nginxtra 1.8.0.11 → 1.8.1.12

data/lib/nginxtra/version.rb

@@ -2,11 +2,11 @@ module Nginxtra
   class Version
     class << self
       def to_a
-        to_s.split(".").map &:to_i
+        to_s.split(".").map(&:to_i)
       end
 
       def to_s
-        "1.8.0.11"
+        "1.8.1.12"
       end
     end
   end

data/templates/partials/nginx.conf/rails.rb

@@ -1,11 +1,11 @@
 rails_server = yield(:server) || :passenger
 ssl_details = yield :ssl
 
-if ssl_details
-  default_port = 443
-else
-  default_port = 80
-end
+default_port = if ssl_details
+                 443
+               else
+                 80
+               end
 
 if rails_server == :passenger && !@passenger_requirements_done
   @config.require_passenger!

data/vendor/nginx/CHANGES

@@ -1,4 +1,51 @@
 
+Changes with nginx 1.8.1                                         26 Jan 2016
+
+    *) Security: invalid pointer dereference might occur during DNS server
+       response processing if the "resolver" directive was used, allowing an
+       attacker who is able to forge UDP packets from the DNS server to
+       cause segmentation fault in a worker process (CVE-2016-0742).
+
+    *) Security: use-after-free condition might occur during CNAME response
+       processing if the "resolver" directive was used, allowing an attacker
+       who is able to trigger name resolution to cause segmentation fault in
+       a worker process, or might have potential other impact
+       (CVE-2016-0746).
+
+    *) Security: CNAME resolution was insufficiently limited if the
+       "resolver" directive was used, allowing an attacker who is able to
+       trigger arbitrary name resolution to cause excessive resource
+       consumption in worker processes (CVE-2016-0747).
+
+    *) Bugfix: the "proxy_protocol" parameter of the "listen" directive did
+       not work if not specified in the first "listen" directive for a
+       listen socket.
+
+    *) Bugfix: nginx might fail to start on some old Linux variants; the bug
+       had appeared in 1.7.11.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if the
+       "try_files" and "alias" directives were used inside a location given
+       by a regular expression; the bug had appeared in 1.7.1.
+
+    *) Bugfix: the "try_files" directive inside a nested location given by a
+       regular expression worked incorrectly if the "alias" directive was
+       used in the outer location.
+
+    *) Bugfix: "header already sent" alerts might appear in logs when using
+       cache; the bug had appeared in 1.7.5.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if
+       different ssl_session_cache settings were used in different virtual
+       servers.
+
+    *) Bugfix: the "expires" directive might not work when using variables.
+
+    *) Bugfix: if nginx was built with the ngx_http_spdy_module it was
+       possible to use the SPDY protocol even if the "spdy" parameter of the
+       "listen" directive was not specified.
+
+
 Changes with nginx 1.8.0                                         21 Apr 2015
 
     *) 1.8.x stable branch.

data/vendor/nginx/CHANGES.ru

@@ -1,4 +1,56 @@
 
+Изменения в nginx 1.8.1                                           26.01.2016
+
+    *) Безопасность: при использовании директивы resolver во время обработки
+       ответов DNS-сервера могло происходить разыменование некорректного
+       адреса, что позволяло атакующему, имеющему возможность подделывать
+       UDP-пакеты от DNS-сервера, вызвать segmentation fault в рабочем
+       процессе (CVE-2016-0742).
+
+    *) Безопасность: при использовании директивы resolver во время обработки
+       CNAME-записей могло произойти обращение к ранее освобождённой памяти,
+       что позволяло атакующему, имеющему возможность инициировать
+       преобразование произвольных имён в адреса, вызвать segmentation fault
+       в рабочем процессе, а также потенциально могло иметь другие
+       последствия (CVE-2016-0746).
+
+    *) Безопасность: при использовании директивы resolver во время обработки
+       CNAME-записей не во всех случаях проверялось ограничение на
+       максимальное количество записей в цепочке, что позволяло атакующему,
+       имеющему возможность инициировать преобразование произвольных имён в
+       адреса, вызвать чрезмерное потребление ресурсов рабочими процессами
+       (CVE-2016-0747).
+
+    *) Исправление: параметр proxy_protocol директивы listen не работал,
+       если не был указан в первой директиве listen для данного
+       listen-сокета.
+
+    *) Исправление: nginx мог не запускаться на некоторых старых версиях
+       Linux; ошибка появилась в 1.7.11.
+
+    *) Исправление: при совместном использовании директив try_files и alias
+       внутри location'а, заданного регулярным выражением, в рабочем
+       процессе мог произойти segmentation fault; ошибка появилась в 1.7.1.
+
+    *) Исправление: директива try_files внутри вложенного location'а,
+       заданного регулярным выражением, работала неправильно, если во
+       внешнем location'е использовалась директива alias.
+
+    *) Исправление: при использовании кэша в логах могли появляться
+       сообщения "header already sent"; ошибка появилась в 1.7.5.
+
+    *) Исправление: при использовании различных настроек ssl_session_cache в
+       разных виртуальных серверах в рабочем процессе мог произойти
+       segmentation fault.
+
+    *) Исправление: директива expires могла не срабатывать при использовании
+       переменных.
+
+    *) Исправление: если nginx был собран с модулем ngx_http_spdy_module,
+       протокол SPDY мог быть использован клиентом, даже если не был указан
+       параметр spdy директивы listen.
+
+
 Изменения в nginx 1.8.0                                           21.04.2015
 
     *) Стабильная ветка 1.8.x.

data/vendor/nginx/src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1008000
-#define NGINX_VERSION      "1.8.0"
+#define nginx_version      1008001
+#define NGINX_VERSION      "1.8.1"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

data/vendor/nginx/src/core/ngx_parse.c

@@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint_t is_sec)
             break;
 
         case 'm':
-            if (*p == 's') {
+            if (p < last && *p == 's') {
                 if (is_sec || step >= st_msec) {
                     return NGX_ERROR;
                 }

data/vendor/nginx/src/core/ngx_resolver.c

@@ -59,15 +59,15 @@ ngx_int_t ngx_udp_connect(ngx_udp_connection_t *uc);
 static void ngx_resolver_cleanup(void *data);
 static void ngx_resolver_cleanup_tree(ngx_resolver_t *r, ngx_rbtree_t *tree);
 static ngx_int_t ngx_resolve_name_locked(ngx_resolver_t *r,
-    ngx_resolver_ctx_t *ctx);
+    ngx_resolver_ctx_t *ctx, ngx_str_t *name);
 static void ngx_resolver_expire(ngx_resolver_t *r, ngx_rbtree_t *tree,
     ngx_queue_t *queue);
 static ngx_int_t ngx_resolver_send_query(ngx_resolver_t *r,
     ngx_resolver_node_t *rn);
-static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_node_t *rn,
-    ngx_resolver_ctx_t *ctx);
-static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_node_t *rn,
-    ngx_resolver_ctx_t *ctx);
+static ngx_int_t ngx_resolver_create_name_query(ngx_resolver_t *r,
+    ngx_resolver_node_t *rn, ngx_str_t *name);
+static ngx_int_t ngx_resolver_create_addr_query(ngx_resolver_t *r,
+    ngx_resolver_node_t *rn, ngx_addr_t *addr);
 static void ngx_resolver_resend_handler(ngx_event_t *ev);
 static time_t ngx_resolver_resend(ngx_resolver_t *r, ngx_rbtree_t *tree,
     ngx_queue_t *queue);
@@ -375,7 +375,7 @@ ngx_resolve_name(ngx_resolver_ctx_t *ctx)
 
     /* lock name mutex */
 
-    rc = ngx_resolve_name_locked(r, ctx);
+    rc = ngx_resolve_name_locked(r, ctx, &ctx->name);
 
     if (rc == NGX_OK) {
         return NGX_OK;
@@ -402,7 +402,6 @@ ngx_resolve_name(ngx_resolver_ctx_t *ctx)
 void
 ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
 {
-    uint32_t              hash;
     ngx_resolver_t       *r;
     ngx_resolver_ctx_t   *w, **p;
     ngx_resolver_node_t  *rn;
@@ -422,11 +421,9 @@ ngx_resolve_name_done(ngx_resolver_ctx_t *ctx)
 
     /* lock name mutex */
 
-    if (ctx->state == NGX_AGAIN) {
-
-        hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
+    if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
 
-        rn = ngx_resolver_lookup_name(r, &ctx->name, hash);
+        rn = ctx->node;
 
         if (rn) {
             p = &rn->waiting;
@@ -467,23 +464,28 @@ done:
 
 
 static ngx_int_t
-ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
+ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx,
+    ngx_str_t *name)
 {
     uint32_t              hash;
     ngx_int_t             rc;
+    ngx_str_t             cname;
     ngx_uint_t            naddrs;
     ngx_addr_t           *addrs;
-    ngx_resolver_ctx_t   *next;
+    ngx_resolver_ctx_t   *next, *last;
     ngx_resolver_node_t  *rn;
 
-    ngx_strlow(ctx->name.data, ctx->name.data, ctx->name.len);
+    ngx_strlow(name->data, name->data, name->len);
 
-    hash = ngx_crc32_short(ctx->name.data, ctx->name.len);
+    hash = ngx_crc32_short(name->data, name->len);
 
-    rn = ngx_resolver_lookup_name(r, &ctx->name, hash);
+    rn = ngx_resolver_lookup_name(r, name, hash);
 
     if (rn) {
 
+        /* ctx can be a list after NGX_RESOLVE_CNAME */
+        for (last = ctx; last->next; last = last->next);
+
         if (rn->valid >= ngx_time()) {
 
             ngx_log_debug0(NGX_LOG_DEBUG_CORE, r->log, 0, "resolve cached");
@@ -511,7 +513,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
                     }
                 }
 
-                ctx->next = rn->waiting;
+                last->next = rn->waiting;
                 rn->waiting = NULL;
 
                 /* unlock name mutex */
@@ -551,13 +553,13 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
 
             if (ctx->recursion++ < NGX_RESOLVER_MAX_RECURSION) {
 
-                ctx->name.len = rn->cnlen;
-                ctx->name.data = rn->u.cname;
+                cname.len = rn->cnlen;
+                cname.data = rn->u.cname;
 
-                return ngx_resolve_name_locked(r, ctx);
+                return ngx_resolve_name_locked(r, ctx, &cname);
             }
 
-            ctx->next = rn->waiting;
+            last->next = rn->waiting;
             rn->waiting = NULL;
 
             /* unlock name mutex */
@@ -576,10 +578,29 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
 
         if (rn->waiting) {
 
-            ctx->next = rn->waiting;
+            if (ctx->event == NULL) {
+                ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
+                if (ctx->event == NULL) {
+                    return NGX_ERROR;
+                }
+
+                ctx->event->handler = ngx_resolver_timeout_handler;
+                ctx->event->data = ctx;
+                ctx->event->log = r->log;
+                ctx->ident = -1;
+
+                ngx_add_timer(ctx->event, ctx->timeout);
+            }
+
+            last->next = rn->waiting;
             rn->waiting = ctx;
             ctx->state = NGX_AGAIN;
 
+            do {
+                ctx->node = rn;
+                ctx = ctx->next;
+            } while (ctx);
+
             return NGX_AGAIN;
         }
 
@@ -618,14 +639,14 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
             return NGX_ERROR;
         }
 
-        rn->name = ngx_resolver_dup(r, ctx->name.data, ctx->name.len);
+        rn->name = ngx_resolver_dup(r, name->data, name->len);
         if (rn->name == NULL) {
             ngx_resolver_free(r, rn);
             return NGX_ERROR;
         }
 
         rn->node.key = hash;
-        rn->nlen = (u_short) ctx->name.len;
+        rn->nlen = (u_short) name->len;
         rn->query = NULL;
 #if (NGX_HAVE_INET6)
         rn->query6 = NULL;
@@ -634,7 +655,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
         ngx_rbtree_insert(&r->name_rbtree, &rn->node);
     }
 
-    rc = ngx_resolver_create_name_query(rn, ctx);
+    rc = ngx_resolver_create_name_query(r, rn, name);
 
     if (rc == NGX_ERROR) {
         goto failed;
@@ -647,8 +668,14 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
         ngx_resolver_free(r, rn->name);
         ngx_resolver_free(r, rn);
 
-        ctx->state = NGX_RESOLVE_NXDOMAIN;
-        ctx->handler(ctx);
+        do {
+            ctx->state = NGX_RESOLVE_NXDOMAIN;
+            next = ctx->next;
+
+            ctx->handler(ctx);
+
+            ctx = next;
+        } while (ctx);
 
         return NGX_OK;
     }
@@ -669,9 +696,9 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
         }
 
         ctx->event->handler = ngx_resolver_timeout_handler;
-        ctx->event->data = rn;
+        ctx->event->data = ctx;
         ctx->event->log = r->log;
-        rn->ident = -1;
+        ctx->ident = -1;
 
         ngx_add_timer(ctx->event, ctx->timeout);
     }
@@ -692,6 +719,11 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx)
 
     ctx->state = NGX_AGAIN;
 
+    do {
+        ctx->node = rn;
+        ctx = ctx->next;
+    } while (ctx);
+
     return NGX_AGAIN;
 
 failed:
@@ -799,9 +831,22 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
 
         if (rn->waiting) {
 
+            ctx->event = ngx_resolver_calloc(r, sizeof(ngx_event_t));
+            if (ctx->event == NULL) {
+                return NGX_ERROR;
+            }
+
+            ctx->event->handler = ngx_resolver_timeout_handler;
+            ctx->event->data = ctx;
+            ctx->event->log = r->log;
+            ctx->ident = -1;
+
+            ngx_add_timer(ctx->event, ctx->timeout);
+
             ctx->next = rn->waiting;
             rn->waiting = ctx;
             ctx->state = NGX_AGAIN;
+            ctx->node = rn;
 
             /* unlock addr mutex */
 
@@ -843,7 +888,7 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
         ngx_rbtree_insert(tree, &rn->node);
     }
 
-    if (ngx_resolver_create_addr_query(rn, ctx) != NGX_OK) {
+    if (ngx_resolver_create_addr_query(r, rn, &ctx->addr) != NGX_OK) {
         goto failed;
     }
 
@@ -862,9 +907,9 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
     }
 
     ctx->event->handler = ngx_resolver_timeout_handler;
-    ctx->event->data = rn;
+    ctx->event->data = ctx;
     ctx->event->log = r->log;
-    rn->ident = -1;
+    ctx->ident = -1;
 
     ngx_add_timer(ctx->event, ctx->timeout);
 
@@ -887,6 +932,7 @@ ngx_resolve_addr(ngx_resolver_ctx_t *ctx)
     /* unlock addr mutex */
 
     ctx->state = NGX_AGAIN;
+    ctx->node = rn;
 
     return NGX_OK;
 
@@ -917,17 +963,11 @@ failed:
 void
 ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
 {
-    in_addr_t             addr;
     ngx_queue_t          *expire_queue;
     ngx_rbtree_t         *tree;
     ngx_resolver_t       *r;
     ngx_resolver_ctx_t   *w, **p;
-    struct sockaddr_in   *sin;
     ngx_resolver_node_t  *rn;
-#if (NGX_HAVE_INET6)
-    uint32_t              hash;
-    struct sockaddr_in6  *sin6;
-#endif
 
     r = ctx->resolver;
 
@@ -954,23 +994,9 @@ ngx_resolve_addr_done(ngx_resolver_ctx_t *ctx)
 
     /* lock addr mutex */
 
-    if (ctx->state == NGX_AGAIN) {
+    if (ctx->state == NGX_AGAIN || ctx->state == NGX_RESOLVE_TIMEDOUT) {
 
-        switch (ctx->addr.sockaddr->sa_family) {
-
-#if (NGX_HAVE_INET6)
-        case AF_INET6:
-            sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr;
-            hash = ngx_crc32_short(sin6->sin6_addr.s6_addr, 16);
-            rn = ngx_resolver_lookup_addr6(r, &sin6->sin6_addr, hash);
-            break;
-#endif
-
-        default: /* AF_INET */
-            sin = (struct sockaddr_in *) ctx->addr.sockaddr;
-            addr = ntohl(sin->sin_addr.s_addr);
-            rn = ngx_resolver_lookup_addr(r, addr);
-        }
+        rn = ctx->node;
 
         if (rn) {
             p = &rn->waiting;
@@ -1292,7 +1318,7 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_char *buf, size_t n)
         times = 0;
 
         for (q = ngx_queue_head(&r->name_resend_queue);
-             q != ngx_queue_sentinel(&r->name_resend_queue) || times++ < 100;
+             q != ngx_queue_sentinel(&r->name_resend_queue) && times++ < 100;
              q = ngx_queue_next(q))
         {
             rn = ngx_queue_data(q, ngx_resolver_node_t, queue);
@@ -1955,20 +1981,39 @@ ngx_resolver_process_a(ngx_resolver_t *r, u_char *buf, size_t last,
 
         ngx_queue_insert_head(&r->name_expire_queue, &rn->queue);
 
+        ngx_resolver_free(r, rn->query);
+        rn->query = NULL;
+#if (NGX_HAVE_INET6)
+        rn->query6 = NULL;
+#endif
+
         ctx = rn->waiting;
         rn->waiting = NULL;
 
         if (ctx) {
-            ctx->name = name;
 
-            (void) ngx_resolve_name_locked(r, ctx);
-        }
+            if (ctx->recursion++ >= NGX_RESOLVER_MAX_RECURSION) {
 
-        ngx_resolver_free(r, rn->query);
-        rn->query = NULL;
-#if (NGX_HAVE_INET6)
-        rn->query6 = NULL;
-#endif
+                /* unlock name mutex */
+
+                do {
+                    ctx->state = NGX_RESOLVE_NXDOMAIN;
+                    next = ctx->next;
+
+                    ctx->handler(ctx);
+
+                    ctx = next;
+                } while (ctx);
+
+                return;
+            }
+
+            for (next = ctx; next; next = next->next) {
+                next->node = NULL;
+            }
+
+            (void) ngx_resolve_name_locked(r, ctx, &name);
+        }
 
         /* unlock name mutex */
 
@@ -2476,27 +2521,23 @@ ngx_resolver_rbtree_insert_addr6_value(ngx_rbtree_node_t *temp,
 
 
 static ngx_int_t
-ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
+ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
+    ngx_str_t *name)
 {
     u_char              *p, *s;
     size_t               len, nlen;
     ngx_uint_t           ident;
-#if (NGX_HAVE_INET6)
-    ngx_resolver_t      *r;
-#endif
     ngx_resolver_qs_t   *qs;
     ngx_resolver_hdr_t  *query;
 
-    nlen = ctx->name.len ? (1 + ctx->name.len + 1) : 1;
+    nlen = name->len ? (1 + name->len + 1) : 1;
 
     len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t);
 
 #if (NGX_HAVE_INET6)
-    r = ctx->resolver;
-
-    p = ngx_resolver_alloc(ctx->resolver, r->ipv6 ? len * 2 : len);
+    p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len);
 #else
-    p = ngx_resolver_alloc(ctx->resolver, len);
+    p = ngx_resolver_alloc(r, len);
 #endif
     if (p == NULL) {
         return NGX_ERROR;
@@ -2515,8 +2556,8 @@ ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
 
     ident = ngx_random();
 
-    ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0,
-                   "resolve: \"%V\" A %i", &ctx->name, ident & 0xffff);
+    ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
+                   "resolve: \"%V\" A %i", name, ident & 0xffff);
 
     query->ident_hi = (u_char) ((ident >> 8) & 0xff);
     query->ident_lo = (u_char) (ident & 0xff);
@@ -2546,11 +2587,11 @@ ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
     p--;
     *p-- = '\0';
 
-    if (ctx->name.len == 0)  {
+    if (name->len == 0)  {
         return NGX_DECLINED;
     }
 
-    for (s = ctx->name.data + ctx->name.len - 1; s >= ctx->name.data; s--) {
+    for (s = name->data + name->len - 1; s >= name->data; s--) {
         if (*s != '.') {
             *p = *s;
             len++;
@@ -2586,8 +2627,8 @@ ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
 
     ident = ngx_random();
 
-    ngx_log_debug2(NGX_LOG_DEBUG_CORE, ctx->resolver->log, 0,
-                   "resolve: \"%V\" AAAA %i", &ctx->name, ident & 0xffff);
+    ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
+                   "resolve: \"%V\" AAAA %i", name, ident & 0xffff);
 
     query->ident_hi = (u_char) ((ident >> 8) & 0xff);
     query->ident_lo = (u_char) (ident & 0xff);
@@ -2604,11 +2645,12 @@ ngx_resolver_create_name_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
 
 
 static ngx_int_t
-ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
+ngx_resolver_create_addr_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
+    ngx_addr_t *addr)
 {
     u_char               *p, *d;
     size_t                len;
-    in_addr_t             addr;
+    in_addr_t             inaddr;
     ngx_int_t             n;
     ngx_uint_t            ident;
     ngx_resolver_hdr_t   *query;
@@ -2617,7 +2659,7 @@ ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
     struct sockaddr_in6  *sin6;
 #endif
 
-    switch (ctx->addr.sockaddr->sa_family) {
+    switch (addr->sockaddr->sa_family) {
 
 #if (NGX_HAVE_INET6)
     case AF_INET6:
@@ -2634,7 +2676,7 @@ ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
               + sizeof(ngx_resolver_qs_t);
     }
 
-    p = ngx_resolver_alloc(ctx->resolver, len);
+    p = ngx_resolver_alloc(r, len);
     if (p == NULL) {
         return NGX_ERROR;
     }
@@ -2658,11 +2700,11 @@ ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
 
     p += sizeof(ngx_resolver_hdr_t);
 
-    switch (ctx->addr.sockaddr->sa_family) {
+    switch (addr->sockaddr->sa_family) {
 
 #if (NGX_HAVE_INET6)
     case AF_INET6:
-        sin6 = (struct sockaddr_in6 *) ctx->addr.sockaddr;
+        sin6 = (struct sockaddr_in6 *) addr->sockaddr;
 
         for (n = 15; n >= 0; n--) {
             p = ngx_sprintf(p, "\1%xd\1%xd",
@@ -2677,11 +2719,11 @@ ngx_resolver_create_addr_query(ngx_resolver_node_t *rn, ngx_resolver_ctx_t *ctx)
 
     default: /* AF_INET */
 
-        sin = (struct sockaddr_in *) ctx->addr.sockaddr;
-        addr = ntohl(sin->sin_addr.s_addr);
+        sin = (struct sockaddr_in *) addr->sockaddr;
+        inaddr = ntohl(sin->sin_addr.s_addr);
 
         for (n = 0; n < 32; n += 8) {
-            d = ngx_sprintf(&p[1], "%ud", (addr >> n) & 0xff);
+            d = ngx_sprintf(&p[1], "%ud", (inaddr >> n) & 0xff);
             *p = (u_char) (d - &p[1]);
             p = d;
         }
@@ -2795,21 +2837,13 @@ done:
 static void
 ngx_resolver_timeout_handler(ngx_event_t *ev)
 {
-    ngx_resolver_ctx_t   *ctx, *next;
-    ngx_resolver_node_t  *rn;
+    ngx_resolver_ctx_t  *ctx;
 
-    rn = ev->data;
-    ctx = rn->waiting;
-    rn->waiting = NULL;
+    ctx = ev->data;
 
-    do {
-        ctx->state = NGX_RESOLVE_TIMEDOUT;
-        next = ctx->next;
-
-        ctx->handler(ctx);
+    ctx->state = NGX_RESOLVE_TIMEDOUT;
 
-        ctx = next;
-    } while (ctx);
+    ctx->handler(ctx);
 }