Bug 3237: seq fault in free() from rfc1035RRDestroy
authorJoerg Lehrke <jlehrke@noc.de>
Tue, 11 Oct 2011 02:08:18 +0000 (20:08 -0600)
committerAmos Jeffries <squid3@treenet.co.nz>
Tue, 11 Oct 2011 02:08:18 +0000 (20:08 -0600)
lib/rfc1035.c
src/dns_internal.cc

index fb5635d21c870f083972767d0dae794b5c7db494..29fefd4448821834728ff918775d2449dcafe066 100644 (file)
@@ -479,11 +479,11 @@ rfc1035SetErrno(int n)
 void
 rfc1035RRDestroy(rfc1035_rr ** rr, int n)
 {
-    if (*rr == NULL || n < 1) {
+    if (*rr == NULL) {
         return;
     }
 
-    while (n--) {
+    while (n-- > 0) {
         if ((*rr)[n].rdata)
             xfree((*rr)[n].rdata);
     }
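Review bot: The contract for `n <= 0` in rfc1035RRDestroy is not written down where a caller would see it. With the `n < 1` early return removed, a zero or negative count now skips the rdata loop via `while (n-- > 0)` and falls through to the code after the loop, which is outside this hunk. The caller in src/dns_internal.cc relies on exactly this path, so a comment above the function would pin it, e.g. `/* n may be <= 0 (presumably an error code from unpacking); no rdata is released in that case, only the code after the loop runs */`. The guard also dereferences `*rr` without checking `rr` itself; `if (rr == NULL || *rr == NULL)` would make a null handle safe as well.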
index 998bb6b61eaa6b6b9c78b6df5341f73f98c9f8a2..0e13c64387905bc3f02c241f43418a6abe73dc11 100644 (file)
@@ -1126,16 +1126,17 @@ idnsGrokReply(const char *buf, size_t sz)
         /* free the RR object without freeing its child strings (they are now taken by the copy above) */
         safe_free(message->answer);
 
-        message->answer = result;
-        message->ancount += q->initial_AAAA.count;
         n += q->initial_AAAA.count;
-        q->initial_AAAA.count=0;
+        q->initial_AAAA.count = 0;
+        message->answer = result;
+        message->ancount = n;
     } else if (q->initial_AAAA.count > 0 && n <= 0) {
         /* initial of dual queries was the only result set. */
         debugs(78, 6, HERE << "Merging DNS results " << q->name << " AAAA has " << q->initial_AAAA.count << " RR, A has " << n << " RR");
         rfc1035RRDestroy(&(message->answer), n);
         message->answer = q->initial_AAAA.answers;
         n = q->initial_AAAA.count;
+        message->ancount = n;
     }
     /* else initial results were empty. just use the final set as authoritative */
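Review bot: In the `else if` branch, `message->answer = q->initial_AAAA.answers;` leaves the same RR array reachable through both the message and the query, and nothing visible in the hunk clears the query's copy. If query teardown or a later merge also releases `q->initial_AAAA.answers` (not visible here), the result is a double free or use-after-free on data derived from a DNS reply. Making the ownership transfer explicit would close that: add `q->initial_AAAA.answers = NULL;` and `q->initial_AAAA.count = 0;` after `message->ancount = n;`. Separately, `message->ancount = n` stores an `int` sum; if `ancount` is a narrower unsigned field, a range check before the assignment is worth adding. idnsGrokReply starts and ends outside this hunk.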