Do not call exit() upon verifyset() errors

Replace all check_result() and fprintf() calls inside verifyset() with zoneverify_log_error() calls and error handling code. Enable verifyset() to signal errors to the caller using its return value. Modify the call site of verifyset() so that its errors are properly handled. Define buffer sizes using named constants rather than plain integers.
2025-08-31 06:25:31 +00:00 · 2018-06-15 09:59:20 +02:00
parent d782fcc638
commit 30e837f31a
1 changed files with 37 additions and 14 deletions
--- a/lib/dns/zoneverify.c
+++ b/lib/dns/zoneverify.c
@@ -723,14 +723,14 @@ verifynsec3s(const vctx_t *vctx, dns_name_t *name,
 	return (result);
 }

-static void
+static isc_result_t
 verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
 	  dns_dbnode_t *node, dns_rdataset_t *keyrdataset)
 {
 	unsigned char set_algorithms[256];
 	char namebuf[DNS_NAME_FORMATSIZE];
-	char algbuf[80];
-	char typebuf[80];
+	char algbuf[DNS_SECALG_FORMATSIZE];
+	char typebuf[DNS_RDATATYPE_FORMATSIZE];
 	dns_rdataset_t sigrdataset;
 	dns_rdatasetiter_t *rdsiter = NULL;
 	isc_result_t result;
@@ -738,7 +738,11 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,

 	dns_rdataset_init(&sigrdataset);
 	result = dns_db_allrdatasets(vctx->db, node, vctx->ver, 0, &rdsiter);
-	check_result(result, "dns_db_allrdatasets()");
+	if (result != ISC_R_SUCCESS) {
+		zoneverify_log_error(vctx, "dns_db_allrdatasets(): %s",
+				     isc_result_totext(result));
+		return (result);
+	}
 	for (result = dns_rdatasetiter_first(rdsiter);
 	     result == ISC_R_SUCCESS;
 	     result = dns_rdatasetiter_next(rdsiter)) {
@@ -751,12 +755,13 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
 	if (result != ISC_R_SUCCESS) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
 		dns_rdatatype_format(rdataset->type, typebuf, sizeof(typebuf));
-		fprintf(stderr, "No signatures for %s/%s\n", namebuf, typebuf);
+		zoneverify_log_error(vctx, "No signatures for %s/%s",
+				     namebuf, typebuf);
 		for (i = 0; i < 256; i++)
 			if (vctx->act_algorithms[i] != 0)
 				vctx->bad_algorithms[i] = 1;
-		dns_rdatasetiter_destroy(&rdsiter);
-		return;
+		result = ISC_R_SUCCESS;
+		goto done;
 	}

 	memset(set_algorithms, 0, sizeof(set_algorithms));
@@ -773,8 +778,10 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
 			dns_name_format(name, namebuf, sizeof(namebuf));
 			dns_rdatatype_format(rdataset->type, typebuf,
 					     sizeof(typebuf));
-			fprintf(stderr, "TTL mismatch for %s %s keytag %u\n",
-				namebuf, typebuf, sig.keyid);
+			zoneverify_log_error(vctx,
+					     "TTL mismatch for "
+					     "%s %s keytag %u",
+					     namebuf, typebuf, sig.keyid);
 			continue;
 		}
 		if ((set_algorithms[sig.algorithm] != 0) ||
@@ -783,7 +790,8 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
 		if (goodsig(vctx, &rdata, name, keyrdataset, rdataset))
 			set_algorithms[sig.algorithm] = 1;
 	}
-	dns_rdatasetiter_destroy(&rdsiter);
+	result = ISC_R_SUCCESS;
+
 	if (memcmp(set_algorithms, vctx->act_algorithms,
 		   sizeof(set_algorithms))) {
 		dns_name_format(name, namebuf, sizeof(namebuf));
@@ -792,12 +800,21 @@ verifyset(vctx_t *vctx, dns_rdataset_t *rdataset, dns_name_t *name,
 			if ((vctx->act_algorithms[i] != 0) &&
 			    (set_algorithms[i] == 0)) {
 				dns_secalg_format(i, algbuf, sizeof(algbuf));
-				fprintf(stderr, "No correct %s signature for "
-					"%s %s\n", algbuf, namebuf, typebuf);
+				zoneverify_log_error(vctx,
+						     "No correct %s signature "
+						     "for %s %s",
+						     algbuf, namebuf, typebuf);
 				vctx->bad_algorithms[i] = 1;
 			}
 	}
-	dns_rdataset_disassociate(&sigrdataset);
+
+ done:
+	if (dns_rdataset_isassociated(&sigrdataset)) {
+		dns_rdataset_disassociate(&sigrdataset);
+	}
+	dns_rdatasetiter_destroy(&rdsiter);
+
+	return (result);
 }

 static isc_result_t
@@ -835,7 +852,13 @@ verifynode(vctx_t *vctx, dns_name_t *name, dns_dbnode_t *node,
 		    rdataset.type != dns_rdatatype_dnskey &&
 		    (!delegation || rdataset.type == dns_rdatatype_ds ||
 		     rdataset.type == dns_rdatatype_nsec)) {
-			verifyset(vctx, &rdataset, name, node, keyrdataset);
+			result = verifyset(vctx, &rdataset, name, node,
+					   keyrdataset);
+			if (result != ISC_R_SUCCESS) {
+				dns_rdataset_disassociate(&rdataset);
+				dns_rdatasetiter_destroy(&rdsiter);
+				return (result);
+			}
 			dns_nsec_setbit(types, rdataset.type, 1);
 			if (rdataset.type > maxtype)
 				maxtype = rdataset.type;