5bfe51e649
dns__cacherbt_expireheader can unlink / free header_prev underneath it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader instead to get the next pointer to be processed. (cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab) (cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63) This is related to the CVE-2023-2828 fix and fixes a small part of it. Related: CVE-2023-4408 Related: RHEL-25691
From 6c26ede8edcb700caca12c501c6c129801989526 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 23 Feb 2024 10:12:47 +1100
Subject: [PATCH] Do not use header_prev in expire_lru_headers
dns__cacherbt_expireheader can unlink / free header_prev underneath
it. Use ISC_LIST_TAIL after calling dns__cacherbt_expireheader
instead to get the next pointer to be processed.
(cherry picked from commit 7ce2e86024f022decb2678963538515ca39ab4ab)
(cherry picked from commit f88f21b7d890eb80097f4bd434fedb29c2f9ff63)
---
lib/dns/rbtdb.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
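diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index cc40eaec60..ee59c1b18b 100644
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -10667,19 +10667,19 @@ update_header(dns_rbtdb_t *rbtdb, rdatasetheader_t *header,
 static size_t
 expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum, size_t purgesize,
 bool tree_locked) {
- rdatasetheader_t *header, *header_prev;
+ rdatasetheader_t *header;
 size_t purged = 0;
 
 for (header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]);
- header != NULL && purged <= purgesize; header = header_prev)
+ header != NULL && purged <= purgesize;
+ header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum]))
 {
- header_prev = ISC_LIST_PREV(header, link);
 /*
 * Unlink the entry at this point to avoid checking it
 * again even if it's currently used someone else and
 * cannot be purged at this moment. This entry won't be
 * referenced any more (so unlinking is safe) since the
- * TTL was reset to 0.
+ * TTL will be reset to 0.
 */
 ISC_LIST_UNLINK(rbtdb->rdatasets[locknum], header, link);
 size_t header_size = rdataset_size(header);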
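Review bot: The new loop step `header = ISC_LIST_TAIL(rbtdb->rdatasets[locknum])` carries no comment saying why the tail is re-read instead of walking with ISC_LIST_PREV, and that reason is the whole fix: per the commit message, expiring a header can unlink or free its neighbour, so a saved previous pointer may dangle. I would add above the `for` something like `/* Re-read the tail on every pass; expiring a header may unlink or free other entries, so a cached ISC_LIST_PREV pointer is not safe to follow. */` so that the cached pointer is not reintroduced by a later cleanup. The same comment should state that forward progress depends on the unconditional `ISC_LIST_UNLINK` at the top of the body, since a tail left linked would be selected again on the next pass. The rest of the loop body, including the expire call itself, lies outside the hunk, so whether anything there can re-link an entry onto this list cannot be confirmed from here.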
--
2.43.2