From 02b8356a19b119d895d611c9ce17f24a207faa6d Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 23 Jun 2020 10:26:01 +1000
Subject: [PATCH] The validator could fail when select_signing_key/get_dst_key failed to select the signing key because the algorithm was not supported and the loop was prematurely aborted.
(cherry picked from commit d475f3aeedbb0dff940ff5bd25c71fcfc3a71f95)
---
 lib/dns/validator.c | 33 ++++++++++++++++-----------------
 1 file changed, 16 insertions(+), 17 deletions(-)
diff --git a/lib/dns/validator.c b/lib/dns/validator.c
index 864301ba1b..092de65172 100644
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1651,26 +1651,25 @@ get_dst_key(dns_validator_t *val, dns_rdata_rrsig_t *siginfo,
 INSIST(val->key == NULL);
 result = dst_key_fromdns(&siginfo->signer, rdata.rdclass, &b, val->view->mctx, &val->key);
- if (result != ISC_R_SUCCESS)
- goto failure;
- if (siginfo->algorithm ==
- (dns_secalg_t)dst_key_alg(val->key) &&
- siginfo->keyid ==
- (dns_keytag_t)dst_key_id(val->key) &&
- dst_key_iszonekey(val->key))
- {
- if (foundold)
- /*
- * This is the key we're looking for.
- */
- return (ISC_R_SUCCESS);
- else if (dst_key_compare(oldkey, val->key) == ISC_TRUE)
+ if (result == ISC_R_SUCCESS) {
+ if (siginfo->algorithm ==
+ (dns_secalg_t)dst_key_alg(val->key) &&
+ siginfo->keyid ==
+ (dns_keytag_t)dst_key_id(val->key) &&
+ dst_key_iszonekey(val->key))
 {
- foundold = ISC_TRUE;
- dst_key_free(&oldkey);
+ if (foundold) {
+ /*
+ * This is the key we're looking for.
+ */
+ return (ISC_R_SUCCESS);
+ } else if (dst_key_compare(oldkey, val->key)) {
+ foundold = ISC_TRUE;
+ dst_key_free(&oldkey);
+ }
 }
+ dst_key_free(&val->key);
 }
- dst_key_free(&val->key);
 dns_rdata_reset(&rdata);
 result = dns_rdataset_next(rdataset);
 } while (result == ISC_R_SUCCESS);
--
2.26.2
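Review bot: The loop now depends on `dst_key_fromdns()` leaving `val->key` NULL whenever it fails: on failure the new `if (result == ISC_R_SUCCESS) {` block is skipped, nothing frees or clears `val->key`, and the next pass runs `INSIST(val->key == NULL)` while processing DNSKEY data received from the network. That contract is not visible in this hunk, so I would state it at the call site, e.g. `/* On failure dst_key_fromdns() leaves val->key NULL; skip this key and try the next one. */`. The failure code is also discarded, because `result` is overwritten by `dns_rdataset_next(rdataset)`, so an unsupported algorithm (the case the commit message names) and any other failure are handled identically as "try the next key"; if that is intended, the comment should say so. get_dst_key continues outside the hunk, and if the removed `goto failure` was the only jump to that label, the label is presumably unused now.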