Don't allow recursion on staleonly lookups

Fix a crash that can happen in the following scenario:

A client request is received. There is no data for it in the cache,
(not even stale data). A resolver fetch is created as part of
recursion.

Some time later, the fetch still hasn't completed, and
stale-answer-client-timeout is triggered. A staleonly lookup is
started. It will also find no data in the cache.

So 'query_lookup()' will call 'query_gotanswer()' with ISC_R_NOTFOUND,
so this will call 'query_notfound()' and this will start recursion.

We will eventually end up in 'ns_query_recurse()' and that requires
the client query fetch to be NULL:

    REQUIRE(client->query.fetch == NULL);

If the previously started fetch is still running this assertion
fails.

The crash is easily prevented by not requiring recursion for
staleonly lookups.

Also remove a redundant setting of the staleonly flag at the end of
'query_lookup_staleonly()' before destroying the query context.

Add a system test to catch this case.

(cherry picked from commit 9e061faaae81d1cae79331351d10ac9129d75024)

diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh
index 532473544bd6cff5781022837c663f99ca39c5f0..73b4c2865ec32fef7a06b23954fad79644aa1afd 100755 (executable)
--- a/bin/tests/system/serve-stale/tests.sh
+++ b/bin/tests/system/serve-stale/tests.sh
@@ -1073,7 +1073,8 @@ echo_i "sending queries for tests $((n+1))-$((n+4))..."
 $DIG -p ${PORT} @10.53.0.3 data.example TXT > dig.out.test$((n+1)) &
 $DIG -p ${PORT} @10.53.0.3 othertype.example CAA > dig.out.test$((n+2)) &
 $DIG -p ${PORT} @10.53.0.3 nodata.example TXT > dig.out.test$((n+3)) &
-$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4))
+$DIG -p ${PORT} @10.53.0.3 nxdomain.example TXT > dig.out.test$((n+4)) &
+$DIG -p ${PORT} @10.53.0.3 notfound.example TXT > dig.out.test$((n+5))
 
 wait
 
@@ -1113,6 +1114,16 @@ grep "example\..*30.*IN.*SOA" dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+# The notfound.example check is different than nxdomain.example because
+# we didn't send a prime query to add notfound.example to the cache.
+n=$((n+1))
+echo_i "check notfound.example (max-stale-ttl default) ($n)"
+ret=0
+grep "status: SERVFAIL" dig.out.test$n > /dev/null || ret=1
+grep "ANSWER: 0," dig.out.test$n > /dev/null || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 #
 # Now test server with serve-stale answers disabled.
 #

diff --git a/lib/ns/query.c b/lib/ns/query.c
index 6cdf7e901df6d0141c5844dcc36805ce74990360..9ff1d215345e86efd77a4a6ad22b30d376510768 100644 (file)
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5952,13 +5952,13 @@ query_lookup_staleonly(ns_client_t *client) {
 
        qctx_init(client, NULL, client->query.qtype, &qctx);
        dns_db_attach(client->view->cachedb, &qctx.db);
+       client->query.attributes &= ~NS_QUERYATTR_RECURSIONOK;
        client->query.dboptions |= DNS_DBFIND_STALEONLY;
        (void)query_lookup(&qctx);
        if (qctx.node != NULL) {
                dns_db_detachnode(qctx.db, &qctx.node);
        }
        qctx_freedata(&qctx);
-       client->query.dboptions &= ~DNS_DBFIND_STALEONLY;
        qctx_destroy(&qctx);
 }