mir/bind
2
0
Fork 0
mirror of https://gitlab.isc.org/isc-projects/bind9 synced 2025-08-30 05:57:52 +00:00
Code Issues Releases Wiki Activity

[9.20] fix: usr: Prevent spurious validation failures

Browse Source 
Under rare circumstances, validation could fail if multiple clients simultaneously iterated the same set of signatures.

References #3014

Backport of MR !5578

Merge branch 'backport-3014-validator-c-check_signer-fails-to-call-dns_rdataset_clone-9.20' into 'bind-9.20'

See merge request isc-projects/bind9!10815
This commit is contained in:
Mark Andrews 2025-08-02 00:12:01 +10:00
commit 3b98c7cc9d
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
lib/dns/validator.c
View File

@ -1875,14 +1875,15 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
dns_rdata_rrsig_t sig;
dst_key_t *dstkey = NULL;
isc_result_t result;
dns_rdataset_t rdataset = DNS_RDATASET_INIT;
dns_rdataset_clone(val->sigrdataset, &rdataset);
for (result = dns_rdataset_first(val->sigrdataset);
result == ISC_R_SUCCESS;
result = dns_rdataset_next(val->sigrdataset))
for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
result = dns_rdataset_next(&rdataset))
{
dns_rdata_t rdata = DNS_RDATA_INIT;
dns_rdataset_current(val->sigrdataset, &rdata);
dns_rdataset_current(&rdataset, &rdata);
result = dns_rdata_tostruct(&rdata, &sig, NULL);
RUNTIME_CHECK(result == ISC_R_SUCCESS);
if (keyid != sig.keyid || algorithm != sig.algorithm) {
@ -1907,6 +1908,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
if (dstkey != NULL) {
dst_key_free(&dstkey);
}
dns_rdataset_disassociate(&rdataset);
return result;
}