From: W.C.A. Wijngaards
Date: Tue, 21 Apr 2026 07:41:53 +0000 (+0200)
Subject: - Add test case for malformed SVCB records. Thanks to
X-Git-Tag: release-1.25.0rc1~10
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=d489e6027eeaf980638359af4d6a09cc4fdb229f;p=thirdparty%2Funbound.git
- Add test case for malformed SVCB records. Thanks to Qifan Zhang, Palo Alto Networks for the additional test.
---
diff --git a/doc/Changelog b/doc/Changelog
index c0c54759c..c336f91b9 100644
--- a/doc/Changelog
+++ b/doc/Changelog
@@ -1,3 +1,7 @@
+21 April 2026: Wouter
+ - Add test case for malformed SVCB records. Thanks to
+ Qifan Zhang, Palo Alto Networks for the additional test.
+
 20 April 2026: Wouter
 - Fix compile warnings for thread setname routine, and test compile.
 - Fix unused variable warning when compiled without ssl.
diff --git a/testdata/iter_svcb_malformed.rpl b/testdata/iter_svcb_malformed.rpl
new file mode 100644
index 000000000..8ac31fd2d
--- /dev/null
+++ b/testdata/iter_svcb_malformed.rpl
@@ -0,0 +1,200 @@
+; config options
+server:
+ target-fetch-policy: "0 0 0 0 0"
+ qname-minimisation: "no"
+ minimal-responses: no
+ iter-scrub-promiscuous: no
+
+stub-zone:
+ name: "."
+ stub-addr: 193.0.14.129 # K.ROOT-SERVERS.NET.
+CONFIG_END
+
+SCENARIO_BEGIN Test lookup of malformed SVCB
+
+; K.ROOT-SERVERS.NET.
+RANGE_BEGIN 0 100
+ ADDRESS 193.0.14.129
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+. IN NS
+SECTION ANSWER
+. IN NS K.ROOT-SERVERS.NET.
+SECTION ADDITIONAL
+K.ROOT-SERVERS.NET. IN A 193.0.14.129
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION AUTHORITY
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+RANGE_END
+
+; a.gtld-servers.net.
+RANGE_BEGIN 0 100
+ ADDRESS 192.5.6.30
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+com. IN NS
+SECTION ANSWER
+com. IN NS a.gtld-servers.net.
+SECTION ADDITIONAL
+a.gtld-servers.net. IN A 192.5.6.30
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode subdomain
+ADJUST copy_id copy_query
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION AUTHORITY
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+RANGE_END
+
+; ns.example.com.
+RANGE_BEGIN 0 100
+ ADDRESS 1.2.3.4
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR NOERROR
+SECTION QUESTION
+example.com. IN NS
+SECTION ANSWER
+example.com. IN NS ns.example.com.
+SECTION ADDITIONAL
+ns.example.com. IN A 1.2.3.4
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+www.example.com. IN HTTPS
+SECTION ANSWER
+www.example.com. IN HTTPS \# 17 00 01 00 00 01 00 03 02 68 32 00 01 00 03 02 68 33
+; Duplicate `alpn` key (17 bytes)
+; Decoded:
+; SvcPriority = 1 (service mode)
+; TargetName = . 
(root label, 0x00)
+; SvcParam[0]: key=1 (alpn), value_len=3, value=\x02h2 ← "h2"
+; SvcParam[1]: key=1 (alpn), value_len=3, value=\x02h3 ← DUPLICATE KEY
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+testb.example.com. IN HTTPS
+SECTION ANSWER
+; The parser for testbound does allow this.
+;testb.example.com. IN HTTPS \# 9 00 01 00 00 01 00 04 02 68
+; Truncated `alpn` value (9 bytes)
+; Decoded:
+; SvcPriority = 1
+; TargetName = .
+; SvcParam[0]: key=1 (alpn), value_len=4 (claims 4 bytes), value=\x02h (only 2 bytes present)
+; placeholder for hex: testb.example.com. IN HTTPS \# 9 00 01 00 00 01 00 02 01 68
+HEX_ANSWER_BEGIN
+000084000001000100000000057465737462076578616D706C6503636F6D0000410001057465737462076578616D706C6503636F6D000041000100000E10
+0009
+0001
+00
+000100040268
+HEX_ANSWER_END
+ENTRY_END
+
+ENTRY_BEGIN
+MATCH opcode qtype qname
+ADJUST copy_id
+REPLY QR AA NOERROR
+SECTION QUESTION
+testc.example.com. IN HTTPS
+SECTION ANSWER
+testc.example.com. IN HTTPS \# 21 00 01 00 00 01 00 06 02 68 32 02 68 33 00 04 00 04 01 02 03 04
+; valid HTTPS RDATA
+; SvcPriority=1, TargetName=., alpn=h2+h3, ipv4hint=1.2.3.4
+ENTRY_END
+RANGE_END
+
+STEP 1 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+www.example.com. IN HTTPS
+ENTRY_END
+
+; recursion happens here.
+STEP 10 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+www.example.com. IN HTTPS
+SECTION ANSWER
+www.example.com. 0 IN HTTPS 1 . alpn="h2" alpn="h3"
+ENTRY_END
+
+STEP 20 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+testb.example.com. IN HTTPS
+ENTRY_END
+
+; recursion happens here.
+STEP 30 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH rcode
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+testb.example.com. IN HTTPS
+SECTION ANSWER
+; testb.example.com. 
0 IN HTTPS \# 9 000100000100040268
+HEX_ANSWER_BEGIN
+000084000001000100000000057465737462076578616D706C6503636F6D0000410001057465737462076578616D706C6503636F6D000041000100000E10
+0009
+0001
+00
+000100040268
+HEX_ANSWER_END
+ENTRY_END
+
+STEP 40 QUERY
+ENTRY_BEGIN
+REPLY RD
+SECTION QUESTION
+testc.example.com. IN HTTPS
+ENTRY_END
+
+; recursion happens here.
+STEP 50 CHECK_ANSWER
+ENTRY_BEGIN
+MATCH all
+REPLY QR RD RA NOERROR
+SECTION QUESTION
+testc.example.com. IN HTTPS
+SECTION ANSWER
+testc.example.com. 0 IN HTTPS 1 . alpn="h2,h3" ipv4hint=1.2.3.4
+ENTRY_END
+
+SCENARIO_END
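Review bot: STEP 30 checks the truncated-alpn reply with `MATCH rcode` only, so the test passes whether the resolver relays, drops or rewrites the malformed RDATA, and the HEX_ANSWER in that expected entry is presumably never compared. A comment there such as `; only the rcode is checked: the truncated SvcParam must be handled without a crash or over-read` would record what is actually pinned. In the testb reply entry, `; The parser for testbound does allow this.` sits above a commented-out record that HEX_ANSWER replaces, so it probably means "does not allow", and the `; placeholder for hex:` line ends in `00 02 01 68` while the bytes actually sent are `0001 0004 0268`. STEP 10 expects both `alpn` parameters back, which pins pass-through of a duplicate SvcParamKey; a one-line comment saying this is intended would help, since RFC 9460 has clients treat keys that are not strictly increasing as malformed.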