From 954eb1921699147b16f8bcd08029e37da3e789b9 Mon Sep 17 00:00:00 2001 From: Remi Gacogne Date: Mon, 28 Apr 2025 12:41:00 +0200 Subject: [PATCH] dnsdist: Fix a crash when processing timeouts for incoming DoH queries This commit fixes a double-free triggered by an exception being raised while we are processing a timeout for an incoming DoH query. The exception bypasses the call releasing the smart pointer, and thus the destructor is called when we reach the end of the function since we own the smart pointer, but unfortunately it has already been destroyed by the function that raised the exception. The fix is to release the pointer first, then call the function, so even if an exception is raised we no longer own the pointer, and it's clear that the function has taken ownership of it. --- pdns/dnsdistdist/dnsdist-doh-common.hh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/pdns/dnsdistdist/dnsdist-doh-common.hh b/pdns/dnsdistdist/dnsdist-doh-common.hh index 41849056be..d485e7a5d4 100644 --- a/pdns/dnsdistdist/dnsdist-doh-common.hh +++ b/pdns/dnsdistdist/dnsdist-doh-common.hh @@ -245,16 +245,16 @@ struct DOHUnitInterface static void handleTimeout(std::unique_ptr unit) { if (unit) { - unit->handleTimeout(); - unit.release(); + auto* ptr = unit.release(); + ptr->handleTimeout(); } } static void handleUDPResponse(std::unique_ptr unit, PacketBuffer&& response, InternalQueryState&& state, const std::shared_ptr& ds) { if (unit) { - unit->handleUDPResponse(std::move(response), std::move(state), ds); - unit.release(); + auto* ptr = unit.release(); + ptr->handleUDPResponse(std::move(response), std::move(state), ds); } } -- 2.47.2