From 338961bf7e7a4f6dad53f805dc64b9272fe4b734 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Sat, 14 Mar 2026 12:54:50 +0100
Subject: [PATCH] Fix KASP key leaks on keystore lookup failure

In both cfg_kasp_fromconfig() and cfg_kasp_builtinconfig(), the newly allocated KASP key was not destroyed when the keystore lookup failed.
(cherry picked from commit df1993611bae62ad0267d8652d599b4158f3e9a9)
---
 lib/isccfg/kaspconf.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 58b0818fe4..09129e4298 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -852,6 +852,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 "find keystore (%s)",
 isc_result_totext(result));
 }
+ dns_kasp_key_destroy(new_key);
 goto cleanup;
 }
 dns_kasp_addkey(kasp, new_key);
@@ -972,6 +973,7 @@ cfg_kasp_builtinconfig(isc_mem_t *mctx, const char *name,
 DNS_KEYSTORE_KEYDIRECTORY,
 &new_key->keystore);
 if (result != ISC_R_SUCCESS) {
+ dns_kasp_key_destroy(new_key);
 goto cleanup;
 }
 dns_kasp_addkey(kasp, new_key);
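Review bot: The added `dns_kasp_key_destroy(new_key);` in the keystore-failure branch of cfg_kasp_fromconfig(), and the identical line in cfg_kasp_builtinconfig(), leaves the ownership rule behind the fix undocumented at both call sites. Presumably `new_key` belongs to the local scope until `dns_kasp_addkey(kasp, new_key)` links it into the policy, so I would add a comment above each call such as `/* new_key is not yet linked into kasp; release it before bailing out. */`. Both functions start and end outside their hunks, so any other `goto cleanup` between the key's creation and `dns_kasp_addkey()` should be checked for the same gap. The diffstat shows only kaspconf.c changed; a configuration test in which a policy key refers to a keystore that cannot be found, run under the memory-leak checks, would keep this path from regressing.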