From 48d7401f0db66cbe9f6fcdffb549488e28110ad8 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Tue, 17 Mar 2026 11:23:22 +0000
Subject: [PATCH] Take 'env' reference before async calling perform_reopen()

The 'env' pointer is passed to an async function without taking a reference first, which can potentially cause a use-after-free error. Take a reference, then detach in the async function.
---
 lib/dns/dnstap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
index 00f073d0a9..97b903d605 100644
--- a/lib/dns/dnstap.c
+++ b/lib/dns/dnstap.c
@@ -682,6 +682,8 @@ perform_reopen(void *arg) {
 LOCK(&env->reopen_lock);
 env->reopen_queued = false;
 UNLOCK(&env->reopen_lock);
+
+ dns_dtenv_detach(&env);
 }
 /*%
@@ -713,6 +715,7 @@ check_file_size_and_maybe_reopen(dns_dtenv_t *env) {
 * Send an event to roll the output file, then disallow output file
 * rolling until the roll we queue is completed.
 */
+ dns_dtenv_ref(env);
 isc_async_run(env->loop, perform_reopen, env);
 env->reopen_queued = true;
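Review bot: The `dns_dtenv_detach(&env)` added at the end of perform_reopen() assumes every invocation was preceded by the `dns_dtenv_ref(env)` added in check_file_size_and_maybe_reopen(), and neither hunk documents that handoff. If perform_reopen() is ever called or queued from another path without taking a reference first, the detach would release a reference that path does not own and env could be freed while still in use; the other call sites are not visible here, so that is worth confirming. I would add `/* Release the reference taken when this job was queued. */` above the detach and `/* The queued job owns this reference; perform_reopen() detaches it. */` above the ref. Placing the detach after `UNLOCK(&env->reopen_lock)` looks right, since dropping the last reference may destroy env together with its lock. perform_reopen()'s body begins outside the hunk, so whether anything else there touches env after this point cannot be checked from the patch.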