Add tests for CVE-2022-3924

Reproduce the assertion by configuring a 'named' resolver with
'recursive-clients 10;' configuration option and running 20
queries is parallel.

Also tweak the 'ans2/ans.pl' to simulate a 50ms network latency
when qname starts with "latency". This makes sure that queries
running in parallel don't get served immediately, thus allowing
the configured recursive clients quota limitation to be activated.

diff --git a/bin/tests/system/serve-stale/ans2/ans.pl b/bin/tests/system/serve-stale/ans2/ans.pl
index f14ae67fe8f7306c1a0d42558dc34fde07c31990..28c3c9316f4ebdc68f5e750daacacf580113bf73 100644 (file)
--- a/bin/tests/system/serve-stale/ans2/ans.pl
+++ b/bin/tests/system/serve-stale/ans2/ans.pl
@@ -100,6 +100,12 @@ sub reply_handler {
     # If we are not responding to queries we are done.
     return if (!$send_response);
 
+    if (index($qname, "latency") == 0) {
+        # simulate network latency before answering
+        print "  Sleeping 50 milliseconds\n";
+        select(undef, undef, undef, 0.05);
+    }
+
     # Construct the response and send it.
     if ($qname eq "ns.example" ) {
        if ($qtype eq "A") {

diff --git a/bin/tests/system/serve-stale/ns3/named2.conf.in b/bin/tests/system/serve-stale/ns3/named2.conf.in
index 8b855833d46650cd6f9f5a1e063c1075cc1e7e1c..d33abc80d17fa09ea461560520b864956925eff0 100644 (file)
--- a/bin/tests/system/serve-stale/ns3/named2.conf.in
+++ b/bin/tests/system/serve-stale/ns3/named2.conf.in
@@ -39,6 +39,7 @@ options {
        stale-answer-ttl 3;
        stale-refresh-time 0;
        stale-answer-client-timeout 1800; # 1.8 seconds
+       recursive-clients 10; # CVE-2022-3924
        max-stale-ttl 3600;
        resolver-query-timeout 30000; # 30 seconds
 };

diff --git a/bin/tests/system/serve-stale/tests.sh b/bin/tests/system/serve-stale/tests.sh
index 63a87a3d580165c1aea50076fc78e0c40315e8d2..2419f5657166b68e1b1cdab82573e332bf2e6732 100755 (executable)
--- a/bin/tests/system/serve-stale/tests.sh
+++ b/bin/tests/system/serve-stale/tests.sh
@@ -1781,6 +1781,25 @@ grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+# CVE-2022-3924, GL #3619
+n=$((n+1))
+echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+num=0
+# Make sure to exceed the configured value of 'recursive-clients 10;' by running
+# 20 parallel queries with simulated network latency.
+while [ $num -lt 20 ]; do
+    $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
+    num=$((num+1))
+done;
+_dig_data() {
+    $DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n || return 1
+    grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 5 _dig_data || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 #############################################
 # Test for stale-answer-client-timeout off. #
 #############################################