1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
|
From: Mark Andrews <marka@isc.org>
Date: Tue, 19 Mar 2019 14:14:21 +1100
Subject: move item_out test inside lock in dns_dispatch_getnext()
Origin: https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb80d4a609b86427406d9dd783199920b5b
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-6471
Bug-Debian: https://bugs.debian.org/930746
(cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712)
---
lib/dns/dispatch.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c
index d1e4c16..b5a8f74 100644
--- a/lib/dns/dispatch.c
+++ b/lib/dns/dispatch.c
@@ -134,7 +134,7 @@ struct dns_dispentry {
isc_task_t *task;
isc_taskaction_t action;
void *arg;
- bool item_out;
+ bool item_out;
dispsocket_t *dispsocket;
ISC_LIST(dns_dispatchevent_t) items;
ISC_LINK(dns_dispentry_t) link;
@@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
disp = resp->disp;
REQUIRE(VALID_DISPATCH(disp));
- REQUIRE(resp->item_out == true);
- resp->item_out = false;
-
ev = *sockevent;
*sockevent = NULL;
LOCK(&disp->lock);
+
+ REQUIRE(resp->item_out == true);
+ resp->item_out = false;
+
if (ev->buffer.base != NULL)
free_buffer(disp, ev->buffer.base, ev->buffer.length);
free_devent(disp, ev);
@@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
isc_task_send(disp->task[0], &disp->ctlevent);
}
+/*
+ * disp must be locked.
+ */
static void
do_cancel(dns_dispatch_t *disp) {
dns_dispatchevent_t *ev;
|
