From f2822b6fabc1917331a91b53519f2f1aaa67ce04 Mon Sep 17 00:00:00 2001
From: Ian Jackson
Date: Thu, 1 Dec 2016 01:28:13 +0000
Subject: [PATCH] globalsystemfailure: Do not tangle our lists

If a globalsystemfailure happens, we must remove each query from its corresponding list, since adns__query_fail will try to remove it and then put it on some other list. Previously, any globalsystemfailure was likely to lead to an assertion failure. This doesn't seem to me to be a security problem. Found by AFL.
Signed-off-by: Ian Jackson
---
 src/event.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)
diff --git a/src/event.c b/src/event.c
index b36288d..8cfaef5 100644
--- a/src/event.c
+++ b/src/event.c
@@ -625,8 +625,19 @@ xit:
 void adns_globalsystemfailure(adns_state ads) {
 adns__consistency(ads,0,cc_entex);
- while (ads->udpw.head) adns__query_fail(ads->udpw.head, adns_s_systemfail);
- while (ads->tcpw.head) adns__query_fail(ads->tcpw.head, adns_s_systemfail);
+ for (;;) {
+ adns_query qu;
+#define GSF_QQ(QQ) \
+ if ((qu= ads->QQ.head)) { \
+ LIST_UNLINK(ads->QQ,qu); \
+ adns__query_fail(qu, adns_s_systemfail); \
+ continue; \
+ }
+ GSF_QQ(udpw);
+ GSF_QQ(tcpw);
+#undef GSF_QQ
+ break;
+ }
 switch (ads->tcpstate) {
 case server_connecting:
-- 
2.30.2
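Review bot: The `GSF_QQ` macro in `adns_globalsystemfailure` hides a `continue` and is deliberately a bare `if` rather than `do { } while (0)`, and nothing in the new loop says why the unlink has to come first; a later cleanup could undo either and bring back the assertion failure the commit message describes. I would put comments above the `#define`, for example `/* Unlink before failing: adns__query_fail moves qu to another list. */` and `/* Bare if on purpose: continue must restart the enclosing for(;;). */`. Restarting from `udpw` after every failed query presumably covers queries that reappear on an earlier list while a later one is drained; if that is the intent, the same comment should say so. Since a failed assertion in a resolver library takes the calling process down, a regression test built from the AFL input would be worth adding alongside. The function body continues past the end of the hunk.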