nigoroll / libvmod-dynamic

The Varnish dns/named director continued
BSD 2-Clause "Simplified" License

Unguarded use-after-free in dynamic_resolve #83

Closed rezan closed 1 year ago

rezan commented 2 years ago

There is an unguarded use-after-free error here in vmod_dynamic.c. This affects all versions of vmod_dynamic, potentially all the way back to 4.1. This is unguarded, meaning there are no magic checks preventing this from happening or being exploited.

Cause

Resolve a director while doing a plain DNS update where a backend is deleted. Note that without a magic check, this use-after-free is undetectable without extra memory checks.

Outcome

Nothing, a crash/panic, or you can land on a different random backend or an attacker-controlled backend.

Fix

I will not be making a PR for this and this has not been reported anywhere else.

nigoroll commented 1 year ago

I believe this touches the same point as #81, which has been known for ages and is the reason why I have been pushing for director references in varnish-cache. But when we finally got them, I did not have the resources to adjust this vmod.

nigoroll commented 1 year ago

Please see https://github.com/nigoroll/libvmod-dynamic/issues/81#issuecomment-1613334074 and continue there
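
Added illustration, not part of the thread and not code from libvmod-dynamic or Varnish: a minimal C model of the lifetime problem discussed above, showing what a magic check catches, how slot reuse gets past it, and how a reference held by the resolver defers deletion. The `backend` struct, the static pool, the magic value and all function names are hypothetical, and the addresses are documentation ranges.

```c
/* Added illustration; not libvmod-dynamic or Varnish code. All names are hypothetical. */
#include <string.h>

#define BACKEND_MAGIC 0x5eb4c3d1u            /* constructed value */
struct backend { unsigned magic, refcnt; char addr[32]; };
static struct backend pool[4];   /* static slots, so a stale pointer is still legal to read */

static int backend_valid(const struct backend *b) { return b && b->magic == BACKEND_MAGIC; }

static struct backend *backend_new(const char *addr) {
    for (size_t i = 0; i < sizeof pool / sizeof pool[0]; i++) {
        if (pool[i].magic == BACKEND_MAGIC) continue;      /* slot in use */
        memset(&pool[i], 0, sizeof pool[i]);
        strncpy(pool[i].addr, addr, sizeof pool[i].addr - 1);
        pool[i].refcnt = 1;                  /* reference held by the director's list */
        pool[i].magic = BACKEND_MAGIC;
        return &pool[i];
    }
    return NULL;
}
static struct backend *backend_ref(struct backend *b) {
    if (!backend_valid(b)) return NULL;
    b->refcnt++;
    return b;
}
static int backend_unref(struct backend **bp) {   /* returns 1 when the object is destroyed */
    struct backend *b = *bp;
    *bp = NULL;
    if (!backend_valid(b) || --b->refcnt > 0) return 0;
    b->magic = 0;                            /* stale pointers now fail backend_valid() */
    return 1;
}
/* Resolver borrows a bare pointer; the DNS update then drops the record. */
static struct backend *borrow_then_delete(void) {
    struct backend *list = backend_new("192.0.2.10"), *picked = list;
    backend_unref(&list);
    return picked;                           /* dangling */
}
int magic_detects_stale(void) { return !backend_valid(borrow_then_delete()); }
int reuse_defeats_magic(void) {              /* slot recycled for another backend */
    struct backend *picked = borrow_then_delete(), *other = backend_new("198.51.100.7");
    int fooled = backend_valid(picked) && strcmp(picked->addr, "192.0.2.10") != 0;
    backend_unref(&other);
    return fooled;
}
int reference_defers_delete(void) {          /* resolver holds its own reference */
    struct backend *list = backend_new("192.0.2.10"), *picked = backend_ref(list);
    int early = backend_unref(&list), usable = backend_valid(picked);
    return !early && usable && backend_unref(&picked);
}
```

Each scenario function returns 1 when the behaviour named in its comment occurs. The pool stands in for the allocator so that reading a stale pointer stays well defined in the model.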