From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 9 Apr 2026 11:06:41 +0000 (+0200)
Subject: BUG/MINOR: resolvers: fix memory leak on AAAA additional records
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=b63cae7f9bda0fd5af0cde04aa5965df0130f53c;p=thirdparty%2Fhaproxy.git

BUG/MINOR: resolvers: fix memory leak on AAAA additional records

Commit c84c15d3938a ("BUG/MINOR: resolvers: Apply dns-accept-family
setting on additional records") converted a switch statement to an
if/else chain but left the break; in the AAAA branch. In the new
form, break exits the surrounding for loop instead of a switch case.

For every AAAA additional record in an SRV response:
  - answer_record allocated at line 1460 is never freed and never
    inserted into answer_tree -> ~580 bytes leaked per response
  - all subsequent additional records in the response are silently
    discarded

A DNS server controlling SRV responses for haproxy service discovery
can leak memory at MB/min rates given default resolution intervals.
Also breaks IPv6 SRV target resolution outright since the AAAA record
is leaked rather than attached to its SRV entry.
---

diff --git a/src/resolvers.c b/src/resolvers.c
index 1b17b11e0..30b0cf796 100644
--- a/src/resolvers.c
+++ b/src/resolvers.c
@@ -1527,7 +1527,6 @@ static int resolv_validate_dns_response(unsigned char *resp, unsigned char *bufe
 				goto invalid_resp;
 			answer_record->data.in6.sin6_family = AF_INET6;
 			memcpy(&answer_record->data.in6.sin6_addr, reader, answer_record->data_len);
-			break;
 		}
 		else {
 			pool_free(resolv_answer_item_pool, answer_record);