From: Evan Hunt <each@isc.org>
Date: Mon, 4 May 2026 07:05:27 +0000 (-0700)
Subject: Hold a reference to the NTA table for the lifetime of each NTA
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=26c895cc9281d5cc36447d4a2c5464ad31137f76;p=thirdparty%2Fbind9.git

Hold a reference to the NTA table for the lifetime of each NTA

Each dns__nta_t now references its parent ntatable in nta_create() and
releases it in dns__nta_destroy().  This avoids a use-after-free in
fetch_done() and other callbacks that dereference nta->ntatable: the
ntatable could otherwise be released by view destruction while an
in-flight resolver fetch still holds a reference to the NTA.
---

diff --git a/lib/dns/nta.c b/lib/dns/nta.c
index b56325acd51..970528173b8 100644
--- a/lib/dns/nta.c
+++ b/lib/dns/nta.c
@@ -89,6 +89,7 @@ dns__nta_destroy(dns__nta_t *nta) {
 	REQUIRE(nta->timer == NULL);
 
 	nta->magic = 0;
+	dns_ntatable_detach(&nta->ntatable);
 	dns_rdataset_cleanup(&nta->rdataset);
 	dns_rdataset_cleanup(&nta->sigrdataset);
 	if (nta->fetch != NULL) {
@@ -265,7 +266,7 @@ nta_create(dns_ntatable_t *ntatable, const dns_name_t *name,
 
 	nta = isc_mem_get(ntatable->mctx, sizeof(dns__nta_t));
 	*nta = (dns__nta_t){
-		.ntatable = ntatable,
+		.ntatable = dns_ntatable_ref(ntatable),
 		.name = DNS_NAME_INITEMPTY,
 		.magic = NTA_MAGIC,
 	};