Skip to content

[v9_16] Add tests for CVE-2022-2795

Michal Nowak requested to merge 3394-cve-2022-2795-test-v9_16 into v9_16

Add a test ensuring that the amount of work fctx_getaddresses() performs for any encountered delegation is limited: delegate example.net to a set of 1,000 name servers in the redirect.com zone, the names of which all resolve to IP addresses that nothing listens on, and query for a name in the example.net domain, checking the number of times the findname() function gets executed in the process; fail if that count is excessively large.

Since the size of the referral response sent by ans3 is about 20 kB, it cannot be sent back over UDP (EMSGSIZE) on some operating systems in their default configuration (e.g. FreeBSD - see the net.inet.udp.maxdgram sysctl). To enable reliable reproduction of CVE-2022-2795 (retry patterns vary across BIND 9 versions) and avoid false positives at the same time (thread scheduling - and therefore the number of fetch context restarts - vary across operating systems and across test runs), extend bin/tests/system/resolver/ans3/ans.pl so that it also listens on TCP and make "ns1" in the "resolver" system test always use TCP when communicating with "ans3".

Also add a test (foo.bar.sub.tld1/TXT) that ensures the new limitations imposed on the resolution process by the mitigation for CVE-2022-2795 do not prevent valid, glueless delegation chains from working properly.

(cherry picked from commit 604d8f0b)

See #3394 (closed)

Merge request reports