dns_packet_unref() unconditionally unrefs p->more on every call,
even when n_ref > 1. But dns_packet_ref() doesn't ref p->more.
This means if a packet with a ->more chain gets ref'd and unref'd
multiple times, the chain gets freed too early while the parent
still holds a dangling pointer.

Move the p->more unref into the n_ref == 1 block so the chain
only gets cleaned up when the packet is actually being freed.
assert(p->n_ref > 0);
- dns_packet_unref(p->more);
-
- if (p->n_ref == 1)
+ if (p->n_ref == 1) {
+ dns_packet_unref(p->more);
dns_packet_free(p);
- else
+ } else
p->n_ref--;
return NULL;
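Review bot: the dns_packet_unref(p->more) call now sits directly before dns_packet_free(p), so please confirm that dns_packet_free() does not also release p->more, otherwise the chain is unref'd twice on the free path; if it does, keep the release in only one of the two places (here, next to the n_ref check, matches the commit message's intent that the chain is released exactly once when the head packet goes away). The hunk also relies on dns_packet_unref() tolerating a NULL argument, as the removed unconditional call did, so that packets without a ->more chain still take this path safely. Since dns_packet_ref() still does not take a reference on p->more, the invariant after this change is that the ->more chain is owned solely by its head packet and must never be handed out on its own; a short comment on the field would record that for the next reader. A regression test that refs a packet carrying a ->more chain twice, unrefs it twice, and then walks p->more would cover exactly the early free described in the message.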