From 74f7505974836f633c955dbce7514f12f78ddc5b Mon Sep 17 00:00:00 2001
From: Daniel Stenberg
Date: Sun, 23 Nov 2025 14:42:59 +0100
Subject: [PATCH] asyn-ares: remove hostname free on OOM

The freeing of the already allocated hostname is done by Curl_async_shutdown(). This extra free in the RR code path made a double-free. Presumably not detected because the CI torture tests don't run HTTPS-RR enabled?
Follow-up to 8d0bfe74fb
Closes #19658
---
 lib/asyn-ares.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/lib/asyn-ares.c b/lib/asyn-ares.c
index ad9147a01c..e01f7ba3d2 100644
--- a/lib/asyn-ares.c
+++ b/lib/asyn-ares.c
@@ -748,10 +748,8 @@ struct Curl_addrinfo *Curl_async_getaddrinfo(struct Curl_easy *data,
 #ifdef USE_HTTPSRR
 if(port != 443) {
 rrname = curl_maprintf("_%d_.https.%s", port, hostname);
- if(!rrname) {
- free(data->state.async.hostname);
+ if(!rrname)
 return NULL;
- }
 }
 #endif

--
2.47.3
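Review bot: The bare `return NULL;` after the failed `curl_maprintf()` is only safe because `data->state.async.hostname` is released somewhere else, and nothing on the new lines records that ownership rule. The commit message names Curl_async_shutdown() as the owner, so a comment at the return, such as `/* async.hostname is freed by Curl_async_shutdown(), do not free it here */`, would help keep the double free from being reintroduced. Curl_async_getaddrinfo() starts and ends outside the hunk, so it cannot be confirmed from here that every caller reaches Curl_async_shutdown() after this NULL return, or that no other early return in the function carries the same extra free. Since the message suspects the torture tests do not run with HTTPS-RR enabled, a torture run built with `USE_HTTPSRR` would be the way to catch this class of OOM-path regression.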