From 2ded876db257d93007ee68fe7a6e0511f0312a72 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Tue, 4 Apr 2023 08:17:45 +0000 Subject: [PATCH 1/2] Attach catzs to catz instead of doing this explicitly Instead of explicitly adding a reference to catzs (catalog zones) when calling the update callback, attach the catzs to the catz (catalog zone) object to keep it referenced for the whole time the catz exists. --- lib/dns/catz.c | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/lib/dns/catz.c b/lib/dns/catz.c index fe176c2824..70b160469f 100644 --- a/lib/dns/catz.c +++ b/lib/dns/catz.c @@ -815,11 +815,11 @@ dns_catz_new_zone(dns_catz_zones_t *catzs, dns_catz_zone_t **catzp, REQUIRE(ISC_MAGIC_VALID(name, DNS_NAME_MAGIC)); catz = isc_mem_get(catzs->mctx, sizeof(*catz)); - *catz = (dns_catz_zone_t){ .catzs = catzs, - .active = true, + *catz = (dns_catz_zone_t){ .active = true, .version = DNS_CATZ_VERSION_UNDEFINED, .magic = DNS_CATZ_ZONE_MAGIC }; + dns_catz_zones_attach(catzs, &catz->catzs); isc_mutex_init(&catz->lock); isc_refcount_init(&catz->references, 1); isc_ht_init(&catz->entries, catzs->mctx, 4, ISC_HT_CASE_SENSITIVE); @@ -871,16 +871,13 @@ dns__catz_timer_start(dns_catz_zone_t *catz) { static void dns__catz_timer_stop(void *arg) { dns_catz_zone_t *catz = arg; - dns_catz_zones_t *catzs = NULL; REQUIRE(DNS_CATZ_ZONE_VALID(catz)); isc_timer_stop(catz->updatetimer); isc_timer_destroy(&catz->updatetimer); catz->loop = NULL; - catzs = catz->catzs; dns_catz_detach_catz(&catz); - dns_catz_unref_catzs(catzs); } isc_result_t @@ -955,7 +952,6 @@ dns__catz_shutdown(dns_catz_zone_t *catz) { /* Don't wait for timer to trigger for shutdown */ INSIST(catz->loop != NULL); - dns_catz_ref_catzs(catz->catzs); isc_async_run(catz->loop, dns__catz_timer_stop, catz); } else { dns_catz_detach_catz(&catz); @@ -1028,7 +1024,7 @@ dns__catz_zone_destroy(dns_catz_zone_t *catz) { dns_catz_options_free(&catz->defoptions, mctx); dns_catz_options_free(&catz->zoneoptions, mctx); - catz->catzs = NULL; + dns_catz_zones_detach(&catz->catzs); isc_refcount_destroy(&catz->references); isc_mem_put(mctx, catz, sizeof(*catz)); @@ -2122,7 +2118,6 @@ dns__catz_timer_cb(void *arg) { isc_log_write(dns_lctx, DNS_LOGCATEGORY_GENERAL, DNS_LOGMODULE_MASTER, ISC_LOG_INFO, "catz: %s: reload start", domain); - dns_catz_ref_catzs(catz->catzs); dns_catz_ref_catz(catz); isc_work_enqueue(catz->loop, dns__catz_update_cb, dns__catz_done_cb, catz); @@ -2543,7 +2538,6 @@ dns__catz_done_cb(void *data) { isc_result_totext(catz->updateresult)); dns_catz_unref_catz(catz); - dns_catz_unref_catzs(catz->catzs); } void From 4a0bd69056966eb56f7b2a613ddf90ee1343dc4e Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Tue, 4 Apr 2023 08:24:15 +0000 Subject: [PATCH 2/2] Add a CHANGES note for [GL #3997] --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 3e58efe3f8..b1ce3a727b 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +6145. [bug] Fix a possible use-after-free bug in the + dns__catz_done_cb() function. [GL #3997] + 6144. [bug] A reference counting problem (double detach) might occur when shutting down zone transfer early after switching the dns_xfrin to use dns_dispatch API.