free the allocated buffer. However, if configuration fails, nxt_router_conf_error() removes the memory pool used to allocate the buffer, causing a crash when the completion handler is dispatched. Assertion "src/nxt_buf.c:208 assertion failed: data == b->parent" is triggered when is NXT_DEBUG enabled in the configure script. This patch uses a reference counter to retain the memory pool and redefines the completion handler to free the buffer before releasing the memory pool.
This commit is contained in:
Andrey Suvorov
@@ -48,6 +48,7 @@ static nxt_conf_value_t *nxt_cert_name_details(nxt_mp_t *mp, X509 *x509,
|
|||||||
nxt_bool_t issuer);
|
nxt_bool_t issuer);
|
||||||
static nxt_conf_value_t *nxt_cert_alt_names_details(nxt_mp_t *mp,
|
static nxt_conf_value_t *nxt_cert_alt_names_details(nxt_mp_t *mp,
|
||||||
STACK_OF(GENERAL_NAME) *alt_names);
|
STACK_OF(GENERAL_NAME) *alt_names);
|
||||||
|
static void nxt_cert_buf_completion(nxt_task_t *task, void *obj, void *data);
|
||||||
|
|
||||||
|
|
||||||
static nxt_lvlhsh_t nxt_cert_info;
|
static nxt_lvlhsh_t nxt_cert_info;
|
||||||
@@ -1073,6 +1074,9 @@ nxt_cert_store_get(nxt_task_t *task, nxt_str_t *name, nxt_mp_t *mp,
|
|||||||
goto fail;
|
goto fail;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
nxt_mp_retain(mp);
|
||||||
|
b->completion_handler = nxt_cert_buf_completion;
|
||||||
|
|
||||||
nxt_buf_cpystr(b, name);
|
nxt_buf_cpystr(b, name);
|
||||||
*b->mem.free++ = '\0';
|
*b->mem.free++ = '\0';
|
||||||
|
|
||||||
@@ -1102,6 +1106,21 @@ fail:
|
|||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
static void
|
||||||
|
nxt_cert_buf_completion(nxt_task_t *task, void *obj, void *data)
|
||||||
|
{
|
||||||
|
nxt_mp_t *mp;
|
||||||
|
nxt_buf_t *b;
|
||||||
|
|
||||||
|
b = obj;
|
||||||
|
mp = b->data;
|
||||||
|
nxt_assert(b->next == NULL);
|
||||||
|
|
||||||
|
nxt_mp_free(mp, b);
|
||||||
|
nxt_mp_release(mp);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
void
|
void
|
||||||
nxt_cert_store_get_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg)
|
nxt_cert_store_get_handler(nxt_task_t *task, nxt_port_recv_msg_t *msg)
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -773,7 +773,7 @@ fail:
|
|||||||
msg->port_msg.stream, 0, NULL);
|
msg->port_msg.stream, 0, NULL);
|
||||||
|
|
||||||
if (tmcf != NULL) {
|
if (tmcf != NULL) {
|
||||||
nxt_mp_destroy(tmcf->mem_pool);
|
nxt_mp_release(tmcf->mem_pool);
|
||||||
}
|
}
|
||||||
|
|
||||||
cleanup:
|
cleanup:
|
||||||
@@ -1061,7 +1061,7 @@ nxt_router_conf_ready(nxt_task_t *task, nxt_router_temp_conf_t *tmcf)
|
|||||||
nxt_mp_destroy(rtcf->mem_pool);
|
nxt_mp_destroy(rtcf->mem_pool);
|
||||||
}
|
}
|
||||||
|
|
||||||
nxt_mp_destroy(tmcf->mem_pool);
|
nxt_mp_release(tmcf->mem_pool);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
@@ -1120,7 +1120,7 @@ nxt_router_conf_error(nxt_task_t *task, nxt_router_temp_conf_t *tmcf)
|
|||||||
|
|
||||||
nxt_router_conf_send(task, tmcf, NXT_PORT_MSG_RPC_ERROR);
|
nxt_router_conf_send(task, tmcf, NXT_PORT_MSG_RPC_ERROR);
|
||||||
|
|
||||||
nxt_mp_destroy(tmcf->mem_pool);
|
nxt_mp_release(tmcf->mem_pool);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user