From b9c9fc066f582f0dd5abbe86a27f2d3079b1c0f9 Mon Sep 17 00:00:00 2001
From: Ralph Dolmans <ralph@nlnetlabs.nl>
Date: Thu, 30 Jan 2020 14:46:39 +0100
Subject: [PATCH] - Fix RPZ locking issues on error conditions

---
 respip/respip.c | 2 +-
 services/rpz.c  | 6 ++++++
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/respip/respip.c b/respip/respip.c
index 5f4ddf2ae..7147a051c 100644
--- a/respip/respip.c
+++ b/respip/respip.c
@@ -957,6 +957,7 @@ respip_rewrite_reply(const struct query_info* qinfo,
 					region, &rpz_used)) {
 					log_err("out of memory");
 					lock_rw_unlock(&raddr->lock);
+					lock_rw_unlock(&az->rpz_lock);
 					return 0;
 				}
 				if(!rpz_used) {
@@ -1099,7 +1100,6 @@ respip_operate(struct module_qstate* qstate, enum module_ev event, int id,
 			if (actinfo.action == respip_always_deny ||
 				(new_rep == qstate->return_msg->rep &&
 				(actinfo.action == respip_deny ||
-				actinfo.action == respip_deny ||
 				actinfo.action == respip_inform_deny))) {
 				/* for deny-variant actions (unless response-ip
 				 * data is applied), mark the query state so
diff --git a/services/rpz.c b/services/rpz.c
index ca3f1bfe6..1047852ad 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -681,11 +681,17 @@ rpz_find_zone(struct rpz* r, uint8_t* qname, size_t qname_len, uint16_t qclass,
 	ce = dname_get_shared_topdomain(z->name, qname);
 	if(!ce /* should not happen */ || !*ce /* root */) {
 		lock_rw_unlock(&z->lock);
+		if(zones_keep_lock) {
+			lock_rw_unlock(&r->local_zones->lock);
+		}
 		return NULL;
 	}
 	ce_labs = dname_count_size_labels(ce, &ce_len);
 	if(ce_len+2 > sizeof(wc)) {
 		lock_rw_unlock(&z->lock);
+		if(zones_keep_lock) {
+			lock_rw_unlock(&r->local_zones->lock);
+		}
 		return NULL;
 	}
 	wc[0] = 1; /* length of wildcard label */
-- 
2.47.2