From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Thu, 17 Feb 2022 10:22:44 +0000 (+0100)
Subject: dnsdist: Fix a use-after-free in case of a network error in the middle of a XFR query
X-Git-Tag: rec-4.7.0-alpha1~6^2~1
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=76a72b6b57397d15a217eae0d9936e704b3f4cf2;p=thirdparty%2Fpdns.git

dnsdist: Fix a use-after-free in case of a network error in the middle of a XFR query
---

diff --git a/pdns/dnsdistdist/dnsdist-tcp-downstream.cc b/pdns/dnsdistdist/dnsdist-tcp-downstream.cc
index 9c636d227c..e9879687d6 100644
--- a/pdns/dnsdistdist/dnsdist-tcp-downstream.cc
+++ b/pdns/dnsdistdist/dnsdist-tcp-downstream.cc
@@ -355,7 +355,10 @@ void TCPConnectionToBackend::handleIO(std::shared_ptr<TCPConnectionToBackend>& c
               conn->d_currentQuery = std::move(query);
             }
 
-            for (auto& pending : conn->d_pendingResponses) {
+            /* if we notify the sender it might terminate us so we need to move these first */
+            auto pendingResponses = std::move(conn->d_pendingResponses);
+            conn->d_pendingResponses.clear();
+            for (auto& pending : pendingResponses) {
               --conn->d_ds->outstanding;
 
               if (pending.second.d_query.isXFR() && pending.second.d_query.d_xfrStarted) {
@@ -375,7 +378,6 @@ void TCPConnectionToBackend::handleIO(std::shared_ptr<TCPConnectionToBackend>& c
                 conn->d_pendingQueries.push_back(std::move(pending.second));
               }
             }
-            conn->d_pendingResponses.clear();
             conn->d_currentPos = 0;
 
             if (conn->d_state == State::sendingQueryToBackend) {