From 9135b71a7aca1a2dca994e959fad2e4f22e3f983 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Fri, 20 Feb 2026 11:58:13 +0100
Subject: [PATCH] Fix read UAF in BIND9 dns_client_resolve() via DNAME Response

An attacker controlling a malicious DNS server returns a DNAME record, and the we stores a pointer to resp->foundname, frees the response structure, then uses the dangling pointer in dns_name_fullcompare() possibly causing invalid match. Only the `delv`is affected. This has been fixed.
---
 lib/dns/client.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/lib/dns/client.c b/lib/dns/client.c
index 2097fa3ec5..6027c0d081 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -490,7 +490,7 @@ client_resfind(resctx_t *rctx, dns_fetchresponse_t *resp) {
 name = dns_fixedname_name(&rctx->name);
 do {
- dns_name_t *fname = NULL;
+ dns_name_t *fname = dns_fixedname_initname(&foundname);
 dns_name_t *ansname = NULL;
 dns_db_t *db = NULL;
 dns_dbnode_t *node = NULL;
@@ -499,7 +499,6 @@ client_resfind(resctx_t *rctx, dns_fetchresponse_t *resp) {
 want_restart = false;
 if (resp == NULL) {
- fname = dns_fixedname_initname(&foundname);
 INSIST(!dns_rdataset_isassociated(rctx->rdataset));
 INSIST(rctx->sigrdataset == NULL ||
 !dns_rdataset_isassociated(rctx->sigrdataset));
@@ -528,14 +527,13 @@ client_resfind(resctx_t *rctx, dns_fetchresponse_t *resp) {
 goto done;
 }
 } else {
- INSIST(resp != NULL);
 INSIST(resp->fetch == rctx->fetch);
 dns_resolver_destroyfetch(&rctx->fetch);
 db = resp->cache;
 node = resp->node;
 result = resp->result;
 vresult = resp->vresult;
- fname = resp->foundname;
+ dns_name_copy(resp->foundname, fname);
 INSIST(resp->rdataset == rctx->rdataset);
 INSIST(resp->sigrdataset == rctx->sigrdataset);
 dns_resolver_freefresp(&resp);
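Review bot: The new `dns_name_copy(resp->foundname, fname);` in the third hunk is only safe because it runs before `dns_resolver_freefresp(&resp);` three lines below, and nothing in the code records that ordering constraint; a comment such as `/* resp is freed below, so keep our own copy of foundname in the fixed buffer */` on the copy line would keep a future reorder from reintroducing the dangling pointer. The destination is the dns_fixedname buffer that the first hunk now initialises at the top of every `do` iteration, which holds any wire-format name, so the copy cannot overflow, assuming this tree's dns_name_copy() is the void variant; if it still returns isc_result_t here, the result needs checking. In the same spirit it is worth confirming that `db = resp->cache;` and `node = resp->node;` are attached references that outlive the response, since they are consumed after the free in exactly the way the old `fname = resp->foundname;` was. client_resfind() begins before the first hunk and continues past the last one.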