From: Ondřej Surý <ondrej@isc.org>
Date: Fri, 20 Feb 2026 18:18:35 +0000 (+0100)
Subject: [9.20] fix: usr: Fix read UAF in BIND9 dns_client_resolve() via DNAME Response
X-Git-Tag: v9.20.20~14
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0c4bf526a175a3fdc016d51c74e40754857aac6;p=thirdparty%2Fbind9.git

[9.20] fix: usr: Fix read UAF in BIND9 dns_client_resolve() via DNAME Response

An attacker controlling a malicious DNS server returns a DNAME record,
and the we stores a pointer to resp->foundname, frees the response
structure, then uses the dangling pointer in dns_name_fullcompare()
possibly causing invalid match.  Only the `delv`is affected.  This has
been fixed.

Closes #5728

Backport of MR !11570

Merge branch 'backport-5728-heap-uaf-in-bind9-dns_client_resolve-via-dname-response-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!11571
---

c0c4bf526a175a3fdc016d51c74e40754857aac6