From 7ab4e1537a19c148f8090e397cfaf9dfe654ec07 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 8 Dec 2023 13:57:14 +1100
Subject: [PATCH] Obtain a client->handle reference when calling async_restart

otherwise client may be freed before async_restart is called.
---
 lib/ns/include/ns/client.h | 11 ++++++-----
 lib/ns/query.c             |  6 ++++++
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/lib/ns/include/ns/client.h b/lib/ns/include/ns/client.h
index db938bc4f56..345f5e77824 100644
--- a/lib/ns/include/ns/client.h
+++ b/lib/ns/include/ns/client.h
@@ -169,11 +169,12 @@ struct ns_client {
 	unsigned int	 attributes;
 	dns_view_t	*view;
 	dns_dispatch_t	*dispatch;
-	isc_nmhandle_t	*handle;      /* Permanent pointer to handle */
-	isc_nmhandle_t	*sendhandle;  /* Waiting for send callback */
-	isc_nmhandle_t	*reqhandle;   /* Waiting for request callback
-					 (query, update, notify) */
-	isc_nmhandle_t *updatehandle; /* Waiting for update callback */
+	isc_nmhandle_t	*handle;       /* Permanent pointer to handle */
+	isc_nmhandle_t	*sendhandle;   /* Waiting for send callback */
+	isc_nmhandle_t	*reqhandle;    /* Waiting for request callback
+					  (query, update, notify) */
+	isc_nmhandle_t *updatehandle;  /* Waiting for update callback */
+	isc_nmhandle_t *restarthandle; /* Waiting for restart callback */
 	unsigned char  *tcpbuf;
 	size_t		tcpbuf_size;
 	dns_message_t  *message;
diff --git a/lib/ns/query.c b/lib/ns/query.c
index ff8856127f9..34e47e2b1e0 100644
--- a/lib/ns/query.c
+++ b/lib/ns/query.c
@@ -5834,6 +5834,9 @@ static void
 async_restart(void *arg) {
 	query_ctx_t *qctx = arg;
 	ns_client_t *client = qctx->client;
+	isc_nmhandle_t *handle = client->restarthandle;
+
+	client->restarthandle = NULL;
 
 	ns__query_start(qctx);
 
@@ -5841,6 +5844,7 @@ async_restart(void *arg) {
 	qctx_freedata(qctx);
 	qctx_destroy(qctx);
 	isc_mem_put(client->manager->mctx, qctx, sizeof(*qctx));
+	isc_nmhandle_detach(&handle);
 }
 
 /*
@@ -11642,6 +11646,8 @@ ns_query_done(query_ctx_t *qctx) {
 		saved_qctx = isc_mem_get(qctx->client->manager->mctx,
 					 sizeof(*saved_qctx));
 		qctx_save(qctx, saved_qctx);
+		isc_nmhandle_attach(qctx->client->handle,
+				    &qctx->client->restarthandle);
 		isc_async_run(qctx->client->manager->loop, async_restart,
 			      saved_qctx);
 		return (DNS_R_CONTINUE);
-- 
2.47.3