From 75214d0c5906327745d99b8d6d03425df9656704 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Mon, 4 Jan 2016 22:06:35 -0800
Subject: [PATCH] [v9_9] fix use after free on xfr timeout

4289. [bug] The server could crash due to memory being used after it was freed if a zone transfer timed out. [RT #41297]
---
 CHANGES | 4 ++++
 doc/arm/notes.xml | 6 ++++++
 lib/dns/dst_api.c | 13 +++++++++----
 3 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/CHANGES b/CHANGES
index ef09d90bbb..61d9c48efc 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4289. [bug] The server could crash due to memory being used
+ after it was freed if a zone transfer timed out.
+ [RT #41297]
+
 4288. [bug] Fixed a regression in resolver.c:possibly_mark() which caused known-bogus servers to be queried anyway. [RT #41321]
diff --git a/doc/arm/notes.xml b/doc/arm/notes.xml
index fc8420a341..c4623bb42a 100644
--- a/doc/arm/notes.xml
+++ b/doc/arm/notes.xml
@@ -108,6 +108,12 @@
 Bug Fixes
+
+
+ The server could crash due to a use-after-free if a
+ zone transfer timed out. [RT #41297]
+
+
 Authoritative servers that were marked as bogus (e.g. blackholed
diff --git a/lib/dns/dst_api.c b/lib/dns/dst_api.c
index 680a018431..1b8166c02f 100644
--- a/lib/dns/dst_api.c
+++ b/lib/dns/dst_api.c
@@ -302,12 +302,15 @@ dst_context_create2(dst_key_t *key, isc_mem_t *mctx,
 dctx = isc_mem_get(mctx, sizeof(dst_context_t));
 if (dctx == NULL)
 return (ISC_R_NOMEMORY);
- dctx->key = key;
- dctx->mctx = mctx;
+ memset(dctx, 0, sizeof(*dctx));
+ dst_key_attach(key, &dctx->key);
+ isc_mem_attach(mctx, &dctx->mctx);
 dctx->category = category;
 result = key->func->createctx(key, dctx);
 if (result != ISC_R_SUCCESS) {
- isc_mem_put(mctx, dctx, sizeof(dst_context_t));
+ if (dctx->key != NULL)
+ dst_key_free(&dctx->key);
+ isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(dst_context_t));
 return (result);
 }
 dctx->magic = CTX_MAGIC;
@@ -324,8 +327,10 @@ dst_context_destroy(dst_context_t **dctxp) {
 dctx = *dctxp;
 INSIST(dctx->key->func->destroyctx != NULL);
 dctx->key->func->destroyctx(dctx);
+ if (dctx->key != NULL)
+ dst_key_free(&dctx->key);
 dctx->magic = 0;
- isc_mem_put(dctx->mctx, dctx, sizeof(dst_context_t));
+ isc_mem_putanddetach(&dctx->mctx, dctx, sizeof(dst_context_t));
 *dctxp = NULL;
 }
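Review bot: The new ownership model in dst_context_create2 is undocumented: after `dst_key_attach(key, &dctx->key)` and `isc_mem_attach(mctx, &dctx->mctx)` the context holds its own references to the key and the memory context, which is the whole point of the fix, yet nothing in the code says so and the function's header comment is outside the hunk. A short comment above the memset would help the next maintainer keep the acquire/release pairing intact, e.g. `/* The context keeps its own key and mctx references so that a key freed elsewhere (e.g. on a zone transfer timeout) cannot leave dctx->key dangling; dst_context_destroy releases both. */`. The `if (dctx->key != NULL)` guard in the failure branch is always true immediately after the attach unless `createctx` clears the field; if that is a real possibility a comment saying so would justify the guard, otherwise `dst_key_free(&dctx->key);` on its own is clearer. The function's opening and the remainder of its body are outside the hunk.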
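Review bot: The added `if (dctx->key != NULL)` guard in dst_context_destroy is dead code: `INSIST(dctx->key->func->destroyctx != NULL)` and the `dctx->key->func->destroyctx(dctx)` call immediately above already dereference `dctx->key`, so a NULL key would have faulted before the guard is reached. Either drop the guard and call `dst_key_free(&dctx->key);` unconditionally, or, if a context with a NULL key is meant to be tolerated, guard the INSIST and the destroyctx call as well so both halves of the function agree. The `dst_key_free` here appears to release the reference taken by `dst_key_attach` in dst_context_create2, giving the release order callback-then-key-then-mctx; that ordering is what keeps the key alive for `destroyctx` and deserves a one-line comment such as `/* Release the key only after its destroyctx callback has run. */`. The function's opening lines are outside the hunk.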