From 00112618bc042f734de7b5ac86506cacb9acf36d Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Thu, 12 Dec 2013 10:38:35 +1100 Subject: [PATCH] 3687. [bug] Address null pointer dereference in zone_xfrdone. [RT #35042] --- CHANGES | 3 +++ lib/dns/zone.c | 23 ++++++++++++++++------- 2 files changed, 19 insertions(+), 7 deletions(-) diff --git a/CHANGES b/CHANGES index 00fbee8389..4047f383d9 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +3687. [bug] Address null pointer dereference in zone_xfrdone. + [RT #35042] + 3686. [func] "dnssec-signzone -Q" drops signatures from keys that are still published but no longer active. [RT #34990] diff --git a/lib/dns/zone.c b/lib/dns/zone.c index f24aa33bad..f620793156 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -11856,6 +11856,12 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) { linked = ISC_TRUE; zone->statelist = NULL; } + if (zone->statelist == &zone->zmgr->xfrin_in_progress) { + ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, + statelink); + zone->statelist = NULL; + zmgr_resume_xfrs(zone->zmgr, ISC_FALSE); + } RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write); } 
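Review bot: The added `xfrin_in_progress` branch in zone_shutdown clears `zone->statelist` but, unlike the branch directly above it, does not set `linked = ISC_TRUE`, and nothing says whether that is deliberate. The code that consumes `linked` is outside the hunk, so this may well be correct, but the asymmetry is easy to misread as an omission. A short comment on the new branch would settle it, e.g. `/* An in-progress transfer gives back its quota slot here; 'linked' is only for the waiting queue. */`, if that is the intent. The body of zone_shutdown starts and ends outside the hunk.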
@@ -14330,13 +14336,16 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
 * This transfer finishing freed up a transfer quota slot.
 * Let any other zones waiting for quota have it.
 */
- UNLOCK_ZONE(zone);
- RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
- zone->statelist = NULL;
- zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
- RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
- LOCK_ZONE(zone);
+ if (zone->zmgr != NULL &&
+ zone->statelist == &zone->zmgr->xfrin_in_progress) {
+ UNLOCK_ZONE(zone);
+ RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+ ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
+ zone->statelist = NULL;
+ zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
+ RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+ LOCK_ZONE(zone);
+ }
 
 /*
 * Retry with a different server if necessary.
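Review bot: The new guard in zone_xfrdone reads `zone->zmgr` and `zone->statelist` before `RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write)` is taken, and the zone lock is dropped in between, while the zone_shutdown hunk of this same patch changes `statelist` under that rwlock. If the two paths can interleave (not visible from the hunk), `ISC_LIST_UNLINK` could run on a zone that is already off the list, and `zone->zmgr` is dereferenced again after `UNLOCK_ZONE(zone)` without a fresh NULL check. Repeating the test once the write lock is held, `if (zone->statelist == &zone->zmgr->xfrin_in_progress) {` around the unlink, `zone->statelist = NULL` and `zmgr_resume_xfrs` lines, would close that window. If the surrounding task model already rules it out, a comment saying why the unlocked check is sufficient would do. The body of zone_xfrdone starts and ends outside the hunk.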