From: Ondřej Surý Date: Sat, 7 Feb 2026 04:19:48 +0000 (+0100) Subject: Fix NULL Pointer Dereference in QP-trie Cache add() X-Git-Tag: v9.21.19~32^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=53b2bddd65aba4ac2e06f9102bea5498dbd35c87;p=thirdparty%2Fbind9.git Fix NULL Pointer Dereference in QP-trie Cache add() When RRSIG(rdtype) was independently cached before the RDATA for the rdtype itself, named would crash on the subsequent query for the RDATA itself. This has been fixed. ISC would like to thank Vitaly Simonovich for bringing this vulnerability to our attention. --- diff --git a/lib/dns/qpcache.c b/lib/dns/qpcache.c index 94a7c8aed5f..dd164066598 100644 --- a/lib/dns/qpcache.c +++ b/lib/dns/qpcache.c @@ -2964,8 +2964,8 @@ add(qpcache_t *qpdb, qpcnode_t *qpnode, dns_slabheader_t *newheader, if (EXISTS(newheader) && NEGATIVE(newheader) && !dns_rdatatype_issig(rdtype) && related != NULL) { - dns_slabheader_t *oldsigheader = first_header(oldtop->related); - mark_ancient(oldsigheader); + dns_slabheader_t *relatedheader = first_header(related); + mark_ancient(relatedheader); } bindrdataset(qpdb, qpnode, newheader, now, nlocktype, tlocktype,
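Review bot: in the add() hunk, the two replacement lines depend on the `related != NULL` test in the enclosing `if`, but nothing records why `related` must be used here rather than `oldtop->related`, and the condition shown never tests `oldtop`. A one-line comment above `first_header(related)` would keep a later refactor from reintroducing the `oldtop` dereference, for example one saying that `oldtop` may not exist when only the RRSIG was cached, which is the case the commit message describes. The return value of `first_header(related)` is also passed straight to `mark_ancient(relatedheader)`. The hunk does not show whether `first_header()` can return NULL for a top with no headers; if it can, that call needs its own check. Finally, the diff as shown touches only lib/dns/qpcache.c, so a regression test that caches RRSIG(rdtype) first and then queries the rdtype itself, the order given in the commit message, would be worth adding alongside this change.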