3996. [bug] Address use after free on out of memory error in

keyring_add. [RT #37639] (cherry picked from commit c2f8108123)
2014-10-31 11:44:09 +11:00
parent 1083f358ae
commit 5ccdac854e
2 changed files with 6 additions and 2 deletions
--- a/3
+++ b/3
@@ -1,3 +1,6 @@
+3996.	[bug]		Address use after free on out of memory error in
+			keyring_add. [RT #37639]
+
 3995.	[bug]		receive_secure_serial holds the zone lock for too
 			long. [RT #37626]

--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -275,12 +275,12 @@ keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
 	}

 	result = dns_rbt_addname(ring->keys, name, tkey);
-	if (tkey->generated) {
+	if (result == ISC_R_SUCCESS && tkey->generated) {
 		/*
 		 * Add the new key to the LRU list and remove the least
 		 * recently used key if there are too many keys on the list.
 		 */
-		ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
+		ISC_LIST_APPEND(ring->lru, tkey, link);
 		if (ring->generated++ > ring->maxgenerated)
 			remove_fromring(ISC_LIST_HEAD(ring->lru));
 	}
@@ -419,6 +419,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	tkey->expire = expire;
 	tkey->mctx = NULL;
 	isc_mem_attach(mctx, &tkey->mctx);
+	ISC_LINK_INIT(tkey, link);

 	tkey->magic = TSIG_MAGIC;