DMARC: fix use-after-free in dmarc_dns_lookup
author Lorenz Brun <lorenz@brun.one>
Fri, 14 Oct 2022 19:02:51 +0000 (21:02 +0200)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Tue, 18 Oct 2022 20:59:52 +0000 (22:59 +0200)
This fixes a use-after-free in dmarc_dns_lookup where the result
of dns_lookup in dnsa is freed before the required data is copied out.

Fixes: 9258363 ("DNS: explicit alloc/free of workspace")
src/src/dmarc.c

index ad0c26c91829a40d2c7cd3480d88a3b89b72fb2b..53c2752ac6cd347183847ed7032d39f7e4470aa5 100644 (file)
@@ -230,8 +230,9 @@ if (rc == DNS_SUCCEED)
        rr = dns_next_rr(dnsa, &dnss, RESET_NEXT))
     if (rr->type == T_TXT && rr->size > 3)
       {
+      uschar *record = string_copyn_taint(US rr->data, rr->size, GET_TAINTED);
       store_free_dns_answer(dnsa);
-      return string_copyn_taint(US rr->data, rr->size, GET_TAINTED);
+      return record;
       }
 store_free_dns_answer(dnsa);
 return NULL;
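
Review bot: the new `uschar *record = string_copyn_taint(...)` line must stay above `store_free_dns_answer(dnsa);` for the fix to hold, but nothing in the code says why. Add a short comment at that line noting that `rr` comes from `dns_next_rr(dnsa, ...)`, so `rr->data` is only valid until the answer is freed; otherwise a later cleanup could fold the copy back into the `return`. The function also has two `store_free_dns_answer(dnsa)` call sites, one inside the TXT branch and one before `return NULL;`. Assigning `record` in the loop, breaking out, and freeing once before a single `return record;` would remove the ordering hazard altogether. Since the commit message traces the bug to 9258363, the other call sites changed by that commit are worth checking for the same free-before-copy pattern.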