resolved: do not keep dns_server to dns_stream ref if tls connection failed (#9855)
authorIwan Timmer <irtimmer@gmail.com>
Mon, 13 Aug 2018 06:20:25 +0000 (08:20 +0200)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Mon, 13 Aug 2018 06:20:25 +0000 (15:20 +0900)
The references to the dns_server are now set up after the TLS connection is set up.
This ensures that the stream is fully stopped when the initial TLS setup fails,
instead of the unref being blocked by the server's reference to the stream.
Therefore on_stream_io would no longer be called with a half-set-up encrypted connection.

Fixes the issue reported in #9838.

src/resolve/resolved-dns-transaction.c

index db30997d04e8ea30a71ebcfe7633e1fec6d6e0a2..fbc4735855f6968af45301acd877033a17ec0b5d 100644 (file)
@@ -628,12 +628,6 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
 
                 fd = -1;
 
-                if (t->server) {
-                        dns_stream_unref(t->server->stream);
-                        t->server->stream = dns_stream_ref(s);
-                        s->server = dns_server_ref(t->server);
-                }
-
 #if ENABLE_DNS_OVER_TLS
                 if (DNS_SERVER_FEATURE_LEVEL_IS_TLS(t->current_feature_level)) {
                         assert(t->server);
@@ -643,6 +637,12 @@ static int dns_transaction_emit_tcp(DnsTransaction *t) {
                 }
 #endif
 
+                if (t->server) {
+                        dns_stream_unref(t->server->stream);
+                        t->server->stream = dns_stream_ref(s);
+                        s->server = dns_server_ref(t->server);
+                }
+
                 s->complete = on_stream_complete;
                 s->on_packet = dns_stream_on_packet;
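Review bot: The position of the re-added `if (t->server)` block after the `#if ENABLE_DNS_OVER_TLS` section is now load-bearing, but nothing at the new location says so. Going by the commit description, taking the server/stream references before TLS setup kept the stream alive after a failed handshake, so `on_stream_io` could run on a half-initialised encrypted connection; a later tidy-up that moves the block back up would silently reintroduce that. I would add a comment above it, e.g. `/* Take the server<->stream references only after TLS setup succeeded: on failure the last unref must free the stream, not leave it reachable via t->server->stream. */`. The TLS connect call and its error exit lie between the two hunks and are not visible here, and `dns_transaction_emit_tcp` continues past the hunk, so it is worth confirming that every failure return in that section happens before this block.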