From c03fe78ef59b2373233db1a7b568cc2000d6d3b4 Mon Sep 17 00:00:00 2001
From: Evan Hunt
Date: Wed, 15 Apr 2015 15:38:14 -0700
Subject: [PATCH] [master] use after free in resquery_destroy()

4102. [bug] Fix a use after free bug introduced in change #4094. [RT #39281]
---
 CHANGES | 3 +++
 lib/dns/resolver.c | 6 ++++--
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index dd0e4f22de..dc9bd37e35 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4102. [bug] Fix a use after free bug introduced in change
+ #4094. [RT #39281]
+
 4101. [bug] dig: the +split and +rrcomments options didn't work with +short. [RT #39291]
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 3318b61b73..821d53dd71 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -823,6 +823,7 @@ resquery_destroy(resquery_t **queryp) {
 isc_boolean_t empty;
 resquery_t *query;
 fetchctx_t *fctx;
+ unsigned int bucket;
 REQUIRE(queryp != NULL);
 query = *queryp;
@@ -832,12 +833,13 @@ resquery_destroy(resquery_t **queryp) {
 fctx = query->fctx;
 res = fctx->res;
+ bucket = fctx->bucketnum;
 fctx->nqueries--;
- LOCK(&res->buckets[fctx->bucketnum].lock);
+ LOCK(&res->buckets[bucket].lock);
 empty = fctx_decreference(query->fctx);
- UNLOCK(&res->buckets[fctx->bucketnum].lock);
+ UNLOCK(&res->buckets[bucket].lock);
 query->magic = 0;
 isc_mem_put(query->mctx, query, sizeof(*query));
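Review bot: The new `bucket` local in the first resolver.c hunk is declared without a comment, so the reason the index has to be copied out of `fctx` — the whole point of this fix — is invisible to the next reader, who could reasonably "simplify" back to `fctx->bucketnum` after `fctx_decreference()` and reintroduce the use-after-free. Suggest `unsigned int bucket;	/* copied out before fctx_decreference() may release fctx */`, or the equivalent one-line comment above the `bucket = fctx->bucketnum;` assignment in the following hunk. The commit message only says a use-after-free from change #4094 is fixed; that `fctx_decreference()` can drop the last reference to `fctx` is inferred from the diff, so the comment's wording should be confirmed against that function, and the `unsigned int` type should be checked against the declaration of `bucketnum`, which this diff does not show. The body of resquery_destroy() continues past the second hunk, outside this excerpt.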