From: Ondřej Surý <ondrej@isc.org>
Date: Mon, 16 Mar 2026 10:06:28 +0000 (+0100)
Subject: fix: dev: Fix use-after-free in xfrin_recv_done
X-Git-Tag: v9.21.21~39
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3df0f7fb9c00e88f2ed110365ef44110d0bb9ffb;p=thirdparty%2Fbind9.git

fix: dev: Fix use-after-free in xfrin_recv_done

Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.

Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object.  Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference.  Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.

Closes #5786

Merge branch '5786-fix-dtrace-after-free' into 'main'

See merge request isc-projects/bind9!11632
---

3df0f7fb9c00e88f2ed110365ef44110d0bb9ffb