Fix handling of TAT sending failures

dns_view_zonecut() may associate the dns_rdataset_t structure passed to it even if it returns a result different then ISC_R_SUCCESS. Not handling this properly may cause a reference leak. Fix by ensuring 'nameservers' is cleaned up in all relevant failure modes.
2026-04-21 14:17:27 -04:00 · 2018-07-19 17:43:58 +02:00 · 2018-07-19 17:43:58 +02:00 · 8666f8d28f
commit 8666f8d28f
parent 2975f37f1c
2 changed files with 28 additions and 15 deletions
--- a/bin/named/server.c
+++ b/bin/named/server.c
@ -6646,25 +6646,32 @@ dotat(dns_keytable_t *keytable, dns_keynode_t *keynode, void *arg) {
 	dns_rdataset_init(&nameservers);
 	result = dns_view_findzonecut(view, origin, domain, 0, 0, ISC_TRUE,
 				      ISC_TRUE, &nameservers, NULL);
-	if (result != ISC_R_SUCCESS) {
-		goto done;
+	if (result == ISC_R_SUCCESS) {
+		result = dns_resolver_createfetch(view->resolver, tatname,
+						  dns_rdatatype_null, domain,
+						  &nameservers, NULL, NULL, 0,
+						  0, 0, NULL, tat->task,
+						  tat_done, tat,
+						  &tat->rdataset,
+						  &tat->sigrdataset,
+						  &tat->fetch);
 	}

-	result = dns_resolver_createfetch(view->resolver, tatname,
-					  dns_rdatatype_null, domain,
-					  &nameservers, NULL, NULL, 0, 0, 0,
-					  NULL, tat->task, tat_done, tat,
-					  &tat->rdataset, &tat->sigrdataset,
-					  &tat->fetch);
-
 	/*
-	 * dns_resolver_createfetch() creates its own copies of 'domain' and
-	 * 'nameservers'; clean up the latter (the former points into a
-	 * dst_key_t structure and thus must not be freed).
+	 * 'domain' holds the dns_name_t pointer inside a dst_key_t structure.
+	 * dns_resolver_createfetch() creates its own copy of 'domain' if it
+	 * succeeds.  Thus, 'domain' is not freed here.
+	 *
+	 * Even if dns_view_findzonecut() returned something else than
+	 * ISC_R_SUCCESS, it still could have associated 'nameservers'.
+	 * dns_resolver_createfetch() creates its own copy of 'nameservers' if
+	 * it succeeds.  Thus, we need to check whether 'nameservers' is
+	 * associated and release it if it is.
 	 */
-	dns_rdataset_disassociate(&nameservers);
+	if (dns_rdataset_isassociated(&nameservers)) {
+		dns_rdataset_disassociate(&nameservers);
+	}

- done:
 	if (result != ISC_R_SUCCESS) {
 		isc_task_detach(&tat->task);
 		isc_mem_putanddetach(&tat->mctx, tat, sizeof(*tat));
--- a/bin/tests/system/mirror/ns1/sign.sh
+++ b/bin/tests/system/mirror/ns1/sign.sh
@ -27,4 +27,10 @@ cat $infile $keyname1.key $keyname2.key > $zonefile

 $SIGNER -P -g -o $zone $zonefile > /dev/null

-keyfile_to_trusted_keys $keyname1 > trusted.conf
+# Add a trust anchor for a name whose non-existence can be securely proved
+# without recursing when the root zone is mirrored.  This will exercise code
+# attempting to send TAT queries for such names (in ns3).  Key data is
+# irrelevant here, so just reuse the root zone key generated above.
+sed "s/^\./nonexistent./;" $keyname1.key > $keyname1.modified.key
+
+keyfile_to_trusted_keys $keyname1 $keyname1.modified > trusted.conf