Fix use-after-free in xfrin_recv_done

Move the LIBDNS_XFRIN_RECV_DONE probe execution before dns_xfrin_detach
in xfrin_recv_done.

Previously, dns_xfrin_detach was called before the trace probe, which
could free the xfr object.  Because the accessed member xfr->info is an
embedded array, the expression evaluates via pointer arithmetic rather
than a direct memory dereference.  Although this prevents a reliable
crash in practice, it technically remains a use-after-free issue.
Reorder the statements to ensure the transfer context is fully valid
when the probe executes.

(cherry picked from commit e57245ee81a98b27f10b7b61e4cc5251a0c9f8a3)

diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index e7c4847c1e8728fae5307b727229677481e9c26e..964205d700ecf40f92b21def2ca6a61795d6f385 100644 (file)
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -2071,8 +2071,8 @@ cleanup:
        if (msg != NULL) {
                dns_message_detach(&msg);
        }
-       dns_xfrin_detach(&xfr);
        LIBDNS_XFRIN_RECV_DONE(xfr, xfr->info, result);
+       dns_xfrin_detach(&xfr);
 }
 
 static void