a2a915
From 66c074b707318005d50f14910678ba451877a7a6 Mon Sep 17 00:00:00 2001
a2a915
From: Petr Mensik <pemensik@redhat.com>
a2a915
Date: Wed, 19 Jun 2019 12:28:08 +0200
a2a915
Subject: [PATCH] Fix CVE-2019-6471
a2a915
a2a915
5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
a2a915
			that could cause an assertion failure if a
a2a915
			significant number of incoming packets were
a2a915
			rejected. (CVE-2019-6471) [GL #942]
a2a915
---
a2a915
 lib/dns/dispatch.c | 10 +++++++---
a2a915
 1 file changed, 7 insertions(+), 3 deletions(-)
a2a915
a2a915
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
a2a915
index 321459ebcb..ae5c9c0fc7 100644
a2a915
--- a/lib/dns/dispatch.c
a2a915
+++ b/lib/dns/dispatch.c
a2a915
@@ -3419,13 +3419,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
a2a915
 	disp = resp->disp;
a2a915
 	REQUIRE(VALID_DISPATCH(disp));
a2a915
 
a2a915
-	REQUIRE(resp->item_out == ISC_TRUE);
a2a915
-	resp->item_out = ISC_FALSE;
a2a915
-
a2a915
 	ev = *sockevent;
a2a915
 	*sockevent = NULL;
a2a915
 
a2a915
 	LOCK(&disp->lock);
a2a915
+
a2a915
+	REQUIRE(resp->item_out == ISC_TRUE);
a2a915
+	resp->item_out = ISC_FALSE;
a2a915
+
a2a915
 	if (ev->buffer.base != NULL)
a2a915
 		free_buffer(disp, ev->buffer.base, ev->buffer.length);
a2a915
 	free_devent(disp, ev);
a2a915
@@ -3570,6 +3571,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
a2a915
 		isc_task_send(disp->task[0], &disp->ctlevent);
a2a915
 }
a2a915
 
a2a915
+/*
a2a915
+ * disp must be locked.
a2a915
+ */
a2a915
 static void
a2a915
 do_cancel(dns_dispatch_t *disp) {
a2a915
 	dns_dispatchevent_t *ev;
a2a915
-- 
a2a915
2.20.1
a2a915