fix: usr: Fix the assertion failure in the selfsigned DNSKEY handling

The selfsigned_dnskey() function can now return all the return codes that dns_dnssec_keyfromrdata() can return and this would cause an assertion failure as we were not expecting new isc_result_t codes. Closes isc-projects/bind9#5343 Merge branch 'ondrej/security-fix-crash-in-selfsigned-key-handling' into 'v9.21.14-release' See merge request isc-private/bind9!865
2026-05-28 04:34:54 -04:00 · 2025-10-18 09:39:35 +02:00 · 2025-10-18 09:39:35 +02:00 · a78f847fc8
commit a78f847fc8
parent 3be0cd8196 7b26176c46
1 changed files with 30 additions and 12 deletions
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@ -1324,6 +1324,7 @@ selfsigned_dnskey(dns_validator_t *val) {
 	dns_name_t *name = val->name;
 	isc_result_t result;
 	isc_mem_t *mctx = val->view->mctx;
+	bool match = false;

 	if (rdataset->type != dns_rdatatype_dnskey) {
 		return DNS_R_NOKEYMATCH;
@ -1357,17 +1358,16 @@ selfsigned_dnskey(dns_validator_t *val) {

 			/*
 			 * If the REVOKE bit is not set we have a
-			 * theoretically self signed DNSKEY RRset.
-			 * This will be verified later.
+			 * theoretically self-signed DNSKEY RRset;
+			 * this will be verified later.
+			 *
+			 * We don't return the answer yet, though,
+			 * because we need to check the remaining keys
+			 * and possbly remove them if they're revoked.
 			 */
 			if ((key.flags & DNS_KEYFLAG_REVOKE) == 0) {
-				return ISC_R_SUCCESS;
-			}
-
-			result = dns_dnssec_keyfromrdata(name, &keyrdata, mctx,
-							 &dstkey);
-			if (result != ISC_R_SUCCESS) {
-				return result;
+				match = true;
+				break;
 			}

 			/*
@ -1377,6 +1377,20 @@ selfsigned_dnskey(dns_validator_t *val) {
 			if (DNS_TRUST_PENDING(rdataset->trust) &&
 			    dns_view_istrusted(val->view, name, &key))
 			{
+				result = dns_dnssec_keyfromrdata(
+					name, &keyrdata, mctx, &dstkey);
+				if (result == DST_R_UNSUPPORTEDALG) {
+					/* don't count towards max fails */
+					break; /* continue with next key */
+				} else if (result != ISC_R_SUCCESS) {
+					consume_validation(val);
+					if (over_max_fails(val)) {
+						return ISC_R_QUOTA;
+					}
+					consume_validation_fail(val);
+					break; /* continue with next key */
+				}
+
 				if (over_max_validations(val)) {
 					dst_key_free(&dstkey);
 					return ISC_R_QUOTA;
@ -1410,6 +1424,8 @@ selfsigned_dnskey(dns_validator_t *val) {
 					consume_validation_fail(val);
 					break;
 				}
+
+				dst_key_free(&dstkey);
 			} else if (rdataset->trust >= dns_trust_secure) {
 				/*
 				 * We trust this RRset so if the key is
@ -1417,12 +1433,14 @@ selfsigned_dnskey(dns_validator_t *val) {
 				 */
 				dns_view_untrust(val->view, name, &key);
 			}
-
-			dst_key_free(&dstkey);
 		}
 	}

-	return DNS_R_NOKEYMATCH;
+	if (!match) {
+		return DNS_R_NOKEYMATCH;
+	}
+
+	return ISC_R_SUCCESS;
 }

 /*%