dns: fix nameserver OOB read in IPv6-disabled fallback

In __res_msend_rc(), the IPv6-disabled fallback check uses conf->ns[nns] inside a loop controlled by i, so it tests a fixed slot instead of walking configured nameservers. This reads one past the array's size. Use conf->ns[i] so the loop correctly detects whether all configured nameservers are IPv6-only.
author: Liam Wachter <liam@asymmetric.re> 2026-03-20 12:19:40 -0400
committer: Rich Felker <dalias@aerifal.cx> 2026-03-20 12:19:40 -0400
commit: 6f6bd4a1896ba0be19168abc1346c8c7e3851709 (patch)
tree: d5283a4ebe8d44ddb95708ca11e4c9b689fa1ffe /src
parent: 9fa28ece75d8a2191de7c5bb53bed224c5947417 (diff)
download: musl-6f6bd4a1896ba0be19168abc1346c8c7e3851709.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/src/network/res_msend.c b/src/network/res_msend.c
index fcb52513..51d42ecb 100644
--- a/src/network/res_msend.c
+++ b/src/network/res_msend.c
@@ -124,7 +124,7 @@ int __res_msend_rc(int nqueries, const unsigned char *const *queries,
 
 	/* Handle case where system lacks IPv6 support */
 	if (fd < 0 && family == AF_INET6 && errno == EAFNOSUPPORT) {
-		for (i=0; i<nns && conf->ns[nns].family == AF_INET6; i++);
+		for (i=0; i<nns && conf->ns[i].family == AF_INET6; i++);
 		if (i==nns) {
 			pthread_setcancelstate(cs, 0);
 			return -1;
author	Liam Wachter <liam@asymmetric.re>	2026-03-20 12:19:40 -0400
committer	Rich Felker <dalias@aerifal.cx>	2026-03-20 12:19:40 -0400
commit	6f6bd4a1896ba0be19168abc1346c8c7e3851709 (patch)
tree	d5283a4ebe8d44ddb95708ca11e4c9b689fa1ffe /src
parent	9fa28ece75d8a2191de7c5bb53bed224c5947417 (diff)
download	musl-6f6bd4a1896ba0be19168abc1346c8c7e3851709.tar.gz