Adjust RPZ trigger counts only when the entry being deleted exists (#43386)

(cherry picked from commit f23c10f925bb56529b7b472b147ec657c73e40e3)
(cherry picked from commit 9a8b2b3ab35fbbdf03acba32dade90ad91f75742)

diff --git a/CHANGES b/CHANGES
index 8b78c0a2a8fd17d65d59a053ca12d9d9f70a8416..546c29c6d957df3a9e3132a1f1f9bbac5e16ed21 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+4600.  [bug]           Adjust RPZ trigger counts only when the entry
+                       being deleted exists. [RT #43386]
+
 4599.  [bug]           Fix inconsistencies in inline signing time
                        comparison that were introduced with the
                        introduction of rdatasetheader->resign_lsb.

diff --git a/lib/dns/rbtdb.c b/lib/dns/rbtdb.c
index 2afb2ea834d7d861644d3dff92b46b3a18799f70..c9350daf73e7833b6e2b3579ec1359895e4b7d98 100644 (file)
--- a/lib/dns/rbtdb.c
+++ b/lib/dns/rbtdb.c
@@ -1902,7 +1902,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
                name = dns_fixedname_name(&fname);
                dns_rbt_fullnamefromnode(node, name);
 
+               /*
+                * dns_rbt_deletenode() may keep the node if it has a
+                * down pointer, but we mustn't call dns_rpz_delete() on
+                * it again.
+                */
                node_has_rpz = node->rpz;
+               node->rpz = 0;
                result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
                if (result == ISC_R_SUCCESS &&
                    rbtdb->rpzs != NULL && node_has_rpz)
@@ -1939,7 +1945,13 @@ delete_node(dns_rbtdb_t *rbtdb, dns_rbtnode_t *node) {
                                              isc_result_totext(result));
                        }
                }
+               /*
+                * dns_rbt_deletenode() may keep the node if it has a
+                * down pointer, but we mustn't call dns_rpz_delete() on
+                * it again.
+                */
                node_has_rpz = node->rpz;
+               node->rpz = 0;
                result = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
                if (result == ISC_R_SUCCESS &&
                    rbtdb->rpzs != NULL && node_has_rpz)
@@ -7141,8 +7153,12 @@ loadnode(dns_rbtdb_t *rbtdb, dns_name_t *name, dns_rbtnode_t **nodep,
 
                /*
                 * Remove the node we just added above.
+                * dns_rbt_deletenode() may keep the node if it has a
+                * down pointer, but we mustn't call dns_rpz_delete() on
+                * it again.
                 */
                node_has_rpz = node->rpz;
+               node->rpz = 0;
                tmpresult = dns_rbt_deletenode(rbtdb->tree, node, ISC_FALSE);
                if (tmpresult == ISC_R_SUCCESS) {
                        /*

diff --git a/lib/dns/rpz.c b/lib/dns/rpz.c
index 567687564718cd31bbb5d5d8b1744d6ee95d0016..10e25ce83492687f9aef1bffa26720fd37920b22 100644 (file)
--- a/lib/dns/rpz.c
+++ b/lib/dns/rpz.c
@@ -2025,6 +2025,7 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
        dns_rbtnode_t *nmnode;
        dns_rpz_nm_data_t *nm_data, del_data;
        isc_result_t result;
+       isc_boolean_t exists;
 
        /*
         * We need a summary database of names even with 1 policy zone,
@@ -2068,6 +2069,9 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
        del_data.wild.qname &= nm_data->wild.qname;
        del_data.wild.ns &= nm_data->wild.ns;
 
+       exists = ISC_TF(del_data.set.qname != 0 || del_data.set.ns != 0 ||
+                       del_data.wild.qname != 0 || del_data.wild.ns != 0);
+
        nm_data->set.qname &= ~del_data.set.qname;
        nm_data->set.ns &= ~del_data.set.ns;
        nm_data->wild.qname &= ~del_data.wild.qname;
@@ -2088,7 +2092,8 @@ del_name(dns_rpz_zones_t *rpzs, dns_rpz_num_t rpz_num,
                }
        }
 
-       adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
+       if (exists)
+               adj_trigger_cnt(rpzs, rpz_num, rpz_type, NULL, 0, ISC_FALSE);
 }
 
 /*