upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-11 00:30:00 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

sec: usr: Fix race condition in getsigningtime()

Browse source 
Compute qpzone_get_lock(elem->node) into a local variable while the
heap lock is still held, rather than dereferencing the stale elem
pointer after releasing the lock. A concurrent thread running
setsigningtime() (e.g. via IXFR apply on a worker thread) could free
the top-of-heap element between the heap lock release and the
dereference, causing a use-after-free.

Closes #5883

Merge branch '5883-getsigningtime-race-fix' into 'main'

See merge request isc-projects/bind9!11875
This commit is contained in:
Alessio Podda 2026-04-27 17:15:00 +00:00
commit d35a527ffb
1 changed files with 4 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/dns/qpzone.c
View file

@ -2544,11 +2544,13 @@ again:
LOCK(&qpdb->heap->lock);
elem = isc_heap_element(qpdb->heap->heap, 1);
if (elem != NULL && qpzone_get_lock(elem->node) != nlock) {
isc_rwlock_t *new_nlock = (elem != NULL) ? qpzone_get_lock(elem->node)
: NULL;
if (new_nlock != NULL && new_nlock != nlock) {
UNLOCK(&qpdb->heap->lock);
NODE_UNLOCK(nlock, &nlocktype);
nlock = qpzone_get_lock(elem->node);
nlock = new_nlock;
goto again;
}