From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 16 Jun 2026 08:56:36 +0000 (+0200)
Subject: - Fix incorrect cleanup after an allocation failure for
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=bebc8d516b39f5fec44fbee32600af1a753110fb;p=thirdparty%2Funbound.git

- Fix incorrect cleanup after an allocation failure for
  a delegation point in a region. Thanks to Qifan Zhang,
  Palo Alto Networks, for the report.
---

diff --git a/doc/Changelog b/doc/Changelog
index be8b53778..a20fbc534 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -53,6 +53,9 @@
 	- Fix that after shared memory cannot be created, from
 	  `shm-enable`, the server does not crash. Thanks to Qifan
 	  Zhang, Palo Alto Networks, for the report.
+	- Fix incorrect cleanup after an allocation failure for
+	  a delegation point in a region. Thanks to Qifan Zhang,
+	  Palo Alto Networks, for the report.
 
 15 June 2026: Wouter
 	- Fix to add `max-transfer-size` and `max-transfer-time` that
diff --git a/iterator/iter_delegpt.c b/iterator/iter_delegpt.c
index 7f3bef943..6ba12c443 100644
--- a/iterator/iter_delegpt.c
+++ b/iterator/iter_delegpt.c
@@ -118,10 +118,10 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
 		sizeof(struct delegpt_ns));
 	if(!ns)
 		return 0;
-	ns->next = dp->nslist;
 	ns->namelen = len;
-	dp->nslist = ns;
 	ns->name = regional_alloc_init(region, name, ns->namelen);
+	if(!ns->name)
+		return 0;
 	ns->cache_lookup_count = 0;
 	ns->resolved = 0;
 	ns->got4 = 0;
@@ -137,7 +137,9 @@ delegpt_add_ns(struct delegpt* dp, struct regional* region, uint8_t* name,
 	} else {
 		ns->tls_auth_name = NULL;
 	}
-	return ns->name != 0;
+	ns->next = dp->nslist;
+	dp->nslist = ns;
+	return 1;
 }
 
 struct delegpt_ns*
@@ -223,11 +225,7 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region,
 		sizeof(struct delegpt_addr));
 	if(!a)
 		return 0;
-	a->next_target = dp->target_list;
-	dp->target_list = a;
 	a->next_result = 0;
-	a->next_usable = dp->usable_list;
-	dp->usable_list = a;
 	memcpy(&a->addr, addr, addrlen);
 	a->addrlen = addrlen;
 	a->attempts = 0;
@@ -241,6 +239,10 @@ delegpt_add_addr(struct delegpt* dp, struct regional* region,
 	} else {
 		a->tls_auth_name = NULL;
 	}
+	a->next_target = dp->target_list;
+	dp->target_list = a;
+	a->next_usable = dp->usable_list;
+	dp->usable_list = a;
 	return 1;
 }
 
diff --git a/services/cache/dns.c b/services/cache/dns.c
index 79a23a775..9731ff1fa 100644
--- a/services/cache/dns.c
+++ b/services/cache/dns.c
@@ -584,8 +584,11 @@ dns_cache_find_delegation(struct module_env* env, uint8_t* qname,
 			return NULL;
 		}
 	}
-	if(!delegpt_rrset_add_ns(dp, region, nskey, 0))
+	if(!delegpt_rrset_add_ns(dp, region, nskey, 0)) {
+		lock_rw_unlock(&nskey->entry.lock);
 		log_err("find_delegation: addns out of memory");
+		return NULL;
+	}
 	lock_rw_unlock(&nskey->entry.lock); /* first unlock before next lookup*/
 	/* find and add DS/NSEC (if any) */
 	if(msg)