Add a regression test for the BRID/HHIT crash

Add two short records to example.com.db that cause assertion failures
when converted to wire form.

The checks added to tests.sh are technically not required: the relevant
assertion failures are already hit when the zone is transferred out of
ns1.

Update the relevant unit tests with 1-byte records.

Co-authored-by: Mark Andrews <marka@isc.org>

diff --git a/bin/tests/system/auth/ns1/example.com.db b/bin/tests/system/auth/ns1/example.com.db
index 67688950eda99b890f4e3999206767f4354207a0..3e03e6e34e024213024da972606c7286ce158181 100644 (file)
--- a/bin/tests/system/auth/ns1/example.com.db
+++ b/bin/tests/system/auth/ns1/example.com.db
@@ -23,3 +23,6 @@ www                   CNAME   server.example.net.
 inzone                 CNAME   a.example.com.
 a                      A       10.53.0.1
 dname                  DNAME   @
+
+brid                   BRID    \# 2 0000
+hhit                   HHIT    \# 2 0000

diff --git a/bin/tests/system/auth/tests.sh b/bin/tests/system/auth/tests.sh
index 957e48c693c8a4409c1338248b1e69fe18a3726e..27399f512dc294c54f3c21a5d1ccfecf9882228d 100644 (file)
--- a/bin/tests/system/auth/tests.sh
+++ b/bin/tests/system/auth/tests.sh
@@ -248,5 +248,22 @@ grep 'ns\.child\.example\.net\..300.IN.A.10\.53\.0\.1$' dig.out.test$n >/dev/nul
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))
 
+# Regression tests for #5616 [CVE-2025-13878] BRID and HHIT assertion failure.
+n=$((n + 1))
+echo_i "check that BRID query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n
+grep "BRID" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that HHIT query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 hhit.example.com HHIT >dig.out.test$n
+grep "HHIT" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1

diff --git a/tests/dns/rdata_test.c b/tests/dns/rdata_test.c
index e0f073ab33d5098e2beb0a70578775271fbd4f1b..01c99623c4c42677774e8498671fc8c4a1d1f704 100644 (file)
--- a/tests/dns/rdata_test.c
+++ b/tests/dns/rdata_test.c
@@ -1104,10 +1104,14 @@ ISC_RUN_TEST_IMPL(amtrelay) {
                    dns_rdatatype_amtrelay, sizeof(dns_rdata_amtrelay_t));
 }
 
-/* BRIB RDATA - base64 encoded opaque */
+/* BRID RDATA - base64 encoded opaque */
 ISC_RUN_TEST_IMPL(brid) {
        text_ok_t text_ok[] = { /* empty  */
                                TEXT_INVALID(""),
+                               /* zero length */
+                               TEXT_INVALID("\\# 0"),
+                               /* valid base64 string - minimum size */
+                               TEXT_VALID("AA=="),
                                /* valid base64 string */
                                TEXT_VALID("aaaa"),
                                /* invalid base64 string */
@@ -2101,6 +2105,10 @@ ISC_RUN_TEST_IMPL(hip) {
 ISC_RUN_TEST_IMPL(hhit) {
        text_ok_t text_ok[] = { /* empty  */
                                TEXT_INVALID(""),
+                               /* zero length */
+                               TEXT_INVALID("\\# 0"),
+                               /* valid base64 string - minimum size */
+                               TEXT_VALID("AA=="),
                                /* valid base64 string */
                                TEXT_VALID("aaaa"),
                                /* invalid base64 string */