From: Ondřej Surý Date: Wed, 4 Mar 2026 16:08:50 +0000 (+0100) Subject: Fix use-after-free in xfrin_recv_done X-Git-Tag: v9.21.21~39^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e57245ee81a98b27f10b7b61e4cc5251a0c9f8a3;p=thirdparty%2Fbind9.git Fix use-after-free in xfrin_recv_done Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach in xfrin_recv_done. Previously, dns_xfrin_detach was called before the trace probe, which could free the xfr object. Because the accessed member xfr->info is an embedded array, the expression evaluates via pointer arithmetic rather than a direct memory dereference. Although this prevents a reliable crash in practice, it technically remains a use-after-free issue. Reorder the statements to ensure the transfer context is fully valid when the probe executes. --- diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c index feff048e9a6..902abc34d92 100644 --- a/lib/dns/xfrin.c +++ b/lib/dns/xfrin.c @@ -2065,8 +2065,8 @@ cleanup: if (msg != NULL) { dns_message_detach(&msg); } - dns_xfrin_detach(&xfr); LIBDNS_XFRIN_RECV_DONE(xfr, xfr->info, result); + dns_xfrin_detach(&xfr); } static void
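Review bot: the statement order at the end of the cleanup: block in xfrin_recv_done is now what keeps the probe safe, but nothing in the code records that. Consider a one-line comment above LIBDNS_XFRIN_RECV_DONE(xfr, xfr->info, result); saying that the probe reads xfr and must run before dns_xfrin_detach(&xfr); drops the reference, so that a later cleanup does not swap the two lines back. The diff touches only lib/dns/xfrin.c, and the commit message says the old order did not crash reliably, so a plain test run would not catch a regression here. If the tree has a sanitizer build that exercises this path with the probe enabled, it would be worth naming it in the commit message.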