Commit 02d000c
[dns-client] fix double-free of mSavedResponse on duplicate response (openthread#13060)
Fix a double-free of `mSavedResponse` in `Dns::Client` when processing
duplicate DNS responses matching an active query.
When an SRV/TXT query needs to resolve a host address (AAAA), the DNS
client allocates a chained `newQuery` to handle it. If duplicate
responses are processed before the query chain is finalized, they
trigger multiple AAAA resolution allocations for the same parent query.
Because the new query inherits `mSavedResponse` from the parent query's
`QueryInfo`, multiple chained queries end up aliasing/sharing the same
cloned `mSavedResponse` message. During finalization, `FreeQuery`
walks the chain and frees `mSavedResponse` for each query, leading to
a double-free of the shared `Message` and free-list/heap corruption.
This commit resolves the issue by:
1. Rejecting duplicate responses early in `ParseResponse` if a response
has already been received and saved for the query
(`info.mSavedResponse != nullptr`), returning `kErrorDrop`.
2. Initializing the `mSavedResponse` field of the `QueryInfo` struct
to `nullptr` before allocating the host resolution query (`newQuery`)
to prevent it from inheriting a potentially non-null saved response
from its parent.
1 parent 7e646d1 commit 02d000c
1 file changed
Lines changed: 2 additions & 0 deletions
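The aliasing the commit message describes, as an added model in C++ that is not OpenThread's code: `QueryInfo` carries an owned `mSavedResponse` pointer, each chained host-address query is allocated from a by-value copy of the parent's `QueryInfo`, and finalization walks the chain releasing every saved response it finds, the way `FreeQuery` is described above. The message pool, the `Run` driver, the `Fix` flags and the order in which the clone is saved relative to the chained-query allocation are assumptions made for the illustration; the pool counts double frees instead of corrupting a free list so each variant's outcome is observable. The two fixes can be toggled independently, which shows that either one alone removes the double free while only the duplicate-drop also stops the extra chained allocations.

```cpp
// Added model, not OpenThread code: an owned pointer inside a struct that is
// copied by value into a chained query, plus the two fixes from the commit.
// The exact call order inside the real Dns::Client is an assumption.
#include <cstdint>
#include <cstdio>

namespace model {

struct Message { bool mInUse = false; };

// Stand-in for the message pool: a double free is counted rather than
// corrupting a free list, so the outcome of each variant is observable.
struct MessagePool {
    static constexpr int kSlots = 8;
    Message mSlots[kSlots];
    int     mDoubleFrees = 0;

    Message *New() {
        for (Message &msg : mSlots) {
            if (!msg.mInUse) { msg.mInUse = true; return &msg; }
        }
        return nullptr;
    }
    void Free(Message *aMsg) {
        if (!aMsg->mInUse) { ++mDoubleFrees; return; } // real pool: corruption here
        aMsg->mInUse = false;
    }
    int Live() const {
        int n = 0;
        for (const Message &msg : mSlots) n += msg.mInUse ? 1 : 0;
        return n;
    }
};

// Per-query state, copied by value into each chained query. mSavedResponse is
// an owned pointer (released at finalization), so a plain copy duplicates ownership.
struct QueryInfo { Message *mSavedResponse = nullptr; };

struct Query {
    QueryInfo mInfo;
    Query    *mNext = nullptr; // chained host-address (AAAA) query
};

enum Fix : uint8_t {
    kNoFix            = 0,
    kDropDuplicate    = 1 << 0, // fix 1: drop once a response is already saved
    kClearBeforeChain = 1 << 1, // fix 2: null the field before allocating newQuery
};

struct Outcome { int chainedQueries; int doubleFrees; int liveAfterFree; };

// Deliver `aResponses` identical SRV responses to one query, each requiring an
// AAAA resolution, then finalize the chain the way FreeQuery is described.
inline Outcome Run(int aResponses, uint8_t aFixes)
{
    MessagePool pool;
    Query       parent;
    int         chained = 0;

    for (int i = 0; i < aResponses; ++i) {
        QueryInfo info = parent.mInfo; // response handling reads the parent's state

        if ((aFixes & kDropDuplicate) && info.mSavedResponse != nullptr) {
            continue; // duplicate: a response is already saved for this query
        }
        if (aFixes & kClearBeforeChain) {
            info.mSavedResponse = nullptr; // the chained query must not inherit it
        }
        Query *newQuery = new Query; // chained AAAA query built from a copy of info
        newQuery->mInfo = info;
        newQuery->mNext = parent.mNext;
        parent.mNext    = newQuery;
        ++chained;

        // The parent keeps a single cloned response for building the final answer.
        if (parent.mInfo.mSavedResponse == nullptr) {
            parent.mInfo.mSavedResponse = pool.New();
        }
    }

    // Finalization: walk the chain and release every saved response it finds.
    for (Query *q = &parent; q != nullptr;) {
        if (q->mInfo.mSavedResponse != nullptr) pool.Free(q->mInfo.mSavedResponse);
        Query *next = q->mNext;
        if (q != &parent) delete q;
        q = next;
    }
    return Outcome{chained, pool.mDoubleFrees, pool.Live()};
}

} // namespace model

int main()
{
    const uint8_t variants[] = {model::kNoFix, model::kDropDuplicate, model::kClearBeforeChain};
    for (uint8_t fixes : variants) {
        model::Outcome o = model::Run(2, fixes);
        std::printf("fixes=%u chained=%d double_frees=%d live_after_free=%d\n",
                    static_cast<unsigned>(fixes), o.chainedQueries, o.doubleFrees, o.liveAfterFree);
    }
    return 0;
}
```

With two identical responses and no fix, the second chained query inherits the parent's pointer and the walk frees the same message twice; with three responses it is freed three times. Dropping the duplicate leaves one chained query and one free; clearing the field before allocation still creates a second chained query but that query owns nothing, so the message is freed exactly once either way.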
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1497 | 1497 | | |
1498 | 1498 | | |
1499 | 1499 | | |
| 1500 | + | |
1500 | 1501 | | |
1501 | 1502 | | |
1502 | 1503 | | |
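Review bot: the body of this hunk did not survive extraction; only the line numbers remain, showing a single added line at new line 1500. The commit message identifies it as the early rejection in `ParseResponse` (returning `kErrorDrop` when `info.mSavedResponse != nullptr`). When reviewing against the source, confirm that the check comes before any allocation or update of the query's state for that response, so a dropped duplicate leaves the query untouched, and that the caller's handling of `kErrorDrop` releases the incoming response message rather than leaking it.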
| |||
1872 | 1873 | | |
1873 | 1874 | | |
1874 | 1875 | | |
| 1876 | + | |
1875 | 1877 | | |
1876 | 1878 | | |
1877 | 1879 | | |
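Review bot: again only the line numbers are visible (one line added at new line 1876); per the commit message this is the `mSavedResponse = nullptr` reset before the host-resolution query is allocated. Since `QueryInfo` is copied by value and nothing in the type stops an owned pointer from being duplicated, a short comment at this spot stating that the saved response stays owned by the parent query and must never be inherited by a chained query would make the invariant visible to the next reader and make a regression easier to spot in review.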
| |||