From 0d8333f087bb38cc3276cc528811a177e90face7 Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Mon, 28 Jul 2008 08:46:11 +0000
Subject: [PATCH] 2403.   [bug]           TSIG context leak. [RT #18341]

---
 CHANGES           |  2 ++
 lib/dns/message.c |  5 ++++-
 lib/dns/xfrin.c   | 14 ++++++++++++--
 3 files changed, 18 insertions(+), 3 deletions(-)

diff --git a/CHANGES b/CHANGES
index 08451f2bc9..ddf757a0a3 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2403.	[bug]		TSIG context leak. [RT #18341]
+
 2402.	[port]		Support Solaris 2.11 and over. [RT #18362]
 
 2401.	[bug]		Expect to get E[MN]FILE errno internal_accept()
diff --git a/lib/dns/message.c b/lib/dns/message.c
index e8e4948618..3011d3ba16 100644
--- a/lib/dns/message.c
+++ b/lib/dns/message.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: message.c,v 1.222.18.14 2007/08/28 07:20:04 tbox Exp $ */
+/* $Id: message.c,v 1.222.18.15 2008/07/28 08:46:11 marka Exp $ */
 
 /*! \file */
 
@@ -592,6 +592,9 @@ msgreset(dns_message_t *msg, isc_boolean_t everything) {
 		msg->tsigkey = NULL;
 	}
 
+	if (msg->tsigctx != NULL)
+		dst_context_destroy(&msg->tsigctx);
+
 	if (msg->query.base != NULL) {
 		if (msg->free_query != 0)
 			isc_mem_put(msg->mctx, msg->query.base,
diff --git a/lib/dns/xfrin.c b/lib/dns/xfrin.c
index cc12f4f481..013c97b364 100644
--- a/lib/dns/xfrin.c
+++ b/lib/dns/xfrin.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: xfrin.c,v 1.135.18.19 2008/07/23 23:33:02 marka Exp $ */
+/* $Id: xfrin.c,v 1.135.18.20 2008/07/28 08:46:11 marka Exp $ */
 
 /*! \file */
 
@@ -1051,6 +1051,8 @@ xfrin_send_request(dns_xfrin_ctx_t *xfr) {
 	xfr->id++;
 	xfr->nmsg = 0;
 	msg->id = xfr->id;
+	if (xfr->tsigctx != NULL)
+		dst_context_destroy(&xfr->tsigctx);
 
 	CHECK(render(msg, xfr->mctx, &xfr->qbuffer));
 
@@ -1186,7 +1188,10 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 
 	CHECK(dns_message_settsigkey(msg, xfr->tsigkey));
 	CHECK(dns_message_setquerytsig(msg, xfr->lasttsig));
+
 	msg->tsigctx = xfr->tsigctx;
+	xfr->tsigctx = NULL;
+	
 	if (xfr->nmsg > 0)
 		msg->tcp_continuation = 1;
 
@@ -1299,9 +1304,11 @@ xfrin_recv_done(isc_task_t *task, isc_event_t *ev) {
 	xfr->nmsg++;
 
 	/*
-	 * Copy the context back.
+	 * Take the context back.
 	 */
+	INSIST(xfr->tsigctx == NULL);
 	xfr->tsigctx = msg->tsigctx;
+	msg->tsigctx = NULL;
 
 	dns_message_destroy(&msg);
 
@@ -1397,6 +1404,9 @@ maybe_free(dns_xfrin_ctx_t *xfr) {
 	if (xfr->tcpmsg_valid)
 		dns_tcpmsg_invalidate(&xfr->tcpmsg);
 
+	if (xfr->tsigctx != NULL)
+		dst_context_destroy(&xfr->tsigctx);
+
 	if ((xfr->name.attributes & DNS_NAMEATTR_DYNAMIC) != 0)
 		dns_name_free(&xfr->name, xfr->mctx);