From 2a39e764b4af591e401c326fd48a1d7e9cc50c7e Mon Sep 17 00:00:00 2001 From: Tomas Hozza Date: Dec 18 2013 12:06:14 +0000 Subject: Fix crash in rbtdb after two sucessive getoriginnode() calls Signed-off-by: Tomas Hozza --- diff --git a/bind.spec b/bind.spec index 576f320..e2ea728 100644 --- a/bind.spec +++ b/bind.spec @@ -27,7 +27,7 @@ Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) serv Name: bind License: ISC Version: 9.9.4 -Release: 9%{?PATCHVER}%{?PREVER}%{?dist} +Release: 10%{?PATCHVER}%{?PREVER}%{?dist} Epoch: 32 Url: http://www.isc.org/products/BIND/ Buildroot:%{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) @@ -88,6 +88,7 @@ Patch139:bind99-ISC-Bugs-34738.patch Patch140:bind99-ISC-Bugs-34870-v3.patch # upstream applied patch for [ISC-Bugs #35073] Patch141:bind99-ISC-Bugs-35073.patch +Patch142:bind99-ISC-Bugs-35080.patch # SDB patches Patch11: bind-9.3.2b2-sdbsrc.patch @@ -289,6 +290,7 @@ popd %patch139 -p1 -b .journal %patch140 -p1 -b .send_buffer %patch141 -p1 -b .leak_35073 +%patch142 -p1 -b .rbtdb_crash %if %{SDB} %patch101 -p1 -b .old-api @@ -807,6 +809,9 @@ rm -rf ${RPM_BUILD_ROOT} %endif %changelog +* Wed Dec 18 2013 Tomas Hozza 32:9.9.4-10 +- Fix crash in rbtdb after two sucessive getoriginnode() calls + * Thu Nov 28 2013 Tomas Hozza 32:9.9.4-9 - Fixed memory leak in nsupdate if 'realm' was used multiple times (#984687) diff --git a/bind99-ISC-Bugs-35080.patch b/bind99-ISC-Bugs-35080.patch new file mode 100644 index 0000000..14c383f --- /dev/null +++ b/bind99-ISC-Bugs-35080.patch 
@@ -0,0 +1,42 @@
+commit 3a2ea636103eaf40404fb82f228605d384c36434
+Author: Mark Andrews
+Date: Tue Dec 17 09:08:59 2013 +1100
+
+ 3692. [bug] Two calls to dns_db_getoriginnode were fatal if there
+ was no data at the node. [RT #35080]
+
+ (cherry picked from commit 161e803a5608956271d8120be37a1b383d14b647)
+
+diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
+index 2dd4aa0..941b77e 100644
+--- a/lib/dns/rbtdb.c
++++ b/lib/dns/rbtdb.c
+@@ -1638,8 +1638,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+
+ nodelock = &rbtdb->node_locks[bucket];
+
++#define KEEP_NODE(n, r) \
++ ((n)->data != NULL || (n)->down != NULL || (n) == (r)->origin_node)
++
+ /* Handle easy and typical case first. */
+- if (!node->dirty && (node->data != NULL || node->down != NULL)) {
++ if (!node->dirty && KEEP_NODE(node, rbtdb)) {
+ dns_rbtnode_refdecrement(node, &nrefs);
+ INSIST((int)nrefs >= 0);
+ if (nrefs == 0) {
+@@ -1708,12 +1711,11 @@ decrement_reference(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node,
+ isc_refcount_decrement(&nodelock->references, &refs);
+ INSIST((int)refs >= 0);
+
+- /*
+- * XXXDCL should this only be done for cache zones?
+- */
+- if (node->data != NULL || node->down != NULL)
++ if (KEEP_NODE(node, rbtdb))
+ goto restore_locks;
+
++#undef KEEP_NODE
++
+ if (write_locked) {
+ /*
+ * We can now delete the node.
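Review bot: The new `KEEP_NODE` test in `decrement_reference` has no comment saying why the origin node is exempt from pruning, and the second inner hunk removes the old `XXXDCL` comment without a replacement, so neither call site explains the rule it now enforces. I would add above the `#define` something like `/* Keep nodes that have data or children, and always keep the origin node, which rbtdb->origin_node still points to. */`. As a style point, the function-scoped macro expands `n` three times, is not type-checked, and is `#undef`ed much further down the function; a small `static` helper taking the node and the rbtdb would read the same at both call sites. The upstream message calls the old behaviour fatal, which presumably means an assertion failure that takes the server down, so the backport would benefit from a regression test that calls `dns_db_getoriginnode` twice on an origin node with no data, if upstream provides one (none is visible here). `decrement_reference` begins and ends outside both inner hunks.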