From f78430bb7414659735e82f120b83e0e403095a49 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Wed, 17 Nov 2021 13:09:03 +1100
Subject: [PATCH] validator.c:check_signer now clones val->sigrdataset

Spurious validation failures were traced back to check_signer looping over val->sigrdataset directly. Cloning val->sigrdataset prevents check_signer from interacting with callers that are also looping over val->sigrdataset.

(cherry picked from commit 8aa130f253b11e61d87dadea576e2c1430ce8dcc)
---
 lib/dns/validator.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index dea8128832..1f7c7154e8 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1875,14 +1875,15 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
 	dns_rdata_rrsig_t sig;
 	dst_key_t *dstkey = NULL;
 	isc_result_t result;
+	dns_rdataset_t rdataset = DNS_RDATASET_INIT;
 
+	dns_rdataset_clone(val->sigrdataset, &rdataset);
-	for (result = dns_rdataset_first(val->sigrdataset);
-	     result == ISC_R_SUCCESS;
-	     result = dns_rdataset_next(val->sigrdataset))
+	for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+	     result = dns_rdataset_next(&rdataset))
 	{
 		dns_rdata_t rdata = DNS_RDATA_INIT;
 
-		dns_rdataset_current(val->sigrdataset, &rdata);
+		dns_rdataset_current(&rdataset, &rdata);
 		result = dns_rdata_tostruct(&rdata, &sig, NULL);
 		RUNTIME_CHECK(result == ISC_R_SUCCESS);
 		if (keyid != sig.keyid || algorithm != sig.algorithm) {
@@ -1907,6 +1908,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
 	if (dstkey != NULL) {
 		dst_key_free(&dstkey);
 	}
+	dns_rdataset_disassociate(&rdataset);
 	return result;
 }
 
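Review bot: The cloned rdataset is released only on the final `return result;` in the second hunk, so any other exit from check_signer would leave the clone associated and leak the reference it holds on val->sigrdataset. The loop body between the two hunks (old lines 1889-1906) is not shown; if it returns directly on a failure (for example when the DST key cannot be built from keyrdata), that path now needs the same cleanup. The smallest balanced form is a single exit: replace each early `return result;` in the loop with `goto cleanup;` and put a `cleanup:` label immediately before `dns_rdataset_disassociate(&rdataset);`, which also keeps the existing dst_key_free on that path. A one-line comment above the clone, `/* Iterate over a private clone so callers also walking val->sigrdataset keep their cursor. */`, would record why the copy exists, since the commit message is the only place that reasoning currently lives. check_signer's signature and loop body lie outside the shown hunks.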