[PATCH 07 of 10] From 71841dcedfdf46048ef5e25413fdf97a66957913 Mon Sep 17 00:00:00 2001

Maxim Dounin mdounin at mdounin.ru
Sun May 17 00:12:40 UTC 2026


# HG changeset patch
# User Roman Arutyunyan <arut at nginx.com>
# Date 1776768701 -14400
#      Tue Apr 21 14:51:41 2026 +0400
# Node ID 76599662afacdc5732fe33583cc7ed02716701a5
# Parent  01b1469ce96ce2927976ba4b9e9a532ae39de462
>From 71841dcedfdf46048ef5e25413fdf97a66957913 Mon Sep 17 00:00:00 2001
OCSP: resolve cleanup on connection close.

Previously, when a client SSL connection was terminated (typically due to a
timeout) while resolving an OCSP responder, the OCSP context was freed, but
the resolve context was not.  This resulted in use-after-free on resolve
completion.

Reported by Leo Lin.

Obtained from:
https://github.com/nginx/nginx/commit/71841dcedfdf46048ef5e25413fdf97a66957913

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -111,6 +111,7 @@ struct ngx_ssl_ocsp_ctx_s {
 
     ngx_resolver_t              *resolver;
     ngx_msec_t                   resolver_timeout;
+    ngx_resolver_ctx_t          *resolve;
 
     ngx_msec_t                   timeout;
 
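Review bot: The new `resolve` member has no comment, although the fix depends on its lifetime rule: it should be non-NULL only while a name resolution started by ngx_ssl_ocsp_request() is still outstanding. I would add something like `/* in-flight resolve context, NULL when none; released in ngx_ssl_ocsp_done() */` next to the field. The `if (ctx->resolve)` test added in ngx_ssl_ocsp_done() also assumes the structure is zero-filled when it is allocated; the allocation is outside this patch, so that is worth confirming. The struct body continues outside the hunk.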
@@ -1303,6 +1304,10 @@ ngx_ssl_ocsp_done(ngx_ssl_ocsp_ctx_t *ct
     ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0,
                    "ssl ocsp done");
 
+    if (ctx->resolve) {
+        ngx_resolve_name_done(ctx->resolve);
+    }
+
     if (ctx->peer.connection) {
         ngx_close_connection(ctx->peer.connection);
     }
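Review bot: `ctx->resolve` is left pointing at the released context after `ngx_resolve_name_done(ctx->resolve)` here, while both paths in ngx_ssl_ocsp_resolve_handler() reset it to NULL right after the same call. That is harmless only if nothing later in ngx_ssl_ocsp_done() or its callers reads the field again, which cannot be checked from this hunk because the function continues past it. Adding `ctx->resolve = NULL;` inside the `if` would keep the invariant uniform and ensure the resolve context is never released twice through this path.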
@@ -1395,7 +1400,10 @@ ngx_ssl_ocsp_request(ngx_ssl_ocsp_ctx_t 
         resolve->data = ctx;
         resolve->timeout = ctx->resolver_timeout;
 
+        ctx->resolve = resolve;
+
         if (ngx_resolve_name(resolve) != NGX_OK) {
+            ctx->resolve = NULL;
             ngx_ssl_ocsp_error(ctx);
             return;
         }
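Review bot: The placement of `ctx->resolve = resolve;` before ngx_resolve_name() and the reset to NULL on failure both look deliberate but are unexplained. The reset suggests ngx_resolve_name() has already released `resolve` when it returns an error, so the ngx_ssl_ocsp_error() path must not hand it to ngx_resolve_name_done() again; presumably the early assignment covers the handler running before ngx_resolve_name() returns. Neither is visible in this hunk, so short comments would help once confirmed against the resolver code, for example `/* set before ngx_resolve_name(): the handler may run synchronously */` and `/* resolve is released by ngx_resolve_name() on error */`. ngx_ssl_ocsp_request() starts and ends outside the hunk.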
@@ -1484,6 +1492,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolve
     }
 
     ngx_resolve_name_done(resolve);
+    ctx->resolve = NULL;
 
     ngx_ssl_ocsp_connect(ctx);
     return;
@@ -1491,6 +1500,8 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolve
 failed:
 
     ngx_resolve_name_done(resolve);
+    ctx->resolve = NULL;
+
     ngx_ssl_ocsp_error(ctx);
 }
 


