Take 'env' reference before async calling perform_reopen()
authorAram Sargsyan <aram@isc.org>
Tue, 17 Mar 2026 11:23:22 +0000 (11:23 +0000)
committerArаm Sаrgsyаn <aram@isc.org>
Wed, 18 Mar 2026 16:10:07 +0000 (16:10 +0000)
The 'env' pointer is passed to an async function without taking
a reference first, which can potentially cause a use-after-free
error. Take a reference, then detach in the async function.

lib/dns/dnstap.c

index 00f073d0a95e1bd969482a8ed7b01579773fe9bc..97b903d6058095435a9bf7ae292913b4dc183902 100644 (file)
@@ -682,6 +682,8 @@ perform_reopen(void *arg) {
        LOCK(&env->reopen_lock);
        env->reopen_queued = false;
        UNLOCK(&env->reopen_lock);
+
+       dns_dtenv_detach(&env);
 }
 
 /*%
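Review bot: The new `dns_dtenv_detach(&env);` sits only at the tail of perform_reopen(), so the reference taken before `isc_async_run()` in check_file_size_and_maybe_reopen() is released only when the callback runs to this point. The start of perform_reopen() is outside the hunk, so if it has any early return, that path would need its own detach or the env would leak. The ownership hand-off is also undocumented; a comment directly above the detach such as `/* Release the reference taken by check_file_size_and_maybe_reopen(). */` would keep the ref/detach pair discoverable. Because this detach may now drop the last reference, env teardown can happen inside the loop callback, so it is worth confirming that the destroy path is safe to run from env->loop.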
@@ -713,6 +715,7 @@ check_file_size_and_maybe_reopen(dns_dtenv_t *env) {
         * Send an event to roll the output file, then disallow output file
         * rolling until the roll we queue is completed.
         */
+       dns_dtenv_ref(env);
        isc_async_run(env->loop, perform_reopen, env);
        env->reopen_queued = true;