From: Ondřej Surý Date: Fri, 10 Apr 2026 16:25:18 +0000 (+0200) Subject: Tidy up cleanup path in check_signer() X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=dac6a57215dfc399fc3d8a51b3d0664e9dd19232;p=thirdparty%2Fbind9.git Tidy up cleanup path in check_signer() The cloned signature rdataset was not disassociated on the early return taken when dns_dnssec_keyfromrdata() fails to parse the DNSKEY public-key data. In every current caller val->sigrdataset reaches check_signer() rdatalist-backed, so dns_rdataset_clone() copies the struct without taking any reference and dns_rdataset_disassociate() is a no-op -- no memory is actually leaked today. Hoist the key parse out of the per-RRSIG loop and let the function fall through to a single cleanup path, so the parse and the iteration cannot diverge again. Assisted-by: Claude:claude-opus-4-7 (cherry picked from commit 19f44a0aa376bace89d8ffaece546e1fc891a763) --- diff --git a/lib/dns/validator.c b/lib/dns/validator.c index 3ea4a640aec..44ff5a2094c 100644 --- a/lib/dns/validator.c +++ b/lib/dns/validator.c @@ -1730,6 +1730,12 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid, isc_result_t result; dns_rdataset_t rdataset = DNS_RDATASET_INIT; + result = dns_dnssec_keyfromrdata(val->event->name, keyrdata, + val->view->mctx, &dstkey); + if (result != ISC_R_SUCCESS) { + return result; + } + dns_rdataset_clone(val->event->sigrdataset, &rdataset); for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS; 
@@ -1743,23 +1749,14 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid, if (keyid != sig.keyid || algorithm != sig.algorithm) { continue; } - if (dstkey == NULL) { - result = dns_dnssec_keyfromrdata( - val->event->name, keyrdata, val->view->mctx, - &dstkey); - if (result != ISC_R_SUCCESS) { - return result; - } - } + result = verify(val, dstkey, &rdata, sig.keyid); if (result == ISC_R_SUCCESS) { break; } } - if (dstkey != NULL) { - dst_key_free(&dstkey); - } + dst_key_free(&dstkey); dns_rdataset_disassociate(&rdataset); return result;
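Review bot: In the first hunk (@@ -1730,6 +1730,12 @@), the hoisted dns_dnssec_keyfromrdata() call now runs on every invocation of check_signer(), whereas the removed code parsed the key only after an RRSIG had matched keyid and algorithm. For a key with no matching signature this adds a parse that was previously skipped, and a parse failure now returns the parse error where the old code would have returned whatever result the loop ended with. The commit message describes the change as a tidy-up, so please state whether callers treat those two results the same way. A short comment above the new call noting that the early return is safe because it precedes dns_rdataset_clone() would also document why no disassociate is needed there.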
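Review bot: In the second hunk (@@ -1743,23 +1749,14 @@), the now-unconditional dst_key_free(&dstkey) is correct only because the first hunk returns before the loop whenever the key parse fails, so dstkey is always set by the time the cleanup runs. That invariant is established in a different part of the function and is not visible at the cleanup site. A one-line comment there, or an assertion that dstkey is non-NULL before the free, would protect against a later edit that routes another path into this cleanup with dstkey still unset, in case dst_key_free() does not tolerate NULL.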