For SIG(0)-signed requests, view matching is offloaded and the request
is finished asynchronously from ns_client_request_continue(), which
passes client->inner.buffer to dns_dt_send(). That buffer aliases the
network manager's receive buffer, only valid during the read callback,
so it may already be freed and reused, producing garbage dnstap frames
(e.g. the "upforwd" sig0-over-DoT test fails with UQ=0).
Copy the request message when entering async mode and reference the
copy, freeing it in ns__client_reset_cb().
Assisted-by: Claude:claude-opus-4-8
Closes #6139
Merge branch '6139-dnstap-sig0-request-buffer-uaf' into 'main'
See merge request isc-projects/bind9!12189
projects / thirdparty / bind9.git / commitdiff
