From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Mon, 15 Jun 2026 14:34:17 +0000 (+0200)
Subject: - Fix log of an aliased qname, to not use freed region
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3129357874fe01965a7351d8fc357a5359224b9e;p=thirdparty%2Funbound.git

- Fix log of an aliased qname, to not use freed region
  memory. Thanks to Qifan Zhang, Palo Alto Networks, for
  the report.
---

diff --git a/daemon/worker.c b/daemon/worker.c
index 84e0319d9..f05aebdbf 100644
--- a/daemon/worker.c
+++ b/daemon/worker.c
@@ -1494,6 +1494,8 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	struct reply_info* partial_rep = NULL;
 	struct query_info* lookup_qinfo = &qinfo;
 	struct query_info qinfo_tmp; /* placeholder for lookup_qinfo */
+	uint8_t* alias_orig_qname = NULL; /* original qname for logs, if
+		a local_alias is used to change the qname. */
 	struct respip_client_info* cinfo = NULL, cinfo_tmp;
 	struct timeval wait_time;
 	struct check_request_result check_result = {0,0};
@@ -1928,6 +1930,11 @@ worker_handle_request(struct comm_point* c, void* arg, int error,
 	/* If we've found a local alias, replace the qname with the alias
 	 * target before resolving it. */
 	if(qinfo.local_alias) {
+		if(qinfo.local_alias->rrset &&
+			qinfo.local_alias->rrset->rk.dname)
+			/* Store the original qname, used for logs, since
+			 * local_alias can be removed by region_free_all. */
+			alias_orig_qname = qinfo.local_alias->rrset->rk.dname;
 		if(!local_alias_shallow_copy_qname(qinfo.local_alias, &qinfo.qname,
 			&qinfo.qname_len)) {
 			regional_free_all(worker->scratchpad);
@@ -2093,11 +2100,10 @@ send_reply_rc:
 	{
 		struct timeval tv;
 		memset(&tv, 0, sizeof(tv));
-		if(qinfo.local_alias && qinfo.local_alias->rrset &&
-			qinfo.local_alias->rrset->rk.dname) {
+		if(alias_orig_qname) {
 			/* log original qname, before the local alias was
 			 * used to resolve that CNAME to something else */
-			qinfo.qname = qinfo.local_alias->rrset->rk.dname;
+			qinfo.qname = alias_orig_qname;
 			log_reply_info(NO_VERBOSE, &qinfo,
 				&repinfo->client_addr, repinfo->client_addrlen,
 				tv, 1, c->buffer,
diff --git a/doc/Changelog b/doc/Changelog
index 50a9f672c..6b8fbe8d6 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -37,6 +37,9 @@
 	- Fix that fast_reload does not terminate the server for
 	  errors in config, for key files. Thanks to Qifan Zhang,
 	  Palo Alto Networks, for the report.
+	- Fix log of an aliased qname, to not use freed region
+	  memory. Thanks to Qifan Zhang, Palo Alto Networks, for
+	  the report.
 
 12 June 2026: Wouter
 	- Fix that for auth-zone and rpz zones the allow-notify