- Fix #3817: core dump happens in libunbound delete, when queued

  servfail hits deleted message queue.

git-svn-id: file:///svn/unbound/trunk@4587 be551aaa-1e26-0410-a405-d3ace91eadb9

diff --git a/doc/Changelog b/doc/Changelog
index 0d0123f93f6e4c2df01515dd44144f683831d132..6432a3471373b11fdcbc0a3365753f14a72808ca 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -5,6 +5,8 @@
          And unbound should be built with both --enable-cachedb and
          --with-libhiredis[=PATH] (where $PATH/include/hiredis/hiredis.h
          should exist).  Patch from Jinmei Tatuya (Infoblox).
+       - Fix #3817: core dump happens in libunbound delete, when queued
+         servfail hits deleted message queue.
 
 13 March 2018: Wouter
        - Fix typo in documentation.

diff --git a/libunbound/libworker.c b/libunbound/libworker.c
index 2c7b2cf072acf80065a6150279b8fe039c434251..155f987de25095692667cd15f8dba99afadc015d 100644 (file)
--- a/libunbound/libworker.c
+++ b/libunbound/libworker.c
@@ -365,6 +365,7 @@ libworker_dobg(void* arg)
 
        /* cleanup */
        m = UB_LIBCMD_QUIT;
+       w->want_quit = 1;
        tube_remove_bg_listen(w->ctx->qq_pipe);
        tube_remove_bg_write(w->ctx->rr_pipe);
        libworker_delete(w);
@@ -713,6 +714,10 @@ add_bg_result(struct libworker* w, struct ctx_query* q, sldns_buffer* pkt,
        uint8_t* msg = NULL;
        uint32_t len = 0;
 
+       if(w->want_quit) {
+               context_query_delete(q);
+               return;
+       }
        /* serialize and delete unneeded q */
        if(w->is_bg_thread) {
                lock_basic_lock(&w->ctx->cfglock);

diff --git a/libunbound/libworker.h b/libunbound/libworker.h
index b546e89f2ca56e5aea97f83c5830da2da564850d..42aa5bae3567868a5c0e263d1050d6e0257bcc12 100644 (file)
--- a/libunbound/libworker.h
+++ b/libunbound/libworker.h
@@ -75,6 +75,8 @@ struct libworker {
        int is_bg;
        /** is this a bg worker that is threaded (not forked)? */
        int is_bg_thread;
+       /** want to quit, stop handling new content */
+       int want_quit;
 
        /** copy of the module environment with worker local entries. */
        struct module_env* env;

diff --git a/util/tube.c b/util/tube.c
index f42d22cb3f200baa7f31b939e677f5d69cbe74af..dc6e3c2e7f7821c8d5ef33e5798809c88e435dd5 100644 (file)
--- a/util/tube.c
+++ b/util/tube.c
@@ -454,8 +454,9 @@ int tube_setup_bg_write(struct tube* tube, struct comm_base* base)
 
 int tube_queue_item(struct tube* tube, uint8_t* msg, size_t len)
 {
-       struct tube_res_list* item = 
-               (struct tube_res_list*)malloc(sizeof(*item));
+       struct tube_res_list* item;
+       if(!tube || !tube->res_com) return 0;
+       item = (struct tube_res_list*)malloc(sizeof(*item));
        if(!item) {
                free(msg);
                log_err("out of memory for async answer");
@@ -687,8 +688,9 @@ int tube_setup_bg_write(struct tube* ATTR_UNUSED(tube),
 
 int tube_queue_item(struct tube* tube, uint8_t* msg, size_t len)
 {
-       struct tube_res_list* item = 
-               (struct tube_res_list*)malloc(sizeof(*item));
+       struct tube_res_list* item;
+       if(!tube) return 0;
+       item = (struct tube_res_list*)malloc(sizeof(*item));
        verbose(VERB_ALGO, "tube queue_item len %d", (int)len);
        if(!item) {
                free(msg);