From: Ondřej Surý
Date: Sat, 14 Mar 2026 11:53:03 +0000 (+0100)
Subject: Fix TSIG key and transport leaks in zone_notify() error paths
X-Git-Tag: v9.20.22~29^2~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=109d10049539af26dcc7244e1f20e7ea135433d7;p=thirdparty%2Fbind9.git
Fix TSIG key and transport leaks in zone_notify() error paths
Two 'goto next' paths in zone_notify() skipped detaching the TSIG key and transport, leaking them on TLS configuration failure and when the destination address is disabled.
(cherry picked from commit 1505cb1c24fcbfcf43b1a1de6957c73afacccdd1)
---
diff --git a/lib/dns/zone.c b/lib/dns/zone.c
index 40b0e1fdade..705795d443c 100644
--- a/lib/dns/zone.c
+++ b/lib/dns/zone.c
@@ -13020,6 +13020,9 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 "could not get TLS configuration "
 "for zone transfer: %s",
 isc_result_totext(result));
+ if (key != NULL) {
+ dns_tsigkey_detach(&key);
+ }
 goto next;
 }
@@ -13033,6 +13036,12 @@ zone_notify(dns_zone_t *zone, isc_time_t *now) {
 INSIST(isc_sockaddr_pf(&src) == isc_sockaddr_pf(&dst));
 if (isc_sockaddr_disabled(&dst)) {
+ if (key != NULL) {
+ dns_tsigkey_detach(&key);
+ }
+ if (transport != NULL) {
+ dns_transport_detach(&transport);
+ }
 goto next;
 }
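Review bot: In the first hunk, the TLS-configuration failure path before `goto next` releases only `key`, while the commit message names both the TSIG key and the transport as leaked on this path and the second hunk releases both. If `transport` is always NULL here because the lookup that just failed never attached it, say so with a comment such as `/* transport lookup failed, nothing to detach */`; if it can be non-NULL, add `if (transport != NULL) { dns_transport_detach(&transport); }` as in the second hunk. The call that sets `transport` and the rest of the enclosing block lie outside the hunk, so this cannot be confirmed from the visible lines.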
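Review bot: The key/transport release added before `goto next` in the second hunk (the disabled-destination path) repeats the guard from the first hunk, so every future early exit in this loop has to remember the same lines or the reference leak returns. Consider doing the release once at the `next:` label, with `if (key != NULL) { dns_tsigkey_detach(&key); }` and the matching `dns_transport_detach(&transport)` guard there, provided the paths that hand the references on leave the pointers NULL first. The label and the success path are outside the hunk, so that precondition needs checking against the full function. A leaked TSIG key reference presumably keeps the key object, including its secret, allocated after the key is dropped from configuration, which is a reason to make this cleanup hard to miss.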