From d20dc21eeca1d5e936f7a8bfd3d865a032499c65 Mon Sep 17 00:00:00 2001 From: Emeric Brun Date: Tue, 19 Oct 2021 15:40:10 +0200 Subject: [PATCH] BUG/MAJOR: dns: tcp session can remain attached to a list after a free Using tcp, after a session release and free, the session can remain attached to the list of sessions with a response message waiting for a commit (ds->waiter). This results to a use after free of this session. Also, on some error path and after free, a session could remain attached to the lists of available idle/free sessions (ds->list). This patch ensure to remove the session from those external lists before a free. This patch should be backported to all version including the dns over tcp (2.4) --- src/dns.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/dns.c b/src/dns.c index fa6f2b9073..433b554ad7 100644 --- a/src/dns.c +++ b/src/dns.c @@ -758,6 +758,13 @@ void dns_session_free(struct dns_session *ds) dns_queries_flush(ds); + /* Ensure to remove this session from external lists + * Note: we are under the lock of dns_stream_server + * which own the heads of those lists. + */ + LIST_DEL_INIT(&ds->waiter); + LIST_DEL_INIT(&ds->list); + ds->dss->cur_conns--; /* Note: this is useless to update * max_active_conns here because -- 2.47.3
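Review bot: the two new LIST_DEL_INIT calls in dns_session_free rely on a locking precondition that is only stated in the block comment ("we are under the lock of dns_stream_server which own the heads of those lists") but not on the function itself; since the commit message says the bug was hit on error paths after a free, please record that precondition in the function's header comment (and, if the code base has a lock-held assertion helper, assert it at the top of dns_session_free) so future callers on new error paths cannot free a session without the lock. Using LIST_DEL_INIT rather than a plain delete is the right choice here because it is safe to call on an element that is already detached, which is exactly the case for a session that was never queued on ds->waiter or ds->list, provided both members are initialized at allocation time; worth confirming that in the allocation path. Minor: the comment reads better as "Make sure to remove this session from the external lists. Note: we are under the dns_stream_server lock, which owns the heads of those lists."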