From: Petr Spacek <pspacek@redhat.com>
To: bind9-bugs@isc.org
CC: Tomas Hozza <thozza@redhat.com>
Date: Fri, 29 Nov 2013 16:03:07 +0100
Subject: crash in rbtdb after two successive getoriginnode() calls
Hello,
I have encountered a weird behavior in RBTDB implementation in BIND bind-9.9.3-P2.
It seems that RBTDB gets corrupted if I do
dns_db_getoriginnode(rbtdb, &node);
dns_db_detachnode(rbtdb, &node);
and then again:
dns_db_getoriginnode(rbtdb, &node);
dns_db_detachnode(rbtdb, &node);
Specifically, the second call to dns_db_getoriginnode() dies with:
INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed
Note that this happens only if the origin_node in RBTDB is empty at the moment
of first dns_db_detachnode() call.
The attached file reproducer_minimal.c demonstrates it.
The attached file reproducer_soa.c demonstrates that RBTDB works if some
record is added to the RBTDB origin_node before second dns_db_getoriginnode()
call. Please see comments in the file.
I'm not 100% sure, but my guess is that empty RBT nodes are destroyed and
that the reference counter for origin_node doesn't count the pointer
rbtdb->origin_node in the RBTDB structure. The other problem is that
rbtdb->origin_node is not overwritten with NULL when the old origin_node is
deallocated.
Does it mean that I can't call dns_db_detachnode() if the origin_node is
empty? Is it a bug or a 'feature'?
Thank you very much for your time.
--
Petr Spacek
Red Hat
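The following is an added, self-contained C model of the life cycle described in the report; it is not BIND's code and not the attached reproducers. It keeps a reference count and a "dead list" flag on an origin node, reproduces the get/detach/get sequence with an empty origin node and an uncounted rbtdb->origin_node-style pointer, and then shows the two fixes the report guesses at: the database holding its own reference to the origin node, or the pointer being cleared when the node goes on the dead list. All names (model_db_t, model_getoriginnode, model_detachnode, model_run_sequence) and the result codes are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Modeled outcomes: success, no origin node left, or the report's INSIST. */
enum result { R_OK = 0, R_NO_ORIGIN = 1, R_INSIST_DEADLINK = 2 };

typedef struct model_node {
    unsigned references; /* modeled reference count */
    int has_rdata;       /* non-empty node: never moved to the dead list */
    int on_deadlist;     /* modeled deadlink: set once refs hit 0 on an empty node */
} model_node_t;

typedef struct model_db {
    model_node_t origin;        /* storage for the origin node (heap in real RBTDB) */
    model_node_t *origin_node;  /* the rbtdb->origin_node-style raw pointer */
    int clear_origin_on_dead;   /* fix 2: NULL the pointer when the node dies */
} model_db_t;

/* origin_holds_ref models fix 1: the db counts its own pointer as a reference. */
void model_db_init(model_db_t *db, int origin_has_rdata, int origin_holds_ref,
                   int clear_origin_on_dead) {
    db->origin.references = origin_holds_ref ? 1u : 0u;
    db->origin.has_rdata = origin_has_rdata;
    db->origin.on_deadlist = 0;
    db->origin_node = &db->origin;
    db->clear_origin_on_dead = clear_origin_on_dead;
}

/* Modeled dns_db_getoriginnode(): hand out a new reference to the origin node. */
enum result model_getoriginnode(model_db_t *db, model_node_t **nodep) {
    model_node_t *node = db->origin_node;
    if (node == NULL)
        return R_NO_ORIGIN;
    /* Counterpart of the INSIST in the report: a node already on the dead
       list must not receive a new reference. */
    if (node->on_deadlist)
        return R_INSIST_DEADLINK;
    node->references++;
    *nodep = node;
    return R_OK;
}

/* Modeled dns_db_detachnode(): drop a reference; an empty node whose count
   reaches zero is moved to the dead list. */
void model_detachnode(model_db_t *db, model_node_t **nodep) {
    model_node_t *node = *nodep;
    *nodep = NULL;
    if (--node->references == 0 && !node->has_rdata) {
        node->on_deadlist = 1;
        /* Without fix 2, db->origin_node keeps pointing at the dead node. */
        if (db->clear_origin_on_dead && db->origin_node == node)
            db->origin_node = NULL;
    }
}

/* Runs the report's sequence: get, detach, get, detach. Returns the first
   non-OK result, or R_OK if the whole sequence succeeds. */
enum result model_run_sequence(int origin_has_rdata, int origin_holds_ref,
                               int clear_origin_on_dead) {
    model_db_t db;
    model_node_t *node = NULL;
    enum result r;
    model_db_init(&db, origin_has_rdata, origin_holds_ref, clear_origin_on_dead);
    r = model_getoriginnode(&db, &node);
    if (r != R_OK) return r;
    model_detachnode(&db, &node);
    r = model_getoriginnode(&db, &node);
    if (r != R_OK) return r;
    model_detachnode(&db, &node);
    return R_OK;
}

int main(void) {
    printf("empty origin, uncounted pointer (report):  %d\n", model_run_sequence(0, 0, 0));
    printf("origin holds an SOA (reproducer_soa case): %d\n", model_run_sequence(1, 0, 0));
    printf("empty origin, db holds its own reference:  %d\n", model_run_sequence(0, 1, 0));
    printf("empty origin, pointer cleared on death:    %d\n", model_run_sequence(0, 0, 1));
    return 0;
}
```

In the model, the first case hits the modeled INSIST exactly as the report describes, the non-empty origin survives because an empty-node check guards the dead list, holding a database-owned reference keeps the count from ever reaching zero, and clearing the pointer turns the crash into a clean "no origin node" result rather than a new reference on a dead node.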