Fix race condition in getsigningtime()
authorAlessio Podda <alessio@isc.org>
Thu, 16 Apr 2026 11:20:50 +0000 (13:20 +0200)
committerAlessio Podda <alessio@isc.org>
Mon, 27 Apr 2026 16:09:47 +0000 (18:09 +0200)
Store the result of qpzone_get_lock(elem->node) in a local variable while the
heap lock is still held, rather than dereferencing the stale elem
pointer after releasing the lock. A concurrent thread running
setsigningtime() (e.g. via IXFR apply on a worker thread) could free
the top-of-heap element between the heap lock release and the
dereference, causing a use-after-free.

lib/dns/qpzone.c

index 47c274889a6d7f16ca5bb8ad2ba21ce52e952708..dcfae499ff7bbbad71769256b28ab94752ca80f5 100644 (file)
@@ -2544,11 +2544,13 @@ again:
        LOCK(&qpdb->heap->lock);
        elem = isc_heap_element(qpdb->heap->heap, 1);
 
-       if (elem != NULL && qpzone_get_lock(elem->node) != nlock) {
+       isc_rwlock_t *new_nlock = (elem != NULL) ? qpzone_get_lock(elem->node)
+                                                : NULL;
+       if (new_nlock != NULL && new_nlock != nlock) {
                UNLOCK(&qpdb->heap->lock);
                NODE_UNLOCK(nlock, &nlocktype);
 
-               nlock = qpzone_get_lock(elem->node);
+               nlock = new_nlock;
                goto again;
        }