validator.c:check_signer now clones val->event->sigrdataset
authorMark Andrews <marka@isc.org>
Wed, 17 Nov 2021 02:09:03 +0000 (13:09 +1100)
committerMark Andrews <marka@isc.org>
Fri, 1 Aug 2025 13:55:38 +0000 (23:55 +1000)
Spurious validation failures were traced back to check_signer looping
over val->event->sigrdataset directly.  Cloning val->event->sigrdataset
prevents check_signer from interfering with callers that are also
looping over val->event->sigrdataset.

(cherry picked from commit 8aa130f253b11e61d87dadea576e2c1430ce8dcc)

lib/dns/validator.c

index 1c319560fd0ad7f1bce387fdc34a80297c8a0a79..55138d25906d0637c02374add7d1b03a4c6b79a0 100644 (file)
@@ -1668,14 +1668,16 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
        dns_rdata_rrsig_t sig;
        dst_key_t *dstkey = NULL;
        isc_result_t result;
+       dns_rdataset_t rdataset = DNS_RDATASET_INIT;
 
-       for (result = dns_rdataset_first(val->event->sigrdataset);
-            result == ISC_R_SUCCESS;
-            result = dns_rdataset_next(val->event->sigrdataset))
+       dns_rdataset_clone(val->event->sigrdataset, &rdataset);
+
+       for (result = dns_rdataset_first(&rdataset); result == ISC_R_SUCCESS;
+            result = dns_rdataset_next(&rdataset))
        {
                dns_rdata_t rdata = DNS_RDATA_INIT;
 
-               dns_rdataset_current(val->event->sigrdataset, &rdata);
+               dns_rdataset_current(&rdataset, &rdata);
                result = dns_rdata_tostruct(&rdata, &sig, NULL);
                RUNTIME_CHECK(result == ISC_R_SUCCESS);
                if (keyid != sig.keyid || algorithm != sig.algorithm) {
@@ -1701,6 +1703,7 @@ check_signer(dns_validator_t *val, dns_rdata_t *keyrdata, uint16_t keyid,
        if (dstkey != NULL) {
                dst_key_free(&dstkey);
        }
+       dns_rdataset_disassociate(&rdataset);
 
        return result;
 }
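Review bot: The `dns_rdataset_disassociate(&rdataset);` added before the final `return result;` only covers the fall-through exit; the loop body between the two hunks is outside this view, and if it contains an early `return` (the old code had no cleanup obligation, so one would have been harmless), the clone taken at the top of check_signer is never disassociated and its reference leaks on that path. Every exit after `dns_rdataset_clone(val->event->sigrdataset, &rdataset);` should reach the disassociate, e.g. by turning an early return into `result = ...; break;`, or by routing it through a cleanup label above the `dst_key_free` check. A one-line why-comment above the clone would also help future readers, since the rationale currently lives only in the commit message: `/* Iterate over a private clone so we do not disturb callers that are also iterating val->event->sigrdataset. */`. Note that the first hunk's loop body ends outside the hunk, so the presence or absence of such an early return cannot be confirmed from the diff alone.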