From: Aram Sargsyan <aram@isc.org>
Date: Tue, 17 Mar 2026 11:23:22 +0000 (+0000)
Subject: Take 'env' reference before async calling perform_reopen()
X-Git-Tag: v9.21.21~28^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=48d7401f0db66cbe9f6fcdffb549488e28110ad8;p=thirdparty%2Fbind9.git

Take 'env' reference before async calling perform_reopen()

The 'env' pointer is passed to an async function without taking
a reference first, which can potentially cause a use-after-free
error. Take a reference, then detach in the async function.
---

diff --git a/lib/dns/dnstap.c b/lib/dns/dnstap.c
index 00f073d0a95..97b903d6058 100644
--- a/lib/dns/dnstap.c
+++ b/lib/dns/dnstap.c
@@ -682,6 +682,8 @@ perform_reopen(void *arg) {
 	LOCK(&env->reopen_lock);
 	env->reopen_queued = false;
 	UNLOCK(&env->reopen_lock);
+
+	dns_dtenv_detach(&env);
 }
 
 /*%
@@ -713,6 +715,7 @@ check_file_size_and_maybe_reopen(dns_dtenv_t *env) {
 	 * Send an event to roll the output file, then disallow output file
 	 * rolling until the roll we queue is completed.
 	 */
+	dns_dtenv_ref(env);
 	isc_async_run(env->loop, perform_reopen, env);
 	env->reopen_queued = true;