- Add test case for malformed SVCB records. Thanks to

  Qifan Zhang, Palo Alto Networks for the additional test.

diff --git a/doc/Changelog b/doc/Changelog
index c0c54759cdd74d87101033908f22fc9419425f32..c336f91b949c2ab81023210bc858b423ae2ed042 100644 (file)
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+21 April 2026: Wouter
+       - Add test case for malformed SVCB records. Thanks to
+         Qifan Zhang, Palo Alto Networks for the additional test.
+
 20 April 2026: Wouter
        - Fix compile warnings for thread setname routine, and test compile.
        - Fix unused variable warning when compiled without ssl.

diff --git a/testdata/iter_svcb_malformed.rpl b/testdata/iter_svcb_malformed.rpl
new file mode 100644 (file)
index 0000000..8ac31fd
--- /dev/null
+++ b/testdata/iter_svcb_malformed.rpl
@@ -0,0 +1,200 @@
+; config options
+server:
+       target-fetch-policy: "0 0 0 0 0"
+       qname-minimisation: "no"
+       minimal-responses: no
+       iter-scrub-promiscuous: no
+
+stub-zone:
+       name: "."
+       stub-addr: 193.0.14.129         # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test lookup of malformed SVCB
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+       ADDRESS 193.0.14.129 
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS        K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET.    IN      A       193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain 
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com.   IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.    IN      A       192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+       ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com.   IN NS   a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net.    IN      A       192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com.   IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+       ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com.   IN NS   ns.example.com.
+SECTION ADDITIONAL
+ns.example.com.                IN      A       1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN HTTPS
+SECTION ANSWER
+www.example.com. IN HTTPS \# 17 00 01 00 00 01 00 03 02 68 32 00 01 00 03 02 68 33
+; Duplicate `alpn` key (17 bytes)
+; Decoded:
+;   SvcPriority = 1  (service mode)
+;   TargetName  = .  (root label, 0x00)
+;   SvcParam[0]: key=1 (alpn), value_len=3, value=\x02h2   ← "h2"
+;   SvcParam[1]: key=1 (alpn), value_len=3, value=\x02h3   ← DUPLICATE KEY
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+testb.example.com. IN HTTPS
+SECTION ANSWER
+; The parser for testbound does allow this.
+;testb.example.com. IN HTTPS \# 9 00 01 00 00 01 00 04 02 68
+; Truncated `alpn` value (9 bytes)
+; Decoded:
+;   SvcPriority = 1
+;   TargetName  = .
+;   SvcParam[0]: key=1 (alpn), value_len=4 (claims 4 bytes), value=\x02h (only 2 bytes present)
+; placeholder for hex: testb.example.com. IN HTTPS \# 9 00 01 00 00 01 00 02 01 68
+HEX_ANSWER_BEGIN
+000084000001000100000000057465737462076578616D706C6503636F6D0000410001057465737462076578616D706C6503636F6D000041000100000E10
+0009
+0001
+00
+000100040268
+HEX_ANSWER_END
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+testc.example.com. IN HTTPS
+SECTION ANSWER
+testc.example.com. IN HTTPS \# 21 00 01 00 00 01 00 06 02 68 32 02 68 33 00 04 00 04 01 02 03 04
+; valid HTTPS RDATA
+;   SvcPriority=1, TargetName=., alpn=h2+h3, ipv4hint=1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN HTTPS
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN HTTPS
+SECTION ANSWER
+www.example.com.        0       IN      HTTPS   1 . alpn="h2" alpn="h3"
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+testb.example.com. IN HTTPS
+ENTRY_END
+
+; recursion happens here.
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH rcode
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+testb.example.com. IN HTTPS
+SECTION ANSWER
+; testb.example.com.      0       IN      HTTPS   \# 9 000100000100040268
+HEX_ANSWER_BEGIN
+000084000001000100000000057465737462076578616D706C6503636F6D0000410001057465737462076578616D706C6503636F6D000041000100000E10
+0009
+0001
+00
+000100040268
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+testc.example.com. IN HTTPS
+ENTRY_END
+
+; recursion happens here.
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+testc.example.com. IN HTTPS
+SECTION ANSWER
+testc.example.com.      0       IN      HTTPS   1 . alpn="h2,h3" ipv4hint=1.2.3.4
+ENTRY_END
+
+SCENARIO_END