From: Willem Toorop <willem@nlnetlabs.nl>
Date: Sat, 25 Jan 2025 21:15:04 +0000 (+0100)
Subject: Address the memory leaks in ldns-verify-zone
X-Git-Tag: 1.9.0-rc.1~25^2~8
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=de835b64751e0ab2a16ee5820d6c85e547c9106b;p=thirdparty%2Fldns.git

Address the memory leaks in ldns-verify-zone

As reported by CI
---

diff --git a/dnssec_zone.c b/dnssec_zone.c
index 013517f4..773a0239 100644
--- a/dnssec_zone.c
+++ b/dnssec_zone.c
@@ -71,8 +71,9 @@ ldns_dnssec_rrs_add_rr(ldns_dnssec_rrs *rrs, ldns_rr *rr)
 		new_rrs->next = rrs->next;
 		rrs->rr = rr;
 		rrs->next = new_rrs;
-	}
-	/* Silently ignore equal rr's */
+	} else
+		return LDNS_STATUS_EQUAL_RR;
+
 	return LDNS_STATUS_OK;
 }
 
@@ -732,25 +733,37 @@ ldns_dnssec_zone_new_frm_fp_l(ldns_dnssec_zone** z, FILE* fp, const ldns_rdf* or
 				 */
 				ldns_rr_set_ttl(cur_rr, ldns_rr_ttl(prev_rr));
 
-			prev_rr = cur_rr;
 #endif
 			status = ldns_dnssec_zone_add_rr(newzone, cur_rr);
-			if (status ==
-				LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND) {
-
+			switch(status) {
+			case LDNS_STATUS_DNSSEC_NSEC3_ORIGINAL_NOT_FOUND:
 				if (rr_is_rrsig_covering(cur_rr,
 							LDNS_RR_TYPE_NSEC3)){
 					ldns_rr_list_push_rr(todo_nsec3_rrsigs,
 							cur_rr);
 				} else {
 					ldns_rr_list_push_rr(todo_nsec3s,
-						       	cur_rr);
+							cur_rr);
 				}
 				status = LDNS_STATUS_OK;
-
-			} else if (status != LDNS_STATUS_OK)
+				break;
+			case LDNS_STATUS_EQUAL_RR:
+				ldns_rr_free(cur_rr);
+#ifndef FASTER_DNSSEC_ZONE_NEW_FRM_FP
+				cur_rr = prev_rr;
+#else
+				cur_rr = NULL;
+#endif
+				status = LDNS_STATUS_OK;
+				break;
+			case LDNS_STATUS_OK:
+				break;
+			default:
 				goto error;
-
+			}
+#ifndef FASTER_DNSSEC_ZONE_NEW_FRM_FP
+			prev_rr = cur_rr;
+#endif
 			break;
 
 		case LDNS_STATUS_SYNTAX_TTL:	/* the ttl was set*/
diff --git a/error.c b/error.c
index 50cdc630..5723aea9 100644
--- a/error.c
+++ b/error.c
@@ -189,6 +189,8 @@ ldns_lookup_table ldns_error_str[] = {
 	{ LDNS_STATUS_EDE_OPTION_MALFORMED,
 		"The extended error code option is malformed, expected "
 		"at least 2 bytes of option data" },
+	{ LDNS_STATUS_EQUAL_RR,
+		"An identical RR already existed in the zone" },
 	{ 0, NULL }
 };
 
diff --git a/examples/ldns-verify-zone.c b/examples/ldns-verify-zone.c
index ac076cd1..f4ad62fa 100644
--- a/examples/ldns-verify-zone.c
+++ b/examples/ldns-verify-zone.c
@@ -766,6 +766,7 @@ main(int argc, char **argv)
                         break;
 		case 'h':
 			print_usage(stdout, progname);
+			ldns_rr_list_deep_free(keys);
 			exit(EXIT_SUCCESS);
 			break;
 		case 'e':
@@ -779,6 +780,7 @@ main(int argc, char **argv)
 						"P[n]Y[n]M[n]DT[n]H[n]M[n]S\n"
 						);
 				}
+				ldns_rr_list_deep_free(keys);
                                 exit(EXIT_FAILURE);
 			}
 			if (c == 'e')
@@ -804,6 +806,7 @@ main(int argc, char **argv)
 						"%s: %s\n",optarg,
 						ldns_get_errorstr_by_id(s));
 				}
+				ldns_rr_list_deep_free(keys);
                                 exit(EXIT_FAILURE);
 			}
 			if (ldns_rr_list_rr_count(keys) == nkeys) {
@@ -812,6 +815,7 @@ main(int argc, char **argv)
 						"No keys found in file %s\n",
 						optarg);
 				}
+				ldns_rr_list_deep_free(keys);
 				exit(EXIT_FAILURE);
 			}
 			nkeys = ldns_rr_list_rr_count(keys);
@@ -824,6 +828,7 @@ main(int argc, char **argv)
 						"percentage needs to fall "
 						"between 0..100\n");
 				}
+				ldns_rr_list_deep_free(keys);
                                 exit(EXIT_FAILURE);
                         }
                         srandom(time(NULL) ^ getpid());
@@ -850,6 +855,7 @@ main(int argc, char **argv)
 		case 'v':
 			printf("verify-zone version %s (ldns version %s)\n",
 					LDNS_VERSION, ldns_version());
+			ldns_rr_list_deep_free(keys);
 			exit(EXIT_SUCCESS);
 			break;
 		case 'V':
@@ -869,6 +875,7 @@ main(int argc, char **argv)
 				fprintf(myerr, "Unable to chase "
 						"signature without keys.\n");
 			}
+			ldns_rr_list_deep_free(keys);
 			exit(EXIT_FAILURE);
 		}
 	}
@@ -887,10 +894,12 @@ main(int argc, char **argv)
 				fprintf(myerr, "Unable to open %s: %s\n",
 					filename, strerror(errno));
 			}
+			ldns_rr_list_deep_free(keys);
 			exit(EXIT_FAILURE);
 		}
 	} else {
 		print_usage(stderr, progname);
+		ldns_rr_list_deep_free(keys);
 		exit(EXIT_FAILURE);
 	}
 
@@ -901,6 +910,7 @@ main(int argc, char **argv)
 			fprintf(myerr, "%s at line %d\n",
 				ldns_get_errorstr_by_id(s), line_nr);
 		}
+		ldns_rr_list_deep_free(keys);
                 exit(EXIT_FAILURE);
 	}
 	if (!dnssec_zone->soa) {
@@ -908,6 +918,7 @@ main(int argc, char **argv)
 			fprintf(myerr,
 				"; Error: no SOA in the zone\n");
 		}
+		ldns_rr_list_deep_free(keys);
 		exit(EXIT_FAILURE);
 	}
 
@@ -961,6 +972,7 @@ main(int argc, char **argv)
 
 	ldns_dnssec_zone_deep_free(dnssec_zone);
 	fclose(fp);
+	ldns_rr_list_deep_free(keys);
 	exit(result);
 }
 
diff --git a/ldns/error.h b/ldns/error.h
index 011df284..a76eb2ec 100644
--- a/ldns/error.h
+++ b/ldns/error.h
@@ -143,7 +143,8 @@ enum ldns_enum_status {
 	LDNS_STATUS_SVCPARAM_KEY_MORE_THAN_ONCE,
 	LDNS_STATUS_INVALID_SVCPARAM_VALUE,
 	LDNS_STATUS_NOT_EDE,
-	LDNS_STATUS_EDE_OPTION_MALFORMED
+	LDNS_STATUS_EDE_OPTION_MALFORMED,
+	LDNS_STATUS_EQUAL_RR
 };
 typedef enum ldns_enum_status ldns_status;