Hold a reference to the NTA table for the lifetime of each NTA

Each dns__nta_t now references its parent ntatable in nta_create() and
releases it in dns__nta_destroy().  This avoids a use-after-free in
fetch_done() and other callbacks that dereference nta->ntatable: the
ntatable could otherwise be released by view destruction while an
in-flight resolver fetch still holds a reference to the NTA.

diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index b56325acd51b466ce0be1f53be8d65849e0bce96..970528173b87d8d154f1989e409701c607e7a39b 100644 (file)
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -89,6 +89,7 @@ dns__nta_destroy(dns__nta_t *nta) {
        REQUIRE(nta->timer == NULL);
 
        nta->magic = 0;
+       dns_ntatable_detach(&nta->ntatable);
        dns_rdataset_cleanup(&nta->rdataset);
        dns_rdataset_cleanup(&nta->sigrdataset);
        if (nta->fetch != NULL) {
@@ -265,7 +266,7 @@ nta_create(dns_ntatable_t *ntatable, const dns_name_t *name,
 
        nta = isc_mem_get(ntatable->mctx, sizeof(dns__nta_t));
        *nta = (dns__nta_t){
-               .ntatable = ntatable,
+               .ntatable = dns_ntatable_ref(ntatable),
                .name = DNS_NAME_INITEMPTY,
                .magic = NTA_MAGIC,
        };