Merge branch '3619-serve-stale-client-timeout-crash-test' into 'main'

[CVE-2022-3924] Add a reproducer for the serve-stale crash when recursive clients soft quota is reached

Closes #3619

See merge request isc-projects/bind9!7575

bin/tests/system/serve-stale/ans2/ans.pl

@@ -100,6 +100,12 @@ sub reply_handler {
     # If we are not responding to queries we are done.
     return if (!$send_response);
 
+    if (index($qname, "latency") == 0) {
+        # simulate network latency before answering
+        print "  Sleeping 50 milliseconds\n";
+        select(undef, undef, undef, 0.05);
+    }
+
     # Construct the response and send it.
     if ($qname eq "ns.example" ) {
 	if ($qtype eq "A") {

bin/tests/system/serve-stale/ns3/named2.conf.in

@@ -39,6 +39,7 @@ options {
 	stale-answer-ttl 3;
 	stale-refresh-time 0;
 	stale-answer-client-timeout 1800; # 1.8 seconds
+	recursive-clients 10; # CVE-2022-3924
 	max-stale-ttl 3600;
 	resolver-query-timeout 30000; # 30 seconds
 };

bin/tests/system/serve-stale/tests.sh

@@ -1781,6 +1781,25 @@ grep "ANSWER: 1," dig.out.test$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; fi
 status=$((status+ret))
 
+# CVE-2022-3924, GL #3619
+n=$((n+1))
+echo_i "check that named survives reaching recursive-clients quota (stale-answer-client-timeout 1.8) ($n)"
+ret=0
+num=0
+# Make sure to exceed the configured value of 'recursive-clients 10;' by running
+# 20 parallel queries with simulated network latency.
+while [ $num -lt 20 ]; do
+    $DIG +tries=1 -p ${PORT} @10.53.0.3 "latency${num}.data.example" TXT >/dev/null 2>&1 &
+    num=$((num+1))
+done;
+_dig_data() {
+    $DIG -p ${PORT} @10.53.0.3 data.example TXT >dig.out.test$n || return 1
+    grep "status: NOERROR" dig.out.test$n > /dev/null || return 1
+}
+retry_quiet 5 _dig_data || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; fi
+status=$((status+ret))
+
 #############################################
 # Test for stale-answer-client-timeout off. #
 #############################################