BUG/MAJOR: dns: tcp session can remain attached to a list after a free

Using tcp, after a session release and free, the session can remain
attached to the list of sessions with a response message waiting for
a commit (ds->waiter). This results to a use after free of this
session.

Also, on some error path and after free, a session could remain attached
to the lists of available idle/free sessions (ds->list).

This patch ensure to remove the session from those external lists
before a free.

This patch should be backported to all version including
the dns over tcp (2.4)

diff --git a/src/dns.c b/src/dns.c
index fa6f2b907363f324403fca3d577270bdf37dcbcb..433b554ad72e391d9843aafc23dff712d31ad7d0 100644 (file)
--- a/src/dns.c
+++ b/src/dns.c
@@ -758,6 +758,13 @@ void dns_session_free(struct dns_session *ds)
 
        dns_queries_flush(ds);
 
+       /* Ensure to remove this session from external lists
+        * Note: we are under the lock of dns_stream_server
+        * which own the heads of those lists.
+        */
+       LIST_DEL_INIT(&ds->waiter);
+       LIST_DEL_INIT(&ds->list);
+
        ds->dss->cur_conns--;
        /* Note: this is useless to update
         * max_active_conns here because