Stop crashing in evdns when nameserver probes give a weird error

When a nameserver is down, we periodically try sending a "probe" message to that nameserver to see if it has come back up. If a nameserver comes up, we cancel any pending probe messages. Cancelling a probe message while handling the probe's response would result in a access-after-free or a double-free, so when we notice that we're about to call a nameserver up because of having received a probe from it, we need to check whether current response is the response from the probe. There was a case where we didn't to that, though: when the resolver gave us an unusual error response to our request that it resolve google.com. This is pretty rare, but apparently it can happen with some weird cacheing nameservers -- the one on the mikrotik router, for example. Without this patch, we would crash with a NULL pointer derefernce. Thanks to Hannes Sowa for finding this issue and helping me track it down.
2025-09-08 11:53:00 -04:00 · 2012-02-15 20:12:32 -05:00 · 2012-02-15 20:12:32 -05:00 · bec50680a3
commit bec50680a3
parent 2d67b63853
1 changed files with 6 additions and 1 deletions
--- a/evdns.c
+++ b/evdns.c
@ -896,7 +896,12 @@ reply_handle(struct request *const req, u16 flags, u32 ttl, struct reply *reply)
 				    addrbuf, sizeof(addrbuf)));
 			break;
 		default:
-			/* we got a good reply from the nameserver */
+			/* we got a good reply from the nameserver: it is up. */
+			if (req->handle == req->ns->probe_request) {
+				/* Avoid double-free */
+				req->ns->probe_request = NULL;
+			}
+
 			nameserver_up(req->ns);
 		}