From: Ondřej Surý <ondrej@isc.org>
Date: Fri, 20 Feb 2026 11:51:41 +0000 (+0100)
Subject: fix: usr: Fix read UAF in BIND9 dns_client_resolve() via DNAME Response
X-Git-Tag: v9.21.19~17
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=254d41f733d94dfb17c2c60006b4fbf6d17b4f96;p=thirdparty%2Fbind9.git

fix: usr: Fix read UAF in BIND9 dns_client_resolve() via DNAME Response

An attacker controlling a malicious DNS server returns a DNAME record,
and the we stores a pointer to resp->foundname, frees the response
structure, then uses the dangling pointer in dns_name_fullcompare()
possibly causing invalid match.  Only the `delv`is affected.  This has
been fixed.

Closes #5728

Merge branch '5728-heap-uaf-in-bind9-dns_client_resolve-via-dname-response' into 'main'

See merge request isc-projects/bind9!11570
---

254d41f733d94dfb17c2c60006b4fbf6d17b4f96