Fix crash caused by race condition in timer creation
authorZhaolong Zhang <zhangzl2013@126.com>
Mon, 17 Sep 2018 02:57:08 +0000 (19:57 -0700)
committerMichał Kępień <michal@isc.org>
Thu, 27 Sep 2018 13:17:52 +0000 (15:17 +0200)
The race condition is that the timer can elapse before isc__timer_create()
returns the pointer to the caller.  Assigning the return pointer before
enabling the timer fixes it.

lib/isc/timer.c

index 65b72b882be3fb3f74c20f23413930bb8ff798f1..628b9221e2f6198a72bc2d1e54a916505f908fec 100644 (file)
@@ -398,8 +398,10 @@ isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
                result = schedule(timer, &now, true);
        else
                result = ISC_R_SUCCESS;
-       if (result == ISC_R_SUCCESS)
+       if (result == ISC_R_SUCCESS) {
+               *timerp = (isc_timer_t *)timer;
                APPEND(manager->timers, timer, link);
+       }
 
        UNLOCK(&manager->lock);
 
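Review bot: The added `*timerp = (isc_timer_t *)timer;` still runs after `schedule(timer, &now, true)` a few lines above it, so the fix depends on `manager->lock` being held across both statements rather than on the assignment coming before the timer is armed, and nothing in the code records that. Presumably the dispatch path has to take the same lock before it can fire the timer, but that is not visible in this hunk. A comment above the assignment would stop a later cleanup from moving it back below `UNLOCK(&manager->lock)`: `/* Publish *timerp under manager->lock: the timer may fire as soon as the lock is dropped. */`. isc__timer_create() begins before this hunk and continues into the next one.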
@@ -412,8 +414,6 @@ isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
                return (result);
        }
 
-       *timerp = (isc_timer_t *)timer;
-
        return (ISC_R_SUCCESS);
 }