Commit e3f66e16 authored by Mark Andrews's avatar Mark Andrews

2124. [bug] It was possible to dereference a freed fetch

                        context. [RT #16584]
parent edf8e792
2124. [bug] It was possible to dereference a freed fetch
context. [RT #16584]
--- 9.5.0a1 released ---
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: resolver.c,v 1.337 2006/12/07 06:47:36 marka Exp $ */
/* $Id: resolver.c,v 1.338 2007/01/04 04:11:03 marka Exp $ */
/*! \file */
......@@ -223,6 +223,11 @@ struct fetchctx {
dns_name_t nsname;
dns_fetch_t * nsfetch;
dns_rdataset_t nsrrset;
/*%
* Number of queries that reference this context.
*/
unsigned int nqueries;
};
#define FCTX_MAGIC ISC_MAGIC('F', '!', '!', '!')
......@@ -362,6 +367,7 @@ static isc_result_t ncache_adderesult(dns_message_t *message,
dns_rdataset_t *ardataset,
isc_result_t *eresultp);
static void validated(isc_task_t *task, isc_event_t *event);
static void maybe_destroy(fetchctx_t *fctx);
static isc_result_t
valcreate(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo, dns_name_t *name,
......@@ -528,6 +534,9 @@ resquery_destroy(resquery_t **queryp) {
INSIST(query->tcpsocket == NULL);
query->fctx->nqueries--;
if (SHUTTINGDOWN(query->fctx))
maybe_destroy(query->fctx); /* Locks bucket. */
query->magic = 0;
isc_mem_put(query->mctx, query, sizeof(*query));
*queryp = NULL;
......@@ -1180,6 +1189,7 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
}
ISC_LIST_APPEND(fctx->queries, query, link);
query->fctx->nqueries++;
return (ISC_R_SUCCESS);
......@@ -1720,7 +1730,7 @@ fctx_finddone(isc_task_t *task, isc_event_t *event) {
want_done = ISC_TRUE;
}
} else if (SHUTTINGDOWN(fctx) && fctx->pending == 0 &&
ISC_LIST_EMPTY(fctx->validators)) {
fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators)) {
bucketnum = fctx->bucketnum;
LOCK(&res->buckets[bucketnum].lock);
/*
......@@ -2550,8 +2560,8 @@ fctx_destroy(fetchctx_t *fctx) {
REQUIRE(ISC_LIST_EMPTY(fctx->finds));
REQUIRE(ISC_LIST_EMPTY(fctx->altfinds));
REQUIRE(fctx->pending == 0);
REQUIRE(ISC_LIST_EMPTY(fctx->validators));
REQUIRE(fctx->references == 0);
REQUIRE(ISC_LIST_EMPTY(fctx->validators));
FCTXTRACE("destroy");
......@@ -2741,7 +2751,7 @@ fctx_doshutdown(isc_task_t *task, isc_event_t *event) {
}
if (fctx->references == 0 && fctx->pending == 0 &&
ISC_LIST_EMPTY(fctx->validators))
fctx->nqueries == 0 && ISC_LIST_EMPTY(fctx->validators))
bucket_empty = fctx_destroy(fctx);
UNLOCK(&res->buckets[bucketnum].lock);
......@@ -2782,6 +2792,7 @@ fctx_start(isc_task_t *task, isc_event_t *event) {
* pending ADB finds and no pending validations.
*/
INSIST(fctx->pending == 0);
INSIST(fctx->nqueries == 0);
INSIST(ISC_LIST_EMPTY(fctx->validators));
if (fctx->references == 0) {
/*
......@@ -2948,6 +2959,7 @@ fctx_create(dns_resolver_t *res, dns_name_t *name, dns_rdatatype_t type,
fctx->timeouts = 0;
fctx->attributes = 0;
fctx->spilled = ISC_FALSE;
fctx->nqueries = 0;
dns_name_init(&fctx->nsname, NULL);
fctx->nsfetch = NULL;
......@@ -3281,7 +3293,8 @@ maybe_destroy(fetchctx_t *fctx) {
REQUIRE(SHUTTINGDOWN(fctx));
if (fctx->pending != 0 || !ISC_LIST_EMPTY(fctx->validators))
if (fctx->pending != 0 || fctx->nqueries != 0 ||
!ISC_LIST_EMPTY(fctx->validators))
return;
bucketnum = fctx->bucketnum;
......@@ -6728,7 +6741,8 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {
/*
* No one cares about the result of this fetch anymore.
*/
if (fctx->pending == 0 && ISC_LIST_EMPTY(fctx->validators) &&
if (fctx->pending == 0 && fctx->nqueries == 0 &&
ISC_LIST_EMPTY(fctx->validators) &&
SHUTTINGDOWN(fctx)) {
/*
* This fctx is already shutdown; we were just
......
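Review bot: fctx_destroy (hunk at @@ -2550,8 +2560,8 @@) still asserts pending == 0, references == 0 and an empty validators list but not the new counter, so a query that outlives its context would not be caught at the one place where the freed-fetch-context bug actually manifests; add `REQUIRE(fctx->nqueries == 0);` next to the other REQUIREs, matching the `INSIST(fctx->nqueries == 0);` this commit adds to fctx_start. That hunk shows only part of fctx_destroy's precondition block, so the check may already exist outside it. Separately, in resquery_destroy the `/* Locks bucket. */` remark on the maybe_destroy() call implies two constraints the function's contract does not state: the caller must not hold the bucket lock, and query->fctx may be freed once the call returns, which is why the remaining lines touch only query fields. A comment on that line such as `/* fctx may be destroyed here; touch only query below. */` would make both constraints explicit to future callers.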