Fix use-after-free on duplicate async DNS response

google-labs-jules[bot] · lws-team · commit c45738b370d5 · 2025-08-18T06:31:47.000+01:00
When a duplicate async DNS response packet is received, the code would
jump to the `fail_out` label, which destroys the query object `q`.

This is incorrect if the query is still waiting for other responses
(eg, AAAA after getting a duplicate A response). The destruction of `q`
leads to a use-after-free when the next response for the same query
arrives, causing memory corruption and sporadic crashes.

The fix is to simply return when a duplicate packet is detected,
ignoring it, without destroying the query object.
diff --git a/lib/system/async-dns/async-dns-parse.c b/lib/system/async-dns/async-dns-parse.c
@@ -575,7 +575,7 @@ lws_adns_parse_udp(lws_async_dns_t *dns, const uint8_t *pkt, size_t len)
 	n = 1 << (lws_ser_ru16be(pkt + DHO_TID) & 1);
 	if (q->responded & n) {
 		lwsl_notice("%s: dup\n", __func__);
-		goto fail_out;
+		return;
 	}
 
 	q->responded = (uint8_t)(q->responded | n);

Original file line number	Diff line number	Diff line change
`@@ -575,7 +575,7 @@ lws_adns_parse_udp(lws_async_dns_t dns, const uint8_t pkt, size_t len)`
`575`	`575`	`n = 1 << (lws_ser_ru16be(pkt + DHO_TID) & 1);`
`576`	`576`	`if (q->responded & n) {`
`577`	`577`	`lwsl_notice("%s: dup\n", __func__);`
`578`		`- goto fail_out;`
	`578`	`+ return;`
`579`	`579`	`}`
`580`	`580`
`581`	`581`	`q->responded = (uint8_t)(q->responded \| n);`