Merge branch '2856-CVE-2021-25218-regression-test' into 'main'

Add a regression test in the RRL system test See merge request isc-projects/bind9!5360
2026-06-09 00:02:04 -04:00 · 2021-08-30 15:30:26 +00:00 · 2021-08-30 15:30:26 +00:00 · 611995ada3
commit 611995ada3
parent 5e5f4bc851 d8363845b6
4 changed files with 19 additions and 3 deletions
--- a/bin/tests/system/ifconfig.sh.in
+++ b/bin/tests/system/ifconfig.sh.in
@ -19,6 +19,9 @@
 #       fd92:7065:b8e:99ff::{1..2}
 #       fd92:7065:b8e:ff::{1..2}
 #
+# We also set the MTU on the 1500 bytes to match the default MTU on physical
+# interfaces, so we can properly test the cases with packets bigger than
+# interface MTU.

 top_srcdir=@abs_top_srcdir@

@ -65,6 +68,7 @@ case "$1" in
 			    *-*-solaris2.[8-9]|*-*-solaris2.1[0-9])
 				/sbin/ifconfig lo0:$int plumb
 				/sbin/ifconfig lo0:$int 10.53.$i.$ns up
+				/sbin/ifconfig lo0:$int mtu 1500
 				/sbin/ifconfig lo0:$int inet6 plumb
 				[ "$ipv6" ] && /sbin/ifconfig lo0:$int \
 					inet6 fd92:7065:b8e:${ipv6}ff::$ns up
@ -73,25 +77,29 @@ case "$1" in
                                if [ $use_ip ]; then
                                        ip address add 10.53.$i.$ns/24 \
                                            dev lo:$int
+                                        ip link set dev lo:$int mtu 1500
                                        [ "$ipv6" ] && ip address add \
                                            fd92:7065:b8e:${ipv6}ff::$ns/64 \
                                            dev lo
                                else
                                        ifconfig lo:$int 10.53.$i.$ns up \
-                                                netmask 255.255.255.0
+                                                netmask 255.255.255.0 \
+                                                mtu 1500
                                        [ "$ipv6" ] && ifconfig lo inet6 add \
                                                fd92:7065:b8e:${ipv6}ff::$ns/64
                                fi
 				;;
 			    *-unknown-freebsd*)
 				ifconfig lo0 10.53.$i.$ns alias \
-					netmask 0xffffffff
+					netmask 0xffffffff \
+					mtu 1500
 				[ "$ipv6" ] && ifconfig lo0 inet6 \
 					fd92:7065:b8e:${ipv6}ff::$ns alias
 				;;
 			    *-unknown-dragonfly*|*-unknown-netbsd*|*-unknown-openbsd*)
 				ifconfig lo0 10.53.$i.$ns alias \
-					netmask 255.255.255.0
+					netmask 255.255.255.0 \
+					mtu 1500
 				[ "$ipv6" ] && ifconfig lo0 inet6 \
 					fd92:7065:b8e:${ipv6}ff::$ns alias
 				;;
--- a/bin/tests/system/rrl/ns4/named.conf.in
+++ b/bin/tests/system/rrl/ns4/named.conf.in
@ -22,6 +22,7 @@ options {
 	notify no;
 	recursion yes;
 	dnssec-validation yes;
+	max-udp-size 4096;

 	rate-limit {
 	    responses-per-second 2;
--- a/bin/tests/system/rrl/ns4/tld4.db
+++ b/bin/tests/system/rrl/ns4/tld4.db
@ -40,3 +40,6 @@ a8		A	192.0.2.8

 ; a9 for all-per-second limit
 $GENERATE 101-180 all$.a9 A 192.0.2.8
+
+; oversized TXT record
+$GENERATE 1-100    big    1    TXT    "txt$"
--- a/bin/tests/system/rrl/tests.sh
+++ b/bin/tests/system/rrl/tests.sh
@ -270,6 +270,10 @@ $DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
 $DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1
 $DIG $DIGOPTS @$ns4 A a7.tld4 > /dev/null 2>&1

+# regression test for GL #2839
+DIGOPTS="+bufsize=4096 +ignore -p ${PORT}"
+$DIG $DIGOPTS @$ns4 TXT big.tld4 > /dev/null 2>&1
+
 grep "would limit" ns4/named.run >/dev/null 2>&1 ||
 setret "\"would limit\" not found in log file."