From: W.C.A. Wijngaards <wouter@nlnetlabs.nl>
Date: Wed, 17 Jun 2026 13:26:56 +0000 (+0200)
Subject: - Fix that malloc failure for new_local_rrset for RPZ qname
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=fa8e94f155ee75f90d2744c12d4b5c0dbead3582;p=thirdparty%2Funbound.git

- Fix that malloc failure for new_local_rrset for RPZ qname
  trigger RR insert does not crash. It does not link a
  partial RRset, and logs an error on failure, and cleans
  up the dname allocation. Thanks to Qifan Zhang, Palo Alto
  Networks, for the report.
---

diff --git a/doc/Changelog b/doc/Changelog
index ce19e50a4..b3751dd5a 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -18,6 +18,11 @@
 	  not set up a half-built reply for cache store, that could
 	  lead to a crash. Thanks to Qifan Zhang, Palo Alto Networks,
 	  for the report.
+	- Fix that malloc failure for new_local_rrset for RPZ qname
+	  trigger RR insert does not crash. It does not link a
+	  partial RRset, and logs an error on failure, and cleans
+	  up the dname allocation. Thanks to Qifan Zhang, Palo Alto
+	  Networks, for the report.
 
 16 June 2026: Wouter
 	- Fix to disallow $INCLUDE for secondary zones. Start up
diff --git a/services/localzone.c b/services/localzone.c
index 7ad9376a9..77fc5b6b9 100644
--- a/services/localzone.c
+++ b/services/localzone.c
@@ -386,8 +386,6 @@ new_local_rrset(struct regional* region, struct local_data* node,
 		log_err("out of memory");
 		return NULL;
 	}
-	rrset->next = node->rrsets;
-	node->rrsets = rrset;
 	rrset->rrset = (struct ub_packed_rrset_key*)
 		regional_alloc_zero(region, sizeof(*rrset->rrset));
 	if(!rrset->rrset) {
@@ -408,6 +406,8 @@ new_local_rrset(struct regional* region, struct local_data* node,
 	rrset->rrset->rk.dname_len = node->namelen;
 	rrset->rrset->rk.type = htons(rrtype);
 	rrset->rrset->rk.rrset_class = htons(rrclass);
+	rrset->next = node->rrsets;
+	node->rrsets = rrset;
 	return rrset;
 }
 
diff --git a/services/rpz.c b/services/rpz.c
index 46c23adf0..70bbeda56 100644
--- a/services/rpz.c
+++ b/services/rpz.c
@@ -721,13 +721,22 @@ rpz_insert_local_zones_trigger(struct local_zones* lz, uint8_t* dname,
 		char* rrstr = sldns_wire2str_rr(rr, rr_len);
 		if(rrstr == NULL) {
 			log_err("malloc error while inserting rpz nsdname trigger");
-			free(dname);
+			if(!newzone)
+				free(dname);
 			lock_rw_unlock(&lz->lock);
 			return;
 		}
 		lock_rw_wrlock(&z->lock);
-		local_zone_enter_rr(z, dname, dnamelen, dnamelabs, rrtype,
-				    rrclass, ttl, rdata, rdata_len, rrstr);
+		if(!local_zone_enter_rr(z, dname, dnamelen, dnamelabs, rrtype,
+				    rrclass, ttl, rdata, rdata_len, rrstr)) {
+			log_err("rpz: could not enter local-data: %s", rrstr);
+			if(!newzone)
+				free(dname);
+			lock_rw_unlock(&z->lock);
+			lock_rw_unlock(&lz->lock);
+			free(rrstr);
+			return;
+		}
 		lock_rw_unlock(&z->lock);
 		free(rrstr);
 	}