From 1505cb1c24fcbfcf43b1a1de6957c73afacccdd1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Sat, 14 Mar 2026 12:53:03 +0100
Subject: [PATCH] Fix TSIG key and transport leaks in zone_notify() error paths

Two 'goto next' paths in zone_notify() skipped detaching the TSIG key and transport, leaking them on TLS configuration failure and when the destination address is disabled.
---
 lib/dns/zone.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index b524a90189..693e048f89 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -12523,6 +12523,9 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 "could not get TLS configuration "
 "for zone transfer: %s",
 isc_result_totext(result));
+ if (key != NULL) {
+ dns_tsigkey_detach(&key);
+ }
 goto next;
 }
@@ -12536,6 +12539,12 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst));
 if (isc_sockaddr_disabled(&dst)) {
+ if (key != NULL) {
+ dns_tsigkey_detach(&key);
+ }
+ if (transport != NULL) {
+ dns_transport_detach(&transport);
+ }
 goto next;
 }
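Review bot: The TLS-configuration failure path in the first hunk releases only `key`, while the commit message reads as if both the TSIG key and the transport leaked on this path, and the second hunk releases both. If `transport` is necessarily still NULL here because the lookup that just failed never set it (that call is outside the hunk), a one-line comment such as `/* transport is still NULL: the lookup above failed */` would make the asymmetry visibly deliberate. Otherwise the path still leaks a reference and needs `if (transport != NULL) { dns_transport_detach(&transport); }` before `goto next;`. zone_notify() starts and ends outside the hunk.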
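Review bot: The guarded detach pair in the second hunk is now open-coded at individual `goto next` sites, so every early exit added to this loop later has to remember to repeat it or it reintroduces the same reference leak. Consider releasing both references once at the `next:` label instead, with the same guards (`if (key != NULL) { dns_tsigkey_detach(&key); }` and the `transport` equivalent). That is only safe if the success path clears `key` and `transport` after handing them to the notify object, which cannot be confirmed from here because the label and the hand-off are outside the hunk. If the per-site form is kept, a short comment at the declarations of `key` and `transport` stating that every `goto next` must detach them would help the next editor.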