From: Joerg Lehrke
Date: Sun, 9 Oct 2011 05:16:18 +0000 (-0600)
Subject: Bug 3237: seq fault in free() from rfc1035RRDestroy
X-Git-Tag: BumpSslServerFirst.take01~115
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=ec6a1b90a6aecc39ac7f1452bbcd34cd1897ae46;p=thirdparty%2Fsquid.git
Bug 3237: seq fault in free() from rfc1035RRDestroy
---
diff --git a/lib/rfc1035.c b/lib/rfc1035.c
index 55901189dd..898d37be6e 100644
--- a/lib/rfc1035.c
+++ b/lib/rfc1035.c
@@ -519,11 +519,11 @@ rfc1035ErrorMessage(int n)
 void
 rfc1035RRDestroy(rfc1035_rr ** rr, int n)
 {
- if (*rr == NULL || n < 1) {
+ if (*rr == NULL) {
 return;
 }
- while (n--) {
+ while (n-- > 0) {
 if ((*rr)[n].rdata)
 xfree((*rr)[n].rdata);
 }
diff --git a/src/dns_internal.cc b/src/dns_internal.cc
index 0919df2682..b2841871ba 100644
--- a/src/dns_internal.cc
+++ b/src/dns_internal.cc
@@ -1226,16 +1226,17 @@ idnsGrokReply(const char *buf, size_t sz, int from_ns)
 /* free the RR object without freeing its child strings (they are now taken by the copy above) */
 safe_free(message->answer);
- message->answer = result;
- message->ancount += q->initial_AAAA.count;
 n += q->initial_AAAA.count;
- q->initial_AAAA.count=0;
+ q->initial_AAAA.count = 0;
+ message->answer = result;
+ message->ancount = n;
 } else if (q->initial_AAAA.count > 0 && n <= 0) {
 /* initial of dual queries was the only result set. */
 debugs(78, 6, HERE << "Merging DNS results " << q->name << " AAAA has " << q->initial_AAAA.count << " RR, A has " << n << " RR");
 rfc1035RRDestroy(&(message->answer), n);
 message->answer = q->initial_AAAA.answers;
 n = q->initial_AAAA.count;
+ message->ancount = n;
 }
 /* else initial results were empty. just use the final set as authoritative */
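Review bot: `rfc1035RRDestroy` still indexes `(*rr)[n].rdata` purely on the caller's word for `n`, and with this change a non-positive `n` becomes an accepted input, yet nothing above the function states that contract. A count larger than the allocated array would make the loop read and free pointers past its end, which is the failure mode named in the commit title. I would add a comment above the definition such as `/* n must equal the number of entries allocated in *rr; n <= 0 skips the rdata walk */`. The guard could also cover a null `rr` with `if (rr == NULL || *rr == NULL) {`. The function body continues past the end of the hunk, so whatever releases the array itself is not visible here.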
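Review bot: In the `else if` branch, `message->answer = q->initial_AAAA.answers;` leaves two pointers to the same RR array, and the visible lines never clear the copy held by `q`. If the query's cleanup also releases `q->initial_AAAA.answers` (not visible in this hunk), the array would be freed twice, which is the same class of crash this commit addresses. Consider adding `q->initial_AAAA.answers = NULL;` and `q->initial_AAAA.count = 0;` after `message->ancount = n;`, mirroring the count reset the merge branch above already does. idnsGrokReply starts and ends outside the hunk, so this should be checked against the rest of the function and the query destructor.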