mirror of
https://github.com/isc-projects/bind9.git
synced 2026-02-18 18:18:00 -05:00
fix: usr: Prevent spurious validation failures
Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures. References #3014 Merge branch '3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone' into 'main' See merge request isc-projects/bind9!5578
This commit is contained in:
commit
719bb9443a
1 changed files with 6 additions and 2 deletions
|
|
@ -1874,11 +1874,14 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
|
|||
dns_rdata_rrsig_t sig;
|
||||
dst_key_t *dstkey = NULL;
|
||||
isc_result_t result = ISC_R_NOMORE;
|
||||
dns_rdataset_t rdataset = DNS_RDATASET_INIT;
|
||||
|
||||
DNS_RDATASET_FOREACH (val->sigrdataset) {
|
||||
dns_rdataset_clone(val->sigrdataset, &rdataset);
|
||||
|
||||
DNS_RDATASET_FOREACH (&rdataset) {
|
||||
dns_rdata_t rdata = DNS_RDATA_INIT;
|
||||
|
||||
dns_rdataset_current(val->sigrdataset, &rdata);
|
||||
dns_rdataset_current(&rdataset, &rdata);
|
||||
result = dns_rdata_tostruct(&rdata, &sig, NULL);
|
||||
RUNTIME_CHECK(result == ISC_R_SUCCESS);
|
||||
if (keyid != sig.keyid || algorithm != sig.algorithm) {
|
||||
|
|
@ -1903,6 +1906,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
|
|||
if (dstkey != NULL) {
|
||||
dst_key_free(&dstkey);
|
||||
}
|
||||
dns_rdataset_disassociate(&rdataset);
|
||||
|
||||
return result;
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in a new issue