Merge branch '4595-fix-expire-lru-headers-race' into 'main'

Do not use header_prev in expire_lru_headers

Closes #4595

See merge request isc-projects/bind9!8773

CHANGES

@@ -1,3 +1,5 @@
+6350.	[bug]		Address use after free in expire_lru_headers. [GL #4495]
+
 6349.	[placeholder]
 
 6348.	[bug]		BIND could previously abort when trying to

doc/notes/notes-current.rst

@@ -64,6 +64,13 @@ Bug Fixes
   ISC would like to thank Thomas Amgarten for bringing this issue to
   our attention. :gl:`#4518`, :gl:`#4528`
 
+- A use-after-free assertion might get triggered when the overmem cache
+  cleaning triggers. :gl:`#4595`
+
+  ISC would like to thank to Jinmei Tatuya from Infoblox for bringing
+  this issue to our attention.
+
+
 Known Issues
 ~~~~~~~~~~~~
 

lib/dns/rbt-cachedb.c

@@ -1643,23 +1643,22 @@ static size_t
 expire_lru_headers(dns_rbtdb_t *rbtdb, unsigned int locknum,
 		   isc_rwlocktype_t *tlocktypep,
 		   size_t purgesize DNS__DB_FLARG) {
-	dns_slabheader_t *header = NULL, *header_prev = NULL;
+	dns_slabheader_t *header = NULL;
 	size_t purged = 0;
 
 	for (header = ISC_LIST_TAIL(rbtdb->lru[locknum]);
 	     header != NULL && header->last_used <= rbtdb->last_used &&
 	     purged <= purgesize;
-	     header = header_prev)
+	     header = ISC_LIST_TAIL(rbtdb->lru[locknum]))
 	{
 		size_t header_size = rdataset_size(header);
-		header_prev = ISC_LIST_PREV(header, link);
 
 		/*
 		 * Unlink the entry at this point to avoid checking it
 		 * again even if it's currently used someone else and
 		 * cannot be purged at this moment.  This entry won't be
 		 * referenced any more (so unlinking is safe) since the
-		 * TTL was reset to 0.
+		 * TTL will be reset to 0.
 		 */
 		ISC_LIST_UNLINK(rbtdb->lru[locknum], header, link);
 		dns__cacherbt_expireheader(header, tlocktypep,