From 0fe1d091f7c2124268796b9ae3e0a9ab3199bf04 Mon Sep 17 00:00:00 2001
From: Alessio Podda
Date: Thu, 16 Apr 2026 13:20:50 +0200
Subject: [PATCH] Fix race condition in getsigningtime()

Compute qpzone_get_lock(elem->node) into a local variable while the heap lock is still held, rather than dereferencing the stale elem pointer after releasing the lock. A concurrent thread running setsigningtime() (e.g. via IXFR apply on a worker thread) could free the top-of-heap element between the heap lock release and the dereference, causing a use-after-free.
---
 lib/dns/qpzone.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/dns/qpzone.c b/lib/dns/qpzone.c
index 47c274889a..dcfae499ff 100644
--- a/lib/dns/qpzone.c
+++ b/lib/dns/qpzone.c
@@ -2544,11 +2544,13 @@ again:
 LOCK(&qpdb->heap->lock);
 elem = isc_heap_element(qpdb->heap->heap, 1);
- if (elem != NULL && qpzone_get_lock(elem->node) != nlock) {
+ isc_rwlock_t *new_nlock = (elem != NULL) ? qpzone_get_lock(elem->node)
+ : NULL;
+ if (new_nlock != NULL && new_nlock != nlock) {
 UNLOCK(&qpdb->heap->lock);
 NODE_UNLOCK(nlock, &nlocktype);
- nlock = qpzone_get_lock(elem->node);
+ nlock = new_nlock;
 goto again;
 }