From ec481aa08a8c1bce9f3943fd26a52aeea61d699c Mon Sep 17 00:00:00 2001
From: rmg-x
Date: Mon, 10 Feb 2025 18:11:19 -0600
Subject: [PATCH] LibDNS+RequestServer: Fix UAF in lookup() by changing Span -> Vector
Co-authored-by: Ali Mohammad Pur
---
 Libraries/LibDNS/Resolver.h | 4 ++--
 Services/RequestServer/ConnectionFromClient.cpp | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/Libraries/LibDNS/Resolver.h b/Libraries/LibDNS/Resolver.h
index 6200ef86427..cc3ef6260db 100644
--- a/Libraries/LibDNS/Resolver.h
+++ b/Libraries/LibDNS/Resolver.h
@@ -213,10 +213,10 @@ public:
 NonnullRefPtr>> lookup(ByteString name, Messages::Class class_ = Messages::Class::IN)
 {
- return lookup(move(name), class_, Array { Messages::ResourceType::A, Messages::ResourceType::AAAA });
+ return lookup(move(name), class_, { Messages::ResourceType::A, Messages::ResourceType::AAAA });
 }
- NonnullRefPtr>> lookup(ByteString name, Messages::Class class_, Span desired_types, PendingLookup* repeating_lookup = nullptr)
+ NonnullRefPtr>> lookup(ByteString name, Messages::Class class_, Vector desired_types, PendingLookup* repeating_lookup = nullptr)
 {
 flush_cache();
diff --git a/Services/RequestServer/ConnectionFromClient.cpp b/Services/RequestServer/ConnectionFromClient.cpp
index df8bf1adfad..c81a1a66112 100644
--- a/Services/RequestServer/ConnectionFromClient.cpp
+++ b/Services/RequestServer/ConnectionFromClient.cpp
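Review bot: The three-argument `lookup()` now takes `desired_types` as an owning Vector, but nothing at the signature says why, so a later cleanup could switch it back to a Span and reintroduce the dangling view over a caller's temporary. I would add a comment above it such as `// desired_types is taken by value: callers chain handlers on the returned promise, so the list must outlive the caller's full-expression.` The body continues outside this hunk, so it is worth confirming that it moves the Vector into whatever state the pending lookup keeps and does not store `desired_types.span()` or a reference to the parameter. The diffstat lists only these two files, so the fix appears to land without a regression test; a lookup test run under a memory sanitizer would pin it.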
@@ -344,7 +344,7 @@ void ConnectionFromClient::start_request(i32 request_id, ByteString const& metho
 }
 auto host = url.serialized_host().to_byte_string();
- m_resolver->dns.lookup(host, DNS::Messages::Class::IN, Array { DNS::Messages::ResourceType::A, DNS::Messages::ResourceType::AAAA }.span())
+ m_resolver->dns.lookup(host, DNS::Messages::Class::IN, { DNS::Messages::ResourceType::A, DNS::Messages::ResourceType::AAAA })
 ->when_rejected([this, request_id](auto const& error) {
 dbgln("StartRequest: DNS lookup failed: {}", error);
 async_request_finished(request_id, 0, Requests::NetworkError::UnableToResolveHost);
@@ -604,7 +604,7 @@ void ConnectionFromClient::ensure_connection(URL::URL const& url, ::RequestServe
 }
 if (cache_level == CacheLevel::ResolveOnly) {
- [[maybe_unused]] auto promise = m_resolver->dns.lookup(url.serialized_host().to_byte_string(), DNS::Messages::Class::IN, Array { DNS::Messages::ResourceType::A, DNS::Messages::ResourceType::AAAA }.span());
+ [[maybe_unused]] auto promise = m_resolver->dns.lookup(url.serialized_host().to_byte_string(), DNS::Messages::Class::IN, { DNS::Messages::ResourceType::A, DNS::Messages::ResourceType::AAAA });
 if constexpr (REQUESTSERVER_DEBUG) {
 Core::ElapsedTimer timer;
 timer.start();
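Review bot: The `when_rejected` callback chained onto the changed `lookup()` call in `start_request` captures a raw `this` (`[this, request_id]`), which is the same lifetime pattern this commit fixes for the type list. If the promise can be rejected after the ConnectionFromClient has been destroyed, for instance when the client disconnects while resolution is in flight, `async_request_finished` would run on a freed object; whether that can happen depends on code outside this hunk. Capturing a weak reference to the connection (AK's `WeakPtr`) and returning early when it is gone would close that gap. The callback body continues past the end of the hunk.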
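Review bot: The `ensure_connection` call spells out the A/AAAA list that the two-argument `lookup()` overload in Resolver.h already supplies, so the default now lives in three places. `m_resolver->dns.lookup(url.serialized_host().to_byte_string(), DNS::Messages::Class::IN)` would reach the same three-argument overload with the same types and avoid building the list at the call site; the `start_request` call in the previous hunk has the same shape. If the explicit list is kept on purpose, a short comment saying so would help. The `ResolveOnly` block continues past the end of the hunk.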