git.ipfire.org Git - thirdparty/bind9.git/commitdiff
Fix use-after-free in xfrin_recv_done
author Ondřej Surý <ondrej@isc.org>
Wed, 4 Mar 2026 16:08:50 +0000 (17:08 +0100)
committer Ondřej Surý <ondrej@sury.org>
Mon, 16 Mar 2026 10:06:06 +0000 (11:06 +0100)
Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.

Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object.  Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference.  Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.
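The ordering problem described in the commit message, reduced to a stand-alone model. This is an added example, not BIND's code: `xfr_t`, `xfr_create`, `xfr_detach`, `probe_recv_done` and `recv_done_fixed` are hypothetical stand-ins for `dns_xfrin_t`, `dns_xfrin_detach` and the `LIBDNS_XFRIN_RECV_DONE` probe. It follows the ISC convention that a detach function NULLs the caller's pointer and frees the object on the last reference, and it keeps the corrected order from the patch: read the object in the probe first, release it last.

```c
/* Added example (not BIND's code): minimal model of the probe/detach
 * ordering fixed in this commit. All names are hypothetical stand-ins. */
#include <assert.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct xfr {
	unsigned int references; /* simplified reference count */
	char info[64];           /* embedded array, like xfr->info in xfrin.c */
} xfr_t;

static xfr_t *
xfr_create(const char *info) {
	xfr_t *xfr = calloc(1, sizeof(*xfr));
	assert(xfr != NULL);
	xfr->references = 1;
	snprintf(xfr->info, sizeof(xfr->info), "%s", info);
	return xfr;
}

/* Mirrors the detach convention: drop the reference, free on zero, and
 * NULL the caller's pointer so any later use is a visible NULL rather
 * than a silently dangling pointer. */
static void
xfr_detach(xfr_t **xfrp) {
	xfr_t *xfr = *xfrp;
	*xfrp = NULL;
	if (--xfr->references == 0) {
		memset(xfr, 0, sizeof(*xfr)); /* poison so stale reads are obvious */
		free(xfr);
	}
}

/* Stand-in for the trace probe: it reads the object, so the object must
 * still be live when it runs. Note that `xfr->info` on a freed or NULL
 * pointer is only an address computation (the array decays to a pointer),
 * which is why the original bug did not crash reliably. */
static void
probe_recv_done(const xfr_t *xfr, const char *info, int result, char *out,
		size_t outlen) {
	assert(xfr != NULL);
	snprintf(out, outlen, "%s:%d", info, result);
}

/* Corrected order from the commit: probe first, detach last.
 * Returns 1 when the detach has NULLed the local pointer. */
static int
recv_done_fixed(xfr_t *xfr, int result, char *out, size_t outlen) {
	probe_recv_done(xfr, xfr->info, result, out, outlen);
	xfr_detach(&xfr); /* xfr is NULL from here; nothing may touch it */
	return xfr == NULL;
}

/* Runs the fixed sequence on a constructed object and returns what the
 * probe observed, so a caller can confirm the object was intact. */
static const char *
demo_probe_output(void) {
	static char buf[80];
	xfr_t *xfr = xfr_create("example.test"); /* constructed sample */
	int detached = recv_done_fixed(xfr, 0, buf, sizeof(buf));
	assert(detached == 1);
	return buf;
}

int
main(void) {
	printf("probe saw: %s\n", demo_probe_output());
	return 0;
}
```

Reversing the two statements in `recv_done_fixed` reproduces the pre-patch ordering; with the poisoning in `xfr_detach` and AddressSanitizer enabled, that reversed order is reported as a heap-use-after-free, which is the check worth keeping in a regression test for this kind of reorder.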

lib/dns/xfrin.c

index feff048e9a6b3a67fb9d94f20a77b0ca2b498476..902abc34d925b47850b836d2c094bc7d3cc8b8d6 100644 (file)
@@ -2065,8 +2065,8 @@ cleanup:
        if (msg != NULL) {
                dns_message_detach(&msg);
        }
-       dns_xfrin_detach(&xfr);
        LIBDNS_XFRIN_RECV_DONE(xfr, xfr->info, result);
+       dns_xfrin_detach(&xfr);
 }
 
 static void
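Review bot: the reorder is correct, but the constraint it restores is undocumented in the code; a one-line comment above `LIBDNS_XFRIN_RECV_DONE(xfr, xfr->info, result);` noting that the probe reads `xfr` and must stay ahead of `dns_xfrin_detach(&xfr);` would keep a future cleanup from swapping them back. Since the commit message notes the old order did not crash reliably, it also seems worth auditing the other probe sites in lib/dns/xfrin.c for the same detach-before-probe pattern, as testing alone would not have flagged it here.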