Fix crash in rbtdb after two sucessive getoriginnode() calls

Signed-off-by: Tomas Hozza <thozza@redhat.com>
2013-12-18 13:03:52 +01:00 · 2013-12-18 13:03:52 +01:00 · cfca698d2b
commit cfca698d2b
parent 7eb562bbab
2 changed files with 48 additions and 1 deletions
--- a/bind.spec
+++ b/bind.spec
@ -30,7 +30,7 @@ Summary:  The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv
 Name:     bind
 License:  ISC
 Version:  9.9.4
-Release:  10%{?PATCHVER}%{?PREVER}%{?dist}
+Release:  11%{?PATCHVER}%{?PREVER}%{?dist}
 Epoch:    32
 Url:      http://www.isc.org/products/BIND/
 Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -94,6 +94,7 @@ Patch139:bind99-ISC-Bugs-34738.patch
 Patch140:bind99-ISC-Bugs-34870-v3.patch
 # upstream applied patch for [ISC-Bugs #35073]
 Patch141:bind99-ISC-Bugs-35073.patch
+Patch142:bind99-ISC-Bugs-35080.patch

 # SDB patches
 Patch11: bind-9.3.2b2-sdbsrc.patch
@ -310,6 +311,7 @@ popd
 %patch139 -p1 -b .journal
 %patch140 -p1 -b .send_buffer
 %patch141 -p1 -b .leak_35073
+%patch142 -p1 -b .rbtdb_crash

 %if %{SDB}
 %patch101 -p1 -b .old-api
@ -922,6 +924,9 @@ rm -rf ${RPM_BUILD_ROOT}
 %endif

 %changelog
+* Wed Dec 18 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-11
+- Fix crash in rbtdb after two sucessive getoriginnode() calls
+
 * Tue Dec 17 2013 Tomas Hozza <thozza@redhat.com> 32:9.9.4-10
 - Split chroot package for named and named-sdb
 - Extract setting-up/destroying of chroot to a separate systemd service (#997030)
--- a/bind99-ISC-Bugs-35080.patch
+++ b/bind99-ISC-Bugs-35080.patch
@ -0,0 +1,42 @@
+commit 3a2ea636103eaf40404fb82f228605d384c36434
+Author: Mark Andrews <marka@isc.org>
+Date:   Tue Dec 17 09:08:59 2013 +1100
+
+    3692.   [bug]           Two calls to dns_db_getoriginnode were fatal if there
+                            was no data at the node. [RT #35080]
+    
+    (cherry picked from commit 161e803a5608956271d8120be37a1b383d14b647)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 2dd4aa0..941b77e 100644
+--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
+@@ -1638,8 +1638,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ 
+ 	nodelock = &rbtdb->node_locks[bucket];
+ 
+#define KEEP_NODE(n, r) \
+	((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node)
+
+ 	/* Handle easy and typical case first. */
+-	if (!node->dirty && (node->data != NULL || node->down != NULL)) {
+	if (!node->dirty && KEEP_NODE(node, rbtdb)) {
+ 		dns_rbtnode_refdecrement(node, &nrefs);
+ 		INSIST((int)nrefs >= 0);
+ 		if (nrefs == 0) {
+@@ -1708,12 +1711,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ 	isc_refcount_decrement(&nodelock->references, &refs);
+ 	INSIST((int)refs >= 0);
+ 
+-	/*
+-	 * XXXDCL should this only be done for cache zones?
+-	 */
+-	if (node->data != NULL || node->down != NULL)
+	if (KEEP_NODE(node, rbtdb))
+ 		goto restore_locks;
+ 
+#undef KEEP_NODE
+
+ 	if (write_locked) {
+ 		/*
+ 		 * We can now delete the node.