Hello,

I have encountered a weird behavior in RBTDB implementation in BIND bind-9.9.3-P2.

It seems that RBTDB gets corrupted if I do

dns_db_getoriginnode(rbtdb, &node);
dns_db_detachnode(rbtdb, &node);

and then again:

dns_db_getoriginnode(rbtdb, &node);
dns_db_detachnode(rbtdb, &node);

Specifically, the second call to dns_db_getoriginnode() dies with:
INSIST(!((void *)((node)->deadlink.prev) != (void *)(-1))) failed

Note that this happens only if the origin_node in RBTDB is empty at the moment 
of first dns_db_detachnode() call.

The attached file reproducer_minimal.c demonstrates it.


The attached file reproducer_soa.c demonstrates that RBTDB works if some 
record is added to the RBTDB origin_node before second dns_db_getoriginnode() 
call. Please see comments in the file.


I'm not 100 % sure, but my guess is that empty RBT nodes are destroyed and 
that reference counter for origin_node doesn't count the pointer 
rbtdb->origin_node in RBTDB structure. The other problem is that 
rbtdb->origin_node is not overwritten with NULL when the old origin_node is 
deallocated.


Does it mean that I can't call dns_db_detachnode() if the origin_node is 
empty? Is it a bug or a 'feature'?

Thank you very much for your time.

-- 
Petr Spacek
Red Hat