From ffd17aca387e886dc3b0a035cb42e737be4ea501 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Fri, 2 Nov 2012 15:57:56 +1100
Subject: [PATCH] move memory accounting to before free of memory to avoid "using" a pointer after it is freed
---
 lib/isc/mem.c | 59 +++++++++++++++++++++++++--------------------------
 1 file changed, 29 insertions(+), 30 deletions(-)
diff --git a/lib/isc/mem.c b/lib/isc/mem.c
index b2e18d2802..be05138dda 100644
--- a/lib/isc/mem.c
+++ b/lib/isc/mem.c
@@ -1215,16 +1215,17 @@ isc___mem_putanddetach(isc_mem_t **ctxp, void *ptr, size_t size FLARG) {
 return;
 }
- if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
- MCTXLOCK(ctx, &ctx->lock);
- mem_putunlocked(ctx, ptr, size);
- } else {
- mem_put(ctx, ptr, size);
- MCTXLOCK(ctx, &ctx->lock);
- mem_putstats(ctx, ptr, size);
- }
+ MCTXLOCK(ctx, &ctx->lock);
 DELETE_TRACE(ctx, ptr, size, file, line);
+
+ if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+ mem_putunlocked(ctx, ptr, size);
+ } else {
+ mem_putstats(ctx, ptr, size);
+ mem_put(ctx, ptr, size);
+ }
+
 INSIST(ctx->references > 0);
 ctx->references--;
 if (ctx->references == 0)
@@ -1342,16 +1343,17 @@ isc___mem_put(isc_mem_t *ctx0, void *ptr, size_t size FLARG) {
 return;
 }
- if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
- MCTXLOCK(ctx, &ctx->lock);
- mem_putunlocked(ctx, ptr, size);
- } else {
- mem_put(ctx, ptr, size);
- MCTXLOCK(ctx, &ctx->lock);
- mem_putstats(ctx, ptr, size);
- }
+ MCTXLOCK(ctx, &ctx->lock);
 DELETE_TRACE(ctx, ptr, size, file, line);
+ if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+ mem_putunlocked(ctx, ptr, size);
+ } else {
+ mem_putstats(ctx, ptr, size);
+ mem_put(ctx, ptr, size);
+ }
+
 /*
 * The check against ctx->lo_water == 0 is for the condition
 * when the context was pushed over hi_water but then had 
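Review bot: Hoisting `MCTXLOCK(ctx, &ctx->lock);` above the if/else puts the non-INTERNAL `mem_put(ctx, ptr, size);` inside the critical section, whereas the removed lines show it previously ran before the lock was taken, and the commit message does not mention this change of lock scope. mem_put's body is outside the hunk, but if it hands the block to a caller-supplied free routine, that routine now executes with the context lock held, which lengthens the hold time and would deadlock if it ever re-entered the same context, so the intended scope should be confirmed and recorded. The same lock-then-stats-then-put pattern is repeated in the isc___mem_put, isc___mem_free and isc___mempool_put hunks, and the stats/put reorder alone in isc__mempool_destroy, so a single `static` helper called with the lock held and carrying a comment such as `/* ctx->lock held; accounting and trace updates precede the release so no freed pointer is touched afterwards */` would keep the ordering invariant in one place instead of five. isc___mem_putanddetach and isc___mem_put both continue outside their hunks.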
@@ -1641,17 +1642,17 @@ isc___mem_free(isc_mem_t *ctx0, void *ptr FLARG) {
 size = si->u.size;
 }
- if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
- MCTXLOCK(ctx, &ctx->lock);
- mem_putunlocked(ctx, si, size);
- } else {
- mem_put(ctx, si, size);
- MCTXLOCK(ctx, &ctx->lock);
- mem_putstats(ctx, si, size);
- }
+ MCTXLOCK(ctx, &ctx->lock);
 DELETE_TRACE(ctx, ptr, size, file, line);
+ if ((ctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
+ mem_putunlocked(ctx, si, size);
+ } else {
+ mem_putstats(ctx, si, size);
+ mem_put(ctx, si, size);
+ }
+
 /*
 * The check against ctx->lo_water == 0 is for the condition
 * when the context was pushed over hi_water but then had
@@ -1980,8 +1981,8 @@ isc__mempool_destroy(isc_mempool_t **mpctxp) {
 if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
 mem_putunlocked(mctx, item, mpctx->size);
 } else {
- mem_put(mctx, item, mpctx->size);
 mem_putstats(mctx, item, mpctx->size);
+ mem_put(mctx, item, mpctx->size);
 }
 }
 MCTXUNLOCK(mctx, &mctx->lock);
@@ -2126,16 +2127,14 @@ isc___mempool_put(isc_mempool_t *mpctx0, void *mem FLARG) {
 * If our free list is full, return this to the mctx directly.
 */
 if (mpctx->freecount >= mpctx->freemax) {
+ MCTXLOCK(mctx, &mctx->lock);
 if ((mctx->flags & ISC_MEMFLAG_INTERNAL) != 0) {
- MCTXLOCK(mctx, &mctx->lock);
 mem_putunlocked(mctx, mem, mpctx->size);
- MCTXUNLOCK(mctx, &mctx->lock);
 } else {
- mem_put(mctx, mem, mpctx->size);
- MCTXLOCK(mctx, &mctx->lock);
 mem_putstats(mctx, mem, mpctx->size);
- MCTXUNLOCK(mctx, &mctx->lock);
+ mem_put(mctx, mem, mpctx->size);
 }
+ MCTXUNLOCK(mctx, &mctx->lock);
 if (mpctx->lock != NULL)
 UNLOCK(mpctx->lock);
 return;