[9.20] [CVE-2025-13878] sec: test: Add a regression test for the BRID/HHIT crash

Add two short records to example.com.db that cause assertion failures when converted to wire form. The checks added to tests.sh are technically not required: the relevant assertion failures are already hit when the zone is transferred out of ns1. Update the relevant unit tests with 1-byte records. Co-authored-by: Mark Andrews <marka@isc.org> Closes #5616 Backport of MR !11522 Merge branch 'backport-5616-add-brid-hhit-towire-tests-9.20' into 'bind-9.20' See merge request isc-projects/bind9!11523
2026-05-27 12:13:20 -04:00 · 2026-02-05 20:04:10 +01:00 · 2026-02-05 20:04:10 +01:00 · 4a5406241a
commit 4a5406241a
parent e7f78c203c 440ada653d
3 changed files with 29 additions and 1 deletions
--- a/bin/tests/system/auth/ns1/example.com.db
+++ b/bin/tests/system/auth/ns1/example.com.db
@ -23,3 +23,6 @@ www			CNAME	server.example.net.
 inzone			CNAME	a.example.com.
 a			A	10.53.0.1
 dname			DNAME	@
+
+brid			BRID	\# 2 0000
+hhit			HHIT	\# 2 0000
--- a/bin/tests/system/auth/tests.sh
+++ b/bin/tests/system/auth/tests.sh
@ -196,5 +196,22 @@ grep 'ns\.child\.example\.net\..300.IN.A.10\.53\.0\.1$' dig.out.test$n >/dev/nul
 [ $ret -eq 0 ] || echo_i "failed"
 status=$((status + ret))

+# Regression tests for #5616 [CVE-2025-13878] BRID and HHIT assertion failure.
+n=$((n + 1))
+echo_i "check that BRID query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 brid.example.com BRID >dig.out.test$n
+grep "BRID" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
+n=$((n + 1))
+echo_i "check that HHIT query does not trigger assertion failure ($n)"
+ret=0
+$DIG $DIGOPTS @10.53.0.1 hhit.example.com HHIT >dig.out.test$n
+grep "HHIT" dig.out.test$n >/dev/null || ret=1
+[ $ret -eq 0 ] || echo_i "failed"
+status=$((status + ret))
+
 echo_i "exit status: $status"
 [ $status -eq 0 ] || exit 1
--- a/tests/dns/rdata_test.c
+++ b/tests/dns/rdata_test.c
@ -1099,10 +1099,14 @@ ISC_RUN_TEST_IMPL(amtrelay) {
 		    dns_rdatatype_amtrelay, sizeof(dns_rdata_amtrelay_t));
 }

-/* BRIB RDATA - base64 encoded opaque */
+/* BRID RDATA - base64 encoded opaque */
 ISC_RUN_TEST_IMPL(brid) {
 	text_ok_t text_ok[] = { /* empty  */
 				TEXT_INVALID(""),
+				/* zero length */
+				TEXT_INVALID("\\# 0"),
+				/* valid base64 string - minimum size */
+				TEXT_VALID("AA=="),
 				/* valid base64 string */
 				TEXT_VALID("aaaa"),
 				/* invalid base64 string */
@ -2057,6 +2061,10 @@ ISC_RUN_TEST_IMPL(hip) {
 ISC_RUN_TEST_IMPL(hhit) {
 	text_ok_t text_ok[] = { /* empty  */
 				TEXT_INVALID(""),
+				/* zero length */
+				TEXT_INVALID("\\# 0"),
+				/* valid base64 string - minimum size */
+				TEXT_VALID("AA=="),
 				/* valid base64 string */
 				TEXT_VALID("aaaa"),
 				/* invalid base64 string */