From 2c4d5faf7fa490aa537efa36b1ba26d0cd80e442 Mon Sep 17 00:00:00 2001
From: Mukund Sivaraman <muks@isc.org>
Date: Mon, 13 Apr 2015 15:03:12 +0530
Subject: [PATCH] Don't use query->sendevent after it's been destroyed (#39132)

---
 CHANGES            | 3 +++
 lib/dns/resolver.c | 6 +++++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/CHANGES b/CHANGES
index 5c43c010b8..def085614e 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4096.	[bug]		Fix a use after free of query->sendevent.
+			[RT #39132]
+
 4095.	[bug]		zone->options2 was not being properly initalized.
 			[RT #39228]
 
diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index aaa58846a5..3318b61b73 100644
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -1276,6 +1276,7 @@ fctx_done(fetchctx_t *fctx, isc_result_t result, int line) {
 static void
 process_sendevent(resquery_t *query, isc_event_t *event) {
 	isc_socketevent_t *sevent = (isc_socketevent_t *)event;
+	isc_boolean_t destroy_query = ISC_FALSE;
 	isc_boolean_t retry = ISC_FALSE;
 	isc_result_t result;
 	fetchctx_t *fctx;
@@ -1290,7 +1291,7 @@ process_sendevent(resquery_t *query, isc_event_t *event) {
 			 */
 			if (query->tcpsocket != NULL)
 				isc_socket_detach(&query->tcpsocket);
-			resquery_destroy(&query);
+			destroy_query = ISC_TRUE;
 		}
 	} else {
 		switch (sevent->result) {
@@ -1340,6 +1341,9 @@ process_sendevent(resquery_t *query, isc_event_t *event) {
 		else
 			fctx_try(fctx, ISC_TRUE, ISC_FALSE);
 	}
+
+	if (destroy_query)
+		resquery_destroy(&query);
 }
 
 static void