From 53b2bddd65aba4ac2e06f9102bea5498dbd35c87 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Sat, 7 Feb 2026 05:19:48 +0100
Subject: [PATCH] Fix NULL Pointer Dereference in QP-trie Cache add()

When RRSIG(rdtype) was independently cached before the RDATA for the rdtype itself, named would crash on the subsequent query for the RDATA itself. This has been fixed. ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention.
---
 lib/dns/qpcache.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c
index 94a7c8aed5..dd16406659 100644
--- a/lib/dns/qpcache.c
+++ b/lib/dns/qpcache.c
@@ -2964,8 +2964,8 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader,
 if (EXISTS(newheader) && NEGATIVE(newheader) &&
 !dns_rdatatype_issig(rdtype) && related != NULL)
 {
- dns_slabheader_t *oldsigheader = first_header(oldtop->related);
- mark_ancient(oldsigheader);
+ dns_slabheader_t *relatedheader = first_header(related);
+ mark_ancient(relatedheader);
 }

 bindrdataset(qpdb, qpnode, newheader, now, nlocktype, tlocktype,
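Review bot: The block guarded by `related != NULL` carries no comment recording why its body must use `related` and never `oldtop->related`, which is the invariant this fix restores: the condition never tested `oldtop`, so the old body dereferenced a pointer the guard said nothing about. I would add above the `if` something like `/* Use 'related' directly: oldtop may be NULL when only the RRSIG for this type is cached. */`, with the wording checked against how `oldtop` is assigned, since add() begins and ends outside this hunk. Whether `first_header(related)` can return NULL is not visible here; if it can, `mark_ancient(relatedheader)` should be guarded with `if (relatedheader != NULL)`. The diffstat shows only lib/dns/qpcache.c changed, so a regression test that caches RRSIG(type) before the type itself and then queries the type would help keep this crash from returning.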