Merge branch '3112-test-lingering-tcp-sockets-in-closewait' into 'main'

[CVE-2022-0396] Add system test lingering CLOSE_WAIT TCP sockets Closes #3112 See merge request isc-projects/bind9!6046
2025-08-31 06:25:31 +00:00 · 2022-04-07 16:06:21 +00:00
parent 180f77dd9c b6eb31a0e3
commit e58d8f2acb
3 changed files with 46 additions and 11 deletions
--- a/.reuse/dep5
+++ b/.reuse/dep5
@@ -47,16 +47,8 @@ Files: **/*.after*
       bin/tests/system/journal/ns2/managed-keys.bind.in
       bin/tests/system/journal/ns2/managed-keys.bind.jnl.in
       bin/tests/system/keepalive/expected
-       bin/tests/system/legacy/ns10/named.ednsrefused
-       bin/tests/system/legacy/ns2/named.dropedns
-       bin/tests/system/legacy/ns3/named.dropedns
-       bin/tests/system/legacy/ns3/named.notcp
-       bin/tests/system/legacy/ns5/named.notcp
       bin/tests/system/legacy/ns6/edns512.db.signed
       bin/tests/system/legacy/ns7/edns512-notcp.db.signed
-       bin/tests/system/legacy/ns7/named.notcp
-       bin/tests/system/legacy/ns8/named.ednsformerr
-       bin/tests/system/legacy/ns9/named.ednsnotimp
       bin/tests/system/nsupdate/commandlist
       bin/tests/system/nsupdate/verylarge.in
       bin/tests/system/org.isc.bind.system.plist
@@ -139,6 +131,16 @@ Files: **/.clang-format
       **/.gitattributes
       **/.gitignore
       **/named*.args
+       **/named.dropedns
+       **/named.ednsformerr
+       **/named.ednsnotimp
+       **/named.ednsrefused
+       **/named.maxudp1460
+       **/named.maxudp512
+       **/named.noaa
+       **/named.noedns
+       **/named.nosoa
+       **/named.notcp
       **/startme
       .clang-format
       .clang-format.headers
--- a/bin/tests/system/tcp/ns7/named.dropedns
+++ b/bin/tests/system/tcp/ns7/named.dropedns
@@ -0,0 +1 @@
+dropedns
--- a/bin/tests/system/tcp/tests-tcp.py
+++ b/bin/tests/system/tcp/tests-tcp.py
@@ -27,9 +27,8 @@ import dns.query
 TIMEOUT = 10


-def create_msg(qname, qtype):
-    msg = dns.message.make_query(qname, qtype, want_dnssec=True,
-                                 use_edns=0, payload=4096)
+def create_msg(qname, qtype, edns=-1):
+    msg = dns.message.make_query(qname, qtype, use_edns=edns)
    return msg


@@ -87,3 +86,36 @@ def test_tcp_garbage_response(named_port):
                (response, rtime) = dns.query.receive_tcp(sock, timeout())
            except ConnectionError as e:
                raise EOFError from e
+
+
+# Regression test for CVE-2022-0396
+def test_close_wait(named_port):
+    with create_socket("10.53.0.7", named_port) as sock:
+
+        msg = create_msg("a.example.", "A")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        msg = dns.message.make_query("a.example.", "A", use_edns=0,
+                                     payload=1232)
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+        # Shutdown the socket, but ignore the other side closing the socket
+        # first because we sent DNS message with EDNS0
+        try:
+            sock.shutdown(socket.SHUT_RDWR)
+        except ConnectionError:
+            pass
+        except OSError:
+            pass
+
+    # BIND allows one TCP client, the part above sends DNS messaage with EDNS0
+    # after the first query. BIND should react adequately because of
+    # ns7/named.dropedns and close the socket, making room for the next
+    # request. If it gets stuck in CLOSE_WAIT state, there is no connection
+    # available for the query below and it will time out.
+    with create_socket("10.53.0.7", named_port) as sock:
+
+        msg = create_msg("a.example.", "A")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())