Use pre-increment (++ring->generated) instead of post-increment
(ring->generated++) so the comparison against DNS_TSIG_MAXGENERATEDKEYS
happens after counting the new key. With post-increment, one extra key
beyond the limit was allowed before eviction kicked in.
if (tkey->generated) {
ISC_LIST_APPEND(ring->lru, tkey, link);
dns_tsigkey_ref(tkey);
- if (ring->generated++ > DNS_TSIG_MAXGENERATEDKEYS) {
+ if (++ring->generated > DNS_TSIG_MAXGENERATEDKEYS) {
dns_tsigkey_t *key = ISC_LIST_HEAD(ring->lru);
rm_lru(key);
rm_hashmap(key);
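Review bot: the side effect inside the `if` condition on the changed line is what let this off-by-one slip in, and a prefix/postfix swap is easy to undo by accident. Consider splitting it into a plain `ring->generated++;` statement followed by `if (ring->generated > DNS_TSIG_MAXGENERATEDKEYS)`, so the boundary is explicit. The visible lines also do not show where `ring->generated` is decremented after the eviction. If `rm_lru(key)` does that, a short comment here would help the reader. A regression test that adds DNS_TSIG_MAXGENERATEDKEYS + 1 generated keys and asserts that the ring holds exactly the limit would pin the behaviour described in the commit message.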