From: Ondřej Surý Date: Sat, 14 Mar 2026 11:54:50 +0000 (+0100) Subject: Fix KASP key leaks on keystore lookup failure X-Git-Tag: v9.21.21~41^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=df1993611bae62ad0267d8652d599b4158f3e9a9;p=thirdparty%2Fbind9.git Fix KASP key leaks on keystore lookup failure In both cfg_kasp_fromconfig() and cfg_kasp_builtinconfig(), the newly allocated KASP key was not destroyed when the keystore lookup failed.
---
diff --git a/lib/isccfg/kaspconf.c b/lib/isccfg/kaspconf.c
index 6593f78145a..ab4df8a51d5 100644
--- a/lib/isccfg/kaspconf.c
+++ b/lib/isccfg/kaspconf.c
@@ -817,6 +817,7 @@ cfg_kasp_fromconfig(const cfg_obj_t *config, dns_kasp_t *default_kasp,
 "find keystore (%s)",
 isc_result_totext(result));
 }
+ dns_kasp_key_destroy(new_key);
 goto cleanup;
 }
 dns_kasp_addkey(kasp, new_key);
@@ -930,9 +931,13 @@ cfg_kasp_builtinconfig(isc_mem_t *mctx, const char *name,
 new_key->lifetime = 0;
 new_key->algorithm = DST_ALG_ECDSA256;
 new_key->length = 256;
- CHECK(dns_keystorelist_find(keystorelist,
- DNS_KEYSTORE_KEYDIRECTORY,
- &new_key->keystore));
+ result = dns_keystorelist_find(keystorelist,
+ DNS_KEYSTORE_KEYDIRECTORY,
+ &new_key->keystore);
+ if (result != ISC_R_SUCCESS) {
+ dns_kasp_key_destroy(new_key);
+ goto cleanup;
+ }
 dns_kasp_addkey(kasp, new_key);
 }
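Review bot: The key is released by hand directly in front of `goto cleanup` in this branch of cfg_kasp_fromconfig(), and the second hunk repeats the pattern in cfg_kasp_builtinconfig(), so any failure exit added later between key creation and `dns_kasp_addkey()` would reintroduce the leak. The creation of `new_key` and the `cleanup` label are outside the visible lines, so this is a suggestion rather than a confirmed gap: if `new_key` is in scope at `cleanup`, releasing it there and clearing the pointer after the hand-off would cover every exit. At minimum I would record the ownership rule next to the call, e.g. `/* new_key is not owned by kasp until dns_kasp_addkey(); destroy it on every early exit */`. A test that forces the keystore lookup to fail under the project's memory-leak checking would keep both paths from regressing.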
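Review bot: The new failure branch in cfg_kasp_builtinconfig() goes to `cleanup` without any diagnostic, while the parallel branch in cfg_kasp_fromconfig() logs "find keystore (%s)" with `isc_result_totext(result)`. An operator whose built-in policy fails to load would then see only whatever the caller makes of the returned result; whether a logging context is available in this function is not visible in the hunk. If it is, I would log the result text here as well; if it is not, a comment such as `/* no diagnostic here: the caller is expected to report result */` would document that the silence is deliberate. The function body starts and ends outside the hunk.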