From: Matthijs Mekking
Date: Tue, 2 Dec 2025 15:23:01 +0000 (+0100)
Subject: Add a regression test for the BRID/HHIT crash
X-Git-Tag: v9.21.19~40^2
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce1d68cbc5d702749497a9bc6a758564f72abe2f;p=thirdparty%2Fbind9.git

Add a regression test for the BRID/HHIT crash

Add two short records to example.com.db that cause assertion failures when converted to wire form. The checks added to tests.sh are technically not required: the relevant assertion failures are already hit when the zone is transferred out of ns1. Update the relevant unit tests with 1-byte records.

Co-authored-by: Mark Andrews
---
diff --git a/bin/tests/system/auth/ns1/example.com.db b/bin/tests/system/auth/ns1/example.com.db
index 67688950eda..3e03e6e34e0 100644
--- a/bin/tests/system/auth/ns1/example.com.db
+++ b/bin/tests/system/auth/ns1/example.com.db
@@ -23,3 +23,6 @@ www CNAME server.example.net.
 inzone CNAME a.example.com.
 a A 10.53.0.1
 dname DNAME @
+
+brid BRID \# 2 0000
+hhit HHIT \# 2 0000
diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
index 957e48c693c..27399f512dc 100644
--- a/bin/tests/system/auth/tests.sh
+++ b/bin/tests/system/auth/tests.sh
@@ -248,5 +248,22 @@ grep 'ns\.child\.example\.net\..300.IN.A.10\.53\.0\.1$' dig.out.test$n >/dev/nul
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
+# Regression tests for #5616 [CVE-2025-13878] BRID and HHIT assertion failure.
+n=$((n + 1))
+echo_i "check that BRID query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n
+grep "BRID" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that HHIT query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 hhit.example.com HHIT >dig.out.test$n
+grep "HHIT" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c
index e0f073ab33d..01c99623c4c 100644
--- a/tests/dns/rdata_test.c
+++ b/tests/dns/rdata_test.c
@@ -1104,10 +1104,14 @@ ISC_RUN_TEST_IMPL(amtrelay) {
 dns_rdatatype_amtrelay, sizeof(dns_rdata_amtrelay_t));
 }
 
-/* BRIB RDATA - base64 encoded opaque */
+/* BRID RDATA - base64 encoded opaque */
 ISC_RUN_TEST_IMPL(brid) {
 text_ok_t text_ok[] = { /* empty */
 TEXT_INVALID(""),
+ /* zero length */
+ TEXT_INVALID("\\# 0"),
+ /* valid base64 string - minimum size */
+ TEXT_VALID("AA=="),
 /* valid base64 string */
 TEXT_VALID("aaaa"),
 /* invalid base64 string */
@@ -2101,6 +2105,10 @@ ISC_RUN_TEST_IMPL(hip) {
 ISC_RUN_TEST_IMPL(hhit) {
 text_ok_t text_ok[] = { /* empty */
 TEXT_INVALID(""),
+ /* zero length */
+ TEXT_INVALID("\\# 0"),
+ /* valid base64 string - minimum size */
+ TEXT_VALID("AA=="),
 /* valid base64 string */
 TEXT_VALID("aaaa"),
 /* invalid base64 string */
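Review bot: Both new checks in the tests.sh hunk can pass without a usable answer from the server: `grep "BRID"` (and `grep "HHIT"` in the second test) matches the type name wherever dig prints it, which includes the question section of an error response and, depending on `$DIGOPTS` (not visible here), possibly dig's own command banner, and dig's exit status is not checked. To make the tests fail when named aborts on the query, record the dig failure and match the response status, e.g. `$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n || ret=1` followed by `grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1`. An anchored answer-record pattern, in the style of the `grep 'ns\.child\.example\.net\...'` check visible in the hunk header, would be tighter still.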
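Review bot: The new `text_ok` entries in `brid` (and the identical ones in the `hhit` hunk that follows) cover the zero-length generic form and a 1-byte payload, but not the 2-byte payload that the system-test zone records (`\# 2 0000`) use to reproduce the crash. Adding `/* two bytes, as in the #5616 zone records */` with `TEXT_VALID("AAA="),` to both arrays would pin that length in the unit tests as well. Both test bodies continue outside the hunks, so it cannot be seen here whether their `wire_ok` tables have matching short-record cases; if they do not, they deserve the same lengths, since the commit message places the assertion in the conversion to wire form.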