From: Joerg Lehrke
Date: Tue, 11 Oct 2011 02:08:18 +0000 (-0600)
Subject: Bug 3237: seq fault in free() from rfc1035RRDestroy
X-Git-Tag: SQUID_3_1_16~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=852c7174edbceb0c13a46c1887846b6729bb6a8d;p=thirdparty%2Fsquid.git
Bug 3237: seq fault in free() from rfc1035RRDestroy
---
diff --git a/lib/rfc1035.c b/lib/rfc1035.c
index fb5635d21c..29fefd4448 100644
--- a/lib/rfc1035.c
+++ b/lib/rfc1035.c
@@ -479,11 +479,11 @@ rfc1035SetErrno(int n)
 void
 rfc1035RRDestroy(rfc1035_rr ** rr, int n)
 {
- if (*rr == NULL || n < 1) {
+ if (*rr == NULL) {
 return;
 }
- while (n--) {
+ while (n-- > 0) {
 if ((*rr)[n].rdata)
 xfree((*rr)[n].rdata);
 }
diff --git a/src/dns_internal.cc b/src/dns_internal.cc
index 998bb6b61e..0e13c64387 100644
--- a/src/dns_internal.cc
+++ b/src/dns_internal.cc
@@ -1126,16 +1126,17 @@ idnsGrokReply(const char *buf, size_t sz)
 /* free the RR object without freeing its child strings (they are now taken by the copy above) */
 safe_free(message->answer);
- message->answer = result;
- message->ancount += q->initial_AAAA.count;
 n += q->initial_AAAA.count;
- q->initial_AAAA.count=0;
+ q->initial_AAAA.count = 0;
+ message->answer = result;
+ message->ancount = n;
 } else if (q->initial_AAAA.count > 0 && n <= 0) {
 /* initial of dual queries was the only result set. */
 debugs(78, 6, HERE << "Merging DNS results " << q->name << " AAAA has " << q->initial_AAAA.count << " RR, A has " << n << " RR");
 rfc1035RRDestroy(&(message->answer), n);
 message->answer = q->initial_AAAA.answers;
 n = q->initial_AAAA.count;
+ message->ancount = n;
 }
 /* else initial results were empty. just use the final set as authoritative */
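Review bot: rfc1035RRDestroy in lib/rfc1035.c now accepts n <= 0 and relies on `while (n-- > 0)` to skip the per-record frees, but nothing at the function states that n may be zero or negative, or that it must not exceed the number of entries allocated in `*rr`. The caller in src/dns_internal.cc reaches this function on a path guarded by `n <= 0`, so the contract is worth writing down above the function, for example `/* n is the number of records in *rr; n <= 0 frees no rdata */`. The guard also dereferences `rr` itself without a check, and `if (rr == NULL || *rr == NULL)` would be cheap hardening. The function body continues past the hunk, so what is done with `*rr` after the loop is not visible here.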
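Review bot: In the `else if (q->initial_AAAA.count > 0 && n <= 0)` branch of idnsGrokReply, `message->answer` takes over `q->initial_AAAA.answers`, but the visible lines leave both the pointer and the count on `q` unchanged, so two owners refer to the same RR array. If the message and the query are each later released through rfc1035RRDestroy, that would be a double free, the same class of crash this commit addresses. Whether a reset follows is not visible because the function continues past the hunk. If it does not, add `q->initial_AAAA.answers = NULL;` and `q->initial_AAAA.count = 0;` directly after the transfer, in line with the first branch, which already zeroes the count.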