resolve: fix potential memleak and use-after-free

When stub stream is closed early, then queries associated to the stream
are freed. Previously, the timer event source for queries may not be
disabled, hence may be triggered with already freed query.
See also dns_stub_stream_complete().

Note that we usually not set NULL or zero when freeing simple objects.
But, here DnsQuery is large and complicated object, and the element may
be referenced in subsequent freeing process in the future. Hence, for
safety, let's set NULL to the pointer.

diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index 3b5e456db2e06fb8a6e2e7da25b92f983d96f820..192bfd3bf5682bf90719a6a144a98efd83079c0a 100644 (file)
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -381,6 +381,8 @@ DnsQuery *dns_query_free(DnsQuery *q) {
         if (!q)
                 return NULL;
 
+        q->timeout_event_source = sd_event_source_disable_unref(q->timeout_event_source);
+
         while (q->auxiliary_queries)
                 dns_query_free(q->auxiliary_queries);