
Unguarded use-after-free in dynamic_resolve

Open rezan opened this issue 3 years ago • 0 comments

There is an unguarded use-after-free error here in vmod_dynamic.c. This affects all versions of vmod_dynamic, potentially all the way back to 4.1. This is unguarded, meaning there are no magic checks preventing this from happening or being exploited.

Cause

Resolve a director while doing a plain DNS update where a backend is deleted. Note that without a magic check, this use-after-free is undetectable without extra memory checks.

Outcome

Nothing, a crash/panic, or you can land on a different random backend or an attacker-controlled backend.

Fix

  • Add magic checks to all dynamic structs. This is how the bug was uncovered.
  • Move the struct dynamic_ref *next dereference in question up into the locked section. Grab a reference to the director there and return it.

I will not be making a PR for this, and this has not been reported anywhere else.

rezan avatar Feb 25 '22 16:02 rezan
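The race in "Cause" and the two bullets under "Fix", as an added example in plain C that is not vmod_dynamic's code and does not reproduce its internals: a director keeps a mutex-protected list of backends, a DNS update deletes one by unlinking it and dropping the list's reference, and the resolver advances a round-robin cursor through the list. All names (dyn_*, DYN_REF_MAGIC, DYN_CHECK), the cursor, the reference-count scheme and the sample addresses are assumptions made for the illustration; the magic-check idiom follows Varnish's CHECK_OBJ_NOTNULL.

```c
/* Added example, not vmod_dynamic code: a minimal model of the director backend-list race
 * from the report and both proposed fixes. All names (dyn_*, DYN_REF_MAGIC), the round-robin
 * cursor, the refcount scheme and the addresses are made up for illustration. */
#include <assert.h>
#include <pthread.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DYN_REF_MAGIC 0x1c4e8b2aU       /* hypothetical magic value */
/* Varnish-style magic check (cf. CHECK_OBJ_NOTNULL): abort on null, stale or poisoned pointers. */
#define DYN_CHECK(p, m) assert((p) != NULL && (p)->magic == (m))

struct dyn_ref {                        /* stands in for struct dynamic_ref */
	uint32_t        magic;          /* DYN_REF_MAGIC while live, 0 once freed */
	atomic_int      refcnt;         /* the list holds one, each resolver holds one */
	char            addr[32];
	struct dyn_ref *next;
};
struct dyn_dir {
	pthread_mutex_t mtx;            /* protects head, cursor and every ->next */
	struct dyn_ref *head;
	struct dyn_ref *cursor;         /* last backend handed out (round robin) */
};
static int dyn_freed;                   /* refs actually freed; test counter */

static void dyn_ref_release(struct dyn_ref *r)
{
	DYN_CHECK(r, DYN_REF_MAGIC);
	if (atomic_fetch_sub(&r->refcnt, 1) != 1)
		return;                 /* another holder keeps it alive */
	r->magic = 0;                   /* poison: a later DYN_CHECK fails loudly */
	free(r);
	dyn_freed++;
}
static void dyn_dir_add(struct dyn_dir *d, const char *addr)
{
	struct dyn_ref *r = calloc(1, sizeof *r), **pp = &d->head;
	assert(r != NULL);
	r->magic = DYN_REF_MAGIC;
	atomic_init(&r->refcnt, 1);     /* the list's own reference */
	strncpy(r->addr, addr, sizeof r->addr - 1);
	pthread_mutex_lock(&d->mtx);
	while (*pp != NULL)             /* append: round robin follows add order */
		pp = &(*pp)->next;
	*pp = r;
	pthread_mutex_unlock(&d->mtx);
}
/* DNS update path: unlink the backend and drop the list's reference. A resolver holding its
 * own reference keeps the struct alive; without one, this free() is the report's UAF. */
static int dyn_dir_remove(struct dyn_dir *d, const char *addr)
{
	struct dyn_ref **pp, *r;
	pthread_mutex_lock(&d->mtx);
	for (pp = &d->head; (r = *pp) != NULL; pp = &r->next) {
		DYN_CHECK(r, DYN_REF_MAGIC);
		if (strcmp(r->addr, addr) != 0)
			continue;
		*pp = r->next;
		if (d->cursor == r)
			d->cursor = NULL; /* next resolve restarts at head */
		pthread_mutex_unlock(&d->mtx);
		dyn_ref_release(r);
		return 1;
	}
	pthread_mutex_unlock(&d->mtx);
	return 0;
}
/* Resolve with both fixes. In the buggy shape the report describes, the "r->next" line sat
 * after pthread_mutex_unlock() and no reference was taken, so a DNS update deleting the
 * cursor's backend in that window made it read freed memory, unnoticed without a magic. */
static struct dyn_ref *dyn_resolve(struct dyn_dir *d)
{
	struct dyn_ref *r;
	pthread_mutex_lock(&d->mtx);
	if ((r = d->cursor) != NULL)
		DYN_CHECK(r, DYN_REF_MAGIC);
	r = (r == NULL || r->next == NULL) ? d->head : r->next;
	if (r != NULL) {
		DYN_CHECK(r, DYN_REF_MAGIC);
		atomic_fetch_add(&r->refcnt, 1); /* grab the reference under the lock */
		d->cursor = r;
	}
	pthread_mutex_unlock(&d->mtx);
	return r;                       /* caller must dyn_ref_release() it */
}
/* The report's scenario: resolve, delete that backend via a DNS update, then use the result.
 * Returns 1 if the backend stayed valid while referenced and was freed only on release. */
static int dyn_demo(void)
{
	struct dyn_dir d = { .mtx = PTHREAD_MUTEX_INITIALIZER };
	struct dyn_ref *r;
	int ok;
	dyn_freed = 0;
	dyn_dir_add(&d, "192.0.2.10");  /* constructed sample addresses */
	dyn_dir_add(&d, "192.0.2.11");
	r = dyn_resolve(&d);            /* 192.0.2.10, refcnt now 2 */
	dyn_dir_remove(&d, "192.0.2.10"); /* unlinked; refcnt 1, not freed */
	DYN_CHECK(r, DYN_REF_MAGIC);    /* still passes: we hold a reference */
	ok = strcmp(r->addr, "192.0.2.10") == 0 && dyn_freed == 0;
	dyn_ref_release(r);             /* last reference: freed here */
	ok = ok && dyn_freed == 1;
	return dyn_dir_remove(&d, "192.0.2.11") && ok;  /* cleanup frees the other one */
}
```

Build with `cc -std=c11 -Wall` and call dyn_demo() from a main of your own. Two caveats a reviewer would raise: the poisoned magic only catches a stale pointer while the freed memory is still intact, which is what the report means by the bug being undetectable without extra memory checks (run the real code under ASan or valgrind for the rest), and a magic check built on assert() disappears under NDEBUG, so production code should use an abort-style macro the way Varnish does.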