From 7dc6e021f4701db3fcf777f4b3320b8f83383581 Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Wed, 7 Apr 2021 12:08:59 +0200
Subject: [PATCH] dnsdist: Prevent a race when reloading TLS certificates
---
 pdns/dnsdistdist/doh.cc | 4 ++--
 pdns/tcpiohandler.cc | 12 ++++++++----
 pdns/tcpiohandler.hh | 6 +++---
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/pdns/dnsdistdist/doh.cc b/pdns/dnsdistdist/doh.cc
index 08bf9376fa..eba0a9082c 100644
--- a/pdns/dnsdistdist/doh.cc
+++ b/pdns/dnsdistdist/doh.cc
@@ -1195,7 +1195,7 @@ static void on_accept(h2o_socket_t *listener, const char *err)
 gettimeofday(&conn.d_connectionStartTime, nullptr);
 conn.d_nbQueries = 0;
- conn.d_acceptCtx = dsc->accept_ctx;
+ conn.d_acceptCtx = std::atomic_load_explicit(&dsc->accept_ctx, std::memory_order_acquire);
 conn.d_desc = descriptor;
 sock->on_close.cb = on_socketclose;
@@ -1350,7 +1350,7 @@ void DOHFrontend::reloadCertificates()
 {
 auto newAcceptContext = std::make_shared();
 setupAcceptContext(*newAcceptContext, *d_dsc, true);
- d_dsc->accept_ctx = newAcceptContext;
+ std::atomic_store_explicit(&d_dsc->accept_ctx, newAcceptContext, std::memory_order_release);
 }
 void DOHFrontend::setup()
diff --git a/pdns/tcpiohandler.cc b/pdns/tcpiohandler.cc
index 7a2989c316..2449e482cf 100644
--- a/pdns/tcpiohandler.cc
+++ b/pdns/tcpiohandler.cc
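Review bot: The acquire load added in on_accept only closes the race if every other access to `accept_ctx` also goes through the `std::atomic_*` free functions; a plain read or assignment left elsewhere in doh.cc would still be a data race against the release store in DOHFrontend::reloadCertificates() (second hunk of this file). The member's declaration is outside both hunks, so I would state the rule there as a comment, for example `// replaced by reloadCertificates() while connections are being accepted: access only via std::atomic_load_explicit / std::atomic_store_explicit`. These `shared_ptr` overloads are deprecated since C++20; if the project's language level allows it, `std::atomic<std::shared_ptr<...>>` would let the compiler enforce the rule instead of a comment. on_accept's body starts and ends outside the hunk.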
@@ -1220,29 +1220,33 @@ private:
 bool TLSFrontend::setupTLS()
 {
 #ifdef HAVE_DNS_OVER_TLS
+ std::shared_ptr newCtx{nullptr};
 /* get the "best" available provider */
 if (!d_provider.empty()) {
 #ifdef HAVE_GNUTLS
 if (d_provider == "gnutls") {
- d_ctx = std::make_shared(*this);
+ newCtx = std::make_shared(*this);
+ std::atomic_store_explicit(&d_ctx, newCtx, std::memory_order_release);
 return true;
 }
 #endif /* HAVE_GNUTLS */
 #ifdef HAVE_LIBSSL
 if (d_provider == "openssl") {
- d_ctx = std::make_shared(*this);
+ newCtx = std::make_shared(*this);
+ std::atomic_store_explicit(&d_ctx, newCtx, std::memory_order_release);
 return true;
 }
 #endif /* HAVE_LIBSSL */
 }
 #ifdef HAVE_LIBSSL
- d_ctx = std::make_shared(*this);
+ newCtx = std::make_shared(*this);
 #else /* HAVE_LIBSSL */
 #ifdef HAVE_GNUTLS
- d_ctx = std::make_shared(*this);
+ newCtx = std::make_shared(*this);
 #endif /* HAVE_GNUTLS */
 #endif /* HAVE_LIBSSL */
+ std::atomic_store_explicit(&d_ctx, newCtx, std::memory_order_release);
 #endif /* HAVE_DNS_OVER_TLS */
 return true;
 }
diff --git a/pdns/tcpiohandler.hh b/pdns/tcpiohandler.hh
index d15daa8caf..cfb7056bb1 100644
--- a/pdns/tcpiohandler.hh
+++ b/pdns/tcpiohandler.hh
@@ -101,8 +101,8 @@ public:
 protected:
 std::atomic_flag d_rotatingTicketsKey;
+ std::atomic d_ticketsKeyNextRotation{0};
 time_t d_ticketsKeyRotationDelay{0};
- time_t d_ticketsKeyNextRotation{0};
 };
 class TLSFrontend
@@ -132,9 +132,9 @@ public:
 }
 }
- std::shared_ptr& getContext()
+ std::shared_ptr getContext()
 {
- return d_ctx;
+ return std::atomic_load_explicit(&d_ctx, std::memory_order_acquire);
 }
 void cleanup()
--
2.47.2
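Review bot: The release store into `d_ctx` is now written three times in setupTLS(), once in each provider branch before its `return true` and once at the end, so a future branch can easily publish with a plain assignment or skip the store. I would let the two provider branches only assign `newCtx`, wrap the fallback `#ifdef` section in `if (!newCtx) { ... }`, and keep one publish point at the end: `std::atomic_store_explicit(&d_ctx, std::move(newCtx), std::memory_order_release);`. A short comment on `newCtx`, such as `// build the context completely before publishing it, readers load d_ctx concurrently`, would record why the temporary exists.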
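Review bot: The newly atomic `d_ticketsKeyNextRotation` has no comment saying which threads touch it, while its neighbour `d_ticketsKeyRotationDelay` stays a plain `time_t`, so a reader cannot tell whether the delay is also accessed concurrently or is fixed before the worker threads start. I would add `// read on the connection path, updated on key rotation, hence atomic` above the new member and `// set once at construction, not modified afterwards` above the delay, after confirming both against the class's methods, which are outside the hunk. Moving the member above the delay also changes the initialization order, so any constructor initializer list that names both should be checked for a -Wreorder warning.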
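Review bot: getContext() now loads `d_ctx` atomically, but that only helps if the other TLSFrontend members stop touching `d_ctx` directly; the method that ends just above this hunk and cleanup() just below it have their bodies outside the hunk and may still read or reset the pointer with plain accesses, which would race with the store in setupTLS(). Inside the class I would go through the accessor, `auto ctx = getContext(); if (ctx) { ... }`, and have cleanup() clear the pointer with `std::atomic_store_explicit(&d_ctx, decltype(d_ctx){}, std::memory_order_release);`. A one-line comment on getContext(), `// returns a copy so the caller keeps the context alive across a concurrent reload`, would explain why the reference return was dropped.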