From: Ondřej Surý
Date: Sat, 14 Mar 2026 11:53:03 +0000 (+0100)
Subject: Fix TSIG key and transport leaks in zone_notify() error paths
X-Git-Tag: v9.21.21~41^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1505cb1c24fcbfcf43b1a1de6957c73afacccdd1;p=thirdparty%2Fbind9.git
Fix TSIG key and transport leaks in zone_notify() error paths
Two 'goto next' paths in zone_notify() skipped detaching the TSIG key and transport, leaking them on TLS configuration failure and when the destination address is disabled.
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index b524a901890..693e048f899 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -12523,6 +12523,9 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 "could not get TLS configuration "
 "for zone transfer: %s",
 isc_result_totext(result));
+ if (key != NULL) {
+ dns_tsigkey_detach(&key);
+ }
 goto next;
 }
@@ -12536,6 +12539,12 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst));
 if (isc_sockaddr_disabled(&dst)) {
+ if (key != NULL) {
+ dns_tsigkey_detach(&key);
+ }
+ if (transport != NULL) {
+ dns_transport_detach(&transport);
+ }
 goto next;
 }
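Review bot: Both fixes repeat the release sequence by hand in front of each `goto next`, which is the same pattern that let these two paths leak. The first hunk's TLS-failure branch and the second hunk's `isc_sockaddr_disabled(&dst)` branch would be harder to get wrong if the `next:` label itself ran `if (key != NULL) dns_tsigkey_detach(&key);` and `if (transport != NULL) dns_transport_detach(&transport);`. That assumes the success path hands off or clears both pointers before reaching the label, which cannot be checked here because the label and the rest of zone_notify() lie outside these hunks. The first hunk detaches only `key` although the commit message names both objects; if `transport` is necessarily NULL there because the failed lookup is the one that would have set it, a comment such as `/* transport is still NULL: the lookup above failed */` would record that. A leaked TSIG key reference presumably keeps the key object and its secret alive after the key is dropped from configuration, so a regression test that drives both branches under a leak checker would be worth adding.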