From: Ondřej Surý
Date: Fri, 20 Feb 2026 10:58:13 +0000 (+0100)
Subject: Fix read UAF in BIND9 dns_client_resolve() via DNAME Response
X-Git-Tag: v9.21.19~17^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9135b71a7aca1a2dca994e959fad2e4f22e3f983;p=thirdparty%2Fbind9.git

Fix read UAF in BIND9 dns_client_resolve() via DNAME Response

An attacker controlling a malicious DNS server returns a DNAME record, and the we stores a pointer to resp->foundname, frees the response structure, then uses the dangling pointer in dns_name_fullcompare() possibly causing invalid match. Only the `delv`is affected. This has been fixed.
---
diff --git a/lib/dns/client.c b/lib/dns/client.c
index 2097fa3ec58..6027c0d0810 100644
--- a/lib/dns/client.c
+++ b/lib/dns/client.c
@@ -490,7 +490,7 @@ client_resfind(resctx_t *rctx, dns_fetchresponse_t *resp) {
 name = dns_fixedname_name(&rctx->name);
 do {
- dns_name_t *fname = NULL;
+ dns_name_t *fname = dns_fixedname_initname(&foundname);
 dns_name_t *ansname = NULL;
 dns_db_t *db = NULL;
 dns_dbnode_t *node = NULL;
@@ -499,7 +499,6 @@ client_resfind(resctx_t *rctx, dns_fetchresponse_t *resp) {
 want_restart = false;
 if (resp == NULL) {
- fname = dns_fixedname_initname(&foundname);
 INSIST(!dns_rdataset_isassociated(rctx->rdataset));
 INSIST(rctx->sigrdataset == NULL || !dns_rdataset_isassociated(rctx->sigrdataset));
@@ -528,14 +527,13 @@ client_resfind(resctx_t *rctx, dns_fetchresponse_t *resp) {
 goto done;
 }
 } else {
- INSIST(resp != NULL);
 INSIST(resp->fetch == rctx->fetch);
 dns_resolver_destroyfetch(&rctx->fetch);
 db = resp->cache;
 node = resp->node;
 result = resp->result;
 vresult = resp->vresult;
- fname = resp->foundname;
+ dns_name_copy(resp->foundname, fname);
 INSIST(resp->rdataset == rctx->rdataset);
 INSIST(resp->sigrdataset == rctx->sigrdataset);
 dns_resolver_freefresp(&resp);
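Review bot: The new `dns_name_copy(resp->foundname, fname);` in the third hunk is correct but carries no explanation, so a later cleanup could plausibly turn it back into a pointer assignment and reintroduce the dangling read that this commit removes; a one-line comment above it would pin the intent, e.g. `/* Copy, do not alias: resp is freed by dns_resolver_freefresp() below and fname is used after that. */`. The same reasoning applies to the first hunk, where `fname` now points into the loop-local `foundname` buffer on every iteration rather than being left NULL; a short note there that `fname` must always own its storage would keep the two sites consistent. If `resp->foundname` can ever be NULL, the copy would fault where the old assignment did not — that cannot be determined from these hunks and is worth confirming against the code that fills in the response. The declaration of `foundname`, the rest of the do-loop and the later `dns_name_fullcompare()` use mentioned in the commit message all lie outside the visible hunks.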