From 92e5173a9fe790cecb79487a6e2860ff9c6e6833 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 27 Sep 2023 11:22:43 +0000
Subject: [PATCH 1/2] Don't use an uninitialized link on an error path

Move the block on the error path, where the link is checked, to a place where it makes sense, to avoid accessing an unitialized link when jumping to the 'cleanup_query' label from 4 different places. The link is initialized only after those jumps happen.

In addition, initilize the link when creating the object, to avoid similar errors.

(cherry picked from commit fb7bbbd1be20632db28a928f49c4082373358b64)
---
 lib/dns/resolver.c | 26 ++++++++++++++------------
 1 file changed, 14 insertions(+), 12 deletions(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 66bb1ac78d..4b3d1c0b40 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -2139,10 +2139,13 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 INSIST(ISC_LIST_EMPTY(fctx->validators));
 query = isc_mem_get(fctx->mctx, sizeof(*query));
- *query = (resquery_t){ .mctx = fctx->mctx,
- .options = options,
- .addrinfo = addrinfo,
- .dispatchmgr = res->dispatchmgr };
+ *query = (resquery_t){
+ .mctx = fctx->mctx,
+ .options = options,
+ .addrinfo = addrinfo,
+ .dispatchmgr = res->dispatchmgr,
+ .link = ISC_LINK_INITIALIZER,
+ };
 isc_refcount_init(&query->references, 1);
@@ -2247,7 +2250,6 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
 }
 fctx_attach(fctx, &query->fctx);
- ISC_LINK_INIT(query, link);
 query->magic = QUERY_MAGIC;
 if ((query->options & DNS_FETCHOPT_TCP) == 0) {
@@ -2291,6 +2293,13 @@ cleanup_udpfetch:
 }
 }
+ LOCK(&res->buckets[fctx->bucketnum].lock);
+ if (ISC_LINK_LINKED(query, link)) {
+ atomic_fetch_sub_release(&fctx->nqueries, 1);
+ ISC_LIST_UNLINK(fctx->queries, query, link);
+ }
+ UNLOCK(&res->buckets[fctx->bucketnum].lock);
+
 cleanup_dispatch:
 fctx_detach(&query->fctx);
 
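Review bot: The relocated unlink block placed just before `cleanup_dispatch:` in the third hunk is reached only by falling through from the `cleanup_udpfetch` code, so if any `goto cleanup_dispatch` or `goto cleanup_query` can fire after the query has been appended to `fctx->queries`, that path now skips the `ISC_LIST_UNLINK` and leaves `nqueries` over-counted. Whether every such jump precedes the append cannot be confirmed here: fctx_query starts before the first hunk and ends after the hunk on the next line, and the append site is outside the diff. The move is safe only while that ordering holds, so the new block deserves a comment pinning it, e.g. `/* Reached only by falling through from cleanup_udpfetch; any goto to cleanup_dispatch/cleanup_query must happen before the query is linked into fctx->queries. */`. Note that with `.link = ISC_LINK_INITIALIZER` set in the first hunk, the `ISC_LINK_LINKED` test would also have been well-defined at its old position, so the relocation is a structural choice rather than part of the uninitialized-read fix, and the commit message could say so. The hunk on the following line removes the original copy of the block.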
@@ -2299,13 +2308,6 @@ cleanup_dispatch:
 }
 cleanup_query:
- LOCK(&res->buckets[fctx->bucketnum].lock);
- if (ISC_LINK_LINKED(query, link)) {
- atomic_fetch_sub_release(&fctx->nqueries, 1);
- ISC_LIST_UNLINK(fctx->queries, query, link);
- }
- UNLOCK(&res->buckets[fctx->bucketnum].lock);
-
 query->magic = 0;
 dns_message_detach(&query->rmessage);
 isc_mem_put(fctx->mctx, query, sizeof(*query));

From 197d032aa83db9f13fb4e32d83633cff41baf3e2 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Wed, 27 Sep 2023 11:34:30 +0000
Subject: [PATCH 2/2] Add a CHANGES note for [GL #4331]

(cherry picked from commit 9c545c3513a1f78dc21e83a823041da790925158)
---
 CHANGES | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/CHANGES b/CHANGES
index e85aae8e22..41fde2e83c 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+6261. [bug] Fix a possible assertion failure on an error path in + resolver.c:fctx_query(), when using an uninitialized + link. [GL #4331] + 6254. [cleanup] Add semantic patch to do an explicit cast from char to + unsigned char in ctype.h class of functions. [GL #4327]