From 99b583592efe0bd4aecc5028bb2528db8447ad68 Mon Sep 17 00:00:00 2001
From: Aram Sargsyan
Date: Tue, 17 Mar 2026 11:23:22 +0000
Subject: [PATCH] Take 'env' reference before async calling perform_reopen()

The 'env' pointer is passed to an async function without taking a reference first, which can potentially cause a use-after-free error. Take a reference, then detach in the async function.

(cherry picked from commit 48d7401f0db66cbe9f6fcdffb549488e28110ad8)
---
 lib/dns/dnstap.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
index aaa83d6b43..4addc77a9c 100644
--- a/lib/dns/dnstap.c
+++ b/lib/dns/dnstap.c
@@ -685,6 +685,8 @@ perform_reopen(void *arg) {
 LOCK(&env->reopen_lock);
 env->reopen_queued = false;
 UNLOCK(&env->reopen_lock);
+
+ dns_dtenv_detach(&env);
 }
 
 /*%
@@ -716,6 +718,7 @@ check_file_size_and_maybe_reopen(dns_dtenv_t *env) {
 * Send an event to roll the output file, then disallow output file
 * rolling until the roll we queue is completed.
 */
+ dns_dtenv_ref(env);
 isc_async_run(env->loop, perform_reopen, env);
 env->reopen_queued = true;
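Review bot: The added `dns_dtenv_detach(&env);` at the end of perform_reopen() has no comment tying it to the `dns_dtenv_ref(env)` taken in check_file_size_and_maybe_reopen(), and nothing says why it has to stay last. This detach may drop the last reference, so it must remain after the `UNLOCK(&env->reopen_lock)` above it, as it does now; a later edit that touches env after this line would bring the use-after-free back. I would add `/* Release the reference taken before isc_async_run(); env may be freed here, so this must be the last use of env. */` above the call. The body of perform_reopen() starts outside the hunk, so any early return above these lines (none is visible here) would also need to detach.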
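Review bot: The reference taken by `dns_dtenv_ref(env)` is released only inside perform_reopen(), so if the job queued by `isc_async_run()` were never run (for example if the loop is torn down first, which this hunk does not show), env would never be released. It is worth confirming that queued callbacks always run, and recording the ownership hand-off in the existing comment, e.g. `* perform_reopen() owns the reference taken here and detaches it.` check_file_size_and_maybe_reopen() continues outside the hunk on both sides.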