From 7ce2e86024f022decb2678963538515ca39ab4ab Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 23 Feb 2024 10:12:47 +1100
Subject: [PATCH 1/2] Do not use header_prev in expire_lru_headers

dns__cacherbt_expireheader can unlink / free header_prev underneath it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader instead to get the next pointer to be processed.
---
 lib/dns/rbt-cachedb.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/dns/rbt-cachedb.c b/lib/dns/rbt-cachedb.c
index 55fe3540e4..08775be8bd 100644
--- a/lib/dns/rbt-cachedb.c
+++ b/lib/dns/rbt-cachedb.c
@@ -1643,23 +1643,22 @@ static size_t
 expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum,
 isc_rwlocktype_t *tlocktypep,
 size_t purgesize DNS__DB_FLARG) {
- dns_slabheader_t *header = NULL, *header_prev = NULL;
+ dns_slabheader_t *header = NULL;
 size_t purged = 0;
 
 for (header = ISC_LIST_TAIL(rbtdb->lru[locknum]);
 header != NULL && header->last_used <= rbtdb->last_used &&
 purged <= purgesize;
- header = header_prev)
+ header = ISC_LIST_TAIL(rbtdb->lru[locknum]))
 {
 size_t header_size = rdataset_size(header);
- header_prev = ISC_LIST_PREV(header, link);
 
 /*
 * Unlink the entry at this point to avoid checking it
 * again even if it's currently used someone else and
 * cannot be purged at this moment. This entry won't be
 * referenced any more (so unlinking is safe) since the
- * TTL was reset to 0.
+ * TTL will be reset to 0.
 */
 ISC_LIST_UNLINK(rbtdb->lru[locknum], header, link);
 dns__cacherbt_expireheader(header, tlocktypep,

From 4f8539ac23011c9d8bb31028c0a993967dac4628 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 23 Feb 2024 13:38:19 +1100
Subject: [PATCH 2/2] Add CHANGES and release note for [GL #4495]

---
 CHANGES | 2 ++
 doc/notes/notes-current.rst | 7 +++++++
 2 files changed, 9 insertions(+)

diff --git a/CHANGES b/CHANGES
index b4d26873bd..58b87afa06 100644
--- a/CHANGES
+++ b/CHANGES
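Review bot: The rewritten update clause `header = ISC_LIST_TAIL(rbtdb->lru[locknum])` only makes progress because `ISC_LIST_UNLINK` has already removed the current header before `dns__cacherbt_expireheader` is called; nothing at the loop says so, and a later reordering (unlinking after the expire call, or the callee re-linking the entry at the tail) would turn this into a loop that revisits the same entry instead of walking the list. I would pin that invariant next to the update clause: `/* Re-read the tail: the current header was unlinked above and expireheader may free its neighbours, so a saved prev pointer would dangle. */`. Whether dns__cacherbt_expireheader can release or change the lock named by tlocktypep, letting another thread reshuffle the LRU between iterations, is not visible here and is worth confirming against the callee. The body of expire_lru_headers continues past the hunk, so the accounting of purged after the expire call is not reviewed. Separately, the release note in the second patch cites :gl:`#4595` while the subject and the CHANGES entry cite #4495; one of those is presumably a typo.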
@@ -1,3 +1,5 @@
+6350. [bug] Address use after free in expire_lru_headers. [GL #4495]
+
 6349. [placeholder]
 
 6348. [bug] BIND could previously abort when trying to
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 246466be7c..2705e7bc27 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -64,6 +64,13 @@ Bug Fixes
 ISC would like to thank Thomas Amgarten for bringing this issue to our
 attention. :gl:`#4518`, :gl:`#4528`
 
+- A use-after-free assertion might get triggered when the overmem cache
+ cleaning triggers. :gl:`#4595`
+
+ ISC would like to thank to Jinmei Tatuya from Infoblox for bringing
+ this issue to our attention.
+
+
 Known Issues
 ~~~~~~~~~~~~