From: Alessio Podda Date: Thu, 16 Apr 2026 11:20:50 +0000 (+0200) Subject: Fix race condition in getsigningtime() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0fe1d091f7c2124268796b9ae3e0a9ab3199bf04;p=thirdparty%2Fbind9.git Fix race condition in getsigningtime() Compute qpzone_get_lock(elem->node) into a local variable while the heap lock is still held, rather than dereferencing the stale elem pointer after releasing the lock. A concurrent thread running setsigningtime() (e.g. via IXFR apply on a worker thread) could free the top-of-heap element between the heap lock release and the dereference, causing a use-after-free. --- diff --git a/lib/dns/qpzone.c b/lib/dns/qpzone.c index 47c274889a6..dcfae499ff7 100644 --- a/lib/dns/qpzone.c +++ b/lib/dns/qpzone.c @@ -2544,11 +2544,13 @@ again: LOCK(&qpdb->heap->lock); elem = isc_heap_element(qpdb->heap->heap, 1); - if (elem != NULL && qpzone_get_lock(elem->node) != nlock) { + isc_rwlock_t *new_nlock = (elem != NULL) ? qpzone_get_lock(elem->node) + : NULL; + if (new_nlock != NULL && new_nlock != nlock) { UNLOCK(&qpdb->heap->lock); NODE_UNLOCK(nlock, &nlocktype); - nlock = qpzone_get_lock(elem->node); + nlock = new_nlock; goto again; }
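Review bot: The hunk fixes the use-after-free, but the code itself does not say why `qpzone_get_lock(elem->node)` must be evaluated before `UNLOCK(&qpdb->heap->lock)`; the reasoning lives only in the commit message, and a future refactor could move the call back below the unlock without noticing. Suggest a short comment on the new line, e.g. `/* elem may be freed as soon as the heap lock is dropped; read its lock now. */`. Also note that `if (new_nlock != NULL && new_nlock != nlock)` is only equivalent to the old `elem != NULL && ...` test if `qpzone_get_lock()` never returns NULL for a non-NULL node; if that is guaranteed, a one-line comment saying the NULL check stands in for `elem != NULL` would make the intent explicit, and if it is not, the old `elem != NULL` test should be kept alongside the new variable.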