
Fix a use-after-free bug in dns_zonemgr_releasezone()

The dns_zonemgr_releasezone() function makes a decision to destroy
'zmgr' (based on its reference count, after decrementing it) inside
a lock, and then destroys the object outside of the lock.

This causes a race with dns_zonemgr_detach(), which could destroy
the object in the meantime.

Change dns_zonemgr_releasezone() to detach from 'zmgr' and destroy
the object (if needed) using dns_zonemgr_detach(), outside of the
lock.
Aram Sargsyan
2023-01-05 15:01:35 +00:00
committed by Ondřej Surý
parent 6675731adf
commit c1fc212253


@@ -18675,8 +18675,6 @@ dns_zonemgr_managezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
void
dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
bool free_now = false;
REQUIRE(DNS_ZONE_VALID(zone));
REQUIRE(DNS_ZONEMGR_VALID(zmgr));
REQUIRE(zone->zmgr == zmgr);
@@ -18691,19 +18689,13 @@ dns_zonemgr_releasezone(dns_zonemgr_t *zmgr, dns_zone_t *zone) {
ENSURE(zone->kfio == NULL);
}
/* Detach below, outside of the write lock. */
zone->zmgr = NULL;
if (isc_refcount_decrement(&zmgr->refs) == 1) {
free_now = true;
}
UNLOCK_ZONE(zone);
RWUNLOCK(&zmgr->rwlock, isc_rwlocktype_write);
if (free_now) {
zonemgr_free(zmgr);
}
ENSURE(zone->zmgr == NULL);
dns_zonemgr_detach(&zmgr);
}
void
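Review bot: The new `ENSURE(zone->zmgr == NULL);` reads `zone->zmgr` after `UNLOCK_ZONE(zone)` has already been released, so it is an unlocked read of a field this function just wrote under the zone lock; it is either trivially true or, if another thread can re-manage the zone in that window, a data race rather than a real postcondition check. Moving the assertion above `UNLOCK_ZONE(zone);` (right after `zone->zmgr = NULL;`) keeps it meaningful, or it can be dropped now that the detach happens unconditionally. Whether a concurrent dns_zonemgr_managezone() on the same zone is possible here is not visible from the hunk, so treat this as a locking-discipline point rather than a known race. dns_zonemgr_releasezone() spans both hunks, so the lock acquisition and list unlink between them are not shown.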