From 5cd5ebf592e4ff39336a218ac5206f913adebde1 Mon Sep 17 00:00:00 2001
From: Dmitry Volyntsev
Date: Mon, 20 Apr 2026 18:47:05 -0700
Subject: [PATCH] Fixed allocator mismatch in drain/drop.

njs_chb_destroy() frees chain nodes through chain->free() and guards against a NULL free callback. njs_chb_drain() and the tail-freeing path of njs_chb_drop() called njs_mp_free() directly, which is wrong for chains initialized with NJS_CHB_CTX_INIT() where chain->free is js_free(), and unsafe for NGX_CHB_CTX_INIT() chains where chain->free is NULL. Both paths now route through chain->free() with the same NULL guard as njs_chb_destroy().
---
 src/njs_chb.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/src/njs_chb.c b/src/njs_chb.c
index ac88c0bd..e7bf7685 100644
--- a/src/njs_chb.c
+++ b/src/njs_chb.c
@@ -129,7 +129,10 @@ njs_chb_drain(njs_chb_t *chain, size_t drain)
 drain -= njs_chb_node_size(n);
 chain->nodes = n->next;
- njs_mp_free(chain->pool, n);
+ if (chain->free != NULL) {
+ chain->free(chain->pool, n);
+ }
+
 n = chain->nodes;
 }
@@ -184,7 +187,11 @@ njs_chb_drop(njs_chb_t *chain, size_t drop)
 while (n != NULL) {
 next = n->next;
- njs_mp_free(chain->pool, n);
+
+ if (chain->free != NULL) {
+ chain->free(chain->pool, n);
+ }
+
 n = next;
 }
 }
--
2.47.3
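Review bot: The NULL-guarded `chain->free(chain->pool, n)` call added in njs_chb_drain() is repeated verbatim in the tail-freeing loop of njs_chb_drop() (second hunk) and, per the commit message, already exists in njs_chb_destroy(). The bug fixed here came from those release paths drifting apart, so a single file-local helper holding the guard would keep every path on the chain's own allocator; the name `njs_chb_node_free` below is only a suggestion. Freeing a node through the wrong allocator is heap corruption rather than a leak, so the rest of src/njs_chb.c, which this diff does not show, should be checked for any remaining direct `njs_mp_free(chain->pool, ...)` calls. Both function bodies start and end outside the hunks.

```c
static void
njs_chb_node_free(njs_chb_t *chain, njs_chb_node_t *n)
{
    /* A NULL free callback means the chain does not release nodes itself. */
    if (chain->free != NULL) {
        chain->free(chain->pool, n);
    }
}

/* … unchanged: njs_chb_drain() up to the unlink of n … */
        chain->nodes = n->next;

        njs_chb_node_free(chain, n);

/* … unchanged: njs_chb_drop() up to the tail loop … */
            next = n->next;

            njs_chb_node_free(chain, n);
```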
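Review bot: When `chain->free` is NULL, the `while (n != NULL)` loop in njs_chb_drop() now unlinks the tail nodes without releasing them, and nothing at the call site says who reclaims that memory. If the contract is that such nodes belong to `chain->pool` and are released with it, a comment above the loop would record that, for example `/* chain->free == NULL: nodes stay with chain->pool and are reclaimed with it */`; this is inferred from the commit message and should be confirmed. The patch touches only src/njs_chb.c, so the fix has no test covering it. A unit test that drains and drops a chain whose free callback is not the pool's, run under AddressSanitizer, would pin the behaviour. njs_chb_drop() begins outside the hunk.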