Backport patch to fix CVE-2019-6471. Ref: https://security-tracker.debian.org/tracker/CVE-2019-6471 CVE: CVE-2019-6471 Upstream-Status: Backport [https://gitlab.isc.org/isc-projects/bind9/commit/3a9c7bb] Signed-off-by: Kai Kang From 3a9c7bb80d4a609b86427406d9dd783199920b5b Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Tue, 19 Mar 2019 14:14:21 +1100 Subject: [PATCH] move item_out test inside lock in dns_dispatch_getnext() (cherry picked from commit 60c42f849d520564ed42e5ed0ba46b4b69c07712) --- lib/dns/dispatch.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/lib/dns/dispatch.c b/lib/dns/dispatch.c index 408beda367..3278db4a07 100644 --- a/lib/dns/dispatch.c +++ b/lib/dns/dispatch.c @@ -134,7 +134,7 @@ struct dns_dispentry { isc_task_t *task; isc_taskaction_t action; void *arg; - bool item_out; + bool item_out; dispsocket_t *dispsocket; ISC_LIST(dns_dispatchevent_t) items; ISC_LINK(dns_dispentry_t) link; @@ -3422,13 +3422,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) { disp = resp->disp; REQUIRE(VALID_DISPATCH(disp)); - REQUIRE(resp->item_out == true); - resp->item_out = false; - ev = *sockevent; *sockevent = NULL; LOCK(&disp->lock); + + REQUIRE(resp->item_out == true); + resp->item_out = false; + if (ev->buffer.base != NULL) free_buffer(disp, ev->buffer.base, ev->buffer.length); free_devent(disp, ev); @@ -3573,6 +3574,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp, isc_task_send(disp->task[0], &disp->ctlevent); } +/* + * disp must be locked. + */ static void do_cancel(dns_dispatch_t *disp) { dns_dispatchevent_t *ev; -- 2.20.1