BUG/MEDIUM: resolvers: Detach query item on response error

When a new response is parsed, it is unexpected to have an old query item
still attached to the resolution. And indeed, when the response is parsed
and validated, the query item is detached and used for a last check on its
dname. However, this is only true for a valid response. If an error is
detected, the query is not detached. This leads to undefined behavior (most
probably a crash) on the next response because the first element in the
query list is referencing an old response.

This patch must be backported as far as 2.0.

diff --git a/src/resolvers.c b/src/resolvers.c
index 852c3d53823bdeb5367cd359661405ab9a4bfdac..a583e288c77af733aa04ae6c52d9f9952c7839f4 100644 (file)
--- a/src/resolvers.c
+++ b/src/resolvers.c
@@ -1478,6 +1478,8 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
        cause = RSLV_RESP_INVALID;
 
  return_error:
+       if (query)
+               LIST_DEL_INIT(&query->list);
        pool_free(resolv_answer_item_pool, answer_record);
        return cause;
 }