From 2e22f903da490cefb98e0c8b14ac66b466cfe1d9 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 27 Nov 2012 16:03:36 +1100
Subject: [PATCH] 3425. [bug] "acacheentry" reference counting was broken resulting in use after free. [RT #31908]
---
 CHANGES | 3 +++
 lib/dns/rbtdb.c | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/CHANGES b/CHANGES
index 0cf816fc94..2164138ad3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3425. [bug] "acacheentry" reference counting was broken resulting
+ in use after free. [RT #31908]
+
 3424. [func] dnssec-dsfromkey now emits the hash without spaces. [RT #31951]
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 48ab600341..f2ad8c75bc 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -9371,11 +9371,10 @@ acache_callback(dns_acacheentry_t *entry, void **arg) {
 INSIST(acarray[count].cbarg == cbarg);
 isc_mem_put(rbtdb->common.mctx, cbarg, sizeof(acache_cbarg_t));
 acarray[count].cbarg = NULL;
+ dns_acache_detachentry(&entry);
 } else isc_mem_put(rbtdb->common.mctx, cbarg, sizeof(acache_cbarg_t));
- dns_acache_detachentry(&entry);
-
 NODE_UNLOCK(nodelock, isc_rwlocktype_write);
 dns_db_detachnode((dns_db_t *)rbtdb, (dns_dbnode_t **)(void*)&rbtnode);
@@ -9467,6 +9466,7 @@ rdataset_setadditional(dns_rdataset_t *rdataset, dns_rdatasetadditional_t type,
 acache_callback, newcbarg, &newentry);
 if (result != ISC_R_SUCCESS) goto fail;
+
 /* Set cache data in the new entry. */
 result = dns_acache_setentry(acache, newentry, zone, db, version, node, fname);
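Review bot: The reference-ownership rule this fix depends on is not written down anywhere in the first `lib/dns/rbtdb.c` hunk: `dns_acache_detachentry(&entry)` now runs only in the branch that clears `acarray[count].cbarg`, while the `else` branch frees `cbarg` without touching `entry`. From the visible lines it appears the callback may drop a reference only while the array slot still points at this callback argument, with the other path's reference presumably released by whoever replaced the slot; that is inferred, because the `if` condition and the start of `acache_callback` lie outside the hunk. A comment above the moved call, for example `/* Drop the reference held through acarray[count]; in the else case the slot no longer refers to this entry and its reference is released elsewhere. */` (wording to be confirmed against the rest of the function), would keep a later cleanup from hoisting the detach back out and reintroducing the use after free. Bracing the single-statement `else` to match the now multi-line `if` body would also make the asymmetry between the two paths harder to misread.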