fix: usr: Prevent spurious validation failures

Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures.

References #3014

Merge branch '3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone' into 'main'

See merge request isc-projects/bind9!5578
Mark Andrews 2025-08-01 21:17:46 +10:00
commit 719bb9443a


@ -1874,11 +1874,14 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
dns_rdata_rrsig_t sig;
dst_key_t *dstkey = NULL;
isc_result_t result = ISC_R_NOMORE;
dns_rdataset_t rdataset = DNS_RDATASET_INIT;
DNS_RDATASET_FOREACH (val->sigrdataset) {
dns_rdataset_clone(val->sigrdataset, &rdataset);
DNS_RDATASET_FOREACH (&rdataset) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(val->sigrdataset, &rdata);
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (keyid != sig.keyid || algorithm != sig.algorithm) {
@ -1903,6 +1906,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
dns_rdataset_disassociate(&rdataset);
return result;
}
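Review bot: The `dns_rdataset_clone()` call ahead of the loop has no comment saying why the loop must not walk `val->sigrdataset` directly, so a later tidy-up could fold it back and reintroduce the spurious validation failures. I would add `/* Iterate a private clone: iteration state is kept in the rdataset itself, and val->sigrdataset may be iterated concurrently by another validation. */` above it. The matching `dns_rdataset_disassociate(&rdataset)` sits only at the final return, and the loop body between the two hunks is not shown, so please confirm that every exit from the loop is a `break` or `continue` rather than a `return`; otherwise the clone's reference would be leaked on that path. check_signer starts before the first hunk, so whether `val->sigrdataset` is always associated at the point of the clone cannot be checked from here.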