From: Ondřej Surý Date: Wed, 18 Mar 2026 00:01:34 +0000 (+0100) Subject: Fix GSS context leak on error paths in process_gsstkey() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0a6f3bf659f7385ed8b4e7de7d12d71847bf065;p=thirdparty%2Fbind9.git Fix GSS context leak on error paths in process_gsstkey() After gss_accept_sec_context() succeeds, the GSS context is passed to dst_key_fromgssapi() which transfers ownership to the dst_key. If a subsequent operation fails (dst_key_fromgssapi itself, dns_tsigkey_createfromkey, or dns_tsigkeyring_add), the cleanup label frees the dst_key but only if it was created. If the failure happened before dst_key_fromgssapi, the GSS context was orphaned. Delete the GSS context in the cleanup path when it was not transferred to a dst_key. --- diff --git a/lib/dns/tkey.c b/lib/dns/tkey.c index 03615f07e5c..a65661670f1 100644 --- a/lib/dns/tkey.c +++ b/lib/dns/tkey.c @@ -265,6 +265,14 @@ process_gsstkey(dns_message_t *msg, dns_name_t *name, dns_rdata_tkey_t *tkeyin, return ISC_R_SUCCESS; cleanup: + /* + * If dstkey was created, the GSS context was transferred to it + * and will be freed when dstkey is freed. Otherwise, we must + * delete the GSS context directly to prevent a leak. + */ + if (dstkey == NULL && gss_ctx != NULL) { + dst_gssapi_deletectx(tctx->mctx, &gss_ctx); + } if (tsigkey != NULL) { dns_tsigkey_detach(&tsigkey); }
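Review bot: the new check in the cleanup block, `if (dstkey == NULL && gss_ctx != NULL)`, uses `dstkey == NULL` as the only evidence that this function still owns the GSS context, and the comment above it does not state the conditions that inference depends on. First, it assumes a failing dst_key_fromgssapi() leaves dstkey NULL and does not consume the context; the commit message lists that call as one of the failure cases, so the comment should say so explicitly. Second, the hunk does not show where gss_ctx is first assigned, so please confirm that no path can reach cleanup with dstkey NULL while gss_ctx is still referenced by another object, since deleting it here would then turn a leak into a double free. Only lib/dns/tkey.c is touched in this diff; a regression test that forces a failure after gss_accept_sec_context() succeeds would keep this error path covered.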