Add a regression test for the BRID/HHIT crash
authorMatthijs Mekking <matthijs@isc.org>
Tue, 2 Dec 2025 15:23:01 +0000 (16:23 +0100)
committerMichał Kępień (GitLab job 6823904) <michal@isc.org>
Thu, 5 Feb 2026 18:23:56 +0000 (18:23 +0000)
Add two short records to example.com.db that cause assertion failures
when converted to wire form.

The checks added to tests.sh are technically not required: the relevant
assertion failures are already hit when the zone is transferred out of
ns1.

Update the relevant unit tests with 1-byte records.

Co-authored-by: Mark Andrews <marka@isc.org>
(cherry picked from commit ce1d68cbc5d702749497a9bc6a758564f72abe2f)

bin/tests/system/auth/ns1/example.com.db
bin/tests/system/auth/tests.sh
tests/dns/rdata_test.c

index 67688950eda99b890f4e3999206767f4354207a0..3e03e6e34e024213024da972606c7286ce158181 100644 (file)
@@ -23,3 +23,6 @@ www                   CNAME   server.example.net.
 inzone                 CNAME   a.example.com.
 a                      A       10.53.0.1
 dname                  DNAME   @
+
+brid                   BRID    \# 2 0000
+hhit                   HHIT    \# 2 0000
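Review bot: The two records added at the end of example.com.db carry no comment saying why they are there, so a later cleanup of the zone could drop or "fix" them and silently remove the regression coverage. A zone-file comment above them would tie them to the issue the tests.sh hunk names, for example `; Short BRID/HHIT RDATA: regression data for #5616 [CVE-2025-13878], do not lengthen`. It is also worth stating there that the crash is expected to surface on zone transfer, as the commit description says, since nothing in the file itself shows that.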
index edb382202cb13b096ba784ec7f473a15affe4c4c..ae5df8c006e0b7c6db69e1ae4f4f5a75d9db94d9 100644 (file)
@@ -196,5 +196,22 @@ grep 'ns\.child\.example\.net\..300.IN.A.10\.53\.0\.1$' dig.out.test$n >/dev/nul
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
+# Regression tests for #5616 [CVE-2025-13878] BRID and HHIT assertion failure.
+n=$((n + 1))
+echo_i "check that BRID query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n
+grep "BRID" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that HHIT query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 hhit.example.com HHIT >dig.out.test$n
+grep "HHIT" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
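Review bot: The `grep "BRID"` check (and the matching `grep "HHIT"` check below it) can pass without the server having returned the record, because the type name also appears in the question section that dig echoes, and possibly in the command banner depending on what `$DIGOPTS` contains, which is not visible in this hunk. dig's exit status is discarded as well, so a server that died while answering is not reliably reported here. I would make each check fail closed: `$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n || ret=1`, then `grep "status: NOERROR" dig.out.test$n >/dev/null || ret=1`, and an anchored answer match such as `grep '^brid\.example\.com\..*BRID' dig.out.test$n >/dev/null || ret=1`, in the style of the anchored grep just above this hunk. The same three lines apply to the HHIT block with the name and type swapped.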
index ff653adc919a1e498f1a2e74921cebbd6ef717e8..a43d28abe7182e89db62e23fc7267beef8c9f374 100644 (file)
@@ -1101,10 +1101,14 @@ ISC_RUN_TEST_IMPL(amtrelay) {
                    dns_rdatatype_amtrelay, sizeof(dns_rdata_amtrelay_t));
 }
 
-/* BRIB RDATA - base64 encoded opaque */
+/* BRID RDATA - base64 encoded opaque */
 ISC_RUN_TEST_IMPL(brid) {
        text_ok_t text_ok[] = { /* empty  */
                                TEXT_INVALID(""),
+                               /* zero length */
+                               TEXT_INVALID("\\# 0"),
+                               /* valid base64 string - minimum size */
+                               TEXT_VALID("AA=="),
                                /* valid base64 string */
                                TEXT_VALID("aaaa"),
                                /* invalid base64 string */
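Review bot: The new `text_ok` entries in `brid` (and the identical ones in the `hhit` hunk below) cover zero octets and one octet, but not the two-octet length that example.com.db uses (`\# 2 0000`), so the exact record shape from the system test has no unit-level counterpart. Assuming two octets is accepted after the fix, as the zone data suggests, adding `TEXT_VALID("AAA="),` with a comment such as `/* two octets - same length as the example.com.db records */` would close that gap. The commit description says the assertion fires on conversion to wire form; the rest of each test body, including any wire-form cases, lies outside these hunks, so it is worth confirming that short RDATA is exercised there too. The comment `minimum size` would also read better as `minimum size (one octet)`, so the boundary is explicit.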
@@ -2059,6 +2063,10 @@ ISC_RUN_TEST_IMPL(hip) {
 ISC_RUN_TEST_IMPL(hhit) {
        text_ok_t text_ok[] = { /* empty  */
                                TEXT_INVALID(""),
+                               /* zero length */
+                               TEXT_INVALID("\\# 0"),
+                               /* valid base64 string - minimum size */
+                               TEXT_VALID("AA=="),
                                /* valid base64 string */
                                TEXT_VALID("aaaa"),
                                /* invalid base64 string */