Fix a stack use-after-free in qpzone
authorEvan Hunt <each@isc.org>
Mon, 4 May 2026 23:10:49 +0000 (16:10 -0700)
committerEvan Hunt <each@isc.org>
Tue, 5 May 2026 23:19:30 +0000 (23:19 +0000)
In previous_closest_nsec(), a new qpreader was opened to search the NSEC
tree. It was possible for that reader to be used to update a QP iterator
object owned by the caller, and then be destroyed when the function returned.

This qpreader object isn't necessary anymore; since namespaces were
added to the QP trie in commit 15653c54a0, we can now just reuse the
existing reader for the main tree.

lib/dns/qpzone.c

index dcfae499ff7bbbad71769256b28ab94752ca80f5..fd161e1746a6e5469af353e9abca974409abd042 100644 (file)
@@ -3061,7 +3061,6 @@ previous_closest_nsec(dns_rdatatype_t type, qpz_search_t *search,
                      dns_name_t *name, qpznode_t **nodep, dns_qpiter_t *nit,
                      bool *firstp) {
        isc_result_t result;
-       dns_qpread_t qpr;
 
        REQUIRE(nodep != NULL && *nodep == NULL);
        REQUIRE(type == dns_rdatatype_nsec3 || firstp != NULL);
@@ -3074,8 +3073,6 @@ previous_closest_nsec(dns_rdatatype_t type, qpz_search_t *search,
                return result;
        }
 
-       dns_qpmulti_query(search->qpdb->tree, &qpr);
-
        for (;;) {
                qpznode_t *nsec_node = NULL;
 
@@ -3085,8 +3082,9 @@ previous_closest_nsec(dns_rdatatype_t type, qpz_search_t *search,
                         * NSEC namespace.
                         */
                        *firstp = false;
-                       result = dns_qp_lookup(&qpr, name, DNS_DBNAMESPACE_NSEC,
-                                              nit, NULL, NULL, NULL);
+                       result = dns_qp_lookup(&search->qpr, name,
+                                              DNS_DBNAMESPACE_NSEC, nit, NULL,
+                                              NULL, NULL);
 
                        INSIST(result != ISC_R_NOTFOUND);
                        if (result == ISC_R_SUCCESS) {
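Review bot: The `dns_qp_lookup()` call now passes `&search->qpr`, but nothing at the call site records that `nit` stays bound to that reader after previous_closest_nsec() returns, which is the lifetime rule the removed stack-local `qpr` broke. I would extend the comment just above the call with `* Use the caller's reader: nit keeps referring to it after we return, so the reader must not be local to this function.` so a later refactor does not reintroduce a function-scoped reader. The call also relies on `search->qpr` having been opened before this function runs, which is not visible in this hunk; if that is a precondition, it belongs in the function's header comment. No regression test is visible in this diff, so a test that drives this path under AddressSanitizer would be worth adding if one does not exist elsewhere. The function body starts and ends outside the hunk.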
@@ -3153,7 +3151,6 @@ previous_closest_nsec(dns_rdatatype_t type, qpz_search_t *search,
                }
        }
 
-       dns_qpread_destroy(search->qpdb->tree, &qpr);
        return result;
 }