Merge branch '3244-dig-use-after-free' into 'main'

Resolve "use-after-free in dighost.c/dig.c" Closes #3244 See merge request isc-projects/bind9!6052
2025-08-29 13:38:26 +00:00 · 2022-04-05 11:52:00 +00:00 · 2022-04-05 11:52:00 +00:00 · 0130ff96d5
commit 0130ff96d5
parent 04e9b6060c ef9bd8533a
3 changed files with 20 additions and 7 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+5853.	[bug]		When using both the `+qr` and `+y` options `dig` could
+			crash if the connection to the first server was not
+			successful. [GL #3244]
+
 5852.	[func]		Add new "load-balance-socket" option to
 			enable/disable load balancing of sockets. [GL #3249]

--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@ -3080,10 +3080,9 @@ send_udp(dig_query_t *query) {
 	debug("sendcount=%" PRIuFAST32, isc_refcount_current(&sendcount));

 	/* XXX qrflag, print_query, etc... */
-	if (!ISC_LIST_EMPTY(query->lookup->q) && query->lookup->qr) {
+	if (query->lookup->qr) {
 		extrabytes = 0;
-		dighost_printmessage(ISC_LIST_HEAD(query->lookup->q),
-				     &query->lookup->renderbuf,
+		dighost_printmessage(query, &query->lookup->renderbuf,
 				     query->lookup->sendmsg, true);
 		if (query->lookup->stats) {
 			print_query_size(query);
@ -3136,7 +3135,7 @@ udp_ready(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) {
 	query_attach(query, &readquery);

 	debug("recving with lookup=%p, query=%p, handle=%p", query->lookup,
-	      query, query->handle);
+	      query, handle);

 	query->handle = handle;
 	isc_nmhandle_attach(handle, &query->readhandle);
@ -3426,10 +3425,10 @@ launch_next_query(dig_query_t *query) {
 		      isc_refcount_current(&sendcount));

 		/* XXX qrflag, print_query, etc... */
-		if (!ISC_LIST_EMPTY(l->q) && l->qr) {
+		if (l->qr) {
 			extrabytes = 0;
-			dighost_printmessage(ISC_LIST_HEAD(l->q), &l->renderbuf,
-					     l->sendmsg, true);
+			dighost_printmessage(query, &l->renderbuf, l->sendmsg,
+					     true);
 			if (l->stats) {
 				print_query_size(query);
 			}
@ -3845,6 +3844,7 @@ recv_done(isc_nmhandle_t *handle, isc_result_t eresult, isc_region_t *region,
 		}
 		query_detach(&query);
 		lookup_detach(&l);
+		clear_current_lookup();
 		UNLOCK_LOOKUP;
 		return;
 	}
--- a/bin/tests/system/digdelv/tests.sh
+++ b/bin/tests/system/digdelv/tests.sh
@ -1081,6 +1081,15 @@ if [ -x "$DIG" ] ; then
  grep -F ";; No acceptable nameservers" dig.out.test$n > /dev/null || ret=1
  if [ $ret -ne 0 ]; then echo_i "failed"; fi
  status=$((status+ret))
+
+  # See [GL #3244] for more information
+  n=$((n+1))
+  echo_i "check that dig handles printing query information with +qr and +y when multiple queries are involved (including a failed query) ($n)"
+  ret=0
+  dig_with_opts +timeout=1 +qr +y @127.0.0.1 @10.53.0.3 a.example > dig.out.test$n 2>&1 || ret=1
+  grep -F "IN A 10.0.0.1" dig.out.test$n > /dev/null || ret=1
+  if [ $ret -ne 0 ]; then echo_i "failed"; fi
+  status=$((status+ret))
 else
  echo_i "$DIG is needed, so skipping these dig tests"
 fi