bind/SOURCES/bind-9.11-CVE-2023-2828-fixup.patch

47 lines
1.7 KiB
Diff

From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 23 Feb 2024 10:12:47 +1100
Subject: [PATCH] Do not use header_prev in expire_lru_headers
dns__cacherbt_expireheader can unlink / free header_prev underneath
it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
instead to get the next pointer to be processed.
(cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
(cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
---
lib/dns/rbtdb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index cc40eaec60..ee59c1b18b 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
static size_t
expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
bool tree_locked) {
- rdatasetheader_t *header, *header_prev;
+ rdatasetheader_t *header;
size_t purged = 0;
for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
- header != NULL && purged <= purgesize; header = header_prev)
+ header != NULL && purged <= purgesize;
+ header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
{
- header_prev = ISC_LIST_PREV(header, link);
/*
* Unlink the entry at this point to avoid checking it
* again even if it's currently used someone else and
* cannot be purged at this moment. This entry won't be
* referenced any more (so unlinking is safe) since the
- * TTL was reset to 0.
+ * TTL will be reset to 0.
*/
ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
size_t header_size = rdataset_size(header);
--
2.43.2