From: Remi Gacogne <remi.gacogne@powerdns.com>
Date: Mon, 28 Apr 2025 10:41:00 +0000 (+0200)
Subject: dnsdist: Fix a crash when processing timeouts for incoming DoH queries
X-Git-Tag: dnsdist-2.0.0-alpha2~47^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=954eb1921699147b16f8bcd08029e37da3e789b9;p=thirdparty%2Fpdns.git

dnsdist: Fix a crash when processing timeouts for incoming DoH queries

This commit fixes a double-free triggered by an exception being raised
while we are processing a timeout for an incoming DoH query. The exception
bypasses the call releasing the smart pointer, and thus the destructor
is called when we reach the end of the function since we own the smart
pointer, but unfortunately it has already been destroyed by the function
that raised the exception. The fix is to release the pointer first,
then call the function, so even if an exception is raised we no longer
own the pointer, and it's clear that the function has taken ownership of it.
---

diff --git a/pdns/dnsdistdist/dnsdist-doh-common.hh b/pdns/dnsdistdist/dnsdist-doh-common.hh
index 41849056be..d485e7a5d4 100644
--- a/pdns/dnsdistdist/dnsdist-doh-common.hh
+++ b/pdns/dnsdistdist/dnsdist-doh-common.hh
@@ -245,16 +245,16 @@ struct DOHUnitInterface
   static void handleTimeout(std::unique_ptr<DOHUnitInterface> unit)
   {
     if (unit) {
-      unit->handleTimeout();
-      unit.release();
+      auto* ptr = unit.release();
+      ptr->handleTimeout();
     }
   }
 
   static void handleUDPResponse(std::unique_ptr<DOHUnitInterface> unit, PacketBuffer&& response, InternalQueryState&& state, const std::shared_ptr<DownstreamState>& ds)
   {
     if (unit) {
-      unit->handleUDPResponse(std::move(response), std::move(state), ds);
-      unit.release();
+      auto* ptr = unit.release();
+      ptr->handleUDPResponse(std::move(response), std::move(state), ds);
     }
   }