3192. [bug] A query structure could be used after being freed.
authorMark Andrews <marka@isc.org>
Wed, 2 Nov 2011 23:48:41 +0000 (23:48 +0000)
committerMark Andrews <marka@isc.org>
Wed, 2 Nov 2011 23:48:41 +0000 (23:48 +0000)
                        [RT #22208]

CHANGES
lib/dns/resolver.c

diff --git a/CHANGES b/CHANGES
index e15211d77d1dceeda2f0cdfcabd9ff1f53234257..dc9eff98066ae5f591bd9b74e2d7b1a4ddb0d232 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3192.  [bug]           A query structure could be used after being freed.
+                       [RT #22208]
+
 3191.  [bug]           Print NULL records using "unknown" format. [RT #26392]
 
 3190.  [bug]           Underflow in error handling in isc_mutexblock_init.
index 82b2479df69ac601391ea131a7bfcbe77929ddcd..46f2503ebd665e83e60988765ea265eeb6b70756 100644 (file)
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.384.14.34 2011/10/12 01:40:32 marka Exp $ */
+/* $Id: resolver.c,v 1.384.14.35 2011/11/02 23:48:41 marka Exp $ */
 
 /*! \file */
 
@@ -1551,9 +1551,11 @@ fctx_query(fetchctx_t *fctx, dns_adbaddrinfo_t *addrinfo,
                dns_dispatch_detach(&query->dispatch);
 
  cleanup_query:
-       query->magic = 0;
-       isc_mem_put(res->buckets[fctx->bucketnum].mctx,
-                   query, sizeof(*query));
+       if (query->connects == 0) {
+               query->magic = 0;
+               isc_mem_put(res->buckets[fctx->bucketnum].mctx,
+                           query, sizeof(*query));
+       }
 
  stop_idle_timer:
        RUNTIME_CHECK(fctx_stopidletimer(fctx) == ISC_R_SUCCESS);
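Review bot: The new `if (query->connects == 0)` guard at `cleanup_query` leaves the query allocated without saying who releases it. Judging by the resquery_send() hunks in this commit, the skipped case appears to be a query with a connect still outstanding that was marked `RESQUERY_ATTR_CANCELED`, so the free is presumably deferred to the connect-completion handler, which is not shown in this diff. Because this is a use-after-free fix, the ownership handoff should be stated at the guard, e.g. `/* A connect is still pending; the connect event handler frees this query. */`. It is also worth confirming that every path reaching this label with `connects != 0` has set the canceled attribute and taken the extra `nqueries` reference, since otherwise the query would leak rather than be freed late. fctx_query's body starts and ends outside the hunk.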
@@ -1671,6 +1673,7 @@ resquery_send(resquery_t *query) {
        dns_compress_t cctx;
        isc_boolean_t cleanup_cctx = ISC_FALSE;
        isc_boolean_t secure_domain;
+       isc_boolean_t connecting = ISC_FALSE;
 
        fctx = query->fctx;
        QTRACE("send");
@@ -1962,6 +1965,7 @@ resquery_send(resquery_t *query) {
                                                    query);
                        if (result != ISC_R_SUCCESS)
                                goto cleanup_message;
+                       connecting = ISC_TRUE;
                        query->connects++;
                }
        }
@@ -1973,8 +1977,19 @@ resquery_send(resquery_t *query) {
         */
        result = isc_socket_sendto(socket, &r, task, resquery_senddone,
                                   query, address, NULL);
-       if (result != ISC_R_SUCCESS)
+       if (result != ISC_R_SUCCESS) {
+               if (connecting) {
+                       /*
+                        * This query is still connecting.
+                        * Mark it as canceled so that it will just be
+                        * cleaned up when the connected event is received.
+                        * Keep fctx around until the event is processed.
+                        */
+                       query->fctx->nqueries++;
+                       query->attributes |= RESQUERY_ATTR_CANCELED;
+               }
                goto cleanup_message;
+       }
 
        query->sends++;