diff --git a/CHANGES b/CHANGES
index e85aae8e22..41fde2e83c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6261. [bug] Fix a possible assertion failure on an error path in
+ resolver.c:fctx_query(), when using an uninitialized
+ link. [GL #4331]
+
 6254. [cleanup] Add semantic patch to do an explicit cast from char to unsigned char in ctype.h class of functions. [GL #4327]
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 66bb1ac78d..4b3d1c0b40 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -2139,10 +2139,13 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 INSIST(ISC_LIST_EMPTY(fctx->validators));
 query = isc_mem_get(fctx->mctx, sizeof(*query));
- *query = (resquery_t){ .mctx = fctx->mctx,
- .options = options,
- .addrinfo = addrinfo,
- .dispatchmgr = res->dispatchmgr };
+ *query = (resquery_t){
+ .mctx = fctx->mctx,
+ .options = options,
+ .addrinfo = addrinfo,
+ .dispatchmgr = res->dispatchmgr,
+ .link = ISC_LINK_INITIALIZER,
+ };
 isc_refcount_init(&query->references, 1);
@@ -2247,7 +2250,6 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 }
 fctx_attach(fctx, &query->fctx);
- ISC_LINK_INIT(query, link);
 query->magic = QUERY_MAGIC;
 if ((query->options & DNS_FETCHOPT_TCP) == 0) {
@@ -2291,6 +2293,13 @@ cleanup_udpfetch:
 }
 }
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+ if (ISC_LINK_LINKED(query, link)) {
+ atomic_fetch_sub_release(&fctx->nqueries, 1);
+ ISC_LIST_UNLINK(fctx->queries, query, link);
+ }
+ UNLOCK(&res->buckets[fctx->bucketnum].lock);
+
 cleanup_dispatch:
 fctx_detach(&query->fctx);
@@ -2299,13 +2308,6 @@ cleanup_dispatch:
 }
 cleanup_query:
- LOCK(&res->buckets[fctx->bucketnum].lock);
- if (ISC_LINK_LINKED(query, link)) {
- atomic_fetch_sub_release(&fctx->nqueries, 1);
- ISC_LIST_UNLINK(fctx->queries, query, link);
- }
- UNLOCK(&res->buckets[fctx->bucketnum].lock);
-
 query->magic = 0;
 dns_message_detach(&query->rmessage);
 isc_mem_put(fctx->mctx, query, sizeof(*query));
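Review bot: The new `.link = ISC_LINK_INITIALIZER` designator in the compound literal is the load-bearing part of this fix, but nothing at the site says why it must be there, and a later cleanup could drop it as redundant given that the rest of the literal is zero-initialized. Suggest a short comment above the literal, e.g. `/* The link must be valid from allocation: the error paths below test ISC_LINK_LINKED() before the query has been fully set up. */`, adjusted to the file's comment style. The body of fctx_query continues outside this hunk.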
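Review bot: Placing the unlink block above `cleanup_dispatch:` narrows which error exits run it: any `goto cleanup_dispatch` or `goto cleanup_query` taken after the query has been appended to `fctx->queries` now bypasses the unlink, and `isc_mem_put` at `cleanup_query:` would then free a query that is still reachable from the list. Since `.link` is now initialized at allocation, the `ISC_LINK_LINKED()` test is safe on every path, so the block could stay at `cleanup_query:` unless its ordering relative to `fctx_detach` is what motivated the move. The list append and the gotos that target these labels are outside this hunk; please confirm that none of them can be taken after the append, and record that invariant in a comment at the block, e.g. `/* Every exit reaching cleanup_dispatch/cleanup_query directly is taken before the query is linked into fctx->queries. */`. The deletion at `cleanup_query:` in the last hunk is the counterpart of this block and carries the same concern.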