diff --git a/glibc-rh2255506.patch b/glibc-rh2255506.patch
new file mode 100644
index 0000000..0b7fa16
--- /dev/null
+++ b/glibc-rh2255506.patch
@@ -0,0 +1,139 @@
+commit 3e0853ab9a1609707ec8de453891b3c79ea556bc
+Author: Florian Weimer <fweimer@redhat.com>
+Date:   Wed Jan 3 16:40:32 2024 +0100
+
+    Revert "resolve: Remove __res_context_query alloca usage"
+    
+    This reverts commit 40c0add7d48739f5d89ebba255c1df26629a76e2.
+    The change causes an infinite loop with malformed domain
+    names.
+
+diff --git a/resolv/res_query.c b/resolv/res_query.c
+index 1b148a2a05b8641c..049de91b95a2bd0c 100644
+--- a/resolv/res_query.c
++++ b/resolv/res_query.c
+@@ -80,7 +80,6 @@
+ #include <stdlib.h>
+ #include <string.h>
+ #include <shlib-compat.h>
+-#include <scratch_buffer.h>
+ 
+ #if PACKETSZ > 65536
+ #define MAXPACKET	PACKETSZ
+@@ -115,14 +114,11 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+ 	struct __res_state *statp = ctx->resp;
+ 	UHEADER *hp = (UHEADER *) answer;
+ 	UHEADER *hp2;
+-	int n;
+-
+-	/* It requires 2 times QUERYSIZE for type == T_QUERY_A_AND_AAAA.  */
+-	struct scratch_buffer buf;
+-	scratch_buffer_init (&buf);
+-	_Static_assert (2 * QUERYSIZE <= sizeof (buf.__space.__c),
+-			"scratch_buffer too small");
+-	u_char *query1 = buf.data;
++	int n, use_malloc = 0;
++
++	size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
++	u_char *buf = alloca (bufsize);
++	u_char *query1 = buf;
+ 	int nquery1 = -1;
+ 	u_char *query2 = NULL;
+ 	int nquery2 = 0;
+@@ -133,28 +129,37 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+ 	if (type == T_QUERY_A_AND_AAAA)
+ 	  {
+ 	    n = __res_context_mkquery (ctx, QUERY, name, class, T_A, NULL,
+-				       query1, buf.length);
++				       query1, bufsize);
+ 	    if (n > 0)
+ 	      {
+ 		if ((statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
+ 		  {
+ 		    /* Use RESOLV_EDNS_BUFFER_SIZE because the receive
+ 		       buffer can be reallocated.  */
+-		    n = __res_nopt (ctx, n, query1, buf.length,
++		    n = __res_nopt (ctx, n, query1, bufsize,
+ 				    RESOLV_EDNS_BUFFER_SIZE);
+ 		    if (n < 0)
+ 		      goto unspec_nomem;
+ 		  }
+ 
+ 		nquery1 = n;
+-		query2 = buf.data + n;
++		/* Align the buffer.  */
++		int npad = ((nquery1 + __alignof__ (HEADER) - 1)
++			    & ~(__alignof__ (HEADER) - 1)) - nquery1;
++		if (n > bufsize - npad)
++		  {
++		    n = -1;
++		    goto unspec_nomem;
++		  }
++		int nused = n + npad;
++		query2 = buf + nused;
+ 		n = __res_context_mkquery (ctx, QUERY, name, class, T_AAAA,
+-					   NULL, query2, buf.length - n);
++					   NULL, query2, bufsize - nused);
+ 		if (n > 0
+ 		    && (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
+ 		  /* Use RESOLV_EDNS_BUFFER_SIZE because the receive
+ 		     buffer can be reallocated.  */
+-		  n = __res_nopt (ctx, n, query2, buf.length,
++		  n = __res_nopt (ctx, n, query2, bufsize,
+ 				  RESOLV_EDNS_BUFFER_SIZE);
+ 		nquery2 = n;
+ 	      }
+@@ -164,7 +169,7 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+ 	else
+ 	  {
+ 	    n = __res_context_mkquery (ctx, QUERY, name, class, type, NULL,
+-				       query1, buf.length);
++				       query1, bufsize);
+ 
+ 	    if (n > 0
+ 		&& (statp->options & (RES_USE_EDNS0|RES_USE_DNSSEC)) != 0)
+@@ -176,25 +181,27 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+ 		  advertise = anslen;
+ 		else
+ 		  advertise = RESOLV_EDNS_BUFFER_SIZE;
+-		n = __res_nopt (ctx, n, query1, buf.length, advertise);
++		n = __res_nopt (ctx, n, query1, bufsize, advertise);
+ 	      }
+ 
+ 	    nquery1 = n;
+ 	  }
+ 
+-	if (__glibc_unlikely (n <= 0)) {
++	if (__glibc_unlikely (n <= 0) && !use_malloc) {
+ 		/* Retry just in case res_nmkquery failed because of too
+ 		   short buffer.  Shouldn't happen.  */
+-		if (scratch_buffer_set_array_size (&buf,
+-						   T_QUERY_A_AND_AAAA ? 2 : 1,
+-						   MAXPACKET)) {
+-			query1 = buf.data;
++		bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
++		buf = malloc (bufsize);
++		if (buf != NULL) {
++			query1 = buf;
++			use_malloc = 1;
+ 			goto again;
+ 		}
+ 	}
+ 	if (__glibc_unlikely (n <= 0))       {
+ 		RES_SET_H_ERRNO(statp, NO_RECOVERY);
+-		scratch_buffer_free (&buf);
++		if (use_malloc)
++			free (buf);
+ 		return (n);
+ 	}
+ 
+@@ -217,7 +224,8 @@ __res_context_query (struct resolv_context *ctx, const char *name,
+ 				    answerp2_malloced);
+ 	  }
+ 
+-	scratch_buffer_free (&buf);
++	if (use_malloc)
++		free (buf);
+ 	if (n < 0) {
+ 		RES_SET_H_ERRNO(statp, TRY_AGAIN);
+ 		return (n);
diff --git a/glibc.spec b/glibc.spec
index 86aa9f5..1255700 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -171,7 +171,7 @@ Version: %{glibcversion}
 # - It allows using the Release number without the %%dist tag in the dependency
 #   generator to make the generated requires interchangeable between Rawhide
 #   and ELN (.elnYY < .fcXX).
-%global baserelease 29
+%global baserelease 30
 Release: %{baserelease}%{?dist}
 
 # In general, GPLv2+ is used by programs, LGPLv2+ is used for
@@ -242,6 +242,7 @@ Patch9: glibc-rh827510.patch
 Patch13: glibc-fedora-localedata-rh61908.patch
 Patch17: glibc-cs-path.patch
 Patch23: glibc-python3.patch
+Patch24: glibc-rh2255506.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -2212,6 +2213,9 @@ update_gconv_modules_cache ()
 %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
 
 %changelog
+* Wed Jan  3 2024 Florian Weimer <fweimer@redhat.com> - 2.38.9000-30
+- Infinite loop in res_mkquery with malformed domain name (#2255506)
+
 * Fri Dec 22 2023 Florian Weimer <fweimer@redhat.com> - 2.38.9000-29
 - Auto-sync with upstream branch master,
   commit 61bac1a9d2ab80ebcbc51484722e6ea43414bec7: