Merge branch '942-security-move-test-inside-lock-security-v9_14' into 'security-v9_14'

CHANGES

@@ -1,3 +1,8 @@
+5244.	[security]	Fixed a race condition in dns_dispatch_getnext()
+			that could cause an assertion failure if a
+			significant number of incoming packets were
+			rejected. (CVE-2019-6471) [GL #942]
+
 5243.	[bug]		Fix a possible race between dispatcher and socket
 			code in a high-load cold-cache resolver scenario.
 			[GL #943]

doc/arm/notes.xml

@@ -100,7 +100,15 @@
 	<para>
 	  The TCP client quota set using the <command>tcp-clients</command>
 	  option could be exceeded in some cases. This could lead to
-	  exhaustion of file descriptors. (CVE-2018-5743) [GL #615]
+	  exhaustion of file descriptors. This flaw is disclosed in
+	  CVE-2018-5743. [GL #615]
+	</para>
+      </listitem>
+      <listitem>
+	<para>
+	  A race condition could trigger an assertion failure when
+	  a large number of incoming packets were being rejected.
+	  This flaw is disclosed in CVE-2019-6471. [GL #942]
 	</para>
       </listitem>
     </itemizedlist>

lib/dns/dispatch.c

@@ -128,7 +128,7 @@ struct dns_dispentry {
 	isc_task_t		       *task;
 	isc_taskaction_t		action;
 	void			       *arg;
-	bool			item_out;
+	bool				item_out;
 	dispsocket_t			*dispsocket;
 	ISC_LIST(dns_dispatchevent_t)	items;
 	ISC_LINK(dns_dispentry_t)	link;
@@ -3273,13 +3273,14 @@ dns_dispatch_getnext(dns_dispentry_t *resp, dns_dispatchevent_t **sockevent) {
 	disp = resp->disp;
 	REQUIRE(VALID_DISPATCH(disp));
 
-	REQUIRE(resp->item_out == true);
-	resp->item_out = false;
-
 	ev = *sockevent;
 	*sockevent = NULL;
 
 	LOCK(&disp->lock);
+
+	REQUIRE(resp->item_out == true);
+	resp->item_out = false;
+
 	if (ev->buffer.base != NULL)
 		free_buffer(disp, ev->buffer.base, ev->buffer.length);
 	free_devent(disp, ev);
@@ -3424,6 +3425,9 @@ dns_dispatch_removeresponse(dns_dispentry_t **resp,
 		isc_task_send(disp->task[0], &disp->ctlevent);
 }
 
+/*
+ * disp must be locked.
+ */
 static void
 do_cancel(dns_dispatch_t *disp) {
 	dns_dispatchevent_t *ev;