From: Christopher Faulet Date: Wed, 1 Dec 2021 09:18:08 +0000 (+0100) Subject: BUG/MEDIUM: resolvers: Detach query item on response error X-Git-Tag: v2.6-dev1~334 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=80b2e34b18b805d28a9569d8157c7bcf088eef8f;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: resolvers: Detach query item on response error When a new response is parsed, it is unexpected to have an old query item still attached to the resolution. And indeed, when the response is parsed and validated, the query item is detached and used for a last check on its dname. However, this is only true for a valid response. If an error is detected, the query is not detached. This leads to undefined behavior (most probably a crash) on the next response because the first element in the query list is referencing an old response. This patch must be backported as far as 2.0. --- diff --git a/src/resolvers.c b/src/resolvers.c index 852c3d5382..a583e288c7 100644 --- a/src/resolvers.c +++ b/src/resolvers.c @@ -1478,6 +1478,8 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe cause = RSLV_RESP_INVALID; return_error: + if (query) + LIST_DEL_INIT(&query->list); pool_free(resolv_answer_item_pool, answer_record); return cause; }
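Review bot: the `if (query)` guard only protects the early error paths (jumps to `return_error` taken before a query item has been selected) if `query` is initialized to NULL at its declaration, which this hunk does not show; please confirm that initializer exists in `resolv_validate_dns_response()`, or add `= NULL` at the declaration in the same patch so the backport to 2.0 does not pick up a stale-pointer `LIST_DEL_INIT()` on those paths. Also, since the commit message says the success path already detaches the query item for its final dname check, consider doing the detach once at a common exit point rather than in two places, so the two paths cannot drift apart again the way they did here.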