resolved: check return value of gcrypt APIs

author Luca Boccassi <luca.boccassi@microsoft.com>

Thu, 20 May 2021 09:36:18 +0000 (10:36 +0100)

committer Luca Boccassi <luca.boccassi@microsoft.com>

Thu, 20 May 2021 09:47:41 +0000 (10:47 +0100)
author Luca Boccassi <luca.boccassi@microsoft.com>
Thu, 20 May 2021 09:36:18 +0000 (10:36 +0100)
committer Luca Boccassi <luca.boccassi@microsoft.com>
Thu, 20 May 2021 09:47:41 +0000 (10:47 +0100)
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c

index 4fa3c1d995df7f00e9936026456a1595bec0941d..91da5b65156e85f805582c3611728057e11f084b 100644 (file)
--- a/src/resolve/resolved-dns-dnssec.c
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -805,7 +805,9 @@ int dnssec_verify_rrset(
          case DNSSEC_ALGORITHM_ED448:
                  *result = DNSSEC_UNSUPPORTED_ALGORITHM;
                  return 0;
-        default:
+        default: {
+                gcry_error_t err;
+
                  /* OK, the RRs are now in canonical order. Let's calculate the digest */
                  md_algorithm = algorithm_to_gcrypt_md(rrsig->rrsig.algorithm);
                  if (md_algorithm == -EOPNOTSUPP) {
@@ -815,8 +817,8 @@ int dnssec_verify_rrset(
                  if (md_algorithm < 0)
                          return md_algorithm;
  
-                gcry_md_open(&md, md_algorithm, 0);
-                if (!md)
+                err = gcry_md_open(&md, md_algorithm, 0);
+                if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
                          return -EIO;
  
                  hash_size = gcry_md_get_algo_dlen(md_algorithm);
@@ -828,6 +830,7 @@ int dnssec_verify_rrset(
                  if (!hash)
                          return -EIO;
          }
+        }
  
          switch (rrsig->rrsig.algorithm) {
author	Luca Boccassi <luca.boccassi@microsoft.com>
	Thu, 20 May 2021 09:36:18 +0000 (10:36 +0100)
committer	Luca Boccassi <luca.boccassi@microsoft.com>
	Thu, 20 May 2021 09:47:41 +0000 (10:47 +0100)