Fix NULL Pointer Dereference in QP-trie Cache add()
authorOndřej Surý <ondrej@isc.org>
Sat, 7 Feb 2026 04:19:48 +0000 (05:19 +0100)
committerOndřej Surý <ondrej@isc.org>
Sat, 7 Feb 2026 10:50:14 +0000 (11:50 +0100)
When RRSIG(rdtype) was independently cached before the RDATA for the
rdtype itself, named would crash on the subsequent query for the RDATA
itself.  This has been fixed.

ISC would like to thank Vitaly Simonovich for bringing this
vulnerability to our attention.

lib/dns/qpcache.c

index 94a7c8aed5ffddcdfaab7e77dd857f1f20a5b86c..dd16406659832ac17f3178c9d30d74af21406521 100644 (file)
@@ -2964,8 +2964,8 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader,
        if (EXISTS(newheader) && NEGATIVE(newheader) &&
            !dns_rdatatype_issig(rdtype) && related != NULL)
        {
-               dns_slabheader_t *oldsigheader = first_header(oldtop->related);
-               mark_ancient(oldsigheader);
+               dns_slabheader_t *relatedheader = first_header(related);
+               mark_ancient(relatedheader);
        }
 
        bindrdataset(qpdb, qpnode, newheader, now, nlocktype, tlocktype,
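Review bot: The result of `first_header(related)` is passed to `mark_ancient()` unchecked, and neither function's definition is visible in this hunk, so it is worth confirming that a non-NULL `related` always holds at least one header; if it can be empty, guard the call with `if (relatedheader != NULL) mark_ancient(relatedheader);`. The fix depends on dereferencing the same pointer the condition tests (`related`) rather than `oldtop`, which a later refactor could easily undo, so I would add a comment above the declaration such as `/* Use the NULL-checked 'related'; oldtop may be absent when only the RRSIG was cached. */` (the second half comes from the commit description, not from visible code). A regression test covering the caching order named in the commit description would pin the behaviour down; none is visible on this page. The body of add() starts and ends outside the hunk.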