From: Remi Gacogne Date: Mon, 3 May 2021 08:22:08 +0000 (+0200) Subject: dnsdist: Fix missing locks in DNSCrypt certificates management X-Git-Tag: dnsdist-1.6.0-rc2^2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fpull%2F10346%2Fhead;p=thirdparty%2Fpdns.git dnsdist: Fix missing locks in DNSCrypt certificates management In theory these functions should already be protected by the Lua lock but better safe than sorry. Found while working on the migration to LockGuarded.
---
diff --git a/pdns/dnscrypt.cc b/pdns/dnscrypt.cc
index 4a0abe5656..d728a5c32e 100644
--- a/pdns/dnscrypt.cc
+++ b/pdns/dnscrypt.cc
@@ -327,14 +327,22 @@ void DNSCryptContext::loadNewCertificate(const std::string& certFile, const std:
 auto newPair = DNSCryptContext::loadCertificatePair(certFile, keyFile);
 newPair->active = active;
 addNewCertificate(newPair, reload);
- d_certKeyPaths.push_back({certFile, keyFile});
+ {
+ WriteLock w(&d_lock);
+ d_certKeyPaths.push_back({certFile, keyFile});
+ }
 }
 void DNSCryptContext::reloadCertificates()
 {
 std::vector> newCerts;
- for (const auto& pair : d_certKeyPaths) {
- newCerts.push_back(DNSCryptContext::loadCertificatePair(pair.cert, pair.key));
+
+ {
+ ReadLock rl(&d_lock);
+ newCerts.reserve(d_certKeyPaths.size());
+ for (const auto& pair : d_certKeyPaths) {
+ newCerts.push_back(DNSCryptContext::loadCertificatePair(pair.cert, pair.key));
+ }
 }
 {
@@ -343,6 +351,16 @@ void DNSCryptContext::reloadCertificates()
 }
 }
+std::vector> DNSCryptContext::getCertificates() {
+ std::vector> ret;
+ {
+ ReadLock w(&d_lock);
+ ret = d_certs;
+ }
+
+ return ret;
+};
+
 void DNSCryptContext::markActive(uint32_t serial)
 {
 WriteLock w(&d_lock);
diff --git a/pdns/dnscrypt.hh b/pdns/dnscrypt.hh
index 8139e281e5..0dec4c2883 100644
--- a/pdns/dnscrypt.hh
+++ b/pdns/dnscrypt.hh
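Review bot: In pdns/dnscrypt.cc, reloadCertificates() now holds the read lock on d_lock across every loadCertificatePair() call, which presumably reads and parses the certificate and key files, so any thread waiting for the write lock (markActive(), for instance) waits for all of that I/O. Copying d_certKeyPaths under the lock and loading outside it keeps the critical section to a vector copy, as sketched below. In loadNewCertificate() the `addNewCertificate(newPair, reload);` call stays outside the new `WriteLock` scope, so the certificate list and the path list are updated in two separate steps; if the Lua lock is what keeps a reload from running between them, a comment saying so would record the assumption. loadNewCertificate() starts before the hunk and reloadCertificates() ends after it.

```cpp
void DNSCryptContext::reloadCertificates()
{
  // … unchanged: newCerts declaration …

  decltype(d_certKeyPaths) paths;
  {
    // hold d_lock only for the copy, not for the file loads
    ReadLock rl(&d_lock);
    paths = d_certKeyPaths;
  }

  newCerts.reserve(paths.size());
  for (const auto& pair : paths) {
    newCerts.push_back(DNSCryptContext::loadCertificatePair(pair.cert, pair.key));
  }
  // … unchanged: write-locked block that follows …
```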
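Review bot: In the new DNSCryptContext::getCertificates() in pdns/dnscrypt.cc the guard is declared as `ReadLock w(&d_lock);`, reusing the name `w` that the neighbouring functions give to their WriteLock objects; `ReadLock rl(&d_lock);`, as already written in reloadCertificates(), avoids reading it as a write section. The definition also ends in `};`, where the semicolon after the closing brace is an empty declaration and can be dropped. The opening brace sits on the signature line here, while reloadCertificates() and markActive() appear to put it on its own line.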
@@ -278,7 +278,7 @@ public:
 void markActive(uint32_t serial);
 void markInactive(uint32_t serial);
 void removeInactiveCertificate(uint32_t serial);
- std::vector> getCertificates() { return d_certs; };
+ std::vector> getCertificates();
 const DNSName& getProviderName() const { return providerName; }
 int encryptQuery(PacketBuffer& query, size_t maximumSize, const unsigned char clientPublicKey[DNSCRYPT_PUBLIC_KEY_SIZE], const DNSCryptPrivateKey& clientPrivateKey, const unsigned char clientNonce[DNSCRYPT_NONCE_SIZE / 2], bool tcp, const std::shared_ptr& cert) const;
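Review bot: The declaration `getCertificates();` in pdns/dnscrypt.hh no longer shows that the call takes d_lock and hands back a copy, so a short comment above it would help, for example `// returns a copy of the certificate list, taken under the read lock`. The elements look like shared pointers (encryptQuery() takes a `const std::shared_ptr&`), so the copy protects the container but not the pair objects: a field such as `active`, which markActive() presumably changes under the write lock, is still read by callers without it. The class body starts and ends outside the hunk.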