From: Vladimír Čunát <vladimir.cunat@nic.cz>
Date: Fri, 15 Nov 2019 12:22:11 +0000 (+0100)
Subject: daemon/udp_queue: add a ref-unref pair
X-Git-Tag: v4.3.0~11^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b98f0c095d921d0aae5263745db92b46b3b5788c;p=thirdparty%2Fknot-resolver.git

daemon/udp_queue: add a ref-unref pair

I must admit I don't really understand why we had a rare case
of use-after-free in the sendmmsg call, but this change should avoid
that without affecting anything else.
---

diff --git a/daemon/udp_queue.c b/daemon/udp_queue.c
index 586f64d97..df8acc975 100644
--- a/daemon/udp_queue.c
+++ b/daemon/udp_queue.c
@@ -103,6 +103,7 @@ static void udp_queue_send(int fd)
 	}
 	for (int i = 0; i < q->len; ++i) {
 		qr_task_on_send(q->items[i].task, NULL, i < sent_len ? 0 : err);
+		worker_task_unref(q->items[i].task);
 	}
 	q->len = 0;
 }
@@ -129,6 +130,7 @@ void udp_queue_push(int fd, struct kr_request *req, struct qr_task *task)
 		kr_log_error("ERROR: called udp_queue_push(fd = %d, ...)\n", fd);
 		abort();
 	}
+	worker_task_ref(task);
 	/* Get a valid correct queue. */
 	if (fd >= state.udp_queues_len) {
 		const int new_len = fd + 1;