c-ares TCP ares_getaddrinfo() UAF Calc PoC
Loopback DNS-over-TCP EDNS retry sequence leaves stale skip-list state; cleanup reaches attacker-shaped destructor — calc proof on main and v1.34.6.
Summary
This proof-of-concept is one of 30 folders in the Exploitarium collection. OFFSITE.DARK summarizes the upstream README and PoC design; we did not discover or weaponize this flaw.
Key Findings
| Finding | Detail |
|---|---|
| Product / target | c-ares main @ c93e50f3 and release v1.34.6 |
| Primitive | TCP DNS double-response + connection reset → UAF in query cleanup |
| Impact | Controlled code execution in the PoC harness linked against affected c-ares (not a universal application exploit). |
Attack Chain
ares_getaddrinfo(EDNS|USEVC) → FORMERR then success → TCP reset → shaped allocator → proof_marker()
Mitigation
Track c-ares advisories; where feasible, run the resolver in a separate process so that a fault in query cleanup cannot compromise the main application.