Fix off-by-one in TSIG generated key eviction

Use pre-increment (++ring->generated) instead of post-increment
(ring->generated++) so the comparison against DNS_TSIG_MAXGENERATEDKEYS
happens after counting the new key.  With post-increment, one extra key
beyond the limit was allowed before eviction kicked in.
Ondřej Surý 2026-03-18 00:28:04 +01:00
parent 5e10fdc295
commit 8c1fe179e3
No known key found for this signature in database
GPG key ID: 2820F37E873DEA41


@ -1581,7 +1581,7 @@ dns_tsigkeyring_add(dns_tsigkeyring_t *ring, dns_tsigkey_t *tkey) {
if (tkey->generated) {
ISC_LIST_APPEND(ring->lru, tkey, link);
dns_tsigkey_ref(tkey);
if (ring->generated++ > DNS_TSIG_MAXGENERATEDKEYS) {
if (++ring->generated > DNS_TSIG_MAXGENERATEDKEYS) {
dns_tsigkey_t *key = ISC_LIST_HEAD(ring->lru);
rm_lru(key);
rm_hashmap(key);
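Review bot: the increment inside the `if` condition in dns_tsigkeyring_add() is the kind of side effect that hid this off-by-one in the first place; consider splitting it into `ring->generated++;` followed by `if (ring->generated > DNS_TSIG_MAXGENERATEDKEYS) {` so the counter update and the limit check read separately. The visible lines also do not show where `ring->generated` is decremented when a key is evicted; please confirm that rm_lru() or the rest of this block does it, since otherwise the counter keeps growing and the comparison stays true on every later add. A unit test that adds DNS_TSIG_MAXGENERATEDKEYS + 1 generated keys and asserts that the head of the LRU list is evicted at exactly that point would pin the boundary this commit changes.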