fix: usr: Fix an assertion failure in validate_dnskey_dsset_done()

Under rare circumstances, named could terminate unexpectedly when validating a DNSKEY resource record if the validation was canceled in the meantime. This has been fixed. Closes isc-projects/bind9#4911 Merge branch '4911-assertion-failure-in-validate_dnskey_dsset_done' into 'v9.21.1-release' See merge request isc-private/bind9!731
2024-09-04 14:18:25 +00:00
parent 8a09d54d6b d85918aebf
commit 31245213a0
1 changed files with 18 additions and 7 deletions
--- a/lib/dns/validator.c
+++ b/lib/dns/validator.c
@@ -1952,15 +1952,26 @@ get_dsset(dns_validator_t *val, dns_name_t *tname, isc_result_t *resp) {

 static void
 validate_dnskey_dsset_done(dns_validator_t *val, isc_result_t result) {
-	if (result == ISC_R_SUCCESS) {
+	switch (result) {
+	case ISC_R_CANCELED:
+	case ISC_R_SHUTTINGDOWN:
+		/* Abort, abort, abort! */
+		break;
+	case ISC_R_SUCCESS:
 		marksecure(val);
 		validator_log(val, ISC_LOG_DEBUG(3), "marking as secure (DS)");
-	} else if (result == ISC_R_NOMORE && !val->supported_algorithm) {
-		validator_log(val, ISC_LOG_DEBUG(3),
-			      "no supported algorithm/digest (DS)");
-		result = markanswer(val, "validate_dnskey (3)",
-				    "no supported algorithm/digest (DS)");
-	} else {
+		break;
+	case ISC_R_NOMORE:
+		if (!val->supported_algorithm) {
+			validator_log(val, ISC_LOG_DEBUG(3),
+				      "no supported algorithm/digest (DS)");
+			result = markanswer(
+				val, "validate_dnskey (3)",
+				"no supported algorithm/digest (DS)");
+			break;
+		}
+		FALLTHROUGH;
+	default:
 		validator_log(val, ISC_LOG_INFO,
 			      "no valid signature found (DS)");
 		result = DNS_R_NOVALIDSIG;