From: Grigorii Demidov
Date: Thu, 16 Nov 2017 12:10:31 +0000 (+0100)
Subject: daemon/worker: bugfix, avoid access to deallocated task
X-Git-Tag: v2.0.0~43^2~19
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=eb644b2692970d808b8d46e56adfec5917aefcae;p=thirdparty%2Fknot-resolver.git
daemon/worker: bugfix, avoid access to deallocated task
---
diff --git a/daemon/worker.c b/daemon/worker.c
index a63644fd6..63c4ba8c3 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1807,24 +1807,25 @@ int worker_process_tcp(struct worker_ctx *worker, uv_stream_t *handle,
 while (session->waiting.len > 0) {
 struct qr_task *task = session->waiting.at[0];
 array_del(session->waiting, 0);
+ assert(task->refs > 1);
 qr_task_unref(task);
- session_del_tasks(session, task);
 if (session->outgoing) {
 qr_task_step(task, task->addrlist, NULL);
 } else {
 assert(task->ctx->source.session == session);
 task->ctx->source.session = NULL;
 }
+ session_del_tasks(session, task);
 }
 while (session->tasks.len > 0) {
 struct qr_task *task = session->tasks.at[0];
- session_del_tasks(session, task);
 if (session->outgoing) {
 qr_task_step(task, task->addrlist, NULL);
 } else {
 assert(task->ctx->source.session == session);
 task->ctx->source.session = NULL;
 }
+ session_del_tasks(session, task);
 }
 session_close(session);
 return kr_error(ECONNRESET);
@@ -1973,6 +1974,7 @@ int worker_process_tcp(struct worker_ctx *worker, uv_stream_t *handle,
 /* Message is too long, can't process it. */
 ssize_t to_read = MIN(len, task->bytes_remaining);
 if (pkt_buf->size + to_read > pkt_buf->max_size) {
+ // TODO reallocate pkt_buf
 pkt_buf->size = 0;
 session->bytes_to_skip = task->bytes_remaining - to_read;
 task->bytes_remaining = 0;
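Review bot: In the first loop the new `assert(task->refs > 1);` is the only thing that keeps `qr_task_unref(task)` from freeing the task before the `qr_task_step()` call and the `task->ctx->source.session` accesses below it, and assert() disappears in NDEBUG builds. This path runs while tearing down a TCP session (it ends in `kr_error(ECONNRESET)`), so a violated invariant would presumably become a use-after-free tied to connection state rather than a clean abort. Releasing the waiting-list reference last removes the dependence on the assert: move `qr_task_unref(task);` to after `session_del_tasks(session, task);` at the end of the loop body, assuming session_del_tasks() drops only the session's own reference (its definition is outside the hunk). worker_process_tcp() also starts and ends outside the hunk.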
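Review bot: The added `// TODO reallocate pkt_buf` does not say what the code does today or what limit a reallocation must respect, and it uses `//` where the neighbouring comment uses `/* */`. As written the branch discards the partial message and skips the rest, and `task->bytes_remaining` looks like it comes from the peer's length prefix (inferred; it is set outside the hunk), so any future growth of pkt_buf needs an explicit upper bound. Suggested wording: `/* TODO: grow pkt_buf (up to a fixed cap) instead of dropping the oversized message. */`. The enclosing function continues outside the hunk.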