Possible memory leak in filter-aaaa.so
May be the same issue as seen in #1041 (closed)
Customer reports:
I've noticed the filter-aaaa plugin can (seemingly) leak memory if its internal type-A query is canceled (e.g., due to recursion quota). I've only confirmed it by applying the attached diff to quickly emulate the situation, but I believe that can happen without it.
With this diff, the corresponding "client_state" leaks since on resuming from recursion fetch_callback() returns query_error instead of query_resume (in which the filter-aaaa hook is called and the state is freed). You can see the leak on shutdown as an assertion failure:
02-Sep-2020 16:56:17.187 stopping command channel on 127.0.0.1#9053
02-Sep-2020 16:56:17.196 mem.c:1675: unexpected error:
02-Sep-2020 16:56:17.196 isc_mempool_destroy(): mempool leaked memory
02-Sep-2020 16:56:17.196 mem.c:1681: REQUIRE(mpctx->allocated == 0) failed, back trace
You may also want to consider it to be a sensitive (security) bug, because, if I understand it correctly, it could be triggered by someone who can send a AAAA query causing recursion and control the target zone (delaying answering the A queries while sending other queries so some of the A queries are canceled due to recursion quota). The attack wouldn't be easy, though.
diff --git a/bind-9.16/bin/plugins/filter-aaaa.c b/bind-9.16/bin/plugins/filter-aaaa.c
index e787b43..fee2847 100644
--- a/bind-9.16/bin/plugins/filter-aaaa.c
+++ b/bind-9.16/bin/plugins/filter-aaaa.c
@@ -790,6 +790,7 @@ filter_respond_begin(void *arg, void *cbdata, isc_result_t *resp) {
qctx->client->query.attributes |=
NS_QUERYATTR_RECURSING;
}
+ ns_query_cancel(qctx->client); /* XXX for testing */
}
} else if (qctx->qtype == dns_rdatatype_a &&
(client_state->flags & FILTER_AAAA_RECURSING) != 0)
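Review bot: the ns_query_cancel(qctx->client) call added at the end of the recursion branch of filter_respond_begin() is unconditional and marked /* XXX for testing */, so it cancels every query that reaches this point and has to stay a local reproduction aid rather than be merged. The change still missing is the cleanup itself: per the report, client_state is freed only on the query_resume path, so it also needs to be released on the path taken after a cancel. The reproduction would be better kept as a system test or behind a test-only build switch, so that a clean shutdown with mpctx->allocated == 0 can be checked as a regression test.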
RT #17073.
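The state lifecycle described in the report, as an added example that is not part of the original report and not BIND code: a simplified C model in which per-client state is counted against a pool and released only by a resume hook, next to a variant that also releases it from a teardown hook that runs on every path. All names (pool_t, hook_resume, hook_destroy, leaked_at_shutdown) are hypothetical, and the teardown hook is an assumed remedy, not the project's fix.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified model, not BIND code: every name here is hypothetical. */
typedef struct { size_t allocated; } pool_t;        /* counted pool */
typedef struct { pool_t *pool; bool has_state; } client_t;
typedef enum { PATH_RESUME, PATH_ERROR } path_t;

static void state_get(client_t *c) {
    c->has_state = true;
    c->pool->allocated++;
}

static void state_put(client_t *c) {
    if (!c->has_state) return;   /* idempotent: safe from several hooks */
    c->has_state = false;
    c->pool->allocated--;
}

/* Runs only when recursion completes and the query resumes. */
static void hook_resume(client_t *c) { state_put(c); }

/* Runs whenever the query context is torn down, on every path. */
static void hook_destroy(client_t *c) { state_put(c); }

/* One query: the plugin takes state and starts recursion, then the
 * fetch callback follows the resume path or the error (cancelled) path. */
static void run_query(pool_t *pool, path_t path, bool cleanup_on_destroy) {
    client_t c = { .pool = pool, .has_state = false };
    state_get(&c);
    if (path == PATH_RESUME) hook_resume(&c);
    if (cleanup_on_destroy) hook_destroy(&c);
    /* With resume-only cleanup, PATH_ERROR leaves the state counted. */
}

/* What the pool still holds at shutdown; nonzero is the condition
 * that makes a check like REQUIRE(mpctx->allocated == 0) fail. */
size_t leaked_at_shutdown(unsigned cancelled, unsigned completed,
                          bool cleanup_on_destroy) {
    pool_t pool = { 0 };
    for (unsigned i = 0; i < cancelled; i++)
        run_query(&pool, PATH_ERROR, cleanup_on_destroy);
    for (unsigned i = 0; i < completed; i++)
        run_query(&pool, PATH_RESUME, cleanup_on_destroy);
    return pool.allocated;
}

int main(void) {
    printf("resume-only cleanup: %zu\n", leaked_at_shutdown(3, 5, false));
    printf("teardown cleanup:    %zu\n", leaked_at_shutdown(3, 5, true));
    return 0;
}
```

Each cancelled query leaves one state object counted when cleanup is tied to the resume path alone, which is why the leak grows with the number of cancellations and surfaces only at shutdown.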