[9.20] fix: dev: Fix crash in resolver when SIG(0)-signed responses are received under load

A resolver could crash when handling a SIG(0)-signed response if the
matching client query was cancelled while signature verification was
still in progress — for example, when the recursive-clients quota
was exhausted. This has been fixed.

Closes isc-projects/bind9#5819

Merge branch 'backport-5819-fix-heap-use-after-free-in-resquery_response_continue-9.20' into 'security-bind-9.20'

See merge request isc-private/bind9!1001
Ondřej Surý 2026-05-01 08:32:14 +02:00 committed by Michał Kępień
commit f6d193147a

@ -7632,6 +7632,7 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
return;
cleanup:
resquery_detach(&rctx->query);
isc_mem_putanddetach(&rctx->mctx, rctx, sizeof(*rctx));
}
@ -7981,6 +7982,7 @@ resquery_response_continue(void *arg, isc_result_t result) {
rctx_done(rctx, result);
cleanup:
resquery_detach(&rctx->query);
isc_mem_putanddetach(&rctx->mctx, rctx, sizeof(*rctx));
}
@ -7994,7 +7996,7 @@ static void
rctx_respinit(resquery_t *query, fetchctx_t *fctx, isc_result_t result,
isc_region_t *region, respctx_t *rctx) {
*rctx = (respctx_t){ .result = result,
.query = query,
.query = resquery_ref(query),
.fctx = fctx,
.broken_type = badns_response,
.retryopts = query->options };
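Review bot: The reference taken by `resquery_ref(query)` in `rctx_respinit` is released only at the two `cleanup:` labels shown, so the ownership rule should be documented at the initializer, e.g. `/* rctx holds its own reference on query; release it with resquery_detach(&rctx->query) before rctx is freed */`. The `return;` directly above `cleanup:` in `resquery_response` skips the detach; presumably that is the path where the response is handed to `resquery_response_continue`, which then releases it, but the hand-off is outside the visible lines and deserves a one-line comment at that `return`. Any other caller of `rctx_respinit`, or any exit that frees an rctx without passing through one of these labels, would now leak a query reference, so it is worth confirming that none exists. The +/- markers are lost on this page, so I am assuming `resquery_detach(&rctx->query);` is the line added in the first two hunks. All three function bodies start or end outside their hunks.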