More fixes for potential crash (#1562594)

Fix that auth-zone master reply with current SOA serial does not
      stop scan of masters for an updated zone.

unbound-1.7.3-rh1562594-2.patch

@@ -0,0 +1,54 @@
+From 1958d9fbd5de593738f9d4264498726e7dfac9d8 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Wed, 15 Aug 2018 09:26:13 +0000
+Subject: [PATCH] - Fix segfault in auth-zone read and reorder of RRSIGs.
+
+git-svn-id: file:///svn/unbound/trunk@4853 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ services/authzone.c | 3 ++-
+ testcode/unitauth.c | 8 +++++++-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/services/authzone.c b/services/authzone.c
+index b9576eaa..e8c99077 100644
+--- a/services/authzone.c
++++ b/services/authzone.c
+@@ -1014,7 +1014,8 @@ rrset_moveover_rrsigs(struct auth_data* node, uint16_t rr_type,
+ 	}
+ 	/* copy base values */
+ 	memcpy(sigd, sigold, sizeof(struct packed_rrset_data));
+-	sigd->rrsig_count -= sigs;
++	/* in sigd the RRSIGs are stored in the base of the RR, in count */
++	sigd->count -= sigs;
+ 	/* setup rr_len */
+ 	sigd->rr_len = (size_t*)((uint8_t*)sigd +
+ 		sizeof(struct packed_rrset_data));
+diff --git a/testcode/unitauth.c b/testcode/unitauth.c
+index 4b538ef6..19d3c4f6 100644
+--- a/testcode/unitauth.c
++++ b/testcode/unitauth.c
+@@ -131,6 +131,12 @@ static const char* zone_example_com =
+ "z9.example.com.	3600	IN	A	10.0.0.10\n"
+ "z9.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n"
+ "z9.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n"
++/* different covered types, first RRSIGs then, RRs, then another RRSIG */
++"z10.example.com.	3600	IN	RRSIG	AAAA 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n"
++"z10.example.com.	3600	IN	RRSIG	A 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n"
++"z10.example.com.	3600	IN	A	10.0.0.10\n"
++"z10.example.com.	3600	IN	RRSIG	CNAME 8 3 10200 20170612005010 20170515005010 42393 nlnetlabs.nl. NhEDrHkuIgHkjWhDRVsGOIJWZpSs+QdduilWFe5d+/ZhOheLJbaTYD5w6+ZZ3yPh1tNud+jlg+GyiOSVapLEO31swDCIarL1UfRjRSpxxDCHGag5Zu+S4hF+KURxO3cJk8jLBELMQyRuMRHoKrw/wsiLGVu1YpAyAPPMcjFBNbk=\n"
++"z10.example.com.	3600	IN	AAAA	::11\n"
+ #endif /* if0 for duplicates and reordering */
+ ;
+ 
+@@ -554,7 +560,7 @@ checkfile(char* f1, char *f2)
+ 			log_info("in files %s and %s:%d", f1, f2, line);
+ 			log_info("'%s'", buf1);
+ 			log_info("'%s'", buf2);
+-			fatal_exit("files are not eqaul");
++			fatal_exit("files are not equal");
+ 		}
+ 	}
+ 	unit_assert(feof(i1) && feof(i2));
+-- 
+2.14.4
+

unbound-1.7.3-rh1562594-3.patch

@@ -0,0 +1,27 @@
+From d967ceb98bc019d5e710fd885be14e09ed56521e Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 2 Oct 2018 12:32:33 +0000
+Subject: [PATCH] Remove that fix, analyzer is for debug with assertions. - Fix
+ clang analyzer for optimize compile analysis.
+
+git-svn-id: file:///svn/unbound/trunk@4929 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ services/authzone.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/services/authzone.c b/services/authzone.c
+index 4d0dd1b5..1f29c3ae 100644
+--- a/services/authzone.c
++++ b/services/authzone.c
+@@ -2828,7 +2828,7 @@ az_generate_any_answer(struct auth_zone* z, struct regional* region,
+ 		if(!msg_add_rrset_an(z, region, msg, node, rrset)) return 0;
+ 		added++;
+ 	}
+-	if(added == 0 && node->rrsets) {
++	if(added == 0 && node && node->rrsets) {
+ 		if(!msg_add_rrset_an(z, region, msg, node,
+ 			node->rrsets)) return 0;
+ 	}
+-- 
+2.14.4
+

unbound-1.7.3-rh1562594-4.patch

@@ -0,0 +1,125 @@
+From 2e9d09b961bc7784e04ee885e1717dc233c661a4 Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Thu, 13 Sep 2018 12:20:41 +0000
+Subject: [PATCH] 	- initialize statistics totals for printout. 	- in
+ authzone check that node exists before adding rrset. 	- in unbound-anchor,
+ use readwrite memory BIO. 	- assertion in autotrust that packed rrset is
+ formed correctly.
+
+git-svn-id: file:///svn/unbound/trunk@4903 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ daemon/remote.c           |  1 +
+ services/authzone.c       |  6 +++---
+ smallapp/unbound-anchor.c | 15 +++++++--------
+ validator/autotrust.c     |  1 +
+ 4 files changed, 12 insertions(+), 11 deletions(-)
+
+diff --git a/daemon/remote.c b/daemon/remote.c
+index 6a8ff4dc..3971e454 100644
+--- a/daemon/remote.c
++++ b/daemon/remote.c
+@@ -1070,6 +1070,7 @@ do_stats(RES* ssl, struct daemon_remote* rc, int reset)
+ 	struct ub_stats_info total;
+ 	struct ub_stats_info s;
+ 	int i;
++	memset(&total, 0, sizeof(total));
+ 	log_assert(daemon->num > 0);
+ 	/* gather all thread statistics in one place */
+ 	for(i=0; i<daemon->num; i++) {
+diff --git a/services/authzone.c b/services/authzone.c
+index fe56c9f8..4d0dd1b5 100644
+--- a/services/authzone.c
++++ b/services/authzone.c
+@@ -218,7 +218,7 @@ msg_add_rrset_an(struct auth_zone* z, struct regional* region,
+ {
+ 	log_assert(msg->rep->ns_numrrsets == 0);
+ 	log_assert(msg->rep->ar_numrrsets == 0);
+-	if(!rrset)
++	if(!rrset || !node)
+ 		return 1;
+ 	if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
+ 		z->dclass))
+@@ -242,7 +242,7 @@ msg_add_rrset_ns(struct auth_zone* z, struct regional* region,
+ 	struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
+ {
+ 	log_assert(msg->rep->ar_numrrsets == 0);
+-	if(!rrset)
++	if(!rrset || !node)
+ 		return 1;
+ 	if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
+ 		z->dclass))
+@@ -265,7 +265,7 @@ static int
+ msg_add_rrset_ar(struct auth_zone* z, struct regional* region,
+ 	struct dns_msg* msg, struct auth_data* node, struct auth_rrset* rrset)
+ {
+-	if(!rrset)
++	if(!rrset || !node)
+ 		return 1;
+ 	if(msg_rrset_duplicate(msg, node->name, node->namelen, rrset->type,
+ 		z->dclass))
+diff --git a/smallapp/unbound-anchor.c b/smallapp/unbound-anchor.c
+index cd2da149..36f82666 100644
+--- a/smallapp/unbound-anchor.c
++++ b/smallapp/unbound-anchor.c
+@@ -1097,11 +1097,14 @@ read_http_result(SSL* ssl)
+ 	}
+ 	if(!data) return NULL;
+ 	if(verb >= 4) print_data("read data", data, (int)len);
+-	m = BIO_new_mem_buf(data, (int)len);
++	m = BIO_new(BIO_s_mem());
+ 	if(!m) {
+ 		if(verb) printf("out of memory\n");
++		free(data);
+ 		exit(0);
+ 	}
++	BIO_write(m, data, (int)len);
++	free(data);
+ 	return m;
+ }
+ 
+@@ -1172,10 +1175,6 @@ https(struct ip_list* ip_list, const char* pathname, const char* urlname)
+ static void
+ free_file_bio(BIO* bio)
+ {
+-	char* pp = NULL;
+-	(void)BIO_reset(bio);
+-	(void)BIO_get_mem_data(bio, &pp);
+-	free(pp);
+ 	BIO_free(bio);
+ }
+ 
+@@ -1603,7 +1602,7 @@ xml_parse(BIO* xml, time_t now)
+ 	xml_parse_setup(parser, &data, now);
+ 
+ 	/* parse it */
+-	(void)BIO_reset(xml);
++	(void)BIO_seek(xml, 0);
+ 	len = (int)BIO_get_mem_data(xml, &pp);
+ 	if(!len || !pp) {
+ 		if(verb) printf("out of memory\n");
+@@ -1777,8 +1776,8 @@ verify_p7sig(BIO* data, BIO* p7s, STACK_OF(X509)* trust, const char* p7signer)
+ 	X509_VERIFY_PARAM_free(param);
+ #endif
+ 
+-	(void)BIO_reset(p7s);
+-	(void)BIO_reset(data);
++	(void)BIO_seek(p7s, 0);
++	(void)BIO_seek(data, 0);
+ 
+ 	/* convert p7s to p7 (the signature) */
+ 	p7 = d2i_PKCS7_bio(p7s, NULL);
+diff --git a/validator/autotrust.c b/validator/autotrust.c
+index a34a7c96..a7296730 100644
+--- a/validator/autotrust.c
++++ b/validator/autotrust.c
+@@ -718,6 +718,7 @@ packed_rrset_heap_data(int iter(struct autr_ta**, uint8_t**, size_t*,
+ 	list_i = list;
+ 	i = 0;
+ 	while(iter(&list_i, &rr, &rr_len, &dname_len)) {
++		log_assert(data->rr_data[i]);
+ 		memmove(data->rr_data[i],
+ 			sldns_wirerr_get_rdatawl(rr, rr_len, dname_len),
+ 			data->rr_len[i]);
+-- 
+2.14.4
+

unbound-1.7.3-rh1562594.patch

@@ -0,0 +1,156 @@
+From a31d45b13e2e496b2fdb6ce4715481681362472f Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Tue, 26 Jun 2018 13:48:36 +0000
+Subject: [PATCH] - Fix that auth-zone master reply with current SOA serial
+ does not   stop scan of masters for an updated zone.
+
+git-svn-id: file:///svn/unbound/trunk@4755 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ services/authzone.c | 75 ++++++++++++++++++++++++++++++++++-------------------
+ services/authzone.h |  3 +++
+ 2 files changed, 52 insertions(+), 26 deletions(-)
+
+diff --git a/services/authzone.c b/services/authzone.c
+index a76b51f6..9de43b75 100644
+--- a/services/authzone.c
++++ b/services/authzone.c
+@@ -5090,7 +5090,8 @@ xfr_transfer_nexttarget_or_end(struct auth_xfer* xfr, struct module_env* env)
+ 	xfr_transfer_disown(xfr);
+ 
+ 	/* pick up the nextprobe task and wait */
+-	xfr_set_timeout(xfr, env, 1, 0);
++	if(xfr->task_nextprobe->worker == NULL)
++		xfr_set_timeout(xfr, env, 1, 0);
+ 	lock_basic_unlock(&xfr->lock);
+ }
+ 
+@@ -5547,7 +5548,8 @@ process_list_end_transfer(struct auth_xfer* xfr, struct module_env* env)
+ 			return;
+ 		} else {
+ 			/* pick up the nextprobe task and wait (normail wait time) */
+-			xfr_set_timeout(xfr, env, 0, 0);
++			if(xfr->task_nextprobe->worker == NULL)
++				xfr_set_timeout(xfr, env, 0, 0);
+ 		}
+ 		lock_basic_unlock(&xfr->lock);
+ 		return;
+@@ -5888,29 +5890,35 @@ auth_xfer_probe_udp_callback(struct comm_point* c, void* arg, int err,
+ 					return 0;
+ 
+ 				}
++				/* other tasks are running, we don't do this anymore */
++				xfr_probe_disown(xfr);
++				lock_basic_unlock(&xfr->lock);
++				/* return, we don't sent a reply to this udp packet,
++				 * and we setup the tasks to do next */
++				return 0;
+ 			} else {
+-				/* if zone not updated, start the wait timer again */
+-				verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait");
+-				if(xfr->have_zone)
+-					xfr->lease_time = *env->now;
+-				if(xfr->task_nextprobe->worker == NULL)
+-					xfr_set_timeout(xfr, env, 0, 0);
++				verbose(VERB_ALGO, "auth_zone master reports unchanged soa serial");
++				/* we if cannot find updates amongst the
++				 * masters, this means we then have a new lease
++				 * on the zone */
++				xfr->task_probe->have_new_lease = 1;
++			}
++		} else {
++			if(verbosity >= VERB_ALGO) {
++				char buf[256];
++				dname_str(xfr->name, buf);
++				verbose(VERB_ALGO, "auth zone %s: bad reply to soa probe", buf);
+ 			}
+-			/* other tasks are running, we don't do this anymore */
+-			xfr_probe_disown(xfr);
+-			lock_basic_unlock(&xfr->lock);
+-			/* return, we don't sent a reply to this udp packet,
+-			 * and we setup the tasks to do next */
+-			return 0;
+ 		}
+-	}
+-	if(verbosity >= VERB_ALGO) {
+-		char buf[256];
+-		dname_str(xfr->name, buf);
+-		verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf);
++	} else {
++		if(verbosity >= VERB_ALGO) {
++			char buf[256];
++			dname_str(xfr->name, buf);
++			verbose(VERB_ALGO, "auth zone %s: soa probe failed", buf);
++		}
+ 	}
+ 	
+-	/* failed lookup */
++	/* failed lookup or not an update */
+ 	/* delete commpoint so a new one is created, with a fresh port nr */
+ 	comm_point_delete(xfr->task_probe->cp);
+ 	xfr->task_probe->cp = NULL;
+@@ -6013,7 +6021,8 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
+ 		/* only wanted lookups for copy, stop probe and start wait */
+ 		xfr->task_probe->only_lookup = 0;
+ 		xfr_probe_disown(xfr);
+-		xfr_set_timeout(xfr, env, 0, 0);
++		if(xfr->task_nextprobe->worker == NULL)
++			xfr_set_timeout(xfr, env, 0, 0);
+ 		lock_basic_unlock(&xfr->lock);
+ 		return;
+ 	}
+@@ -6029,12 +6038,24 @@ xfr_probe_send_or_end(struct auth_xfer* xfr, struct module_env* env)
+ 		xfr_probe_nextmaster(xfr);
+ 	}
+ 
+-	/* we failed to send this as well, move to the wait task,
+-	 * use the shorter retry timeout */
+-	xfr_probe_disown(xfr);
++	/* done with probe sequence, wait */
++	if(xfr->task_probe->have_new_lease) {
++		/* if zone not updated, start the wait timer again */
++		verbose(VERB_ALGO, "auth_zone unchanged, new lease, wait");
++		xfr_probe_disown(xfr);
++		if(xfr->have_zone)
++			xfr->lease_time = *env->now;
++		if(xfr->task_nextprobe->worker == NULL)
++			xfr_set_timeout(xfr, env, 0, 0);
++	} else {
++		/* we failed to send this as well, move to the wait task,
++		 * use the shorter retry timeout */
++		xfr_probe_disown(xfr);
++		/* pick up the nextprobe task and wait */
++		if(xfr->task_nextprobe->worker == NULL)
++			xfr_set_timeout(xfr, env, 1, 0);
++	}
+ 
+-	/* pick up the nextprobe task and wait */
+-	xfr_set_timeout(xfr, env, 1, 0);
+ 	lock_basic_unlock(&xfr->lock);
+ }
+ 
+@@ -6168,6 +6189,8 @@ xfr_start_probe(struct auth_xfer* xfr, struct module_env* env,
+ 		xfr->task_probe->cp = NULL;
+ 
+ 		/* start the task */
++		/* have not seen a new lease yet, this scan */
++		xfr->task_probe->have_new_lease = 0;
+ 		/* if this was a timeout, no specific first master to scan */
+ 		/* otherwise, spec is nonNULL the notified master, scan
+ 		 * first and also transfer first from it */
+diff --git a/services/authzone.h b/services/authzone.h
+index 69158de2..6b25452d 100644
+--- a/services/authzone.h
++++ b/services/authzone.h
+@@ -309,6 +309,9 @@ struct auth_probe {
+ 	/** we only want to do lookups for making config work (for notify),
+ 	 * don't proceed with UDP SOA probe queries */
+ 	int only_lookup;
++	/** we have seen a new lease this scan, because one of the masters
++	 * replied with the current SOA serial version */
++	int have_new_lease;
+ 
+ 	/** once notified, or the timeout has been reached. a scan starts. */
+ 	/** the scan specific target (notify source), or NULL if none */
+-- 
+2.14.4
+

unbound-1.8.0-rh1633874.patch

@@ -0,0 +1,39 @@
+From 9be04e6fac3f4ee8fa08d3671dac41d2156d2ced Mon Sep 17 00:00:00 2001
+From: Wouter Wijngaards <wouter@nlnetlabs.nl>
+Date: Thu, 27 Sep 2018 08:19:29 +0000
+Subject: [PATCH] - Fix #4188: IPv6 forwarders without ipv6 result in SERVFAIL,
+ fixes   qname minimisation with a forwarder when connectivity has issues  
+ from rejecting responses.
+
+git-svn-id: file:///svn/unbound/trunk@4916 be551aaa-1e26-0410-a405-d3ace91eadb9
+---
+ iterator/iterator.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/iterator/iterator.c b/iterator/iterator.c
+index 7baf92b7..2f26bd33 100644
+--- a/iterator/iterator.c
++++ b/iterator/iterator.c
+@@ -2174,7 +2174,8 @@ processQueryTargets(struct module_qstate* qstate, struct iter_qstate* iq,
+ 		return 0;
+ 	}
+ 
+-	if(iq->minimisation_state == INIT_MINIMISE_STATE) {
++	if(iq->minimisation_state == INIT_MINIMISE_STATE
++		&& !(iq->chase_flags & BIT_RD)) {
+ 		/* (Re)set qinfo_out to (new) delegation point, except when
+ 		 * qinfo_out is already a subdomain of dp. This happens when
+ 		 * increasing by more than one label at once (QNAMEs with more
+@@ -2715,7 +2716,8 @@ processQueryResponse(struct module_qstate* qstate, struct iter_qstate* iq,
+ 			sock_list_insert(&qstate->reply_origin, 
+ 				&qstate->reply->addr, qstate->reply->addrlen, 
+ 				qstate->region);
+-		if(iq->minimisation_state != DONOT_MINIMISE_STATE) {
++		if(iq->minimisation_state != DONOT_MINIMISE_STATE
++			&& !(iq->chase_flags & BIT_RD)) {
+ 			if(FLAGS_GET_RCODE(iq->response->rep->flags) != 
+ 				LDNS_RCODE_NOERROR) {
+ 				if(qstate->env->cfg->qname_minimisation_strict)
+-- 
+2.14.4
+

unbound.spec

@@ -34,7 +34,7 @@
 Summary: Validating, recursive, and caching DNS(SEC) resolver
 Name: unbound
 Version: 1.7.3
-Release: 8%{?extra_version:.%{extra_version}}%{?dist}
+Release: 10%{?extra_version:.%{extra_version}}%{?dist}
 License: BSD
 Url: https://www.unbound.net/
 Source: https://www.unbound.net/downloads/%{name}-%{version}%{?extra_version}.tar.gz
@@ -59,6 +59,15 @@ Patch2: unbound-1.7.2-python3-devel.patch
 Patch3: unbound-1.7.2-python3-pkgconfig.patch
 Patch4: unbound-1.7.3-anchor-fallback.patch
 Patch5: unbound-1.7.3-host-any.patch
+Patch6: unbound-1.8.0-rh1633874.patch
+# commit a31d45b13e2e496b2fdb6ce4715481681362472f
+Patch7: unbound-1.7.3-rh1562594.patch
+# commit 1958d9fbd5de593738f9d4264498726e7dfac9d8
+Patch8: unbound-1.7.3-rh1562594-2.patch
+# commit d967ceb98bc019d5e710fd885be14e09ed56521e
+Patch9: unbound-1.7.3-rh1562594-3.patch
+# commit 2e9d09b961bc7784e04ee885e1717dc233c661a4
+Patch10: unbound-1.7.3-rh1562594-4.patch
 
 BuildRequires: gcc, make
 BuildRequires: flex, openssl-devel
@@ -158,6 +167,11 @@ pushd %{pkgname}
 %patch3 -p1 -b .python3
 %patch4 -p1 -b .anchor-fallback
 %patch5 -p1 -b .host-any
+%patch6 -p1
+%patch7 -p1 -b .rh1562594
+%patch8 -p1 -b .rh1562594
+%patch9 -p1 -b .rh1562594
+%patch10 -p1
 
 # only for snapshots
 # autoreconf -iv
@@ -429,6 +443,12 @@ popd
 %attr(0644,root,root) %config %{_sysconfdir}/%{name}/root.key
 
 %changelog
+* Tue Oct 02 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-10
+- Try to fix occasional crash (#1562594)
+
+* Mon Oct 01 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-9
+- Skip ipv6 forwarders without ipv6 support (#1633874)
+
 * Tue Jul 31 2018 Petr Menšík <pemensik@redhat.com> - 1.7.3-8
 - Release memory in unbound-host