3687. [bug] Address null pointer dereference in zone_xfrdone.
authorMark Andrews <marka@isc.org>
Wed, 11 Dec 2013 23:38:35 +0000 (10:38 +1100)
committerMark Andrews <marka@isc.org>
Wed, 11 Dec 2013 23:38:35 +0000 (10:38 +1100)
                        [RT #35042]

CHANGES
lib/dns/zone.c

diff --git a/CHANGES b/CHANGES
index 00fbee83899e86d000bde7a0d75bd4fb862f059c..4047f383d96ff87e338aaa42c82a1d2538b90c88 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3687.  [bug]           Address null pointer dereference in zone_xfrdone.
+                       [RT #35042]
+
 3686.  [func]          "dnssec-signzone -Q" drops signatures from keys
                        that are still published but no longer active.
                        [RT #34990]
index f24aa33bad94efb30e3f836ce686ee45084bdeb6..f62079315609215b13bcdea222d9868bb1bb6a45 100644 (file)
@@ -11856,6 +11856,12 @@ zone_shutdown(isc_task_t *task, isc_event_t *event) {
                        linked = ISC_TRUE;
                        zone->statelist = NULL;
                }
+               if (zone->statelist == &zone->zmgr->xfrin_in_progress) {
+                       ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone,
+                                       statelink);
+                       zone->statelist = NULL;
+                       zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
+               }
                RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
        }
 
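Review bot: The new `xfrin_in_progress` branch in zone_shutdown clears `zone->statelist` but, unlike the `waiting_for_xfrin` branch just above it, never sets `linked = ISC_TRUE`. What `linked` controls lies outside this hunk, so the asymmetry may well be intended, but nothing on the new lines says so. If it is intended, a comment such as `/* 'linked' is deliberately left unset: it only tracks the waiting_for_xfrin entry */` would keep a later reader from "fixing" it; if it is not, the assignment is missing. zone_shutdown starts and ends outside the hunk.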
@@ -14330,13 +14336,16 @@ zone_xfrdone(dns_zone_t *zone, isc_result_t result) {
         * This transfer finishing freed up a transfer quota slot.
         * Let any other zones waiting for quota have it.
         */
-       UNLOCK_ZONE(zone);
-       RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
-       ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
-       zone->statelist = NULL;
-       zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
-       RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
-       LOCK_ZONE(zone);
+       if (zone->zmgr != NULL &&
+           zone->statelist == &zone->zmgr->xfrin_in_progress) {
+               UNLOCK_ZONE(zone);
+               RWLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+               ISC_LIST_UNLINK(zone->zmgr->xfrin_in_progress, zone, statelink);
+               zone->statelist = NULL;
+               zmgr_resume_xfrs(zone->zmgr, ISC_FALSE);
+               RWUNLOCK(&zone->zmgr->rwlock, isc_rwlocktype_write);
+               LOCK_ZONE(zone);
+       }
 
        /*
         * Retry with a different server if necessary.
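Review bot: The guard added in zone_xfrdone tests `zone->statelist` while only the zone lock is held, but the unlink runs after `UNLOCK_ZONE(zone)` and `RWLOCK(&zone->zmgr->rwlock, ...)`, so the tested state can be stale by the time it is used. The zone_shutdown hunk in this commit unlinks the same zone from `xfrin_in_progress` under that rwlock; if it can run in the window between the two lock operations, `ISC_LIST_UNLINK` here would act on an entry that is already off the list, and `zone->zmgr` is re-read after the zone lock is dropped. Repeating the test once the write lock is held, `if (zone->statelist == &zone->zmgr->xfrin_in_progress) {` around the unlink and the `zmgr_resume_xfrs` call, would close that window. Whether `zone->zmgr` itself can change there depends on code outside the hunk, as does the rest of zone_xfrdone.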