From: Aram Sargsyan <aram@isc.org>
Date: Thu, 13 Apr 2023 14:42:29 +0000 (+0000)
Subject: Fix a use-after-free bug in dns_xfrin_create()
X-Git-Tag: v9.19.13~35^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d8a207bd00bee66bb8e6cec56048f3b501267e0d;p=thirdparty%2Fbind9.git

Fix a use-after-free bug in dns_xfrin_create()

'xfr' is used after detaching the only reference, which would
have destroyed the object.

Call dns_xfrin_detach() only after the final use of 'xfr'.
---

diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 99190cc385e..063423b665f 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -723,6 +723,7 @@ dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 	if (result != ISC_R_SUCCESS) {
 		atomic_store(&xfr->shuttingdown, true);
 		xfr->shutdown_result = result;
+		xfrin_log(xfr, ISC_LOG_ERROR, "zone transfer setup failed");
 		dns_xfrin_detach(xfrp);
 	}
 
@@ -730,10 +731,6 @@ dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
 		dns_db_detach(&db);
 	}
 
-	if (result != ISC_R_SUCCESS) {
-		xfrin_log(xfr, ISC_LOG_ERROR, "zone transfer setup failed");
-	}
-
 	return (result);
 }