From b275b9171d3fcf272d6b3fc94b8c5b2af478939e Mon Sep 17 00:00:00 2001
From: Remi Gacogne
Date: Mon, 2 May 2016 17:24:08 +0200
Subject: [PATCH] rec: Fix a memory leak in DNSSEC validation

`DNSCryptoKeyEngine::makeFromPublicKeyString()` returns a naked pointer to a new object.
---
 pdns/validate.cc | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/pdns/validate.cc b/pdns/validate.cc
index e479e7c3a1..8d85b4e370 100644
--- a/pdns/validate.cc
+++ b/pdns/validate.cc
@@ -103,8 +103,10 @@ void validateWithKeySet(const cspmap_t& rrsets, cspmap_t& validated, const keyse
 bool isValid = false;
 try {
 unsigned int now=time(0);
- if(signature->d_siginception < now && signature->d_sigexpire > now)
- isValid = DNSCryptoKeyEngine::makeFromPublicKeyString(l.d_algorithm, l.d_key)->verify(msg, signature->d_signature);
+ if(signature->d_siginception < now && signature->d_sigexpire > now) {
+ std::shared_ptr dke = shared_ptr(DNSCryptoKeyEngine::makeFromPublicKeyString(l.d_algorithm, l.d_key));
+ isValid = dke->verify(msg, signature->d_signature);
+ }
 else {
 LOG("signature is expired/not yet valid"<d_siginception < now && i->d_sigexpire > now)
- isValid = DNSCryptoKeyEngine::makeFromPublicKeyString(j.d_algorithm, j.d_key)->verify(msg, i->d_signature);
+ if(i->d_siginception < now && i->d_sigexpire > now) {
+ std::shared_ptr dke = shared_ptr(DNSCryptoKeyEngine::makeFromPublicKeyString(j.d_algorithm, j.d_key));
+ isValid = dke->verify(msg, i->d_signature);
+ }
 } catch(std::exception& e) { // cerr<<"Could not make a validator for signature: "<
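Review bot: The new `dke` locals in both hunks (the `l.d_key` call site in validateWithKeySet and the later `j.d_key` call site) own an object that nothing else shares, so `std::unique_ptr` states the ownership more exactly than `shared_ptr` and avoids a control-block allocation on a per-signature path, for example `std::unique_ptr<DNSCryptoKeyEngine> dke(DNSCryptoKeyEngine::makeFromPublicKeyString(l.d_algorithm, l.d_key));`. The template argument there is inferred, because this page shows the declaration as `std::shared_ptr dke = shared_ptr(...)` with the angle-bracket part lost; the declaration also mixes `std::shared_ptr` with an unqualified `shared_ptr`, which relies on a using-declaration or using-directive that is not visible here. The factory still returns a naked owning pointer, so any other caller can repeat the leak, and in a validator that verifies signatures taken from network responses a per-verification leak is memory growth that a remote party can drive. Changing `makeFromPublicKeyString()` to return a smart pointer, or at least documenting the ownership at its declaration, would close this at the source. Both enclosing functions begin and end outside the hunks, and the text between the two hunks is damaged on this page, so other call sites could not be checked.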