From: Ondřej Surý Date: Tue, 17 Mar 2026 23:28:04 +0000 (+0100) Subject: Fix off-by-one in TSIG generated key eviction X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8c1fe179e321ec993e29eb5a92f8054abdfbd470;p=thirdparty%2Fbind9.git Fix off-by-one in TSIG generated key eviction Use pre-increment (++ring->generated) instead of post-increment (ring->generated++) so the comparison against DNS_TSIG_MAXGENERATEDKEYS happens after counting the new key. With post-increment, one extra key beyond the limit was allowed before eviction kicked in. --- diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c index 03bcc37a4c1..24f51d75da8 100644 --- a/lib/dns/tsig.c +++ b/lib/dns/tsig.c @@ -1581,7 +1581,7 @@ dns_tsigkeyring_add(dns_tsigkeyring_t *ring, dns_tsigkey_t *tkey) { if (tkey->generated) { ISC_LIST_APPEND(ring->lru, tkey, link); dns_tsigkey_ref(tkey); - if (ring->generated++ > DNS_TSIG_MAXGENERATEDKEYS) { + if (++ring->generated > DNS_TSIG_MAXGENERATEDKEYS) { dns_tsigkey_t *key = ISC_LIST_HEAD(ring->lru); rm_lru(key); rm_hashmap(key);
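Review bot: The boundary is now right, but the hunk only shows half of the invariant and deserves a regression test. `++ring->generated > DNS_TSIG_MAXGENERATEDKEYS` fires on the key that takes the count to MAX+1, and evicting `ISC_LIST_HEAD(ring->lru)` brings the ring back to MAX, whereas the old `ring->generated++ > DNS_TSIG_MAXGENERATEDKEYS` compared the pre-increment value and let MAX+1 generated keys accumulate before the first eviction, as the commit message says. Since `tkey` was just `ISC_LIST_APPEND`ed to the tail, the evicted head is always an older key, never the one being added. What is not visible here is the matching decrement of `ring->generated` on the `rm_lru`/`rm_hashmap` path; an off-by-one there would make the counter drift the other way. Please add a test that inserts DNS_TSIG_MAXGENERATEDKEYS + 1 generated keys and asserts the ring holds exactly DNS_TSIG_MAXGENERATEDKEYS afterwards, so both the increment and the removal side of the limit are pinned.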