[9.20] fix: usr: Prevent a crash when using both dns64 and filter-aaaa

An assertion failure could be triggered if both `dns64` and the `filter-aaaa` plugin were in use simultaneously. This happened if the plugin triggered a second recursion process, which then attempted to store DNS64 state information in a pointer that had already been set by the original recursion process. This has been fixed. Closes #5854 Backport of MR !11949 Merge branch 'backport-5854-dns64-aaaaok-9.20' into 'bind-9.20' See merge request isc-projects/bind9!11967
2026-05-28 04:34:54 -04:00 · 2026-05-06 07:53:51 +02:00 · 2026-05-06 07:53:51 +02:00 · ddcacbc5a8
commit ddcacbc5a8
parent ddea991c07 d42b3e7b91
5 changed files with 21 additions and 3 deletions
--- a/bin/tests/system/filters/ns1/unsigned.db
+++ b/bin/tests/system/filters/ns1/unsigned.db
@ -23,3 +23,8 @@ dual		A	1.0.0.6
 dual 		AAAA	2001:db8::6
 mx		A	1.0.0.3
 mx 		AAAA	2001:db8::3
+
+; one of these AAAA addresses is excluded in named.conf
+excludeone	A	1.0.0.6
+excludeone	AAAA	::1
+excludeone	AAAA	2001:db8::6
--- a/bin/tests/system/filters/ns4/unsigned.db
+++ b/bin/tests/system/filters/ns4/unsigned.db
@ -23,3 +23,8 @@ dual		A	1.0.0.6
 dual 		AAAA	2001:db8::6
 mx		A	1.0.0.3
 mx 		AAAA	2001:db8::3
+
+; one of these AAAA addresses is excluded in named.conf
+excludeone	A	1.0.0.6
+excludeone	AAAA	::1
+excludeone	AAAA	2001:db8::6
--- a/bin/tests/system/filters/ns5/named.conf.j2
+++ b/bin/tests/system/filters/ns5/named.conf.j2
@ -23,9 +23,9 @@ options {
 	dnssec-validation no;
 	notify yes;
 	dns64 64:ff9b::/96 {
-			    clients { any; };
-			    exclude { any; };
-			    mapped { any; };
+		clients { any; };
+		exclude { ::1/128; };
+		mapped { any; };
 	};
 	minimal-responses no;
 };
--- a/bin/tests/system/filters/tests_filter_dns64.py
+++ b/bin/tests/system/filters/tests_filter_dns64.py
@ -25,3 +25,7 @@ def test_filter_dns64():
    msg = isctest.query.create("aaaa-only.unsigned", "aaaa")
    res = isctest.query.tcp(msg, "10.53.0.5")
    isctest.check.noerror(res)
+
+    msg = isctest.query.create("excludeone.unsigned", "aaaa")
+    res = isctest.query.tcp(msg, "10.53.0.5")
+    isctest.check.noerror(res)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@ -8250,6 +8250,10 @@ query_addanswer(query_ctx_t *qctx) {
 	} else if (qctx->client->query.dns64_aaaaok != NULL) {
 		query_filter64(qctx);
 		ns_client_putrdataset(qctx->client, &qctx->rdataset);
+		isc_mem_cput(qctx->client->manager->mctx,
+			     qctx->client->query.dns64_aaaaok,
+			     qctx->client->query.dns64_aaaaoklen, sizeof(bool));
+		qctx->client->query.dns64_aaaaoklen = 0;
 	} else {
 		if (!qctx->is_zone && RECURSIONOK(qctx->client)) {
 			query_prefetch(qctx->client, qctx->fname,