Add tests for CVE-2022-3924

Reproduce the assertion by configuring a 'named' resolver with 'recursive-clients 10;' configuration option and running 20 queries is parallel. Also tweak the 'ans2/ans.pl' to simulate a 50ms network latency when qname starts with "latency". This makes sure that queries running in parallel don't get served immediately, thus allowing the configured recursive clients quota limitation to be activated.
2022-11-11 14:44:26 +00:00
parent 1fb5d42416
commit 4b52b0b4a9
3 changed files with 26 additions and 0 deletions
--- a/bin/tests/system/serve-stale/ans2/ans.pl
+++ b/bin/tests/system/serve-stale/ans2/ans.pl
@@ -100,6 +100,12 @@ sub reply_handler {
    # If we are not responding to queries we are done.
    return if (!$send_response);

+    if (index($qname, "latency") == 0) {
+        # simulate network latency before answering
+        print "  Sleeping 50 milliseconds\n";
+        select(undef, undef, undef, 0.05);
+    }
+
    # Construct the response and send it.
    if ($qname eq "ns.example" ) {
 	if ($qtype eq "A") {
--- a/bin/tests/system/serve-stale/ns3/named2.conf.in
+++ b/bin/tests/system/serve-stale/ns3/named2.conf.in
@@ -39,6 +39,7 @@ options {
 	stale-answer-ttl 3;
 	stale-refresh-time 0;
 	stale-answer-client-timeout 1800; # 1.8 seconds
+	recursive-clients 10; # CVE-2022-3924
 	max-stale-ttl 3600;
 	resolver-query-timeout 30000; # 30 seconds
 };
--- a/bin/tests/system/serve-stale/tests.sh
+++ b/bin/tests/system/serve-stale/tests.sh
@@ -1781,6 +1781,25 @@ grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))

+# CVE-2022-3924, GL #3619
+n=$((n+1))
+echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+num=0
+# Make sure to exceed the configured value of 'recursive-clients 10;' by running
+# 20 parallel queries with simulated network latency.
+while [ $num -lt 20 ]; do
+    $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
+    num=$((num+1))
+done;
+_dig_data() {
+    $DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n || return 1
+    grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 5 _dig_data || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 #############################################
 # Test for stale-answer-client-timeout off. #
 #############################################