Use dns_name_copynf() with dns_message_gettempname() when needed (!5083) · Merge requests · ISC Open Source Projects / BIND

Ondřej Surý requested to merge 2713-intermittent-crashes-in-the-tkey-system-test-caused-by-broken-dns_name_t-structures-v9_16 into v9_16 May 22, 2021

dns_message_gettempname() returns an initialized name with a dedicated buffer, associated with a dns_fixedname object. Using dns_name_copynf() to write a name into this object will actually copy the name data from a source name. dns_name_clone() merely points target->ndata to source->ndata, so it is faster, but it can lead to a use-after-free if the source is freed before the target object is released via dns_message_puttempname().

In a few places, clone was being used where copynf should have been; this is now fixed.

As a side note, no memory was lost, because the ndata buffer used in the dns_fixedname_t is internal to the structure, and is freed when the dns_fixedname_t is freed regardless of the .ndata contents.

(cherry picked from commit ce3e1abc)

Closes #2713 (closed)

Use dns_name_copynf() with dns_message_gettempname() when needed

Merge request reports