From: W.C.A. Wijngaards Date: Wed, 20 May 2026 10:40:32 +0000 (+0200) Subject: - Unit test for CVE-2026-42960. X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0d2282d5513e73b526a44483d63fc5d0f9c41439;p=thirdparty%2Funbound.git - Unit test for CVE-2026-42960.
---
diff --git a/doc/Changelog b/doc/Changelog
index 208ca24ad..4ab7c95bc 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -34,6 +34,7 @@
  - Unit test for CVE-2026-42944.
  - Unit test for CVE-2026-42959.
  - Unit test for CVE-2026-40622.
+ - Unit test for CVE-2026-42960.
 
 18 May 2026: Wouter
  - Fix for mixed class referrals, the resolver uses the query
diff --git a/testdata/iter_scrub_mx.rpl b/testdata/iter_scrub_mx.rpl
new file mode 100644
index 000000000..4fe7cfc98
--- /dev/null
+++ b/testdata/iter_scrub_mx.rpl
@@ -0,0 +1,191 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: no
+ iter-scrub-promiscuous: yes
+
+stub-zone:
+ name: "."
+ stub-addr: 1.2.3.0 # ns.root
+CONFIG_END
+
+SCENARIO_BEGIN Test iterator with scrub of authority MX records
+; The test queries receive spoofed answers. The check queries see if
+; the record is returned by the original server or by a spoofed source.
+; The test domain is pollute3.mesa.
+; with ns.pollute3.mesa A records are tested for cache placement.
+; MX records and other records should not be allowed to make glue in cache,
+; when present in the authority section.
+
+; ns.root
+RANGE_BEGIN 0 400
+ ADDRESS 1.2.3.0
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS NS.ROOT.
+SECTION ADDITIONAL
+NS.ROOT. IN A 1.2.3.0
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+mesa. IN NS
+SECTION AUTHORITY
+mesa. IN NS ns.mesa.
+SECTION ADDITIONAL
+ns.mesa. IN A 1.2.7.7
+ENTRY_END
+RANGE_END
+
+; ns.mesa
+RANGE_BEGIN 0 400
+ ADDRESS 1.2.7.7
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+pollute3.mesa. IN NS
+SECTION AUTHORITY
+pollute3.mesa. IN NS ns.pollute3.mesa.
+SECTION ADDITIONAL
+ns.pollute3.mesa. IN A 1.2.4.3
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+attacker.mesa. IN NS
+SECTION AUTHORITY
+attacker.mesa. IN NS ns.attacker.mesa.
+SECTION ADDITIONAL
+ns.attacker.mesa. IN A 5.6.7.8
+ENTRY_END
+RANGE_END
+
+; ns.pollute3.mesa
+RANGE_BEGIN 0 400
+ ADDRESS 1.2.4.3
+
+; This is the spoofed answer that is returned.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+SECTION ANSWER
+test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
+SECTION AUTHORITY
+test3.atkr.pollute3.mesa. 86400 IN MX 20 ns.pollute3.mesa.
+SECTION ADDITIONAL
+ns.pollute3.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+; correct answer for the check query.
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+check.pollute3.mesa. IN A 1.8.9.3
+ENTRY_END
+RANGE_END
+
+; ns.attacker.mesa
+RANGE_BEGIN 0 400
+ ADDRESS 5.6.7.8
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN A
+SECTION ANSWER
+ns.attacker.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN AAAA
+SECTION AUTHORITY
+attacker.mesa. 3600 IN SOA ns.attacker.mesa. root.attacker.mesa. 4 7200 3600 604800 3600
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+ns.attacker.mesa. IN A
+SECTION ANSWER
+ns.attacker.mesa. 86400 IN A 5.6.7.8
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+check.pollute3.mesa. 86400 IN A 5.6.7.9
+ENTRY_END
+RANGE_END
+
+; Test query with authority section MX glue.
+STEP 10 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+ENTRY_END
+
+STEP 20 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+test3.atkr.pollute3.mesa. IN A
+SECTION ANSWER
+test3.atkr.pollute3.mesa. 86400 IN A 1.2.3.4
+ENTRY_END
+
+; Check the cache contents, for query with authority section MX glue.
+STEP 100 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+check.pollute3.mesa. IN A
+ENTRY_END
+
+STEP 110 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+check.pollute3.mesa. IN A
+SECTION ANSWER
+; good answer
+check.pollute3.mesa. IN A 1.8.9.3
+; bad answer
+;check.pollute3.mesa. IN A 5.6.7.9
+ENTRY_END
+
+SCENARIO_END
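Review bot: The `ns.attacker.mesa` range (ADDRESS 5.6.7.8) carries the `ns.attacker.mesa. IN A` entry twice, with identical MATCH lines and answers; the second copy looks unreachable, assuming range entries are tried in order, and could be dropped. The entry in the same range that answers `check.pollute3.mesa. IN A` with 5.6.7.9 is what exposes a poisoned cache at STEP 110, but nothing says so; a comment above it such as `; only reached if the spoofed ns.pollute3.mesa A 5.6.7.8 from the additional section was cached` would make the detection path explicit. The scenario header also says "MX records and other records", while only an MX owner in the authority section is exercised, so either narrow that comment or cover further record types in follow-up fixtures. It would also help to note next to `iter-scrub-promiscuous: yes` whether the scrub under test depends on that option or whether it is set only to pin the default.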