From: Evan Hunt Date: Wed, 13 May 2026 21:37:42 +0000 (-0700) Subject: Check dns_rdata_fromstruct() return values X-Git-Url: http://git.ipfire.org/gitweb/index.cgi?a=commitdiff_plain;h=175d418e2840b2779b4aa21ae7663eddab5cf1d9;p=thirdparty%2Fbind9.git Check dns_rdata_fromstruct() return values The in some functions implementing RFC 5011 key maintenance, the results of dns_rdata_fromstruct() were not checked. This has been fixed. --- diff --git a/lib/dns/zone.c b/lib/dns/zone.c index 3638e06c855..7dd82b81205 100644 --- a/lib/dns/zone.c +++ b/lib/dns/zone.c @@ -3413,15 +3413,15 @@ compute_tag(dns_name_t *name, dns_rdata_dnskey_t *dnskey, isc_mem_t *mctx, dst_key_t *dstkey = NULL; isc_buffer_init(&buffer, data, sizeof(data)); - dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, - dns_rdatatype_dnskey, dnskey, &buffer); - result = dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey); - if (result == ISC_R_SUCCESS) { - *tag = dst_key_id(dstkey); - dst_key_free(&dstkey); - } + CHECK(dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, + dns_rdatatype_dnskey, dnskey, &buffer)); + CHECK(dns_dnssec_keyfromrdata(name, &rdata, mctx, &dstkey)); + + *tag = dst_key_id(dstkey); + dst_key_free(&dstkey); +cleanup: return result; } @@ -3455,15 +3455,12 @@ trust_key(dns_zone_t *zone, dns_name_t *keyname, dns_rdata_dnskey_t *dnskey, dns_keytable_t *sr = NULL; dns_rdata_ds_t ds; - result = dns_view_getsecroots(zone->view, &sr); - if (result != ISC_R_SUCCESS) { - return; - } + CHECK(dns_view_getsecroots(zone->view, &sr)); /* Build DS record for key. */ isc_buffer_init(&buffer, data, sizeof(data)); - dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, - dns_rdatatype_dnskey, dnskey, &buffer); + CHECK(dns_rdata_fromstruct(&rdata, dnskey->common.rdclass, + dns_rdatatype_dnskey, dnskey, &buffer)); CHECK(dns_ds_fromkeyrdata(keyname, &rdata, DNS_DSDIGEST_SHA256, digest, sizeof(digest), &ds)); CHECK(dns_keytable_add(sr, true, initial, keyname, &ds, sfd_add, @@ -8722,7 +8719,7 @@ normalize_key(dns_rdata_t *rr, dns_rdata_t *target, unsigned char *data, dns_rdata_dnskey_t dnskey; dns_rdata_keydata_t keydata; isc_buffer_t buf; - isc_result_t result; + isc_result_t result = ISC_R_SUCCESS; dns_rdata_reset(target); isc_buffer_init(&buf, data, size); @@ -8732,8 +8729,9 @@ normalize_key(dns_rdata_t *rr, dns_rdata_t *target, unsigned char *data, result = dns_rdata_tostruct(rr, &dnskey, NULL); RUNTIME_CHECK(result == ISC_R_SUCCESS); dnskey.flags &= ~DNS_KEYFLAG_REVOKE; - dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey, - &dnskey, &buf); + result = dns_rdata_fromstruct(target, rr->rdclass, + dns_rdatatype_dnskey, &dnskey, + &buf); break; case dns_rdatatype_keydata: result = dns_rdata_tostruct(rr, &keydata, NULL); @@ -8742,13 +8740,15 @@ normalize_key(dns_rdata_t *rr, dns_rdata_t *target, unsigned char *data, } RUNTIME_CHECK(result == ISC_R_SUCCESS); dns_keydata_todnskey(&keydata, &dnskey, NULL); - dns_rdata_fromstruct(target, rr->rdclass, dns_rdatatype_dnskey, - &dnskey, &buf); + result = dns_rdata_fromstruct(target, rr->rdclass, + dns_rdatatype_dnskey, &dnskey, + &buf); break; default: UNREACHABLE(); } - return ISC_R_SUCCESS; + + return result; } /* @@ -8952,8 +8952,13 @@ revocable(dns_zonefetch_t *fetch, dns_rdata_keydata_t *keydata) { /* Generate a key from keydata */ isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); dns_keydata_todnskey(keydata, &dnskey, NULL); - dns_rdata_fromstruct(&rr, keydata->common.rdclass, dns_rdatatype_dnskey, - &dnskey, &keyb); + + result = dns_rdata_fromstruct(&rr, keydata->common.rdclass, + dns_rdatatype_dnskey, &dnskey, &keyb); + if (result != ISC_R_SUCCESS) { + return false; + } + result = dns_dnssec_keyfromrdata(keyname, &rr, mctx, &dstkey); if (result != ISC_R_SUCCESS) { return false; @@ -9331,9 +9336,16 @@ anchors_done: dns_rdata_reset(&keydatarr); isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); - dns_rdata_fromstruct(&keydatarr, zone->rdclass, - dns_rdatatype_keydata, &keydata, - &keyb); + result = dns_rdata_fromstruct(&keydatarr, zone->rdclass, + dns_rdatatype_keydata, + &keydata, &keyb); + if (result != ISC_R_SUCCESS) { + dnssec_log(zone, ISC_LOG_WARNING, + "dns_rdata_fromstruct failed: " + "KEYDATA %d: %s", + keytag, isc_result_totext(result)); + continue; + } /* Insert updated version */ CHECK(update_one_rr(kfetch->db, ver, &diff, @@ -9560,9 +9572,16 @@ anchors_done: keydata.refresh = refresh_time(fetch, false); dns_rdata_reset(&keydatarr); isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); - dns_rdata_fromstruct(&keydatarr, zone->rdclass, - dns_rdatatype_keydata, &keydata, - &keyb); + result = dns_rdata_fromstruct(&keydatarr, zone->rdclass, + dns_rdatatype_keydata, + &keydata, &keyb); + if (result != ISC_R_SUCCESS) { + dnssec_log(zone, ISC_LOG_WARNING, + "dns_rdata_fromstruct failed: " + "KEYDATA %d: %s", + keytag, isc_result_totext(result)); + continue; + } /* Insert updated version */ CHECK(update_one_rr(kfetch->db, ver, &diff, @@ -9580,9 +9599,9 @@ anchors_done: keydata.refresh = refresh_time(fetch, false); dns_rdata_reset(&keydatarr); isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); - dns_rdata_fromstruct(&keydatarr, zone->rdclass, - dns_rdatatype_keydata, &keydata, - &keyb); + CHECK(dns_rdata_fromstruct(&keydatarr, zone->rdclass, + dns_rdatatype_keydata, + &keydata, &keyb)); /* Insert into key zone */ CHECK(update_one_rr(kfetch->db, ver, &diff,