From bec50680a31834619e66cb8b97edd6d5b5f15701 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Wed, 15 Feb 2012 20:12:32 -0500
Subject: Stop crashing in evdns when nameserver probes give a weird error

When a nameserver is down, we periodically try sending a "probe" message to that nameserver to see if it has come back up. If a nameserver comes up, we cancel any pending probe messages.

Cancelling a probe message while handling the probe's response would result in an access-after-free or a double-free, so when we notice that we're about to call a nameserver up because of having received a probe from it, we need to check whether the current response is the response from the probe.

There was a case where we didn't do that, though: when the resolver gave us an unusual error response to our request that it resolve google.com. This is pretty rare, but apparently it can happen with some weird caching nameservers -- the one on the mikrotik router, for example. Without this patch, we would crash with a NULL pointer dereference.

Thanks to Hannes Sowa for finding this issue and helping me track it down.
---
evdns.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'evdns.c')

diff --git a/evdns.c b/evdns.c index b447fd91..02f5dff5 100644 --- a/evdns.c +++ b/evdns.c @@ -896,7 +896,12 @@ reply_handle(struct request *const req, u16 flags, u32 ttl, struct reply *reply) addrbuf, sizeof(addrbuf))); break; default: - /* we got a good reply from the nameserver */ + /* we got a good reply from the nameserver: it is up. */ + if (req->handle == req->ns->probe_request) { + /* Avoid double-free */ + req->ns->probe_request = NULL; + } + nameserver_up(req->ns); } -- cgit v1.2.1
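
Review bot: The guard in the `default:` branch, just before `nameserver_up(req->ns)`, is a per-call-site fix, and the commit message says this branch was the one place where the existing check had been left out; consider moving the `req->handle == req->ns->probe_request` test and the `probe_request = NULL` assignment into a small helper that every reply path calls before `nameserver_up()`, so a new branch cannot miss it again. The comment `/* Avoid double-free */` would also be clearer if it stated why: per the commit message, bringing the nameserver up cancels its pending probe, and here the request being handled is that probe. The diffstat shows only evdns.c changed, so a regression test for the unusual-error reply is worth adding.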