2599. [bug] Address rapid memory growth when validation fails.

                        [RT #19654]

diff --git a/CHANGES b/CHANGES
index 5ee6badb7219c170c8dd7d00dbb24cc20cf38e06..e1d1193ecab34946ae6a6b0fd60fef32957919e2 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,7 @@
 2597.  [bug]           Handle a validation failure with a insecure delegation
+2599.  [bug]           Address rapid memory growth when validation fails.
+                       [RT #19654]
+
                        from a NSEC3 signed master/slave zone.  [RT #19464]
 
 2596.  [bug]           Stale tree nodes of cache/dynamic rbtdb could stay

diff --git a/lib/dns/resolver.c b/lib/dns/resolver.c
index 39ff4bd18ee2462c248c88540c70ebcb053e393c..50f0d861065dcae2bd921afdab3385e4c87e415c 100644 (file)
--- a/lib/dns/resolver.c
+++ b/lib/dns/resolver.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: resolver.c,v 1.384.14.9 2009/02/27 23:05:22 marka Exp $ */
+/* $Id: resolver.c,v 1.384.14.10 2009/05/11 02:25:11 marka Exp $ */
 
 /*! \file */
 
@@ -4228,53 +4228,53 @@ cache_name(fetchctx_t *fctx, dns_name_t *name, dns_adbaddrinfo_t *addrinfo,
                        rdataset->trust = dns_trust_pending;
                        if (sigrdataset != NULL)
                                sigrdataset->trust = dns_trust_pending;
-                       if (!need_validation)
+                       if (!need_validation || !ANSWER(rdataset)) {
                                addedrdataset = ardataset;
-                       else
-                               addedrdataset = NULL;
-                       result = dns_db_addrdataset(fctx->cache, node, NULL,
-                                                   now, rdataset, 0,
-                                                   addedrdataset);
-                       if (result == DNS_R_UNCHANGED) {
-                               result = ISC_R_SUCCESS;
-                               if (!need_validation &&
-                                   ardataset != NULL &&
-                                   ardataset->type == 0) {
-                                       /*
-                                        * The answer in the cache is better
-                                        * than the answer we found, and is
-                                        * a negative cache entry, so we
-                                        * must set eresult appropriately.
-                                        */
-                                       if (NXDOMAIN(ardataset))
-                                               eresult = DNS_R_NCACHENXDOMAIN;
-                                       else
-                                               eresult = DNS_R_NCACHENXRRSET;
-                                       /*
-                                        * We have a negative response from
-                                        * the cache so don't attempt to
-                                        * add the RRSIG rrset.
-                                        */
-                                       continue;
-                               }
-                       }
-                       if (result != ISC_R_SUCCESS)
-                               break;
-                       if (sigrdataset != NULL) {
-                               if (!need_validation)
-                                       addedrdataset = asigrdataset;
-                               else
-                                       addedrdataset = NULL;
-                               result = dns_db_addrdataset(fctx->cache,
-                                                           node, NULL, now,
-                                                           sigrdataset, 0,
-                                                           addedrdataset);
-                               if (result == DNS_R_UNCHANGED)
+                               result = dns_db_addrdataset(fctx->cache, node,
+                                                           NULL, now, rdataset,
+                                                           0, addedrdataset);
+                               if (result == DNS_R_UNCHANGED) {
                                        result = ISC_R_SUCCESS;
+                                       if (!need_validation &&
+                                           ardataset != NULL &&
+                                           ardataset->type == 0) {
+                                               /*
+                                                * The answer in the cache isi
+                                                * better than the answer we
+                                                * found, and is a negative
+                                                * cache entry, so we must set
+                                                * eresult appropriately.
+                                                */
+                                               if (NXDOMAIN(ardataset))
+                                                       eresult =
+                                                          DNS_R_NCACHENXDOMAIN;
+                                               else
+                                                       eresult =
+                                                          DNS_R_NCACHENXRRSET;
+                                               /*
+                                                * We have a negative response
+                                                * from the cache so don't
+                                                * attempt to add the RRSIG
+                                                * rrset.
+                                                */
+                                               continue;
+                                       }
+                               }
                                if (result != ISC_R_SUCCESS)
                                        break;
-                       } else if (!ANSWER(rdataset))
-                               continue;
+                               if (sigrdataset != NULL) {
+                                       addedrdataset = asigrdataset;
+                                       result = dns_db_addrdataset(fctx->cache,
+                                                               node, NULL, now,
+                                                               sigrdataset, 0,
+                                                               addedrdataset);
+                                       if (result == DNS_R_UNCHANGED)
+                                               result = ISC_R_SUCCESS;
+                                       if (result != ISC_R_SUCCESS)
+                                               break;
+                               } else if (!ANSWER(rdataset))
+                                       continue;
+                       } 
 
                        if (ANSWER(rdataset) && need_validation) {
                                if (fctx->type != dns_rdatatype_any &&