Fix crash caused by race condition in timer creation

The race condition is the timer elapses before isc__timer_create()
returns the pointer to the caller.  Assigning the return pointer before
enabling the timer will fix it.

(cherry picked from commit 21966423cd7101a60ddfb3cf11f04f71c9fdd7b7)

diff --git a/lib/isc/timer.c b/lib/isc/timer.c
index 714ae591ac0c2ae34a2703184142913b825115c8..2baa9e6ea10e277cfe836b4d7e676c2b7c150d65 100644 (file)
--- a/lib/isc/timer.c
+++ b/lib/isc/timer.c
@@ -474,8 +474,10 @@ isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
                result = schedule(timer, &now, true);
        else
                result = ISC_R_SUCCESS;
-       if (result == ISC_R_SUCCESS)
+       if (result == ISC_R_SUCCESS) {
+               *timerp = (isc_timer_t *)timer;
                APPEND(manager->timers, timer, link);
+       }
 
        UNLOCK(&manager->lock);
 
@@ -488,8 +490,6 @@ isc__timer_create(isc_timermgr_t *manager0, isc_timertype_t type,
                return (result);
        }
 
-       *timerp = (isc_timer_t *)timer;
-
        return (ISC_R_SUCCESS);
 }