From: Ondřej Surý
Date: Thu, 23 Mar 2023 09:48:39 +0000 (+0100)
Subject: Properly handle ISC_R_SHUTTINGDOWN in resquery_response()
X-Git-Tag: v9.18.14~32^2
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=4bf253ffe16a9efb6dcd7fb6e52a00a96583ffc1;p=thirdparty%2Fbind9.git
Properly handle ISC_R_SHUTTINGDOWN in resquery_response()
When resquery_response() was called with ISC_R_SHUTTINDOWN, the region argument would be NULL, but rctx_respinit() would try to pass region->base and region->len to the isc_buffer_init() leading to a NULL pointer dereference. Properly handle non-ISC_R_SUCCESS by ignoring the provided region.
(cherry picked from commit 93259812ddcb8dbc38c2f494465c74715893cbb4)
---
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 775ac724780..9545560bfaf 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -7696,7 +7696,9 @@ resquery_response(isc_result_t eresult, isc_region_t *region, void *arg) {
 rctx_respinit(query, fctx, eresult, region, &rctx);
- if (atomic_load_acquire(&fctx->res->exiting)) {
+ if (eresult == ISC_R_SHUTTINGDOWN ||
+ atomic_load_acquire(&fctx->res->exiting))
+ {
 result = ISC_R_SHUTTINGDOWN;
 FCTXTRACE("resolver shutting down");
 rctx.finish = NULL;
@@ -8080,8 +8082,13 @@ rctx_respinit(resquery_t *query, fetchctx_t *fctx, isc_result_t result,
 .fctx = fctx,
 .broken_type = badns_response,
 .retryopts = query->options };
- isc_buffer_init(&rctx->buffer, region->base, region->length);
- isc_buffer_add(&rctx->buffer, region->length);
+ if (result == ISC_R_SUCCESS) {
+ REQUIRE(region != NULL);
+ isc_buffer_init(&rctx->buffer, region->base, region->length);
+ isc_buffer_add(&rctx->buffer, region->length);
+ } else {
+ isc_buffer_initnull(&rctx->buffer);
+ }
 TIME_NOW(&rctx->tnow);
 rctx->finish = &rctx->tnow;
 rctx->now = (isc_stdtime_t)isc_time_seconds(&rctx->tnow);
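Review bot: Only ISC_R_SHUTTINGDOWN is short-circuited by the new condition in resquery_response(), so any other non-success eresult continues past this block with the empty buffer that rctx_respinit() now sets up. The code after the block is outside the hunk, so it is worth confirming that every remaining path tests eresult before it reads rctx.buffer or touches region. A comment above the condition would record the contract for the next reader, for example `/* region may be NULL unless eresult == ISC_R_SUCCESS; rctx.buffer is empty in that case */`. The body of resquery_response() starts and ends outside the hunk.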
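Review bot: The new `REQUIRE(region != NULL)` in rctx_respinit() turns a success callback that arrives without a region into an assertion failure, which in BIND stops the process rather than returning an error. That is a reasonable fail-stop, but it means "ISC_R_SUCCESS always carries a region" must hold for every dispatch caller, and none of them are visible in this diff. The else branch is also undocumented; a short comment such as `/* no data on failure: leave the buffer empty so nothing is parsed */` would explain why `isc_buffer_initnull()` is used. The function's header comment, which is outside the hunk, should state that region is ignored unless result is ISC_R_SUCCESS.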