From c3bcb4d47a9d8ec07a2dd28cc180c20e8f6f7866 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 28 Aug 2019 11:34:22 +1000
Subject: [PATCH] Remove potential use after free (fctx) in rctx_resend.
---
 lib/dns/resolver.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 06787c0d64..bb33c987b7 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -9345,6 +9345,8 @@ rctx_resend(respctx_t *rctx, dns_adbaddrinfo_t *addrinfo) {
 isc_result_t result;
 fetchctx_t *fctx = rctx->fctx;
 bool bucket_empty;
+ dns_resolver_t *res = fctx->res;
+ unsigned int bucketnum;
 FCTXTRACE("resend");
 inc_stats(fctx->res, dns_resstatscounter_retry);
@@ -9354,12 +9356,13 @@ rctx_resend(respctx_t *rctx, dns_adbaddrinfo_t *addrinfo) {
 return;
 }
+ bucketnum = fctx->bucketnum;
 fctx_done(fctx, result, __LINE__);
- LOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+ LOCK(&res->buckets[bucketnum].lock);
 bucket_empty = fctx_decreference(fctx);
- UNLOCK(&fctx->res->buckets[fctx->bucketnum].lock);
+ UNLOCK(&res->buckets[bucketnum].lock);
 if (bucket_empty) {
- empty_bucket(fctx->res);
+ empty_bucket(res);
 }
 }
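Review bot: The two new locals in the first hunk are set up inconsistently: `res` is initialised at its declaration, while `bucketnum` stays indeterminate until the second hunk assigns it just before `fctx_done()`. Unless the code between the hunks (not shown) can change `fctx->bucketnum`, taking both snapshots together with `unsigned int bucketnum = fctx->bucketnum;` would be simpler and leave no uninitialised local on any path. The `inc_stats(fctx->res, ...)` context line could then read `inc_stats(res, ...)` so the function uses one spelling throughout. The function body continues outside this hunk.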
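Review bot: Nothing in the second hunk records why `res` and `bucketnum` are used instead of `fctx->res` and `fctx->bucketnum`, so a later tidy-up could fold them back and reintroduce the use after free named in the subject. A comment above the `LOCK` line would pin the lifetime rule, for example `/* fctx may be freed by fctx_decreference(); use only res and bucketnum after it. */`. The hunk still passes `fctx` to `fctx_decreference()` after `fctx_done()`, which is presumably safe because of a reference taken in the part of the function between the hunks; stating that in the same comment would make the invariant checkable. The function starts outside this hunk.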