From 7f5bdf7f4063c2fefb18900468d2c851f8de7816 Mon Sep 17 00:00:00 2001

From: Evan Hunt <each@isc.org>

Date: Tue, 18 Feb 2014 23:32:02 -0800

Subject: [PATCH] [master] fix dns_resolver_destroyfetch race

3747.	[bug]		A race condition could lead to a core dump when

			destroying a resolver fetch object. [RT #35385]

---

 lib/dns/resolver.c | 7 +++++--

 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c

index fa188c1..66ab41f 100644

--- a/lib/dns/resolver.c

+++ b/lib/dns/resolver.c

@@ -357,6 +357,7 @@ typedef struct {

 struct dns_fetch {

 	unsigned int			magic;

+	isc_mem_t *			mctx;

 	fetchctx_t *			private;

 };

@@ -8561,6 +8562,8 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,

 	fetch = isc_mem_get(res->mctx, sizeof(*fetch));

 	if (fetch == NULL)

 		return (ISC_R_NOMEMORY);

+	fetch->mctx = NULL;

+	isc_mem_attach(res->mctx, &fetch->mctx);

 	bucketnum = dns_name_fullhash(name, ISC_FALSE) % res->nbuckets;

@@ -8651,7 +8654,7 @@ dns_resolver_createfetch2(dns_resolver_t *res, dns_name_t *name,

 		FTRACE("created");

 		*fetchp = fetch;

 	} else

-		isc_mem_put(res->mctx, fetch, sizeof(*fetch));

+		isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));

 	return (result);

 }

@@ -8742,7 +8745,7 @@ dns_resolver_destroyfetch(dns_fetch_t **fetchp) {

 	UNLOCK(&res->buckets[bucketnum].lock);

-	isc_mem_put(res->mctx, fetch, sizeof(*fetch));

+	isc_mem_putanddetach(&fetch->mctx, fetch, sizeof(*fetch));

 	*fetchp = NULL;

 	if (bucket_empty)

-- 

1.9.0