upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-04-20 21:58:03 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

validator.c:check_signer now clones val->sigrdataset

Browse source 
Spurious validation failures were traced back to check_signer looping
over val->sigrdataset directly.  Cloning val->sigrdataset prevents
check_signer from interacting with callers that are also looping
over val->sigrdataset.
This commit is contained in:
Mark Andrews 2021-11-17 13:09:03 +11:00 committed by Evan Hunt
parent 321aa313c4
commit 8aa130f253
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
lib/dns/validator.c
View file

@ -1874,11 +1874,14 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
dns_rdata_rrsig_t sig;
dst_key_t *dstkey = NULL;
isc_result_t result = ISC_R_NOMORE;
dns_rdataset_t rdataset = DNS_RDATASET_INIT;
DNS_RDATASET_FOREACH (val->sigrdataset) {
dns_rdataset_clone(val->sigrdataset, &rdataset);
DNS_RDATASET_FOREACH (&rdataset) {
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(val->sigrdataset, &rdata);
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (keyid != sig.keyid || algorithm != sig.algorithm) {
@ -1903,6 +1906,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
dns_rdataset_disassociate(&rdataset);
return result;
}