Fix a bug in the async DNS resolver that can crash ypserv. yp_prune_dnsq()

is not sane: if the TTL on a pending but unanswered query hits 0 and the
circular queue entry is removed and free()d, the for() loop may still try
to use the entry pointer (which now points at no longer valid memory).
usually, deleting only the last entry off the end of the queue worked, but
if more than one was deleted, the server would crash. I changed things a
bit so this shouldn't happen anymore.

Also arranged to call the prune routine a bit more often.

1 files changed, 9 insertions, 4 deletions

diff --git a/usr.sbin/ypserv/yp_dnslookup.c b/usr.sbin/ypserv/yp_dnslookup.c
index a9415d7..e330e15 100644
--- a/usr.sbin/ypserv/yp_dnslookup.c
+++ b/usr.sbin/ypserv/yp_dnslookup.c
@@ -29,7 +29,7 @@
  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  * SUCH DAMAGE.
  *
- *	$Id$
+ *	$Id: yp_dnslookup.c,v 1.10 1997/02/22 16:15:10 peter Exp $
  */
 
 /*
@@ -65,7 +65,7 @@
 #include "yp_extern.h"
 
 #ifndef lint
-static const char rcsid[] = "$Id$";
+static const char rcsid[] = "$Id: yp_dnslookup.c,v 1.10 1997/02/22 16:15:10 peter Exp $";
 #endif
 
 static char *parse(hp)
@@ -315,16 +315,19 @@ static void yp_send_dns_reply(q, buf)
  */
 void yp_prune_dnsq()
 {
-	register struct circleq_dnsentry *q;
+	register struct circleq_dnsentry *q, *n;
 
-	for (q = qhead.cqh_first; q != (void *)&qhead; q = q->links.cqe_next) {
+	q = qhead.cqh_first;
+	while(q != (void *)&qhead) {
 		q->ttl--;
+		n = q->links.cqe_next;
 		if (!q->ttl) {
 			CIRCLEQ_REMOVE(&qhead, q, links);
 			free(q->name);
 			free(q);
 			pending--;
 		}
+		q = n;
 	}
 
 	if (pending < 0)
@@ -470,6 +473,7 @@ ypstat yp_async_lookup_name(rqstp, name)
 	if (debug)
 		yp_error("Queueing async DNS name lookup (%d)", q->id);
 
+	yp_prune_dnsq();
 	return(YP_TRUE);
 }
 
@@ -534,5 +538,6 @@ ypstat yp_async_lookup_addr(rqstp, addr)
 	if (debug)
 		yp_error("Queueing async DNS address lookup (%d)", q->id);
 
+	yp_prune_dnsq();
 	return(YP_TRUE);
 }