CVE-2025-31498
Impact
Use after free() in read_answers() when process_answer() re-enqueues a
query, either because of a DNS Cookie failure or because the upstream
server does not properly support EDNS, or possibly on TCP queries if the
remote closed the connection immediately after a response. If putting
that new transaction on the wire failed, the connection handle was
closed, but read_answers() still expected the handle to be available so
it could dequeue any further responses.
In theory a remote attacker might be able to trigger this by flooding
the target with ICMP UNREACHABLE packets if they also control the
upstream nameserver and can return a result with one of those
conditions; this has not been tested. Otherwise only a local attacker
might be able to change system behavior so that send()/write() returns a
failure.
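The bug is a caller/callee handle-invalidation problem: process_answer() can close (free) the connection it was handed, and read_answers() keeps using that handle. The constructed C model below (added here; not c-ares code, and not the actual 1.34.5 fix) shows the vulnerable loop shape next to one hardened shape, where the callee reports that the handle is gone and the caller stops touching it. All names (conn_t, requeue_query, PROC_CONN_CLOSED, the answers queue) are assumptions; free() is replaced by a closed flag so the dangling use can be observed instead of being undefined behaviour.

```c
#include <stdbool.h>
#include <string.h>
/* Constructed model of the read_answers()/process_answer() interaction; not c-ares code. */
typedef enum { ANS_OK, ANS_REQUEUE } ans_kind_t;         /* REQUEUE: cookie failure / EDNS fallback */
typedef enum { PROC_OK, PROC_CONN_CLOSED } proc_status_t;

typedef struct {
    ans_kind_t answers[8];          /* buffered responses still to be dequeued */
    size_t     nanswers, next;
    bool       write_fails;         /* simulate send()/write() failing, e.g. after ICMP unreachable */
    bool       closed;              /* stands in for free() so a test can observe a dangling use */
    int        processed, uses_after_close;
} conn_t;

static void make_conn(conn_t *c, const ans_kind_t *a, size_t n, bool write_fails) {
    memset(c, 0, sizeof *c);
    memcpy(c->answers, a, n * sizeof *a);
    c->nanswers = n;
    c->write_fails = write_fails;
}

/* Re-enqueue the query and try to put it on the wire; a write failure closes the handle. */
static proc_status_t requeue_query(conn_t *c) {
    if (!c->write_fails) return PROC_OK;
    c->closed = true;               /* c-ares would free the connection here */
    return PROC_CONN_CLOSED;
}

/* Hardened process_answer(): reports whether the handle it was given still exists. */
static proc_status_t process_answer(conn_t *c, ans_kind_t a) {
    c->processed++;
    return (a == ANS_REQUEUE) ? requeue_query(c) : PROC_OK;
}

/* Vulnerable shape: ignores the status and keeps dequeuing on a handle that may be gone. */
static int read_answers_unsafe(conn_t *c) {
    while (c->next < c->nanswers) {
        if (c->closed) c->uses_after_close++;   /* in real code this is the use after free() */
        process_answer(c, c->answers[c->next++]);
    }
    return (int)c->next;            /* answers dequeued */
}

/* Hardened shape: stop touching the handle the moment the callee reports it closed. */
static int read_answers(conn_t *c) {
    while (c->next < c->nanswers)
        if (process_answer(c, c->answers[c->next++]) == PROC_CONN_CLOSED)
            break;                  /* c is no longer ours to read; hand control back */
    return (int)c->next;
}
```

With a write failure injected on the re-enqueued query, the unsafe loop touches the closed handle once more; the hardened loop returns after two answers and leaves the rest for the next read cycle.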
Patches
Versions 1.32.3 - 1.34.4 are affected. Fixed in 1.34.5.
Workarounds
None
References
c-ares started handling UDP write failures in 1.32.3 in PR#821
<https://github.com/c-ares/c-ares/pull/821>, whereas they were previously
ignored, thus uncovering this particular issue.
https://github.com/c-ares/c-ares/releases/tag/v1.34.5
Credit
Reported by Erik Lax