There is a heap-use-after-free in resolved in on_mdns_packet #23873

@evverx

Description

systemd version the issue has been seen with

f63d1b0

Steps to reproduce the problem

I'm not sure how to reproduce it reliably yet

Additional program output to the terminal or log subsystem illustrating the issue

Received mdns UDP packet of size 179, ifindex=15, ttl=255, fragsize=0, sender=192.168.89.22, destination=224.0.0.251
Got mDNS reply packet
Checking for conflicts...
Processing incoming packet of size 179 on transaction 36300 (rcode=SUCCESS).
Regular transaction 36300 for <C._qotd._tcp.local IN TXT> on scope mdns on ve-root/INET now complete with <success> from network (unsigned; non-confidential).
Freeing transaction 63428.
Freeing transaction 40232.
Freeing transaction 15344.
Looking up RR for C.local IN A.
Looking up RR for C.local IN AAAA.
Cache miss for C.local IN AAAA
Firing regular transaction 48789 for <C.local IN AAAA> scope mdns on ve-root/INET6 (validate=yes).
Delaying mdns transaction 48789 for 110065us.
Cache miss for C.local IN A
Firing regular transaction 58320 for <C.local IN A> scope mdns on ve-root/INET (validate=yes).
Delaying mdns transaction 58320 for 74143us.
Freeing transaction 36300.
=================================================================
==983858==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000690ea8 at pc 0x000000539601 bp 0x7ffda15d9f50 sp 0x7ffda15d9f48
READ of size 8 at 0x612000690ea8 thread T0
    #0 0x539600 in on_mdns_packet ../src/resolve/resolved-mdns.c:413
    #1 0x7f156cbb40a7  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11b40a7)
    #2 0x7f156cbbc95c  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11bc95c)
    #3 0x7f156cbbdac0  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11bdac0)
    #4 0x7f156cbbde41  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11bde41)
    #5 0x553402 in run ../src/resolve/resolved.c:92
    #6 0x55369c in main ../src/resolve/resolved.c:99
    #7 0x7f156a64043f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)
    #8 0x7f156a6404ef in __libc_start_main@@GLIBC_2.34 (/lib64/libc.so.6+0x404ef)
    #9 0x40c0a4 in _start (/home/vagrant/systemd/build/systemd-resolved+0x40c0a4)

0x612000690ea8 is located 232 bytes inside of 280-byte region [0x612000690dc0,0x612000690ed8)
freed by thread T0 here:
    #0 0x7f156daae627 in free (/lib64/libasan.so.6+0xae627)
    #1 0x4a40ca in dns_transaction_free ../src/resolve/resolved-dns-transaction.c:161
    #2 0x4a4628 in dns_transaction_gc ../src/resolve/resolved-dns-transaction.c:180
    #3 0x43a930 in dns_query_candidate_stop ../src/resolve/resolved-dns-query.c:56
    #4 0x43eaec in dns_query_stop ../src/resolve/resolved-dns-query.c:354
    #5 0x44389a in dns_query_complete ../src/resolve/resolved-dns-query.c:588
    #6 0x448bcc in dns_query_accept ../src/resolve/resolved-dns-query.c:925
    #7 0x448f6b in dns_query_ready ../src/resolve/resolved-dns-query.c:957
    #8 0x43e7db in dns_query_candidate_notify ../src/resolve/resolved-dns-query.c:340
    #9 0x4a9b08 in dns_transaction_complete ../src/resolve/resolved-dns-transaction.c:436
    #10 0x4b1a94 in dns_transaction_process_dnssec ../src/resolve/resolved-dns-transaction.c:975
    #11 0x4b600f in dns_transaction_process_reply ../src/resolve/resolved-dns-transaction.c:1398
    #12 0x539567 in on_mdns_packet ../src/resolve/resolved-mdns.c:418
    #11 0x7f156c9f54c0  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0xff54c0)
    #12 0x7f156c9f59d7  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0xff59d7)
    #13 0x7f156c9f8838  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0xff8838)
    #14 0x7f156c9f89d2  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0xff89d2)
    #15 0x7f156c9fc0d3  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0xffc0d3)
    #16 0x7f156cbb40a7  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11b40a7)
    #17 0x7f156cbbc95c  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11bc95c)
    #18 0x7f156cbbdac0  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11bdac0)
    #19 0x7f156cbbde41  (/home/vagrant/systemd/build/src/shared/libsystemd-shared-251.so+0x11bde41)
    #20 0x553402 in run ../src/resolve/resolved.c:92
    #21 0x55369c in main ../src/resolve/resolved.c:99
    #22 0x7f156a64043f in __libc_start_call_main (/lib64/libc.so.6+0x4043f)

SUMMARY: AddressSanitizer: heap-use-after-free ../src/resolve/resolved-mdns.c:413 in on_mdns_packet
Shadow bytes around the buggy address:
  0x0c24800ca180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c24800ca190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c24800ca1a0: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
  0x0c24800ca1b0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c24800ca1c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c24800ca1d0: fd fd fd fd fd[fd]fd fd fd fd fd fa fa fa fa fa
  0x0c24800ca1e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c24800ca1f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c24800ca200: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c24800ca210: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c24800ca220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==983858==ABORTING
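The two stacks above describe one shape of bug: on_mdns_packet (resolved-mdns.c:418) hands a transaction to dns_transaction_process_reply, completion of that transaction completes its owning query, dns_query_candidate_stop calls dns_transaction_gc on the query's candidates, and one of them is freed; the next iteration of on_mdns_packet (line 413) then reads 8 bytes from that freed 280-byte DnsTransaction. The model below is an added example written for this page, not systemd's code and not from the issue; which DnsTransaction field line 413 actually reads is not established by the report, so the stale read is modelled as a list-link read. Names such as `tx_gc`, `query_stop`, `on_packet_vulnerable` and `on_packet_hardened` are hypothetical stand-ins for the resolved functions in the traces, and the "freed" flag on static slots replaces ASan's shadow memory so the stale access can be counted instead of crashing.

```c
/* Hypothetical model of "a callback reached from inside a list walk frees list members the
 * walker still points at", the pattern visible in the ASan stacks above.  Not systemd code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define N_TX 3

typedef struct Transaction Transaction;
typedef struct Query Query;

struct Transaction {
        Transaction *next;   /* scope-wide list of in-flight transactions, walked LIST_FOREACH-style */
        Query *query;        /* owning query; cleared when the query stops its candidates */
        unsigned n_ref;      /* pins held by callers that still intend to dereference this object */
        int key;             /* stands in for the resource key a reply record is matched against */
        bool freed;          /* slot bookkeeping standing in for ASan's freed-region shadow bytes */
};

struct Query { Transaction *cand[N_TX]; size_t n_cand; };

static Transaction pool[N_TX];           /* static slots, so "freed" memory can be inspected safely */
static Transaction *scope_transactions;  /* list head */
static unsigned uaf_reads;               /* dereferences of a freed slot: what ASan would abort on */

static int tx_key(Transaction *t) { if (t->freed) uaf_reads++; return t->key; }
static Transaction *tx_next(Transaction *t) { if (t->freed) uaf_reads++; return t->next; }

/* dns_transaction_gc analogue: free only when no query owns and no caller pins the object. */
static void tx_gc(Transaction *t) {
        if (t->query || t->n_ref > 0 || t->freed)
                return;
        for (Transaction **pp = &scope_transactions; *pp; pp = &(*pp)->next)   /* LIST_REMOVE */
                if (*pp == t) { *pp = t->next; break; }
        t->freed = true;
        t->next = NULL;      /* poison: a stale walker stops here instead of running off */
}

static Transaction *tx_ref(Transaction *t) { t->n_ref++; return t; }
static void tx_unref(Transaction *t) { t->n_ref--; tx_gc(t); }

/* dns_query_candidate_stop analogue: a satisfied query lets go of every candidate and gc's it,
 * including candidates the packet handler may still be walking. */
static void query_stop(Query *q) {
        for (size_t i = 0; i < q->n_cand; i++) {
                q->cand[i]->query = NULL;
                tx_gc(q->cand[i]);
        }
        q->n_cand = 0;
}

/* dns_transaction_process_reply analogue: completing one transaction completes its query. */
static void tx_process_reply(Transaction *t) { if (t->query) query_stop(t->query); }

static bool reply_matches(const int *keys, size_t n, int key) {
        for (size_t i = 0; i < n; i++) if (keys[i] == key) return true;
        return false;
}

/* VULNERABLE walker: processes each match in place and then follows the (possibly freed) link. */
static void on_packet_vulnerable(const int *keys, size_t n) {
        for (Transaction *t = scope_transactions; t; t = tx_next(t))
                if (reply_matches(keys, n, tx_key(t)))
                        tx_process_reply(t);      /* may free t and its siblings */
}

/* HARDENED walker: pin every match first, then process, then unpin.  Frees triggered by
 * completion are deferred to the unref, and candidates already detached are skipped. */
static void on_packet_hardened(const int *keys, size_t n) {
        Transaction *matched[N_TX];
        size_t n_matched = 0;
        for (Transaction *t = scope_transactions; t; t = tx_next(t))
                if (reply_matches(keys, n, tx_key(t)))
                        matched[n_matched++] = tx_ref(t);
        for (size_t i = 0; i < n_matched; i++) {
                if (matched[i]->query)            /* not already completed by an earlier match */
                        tx_process_reply(matched[i]);
                tx_unref(matched[i]);
        }
}

/* Constructed scenario: three transactions (keys 1..3) of one query, prepended to the scope list. */
static void scope_setup(Query *q) {
        memset(pool, 0, sizeof pool);
        memset(q, 0, sizeof *q);
        scope_transactions = NULL;
        uaf_reads = 0;
        for (size_t i = 0; i < N_TX; i++) {
                Transaction *t = &pool[i];
                t->key = (int) i + 1;
                t->query = q;
                t->next = scope_transactions;
                scope_transactions = t;
                q->cand[q->n_cand++] = t;
        }
}

static unsigned tx_live_count(void) {
        unsigned n = 0;
        for (size_t i = 0; i < N_TX; i++) n += !pool[i].freed;
        return n;
}

/* Constructed reply carrying records for two of the three outstanding transactions. */
static unsigned run_vulnerable(void) { Query q; int k[] = {1, 2}; scope_setup(&q); on_packet_vulnerable(k, 2); return uaf_reads; }
static unsigned run_hardened(void)   { Query q; int k[] = {1, 2}; scope_setup(&q); on_packet_hardened(k, 2);   return uaf_reads; }

int main(void) {
        unsigned v = run_vulnerable();
        printf("vulnerable walker: %u freed-slot reads, %u live\n", v, tx_live_count());
        unsigned h = run_hardened();
        printf("hardened walker:   %u freed-slot reads, %u live\n", h, tx_live_count());
        return 0;
}
```

The vulnerable walker records one freed-slot read (the link of the transaction it just processed, whose completion freed the whole candidate set), while the hardened walker records none and still ends with every transaction freed: pinning defers the free rather than leaking. Holding a reference across any call that can re-enter completion logic, or re-looking the object up after such a call instead of trusting a cached pointer, is the general remedy for this class.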

Metadata

Assignees

No one assigned

    Labels

    bug 🐛 Programming errors, that need preferential fixing
    resolve

    Development

    No branches or pull requests