From 5ccdac854e2bf9fda4dd7005225fe6744078aa97 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Fri, 31 Oct 2014 11:44:09 +1100
Subject: [PATCH] 3996.   [bug]           Address use after free on out of
 memory error in                         keyring_add. [RT #37639]

(cherry picked from commit c2f8108123c40f9be5c7d8255300e578ca8a47a6)
---
 CHANGES        | 3 +++
 lib/dns/tsig.c | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/CHANGES b/CHANGES
index d58be14b80..b3e637a298 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+3996.	[bug]		Address use after free on out of memory error in
+			keyring_add. [RT #37639]
+
 3995.	[bug]		receive_secure_serial holds the zone lock for too
 			long. [RT #37626]
 
diff --git a/lib/dns/tsig.c b/lib/dns/tsig.c
index 0c0745de12..bddbbbdf00 100644
--- a/lib/dns/tsig.c
+++ b/lib/dns/tsig.c
@@ -275,12 +275,12 @@ keyring_add(dns_tsig_keyring_t *ring, dns_name_t *name,
 	}
 
 	result = dns_rbt_addname(ring->keys, name, tkey);
-	if (tkey->generated) {
+	if (result == ISC_R_SUCCESS && tkey->generated) {
 		/*
 		 * Add the new key to the LRU list and remove the least
 		 * recently used key if there are too many keys on the list.
 		 */
-		ISC_LIST_INITANDAPPEND(ring->lru, tkey, link);
+		ISC_LIST_APPEND(ring->lru, tkey, link);
 		if (ring->generated++ > ring->maxgenerated)
 			remove_fromring(ISC_LIST_HEAD(ring->lru));
 	}
@@ -419,6 +419,7 @@ dns_tsigkey_createfromkey(dns_name_t *name, dns_name_t *algorithm,
 	tkey->expire = expire;
 	tkey->mctx = NULL;
 	isc_mem_attach(mctx, &tkey->mctx);
+	ISC_LINK_INIT(tkey, link);
 
 	tkey->magic = TSIG_MAGIC;