Fix a use-after-free bug in dns_xfrin_create()

'xfr' is used after detaching the only reference, which would
have destroyed the object.

Call dns_xfrin_detach() only after the final use of 'xfr'.

diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index 99190cc385e434cdd65337779916d8ca32997413..063423b665f5c99f47bbcfacd9153acc9634ca7b 100644 (file)
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -723,6 +723,7 @@ dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
        if (result != ISC_R_SUCCESS) {
                atomic_store(&xfr->shuttingdown, true);
                xfr->shutdown_result = result;
+               xfrin_log(xfr, ISC_LOG_ERROR, "zone transfer setup failed");
                dns_xfrin_detach(xfrp);
        }
 
@@ -730,10 +731,6 @@ dns_xfrin_create(dns_zone_t *zone, dns_rdatatype_t xfrtype,
                dns_db_detach(&db);
        }
 
-       if (result != ISC_R_SUCCESS) {
-               xfrin_log(xfr, ISC_LOG_ERROR, "zone transfer setup failed");
-       }
-
        return (result);
 }