From d7e5c23a8103971bb6720f7997df2093906a94e7 Mon Sep 17 00:00:00 2001 From: Aram Sargsyan Date: Wed, 3 Aug 2022 22:21:46 +0000 Subject: [PATCH] DiG: fix lookup reference counting bug When DiG finishes its work with a lookup (due to success or error), it calls the clear_current_lookup() function, which decreases the lookup's reference count. That decrease action is the counterpart of the initial creation of the reference counter, so this function was designed in such a way that it should decrease the reference count only once, when there are no more active queries in the lookup. The way it checks whether there are any active queries is by looking at the queries list of the lookup object - if it's NULL then there are no active queries. But that is not always true - the cancel_lookup() function, when canceling the queries one by one, also removes them from the lookup's list, but in NSSEARCH mode, when the queries are working in parallel, some of those queries can still be active. And when their recv_done() callback gets called, it sees that the lookup has been canceled, calls clear_current_lookup(), which decreases the reference count every time for each query that was still active (because ISC_LIST_HEAD(lookup->q) is NULL) and results in a reference counting error. Fix the issue by introducing a new "cleared" property for the lookup, which will ensure that the clear_current_lookup() function does its job only once per lookup. --- bin/dig/dighost.c | 8 ++++++++ bin/dig/dighost.h | 2 +- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c index 3d174e4d73..221af39f91 100644 --- a/bin/dig/dighost.c +++ b/bin/dig/dighost.c 
@@ -1824,11 +1824,19 @@ clear_current_lookup(void) { return; } + if (lookup->cleared) { + debug("current_lookup is already cleared"); + return; + } + if (ISC_LIST_HEAD(lookup->q) != NULL) { debug("still have a worker"); return; } + lookup->cleared = true; + debug("lookup cleared"); + lookup_detach(&lookup); } diff --git a/bin/dig/dighost.h b/bin/dig/dighost.h index e9da8f618e..00158ac6f9 100644 --- a/bin/dig/dighost.h +++ b/bin/dig/dighost.h @@ -105,7 +105,7 @@ typedef struct dig_searchlist dig_searchlist_t; struct dig_lookup { unsigned int magic; isc_refcount_t references; - bool aaonly, adflag, badcookie, besteffort, cdflag, comments, + bool aaonly, adflag, badcookie, besteffort, cdflag, cleared, comments, dns64prefix, dnssec, doing_xfr, done_as_is, ednsneg, expandaaaa, expire, header_only, identify, /*%< Append an "on server " message */
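Review bot: In the dighost.c hunk, the new `if (lookup->cleared)` guard is correctly placed ahead of the `ISC_LIST_HEAD(lookup->q) != NULL` check, since the bug is precisely that the list is already empty for a cancelled NSSEARCH lookup, and `lookup->cleared = true` is set before `lookup_detach(&lookup)` rather than after, which matters because the detach may drop the last reference and free the object. What the hunk does not show is where `cleared` starts out as `false`: the fix turns an over-release into a skipped release if the flag is ever stale on a freshly created or cloned lookup (the only detach would then be skipped and the reference leaked), so the constructor and any clone path should explicitly initialize `lookup->cleared = false;` unless the struct is known to be zero-filled on allocation.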
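Review bot: In the dighost.h hunk, `cleared` is slotted into the alphabetized bool list without a comment, and since only `identify` in this list carries a `/*%<` doc note, its meaning is easy to confuse with the neighbouring state flags `done_as_is` and `doing_xfr`; a short `/*%< clear_current_lookup() has already released the reference */` next to the field would make the single-release invariant the commit message describes visible at the declaration.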