From e57245ee81a98b27f10b7b61e4cc5251a0c9f8a3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= Date: Wed, 4 Mar 2026 17:08:50 +0100 Subject: [PATCH] Fix use-after-free in xfrin_recv_done Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach in xfrin_recv_done. Previously, dns_xfrin_detach was called before the trace probe, which could free the xfr object. Because the accessed member xfr->info is an embedded array, the expression evaluates via pointer arithmetic rather than a direct memory dereference. Although this prevents a reliable crash in practice, it technically remains a use-after-free issue. Reorder the statements to ensure the transfer context is fully valid when the probe executes. --- lib/dns/xfrin.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index feff048e9a..902abc34d9 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -2065,8 +2065,8 @@ cleanup: if (msg != NULL) { dns_message_detach(&msg); } - dns_xfrin_detach(&xfr); LIBDNS_XFRIN_RECV_DONE(xfr, xfr->info, result); + dns_xfrin_detach(&xfr); } static void
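Review bot: The reorder in the `cleanup:` hunk is the right fix, but a one-line comment above `LIBDNS_XFRIN_RECV_DONE(xfr, xfr->info, result);` stating that it must run before `dns_xfrin_detach(&xfr);` would keep a later refactor from reintroducing the ordering bug; because `dns_xfrin_detach` receives `&xfr`, the local pointer is presumably cleared or the object released inside that call, so any later use of `xfr`, even one that only forms the address of the embedded `info` array, silently depends on this order. It would also be worth checking the other cleanup paths in lib/dns/xfrin.c for the same probe-after-detach pattern, and stating in the commit message whether the probe macro compiles out when tracing support is disabled, since that determines whether non-tracing builds were ever affected.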