Merge branch '4595-fix-expire-lru-headers-race-9.18' into 'v9.18.25-release'

[9.18] Do not use header_prev in expire_lru_headers

See merge request isc-projects/bind9!8776

CHANGES

@@ -1,3 +1,5 @@
+6350.	[bug]		Address use after free in expire_lru_headers. [GL #4495]
+
 	--- 9.18.24 released ---
 
 6343.	[bug]		Fix case insensitive setting for isc_ht hashtable.

doc/notes/notes-current.rst

@@ -35,7 +35,12 @@ Feature Changes
 Bug Fixes
 ~~~~~~~~~
 
-- None.
+- A use-after-free assertion might get triggered when the overmem cache
+  cleaning triggers. :gl:`#4595`
+
+  ISC would like to thank to Jinmei Tatuya from Infoblox for bringing
+  this issue to our attention.
+
 
 Known Issues
 ~~~~~~~~~~~~

lib/dns/rbtdb.c

@@ -10213,22 +10213,21 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header, isc_stdtime_t now) {
 static size_t
 expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
 		   bool tree_locked) {
-	rdatasetheader_t *header, *header_prev;
+	rdatasetheader_t *header;
 	size_t purged = 0;
 
 	for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
 	     header != NULL &&
 	     header->last_used <= atomic_load(&rbtdb->last_used) &&
 	     purged <= purgesize;
-	     header = header_prev)
+	     header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
 	{
-		header_prev = ISC_LIST_PREV(header, link);
 		/*
 		 * Unlink the entry at this point to avoid checking it
 		 * again even if it's currently used someone else and
 		 * cannot be purged at this moment.  This entry won't be
 		 * referenced any more (so unlinking is safe) since the
-		 * TTL was reset to 0.
+		 * TTL will be reset to 0.
 		 */
 		ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
 		size_t header_size = rdataset_size(header);