From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Tue, 16 Jun 2026 08:40:10 +0000 (+0200)
Subject: - Fix that dnscrypt configuration does not crash, due to
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a45e54555dc2fcdb13f2209c08ef756bac3a631d;p=thirdparty%2Funbound.git

- Fix that dnscrypt configuration does not crash, due to
  inconsistency between secret and public keys. Also
  duplicate files are skipped. Thanks to Qifan Zhang, Palo
  Alto Networks, for the report.
---

diff --git a/dnscrypt/dnscrypt.c b/dnscrypt/dnscrypt.c
index 173484cdf..c4289dd68 100644
--- a/dnscrypt/dnscrypt.c
+++ b/dnscrypt/dnscrypt.c
@@ -830,7 +830,14 @@ dnsc_parse_keys(struct dnsc_env *env, struct config_file *cfg)
 			if(memcmp(current_keypair->crypt_publickey,
 				env->signed_certs[c].server_publickey,
 				crypto_box_PUBLICKEYBYTES) == 0) {
-				dnsccert *current_cert = &env->certs[cert_id++];
+				dnsccert* current_cert;
+				if(cert_id >= env->signed_certs_count) {
+					log_err("dnscrypt: secret key %s matches a cert that "
+						"is already bound to another key (duplicate "
+						"dnscrypt-secret-key?)", head->str);
+					return -1;
+				}
+				current_cert = &env->certs[cert_id++];
 				found_cert = 1;
 				current_cert->keypair = current_keypair;
 				memcpy(current_cert->magic_query,
diff --git a/doc/Changelog b/doc/Changelog
index 9cb8c1fb5..65c5983f2 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -32,7 +32,10 @@
 	  list does not crash later. The newly created RRset is
 	  linked after creation has succeeded. Thanks to Qifan Zhang,
 	  Palo Alto Networks, for the report.
-
+	- Fix that dnscrypt configuration does not crash, due to
+	  inconsistency between secret and public keys. Also
+	  duplicate files are skipped. Thanks to Qifan Zhang, Palo
+	  Alto Networks, for the report.
 
 15 June 2026: Wouter
 	- Fix to add `max-transfer-size` and `max-transfer-time` that
diff --git a/util/configparser.y b/util/configparser.y
index 71cb56ba9..6e01b15d7 100644
--- a/util/configparser.y
+++ b/util/configparser.y
@@ -3862,10 +3862,12 @@ dnsc_dnscrypt_provider: VAR_DNSCRYPT_PROVIDER STRING_ARG
 dnsc_dnscrypt_provider_cert: VAR_DNSCRYPT_PROVIDER_CERT STRING_ARG
 	{
 		OUTYY(("P(dnsc_dnscrypt_provider_cert:%s)\n", $2));
-		if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_provider_cert, $2))
+		if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_provider_cert, $2)) {
 			log_warn("dnscrypt-provider-cert %s is a duplicate", $2);
-		if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert, $2))
+			free($2);
+		} else if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_provider_cert, $2)) {
 			fatal_exit("out of memory adding dnscrypt-provider-cert");
+		}
 	}
 	;
 dnsc_dnscrypt_provider_cert_rotated: VAR_DNSCRYPT_PROVIDER_CERT_ROTATED STRING_ARG
@@ -3878,10 +3880,12 @@ dnsc_dnscrypt_provider_cert_rotated: VAR_DNSCRYPT_PROVIDER_CERT_ROTATED STRING_A
 dnsc_dnscrypt_secret_key: VAR_DNSCRYPT_SECRET_KEY STRING_ARG
 	{
 		OUTYY(("P(dnsc_dnscrypt_secret_key:%s)\n", $2));
-		if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_secret_key, $2))
+		if(cfg_strlist_find(cfg_parser->cfg->dnscrypt_secret_key, $2)) {
 			log_warn("dnscrypt-secret-key: %s is a duplicate", $2);
-		if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_secret_key, $2))
+			free($2);
+		} else if(!cfg_strlist_insert(&cfg_parser->cfg->dnscrypt_secret_key, $2)) {
 			fatal_exit("out of memory adding dnscrypt-secret-key");
+		}
 	}
 	;
 dnsc_dnscrypt_shared_secret_cache_size: VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE STRING_ARG