Bug 3237: seq fault in free() from rfc1035RRDestroy

diff --git a/lib/rfc1035.c b/lib/rfc1035.c
index 55901189ddf63b21b4e1b5c4a32a4550cc03907a..898d37be6ec8c809dc98e1b7b9fad79bc4fc643e 100644 (file)
--- a/lib/rfc1035.c
+++ b/lib/rfc1035.c
@@ -519,11 +519,11 @@ rfc1035ErrorMessage(int n)
 void
 rfc1035RRDestroy(rfc1035_rr ** rr, int n)
 {
-    if (*rr == NULL || n < 1) {
+    if (*rr == NULL) {
         return;
     }
 
-    while (n--) {
+    while (n-- > 0) {
         if ((*rr)[n].rdata)
             xfree((*rr)[n].rdata);
     }

diff --git a/src/dns_internal.cc b/src/dns_internal.cc
index 0919df26824109422bf86d0f8b4b35cf4f529654..b2841871ba138e2678b605394cb1ee335062b2a0 100644 (file)
--- a/src/dns_internal.cc
+++ b/src/dns_internal.cc
@@ -1226,16 +1226,17 @@ idnsGrokReply(const char *buf, size_t sz, int from_ns)
         /* free the RR object without freeing its child strings (they are now taken by the copy above) */
         safe_free(message->answer);
 
-        message->answer = result;
-        message->ancount += q->initial_AAAA.count;
         n += q->initial_AAAA.count;
-        q->initial_AAAA.count=0;
+        q->initial_AAAA.count = 0;
+        message->answer = result;
+        message->ancount = n;
     } else if (q->initial_AAAA.count > 0 && n <= 0) {
         /* initial of dual queries was the only result set. */
         debugs(78, 6, HERE << "Merging DNS results " << q->name << " AAAA has " << q->initial_AAAA.count << " RR, A has " << n << " RR");
         rfc1035RRDestroy(&(message->answer), n);
         message->answer = q->initial_AAAA.answers;
         n = q->initial_AAAA.count;
+        message->ancount = n;
     }
     /* else initial results were empty. just use the final set as authoritative */