upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-05-28 04:34:54 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch '4182-confidential-fix-races-in-dns-tsigkey-find' into 'v9.19.20-release'

Browse source 
Address races in dns_tsigkey_find()

See merge request isc-private/bind9!548
This commit is contained in:
Michał Kępień 2024-01-05 10:18:28 +00:00
commit e087391a96
2 changed files with 17 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
CHANGES
View file

@ -8,7 +8,8 @@
6315. [placeholder]
6314. [placeholder]
6314. [bug] Address race conditions in dns_tsigkey_find().
[GL #4182]
6313. [bug] When dnssec-policy is in effect the DNSKEY's TTLs in
the zone where not being updated to match the policy.

24
lib/dns/tsig.c
View file

@ -1539,38 +1539,44 @@ isc_result_t
dns_tsigkey_find(dns_tsigkey_t **tsigkey, const dns_name_t *name,
const dns_name_t *algorithm, dns_tsigkeyring_t *ring) {
dns_tsigkey_t *key = NULL;
isc_stdtime_t now = isc_stdtime_now();
isc_result_t result;
isc_rwlocktype_t locktype = isc_rwlocktype_read;
isc_stdtime_t now = isc_stdtime_now();
REQUIRE(name != NULL);
REQUIRE(VALID_TSIGKEYRING(ring));
REQUIRE(tsigkey != NULL && *tsigkey == NULL);
RWLOCK(&ring->lock, isc_rwlocktype_read);
again:
RWLOCK(&ring->lock, locktype);
result = isc_hashmap_find(ring->keys, dns_name_hash(name), tkey_match,
name, (void **)&key);
if (result == ISC_R_NOTFOUND) {
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
RWUNLOCK(&ring->lock, locktype);
return (result);
}
if (algorithm != NULL && !dns_name_equal(key->algorithm, algorithm)) {
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
RWUNLOCK(&ring->lock, locktype);
return (ISC_R_NOTFOUND);
}
if (key->inception != key->expire && isc_serial_lt(key->expire, now)) {
/*
* The key has expired.
*/
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
RWLOCK(&ring->lock, isc_rwlocktype_write);
if (locktype == isc_rwlocktype_read) {
RWUNLOCK(&ring->lock, locktype);
locktype = isc_rwlocktype_write;
key = NULL;
goto again;
}
rm_lru(key);
rm_hashmap(key);
RWUNLOCK(&ring->lock, isc_rwlocktype_write);
RWUNLOCK(&ring->lock, locktype);
return (ISC_R_NOTFOUND);
}
RWUNLOCK(&ring->lock, isc_rwlocktype_read);
adjust_lru(key);
dns_tsigkey_ref(key);
RWUNLOCK(&ring->lock, locktype);
adjust_lru(key);
*tsigkey = key;
return (ISC_R_SUCCESS);
}