Fix UAF in ccmsg.c when reading stopped before sending
authorOndřej Surý <ondrej@isc.org>
Thu, 8 Feb 2024 11:31:09 +0000 (12:31 +0100)
committerOndřej Surý <ondrej@isc.org>
Thu, 8 Feb 2024 16:24:11 +0000 (17:24 +0100)
When shutting down the whole server, the reading could stop and detach
from controlconnection before sending is done.  If send callback then
detaches from the last controlconnection handle, the ccmsg would be
invalidated after the send callback and thus we must not access ccmsg
after calling the send_cb().

lib/isccc/ccmsg.c

index 4c033dd975a680f599f3a094ad9928b25570e614..4c5ff61e5f49e87ec2314f0f50fca0107ce5737e 100644 (file)
@@ -150,11 +150,13 @@ ccmsg_senddone(isc_nmhandle_t *handle, isc_result_t eresult, void *arg) {
        isccc_ccmsg_t *ccmsg = arg;
 
        REQUIRE(VALID_CCMSG(ccmsg));
+       REQUIRE(ccmsg->send_cb != NULL);
 
-       INSIST(ccmsg->send_cb != NULL);
-       ccmsg->send_cb(handle, eresult, ccmsg->send_cbarg);
+       isc_nm_cb_t send_cb = ccmsg->send_cb;
        ccmsg->send_cb = NULL;
 
+       send_cb(handle, eresult, ccmsg->send_cbarg);
+
        isc_nmhandle_detach(&handle);
 }
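Review bot: The rule that ccmsg must not be dereferenced once send_cb() has run is stated only in the commit message; nothing at the call site in ccmsg_senddone() warns a later maintainer that the callback may detach the last controlconnection handle and invalidate the structure. A comment directly above the call would help keep the use-after-free from being reintroduced, for example `/* send_cb() may drop the last reference to ccmsg; do not touch ccmsg after this call. */`. The trailing `isc_nmhandle_detach(&handle)` only uses the local handle, so it is consistent with that rule as written. Separately, `ccmsg->send_cbarg` stays set while `send_cb` is cleared; if nothing else relies on it, copying it to a local and setting it to NULL next to `ccmsg->send_cb = NULL;` would avoid leaving a stale pointer in the structure.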