Merge branch '3112-test-lingering-tcp-sockets-in-closewait' into 'main'

[CVE-2022-0396] Add system test lingering CLOSE_WAIT TCP sockets

Closes #3112

See merge request isc-projects/bind9!6046

.reuse/dep5

@@ -47,16 +47,8 @@ Files: **/*.after*
        bin/tests/system/journal/ns2/managed-keys.bind.in
        bin/tests/system/journal/ns2/managed-keys.bind.jnl.in
        bin/tests/system/keepalive/expected
-       bin/tests/system/legacy/ns10/named.ednsrefused
-       bin/tests/system/legacy/ns2/named.dropedns
-       bin/tests/system/legacy/ns3/named.dropedns
-       bin/tests/system/legacy/ns3/named.notcp
-       bin/tests/system/legacy/ns5/named.notcp
        bin/tests/system/legacy/ns6/edns512.db.signed
        bin/tests/system/legacy/ns7/edns512-notcp.db.signed
-       bin/tests/system/legacy/ns7/named.notcp
-       bin/tests/system/legacy/ns8/named.ednsformerr
-       bin/tests/system/legacy/ns9/named.ednsnotimp
        bin/tests/system/nsupdate/commandlist
        bin/tests/system/nsupdate/verylarge.in
        bin/tests/system/org.isc.bind.system.plist
@@ -139,6 +131,16 @@ Files: **/.clang-format
        **/.gitattributes
        **/.gitignore
        **/named*.args
+       **/named.dropedns
+       **/named.ednsformerr
+       **/named.ednsnotimp
+       **/named.ednsrefused
+       **/named.maxudp1460
+       **/named.maxudp512
+       **/named.noaa
+       **/named.noedns
+       **/named.nosoa
+       **/named.notcp
        **/startme
        .clang-format
        .clang-format.headers

bin/tests/system/tcp/ns7/named.dropedns

@@ -0,0 +1 @@
+dropedns

bin/tests/system/tcp/tests-tcp.py

@@ -27,9 +27,8 @@ import dns.query
 TIMEOUT = 10
 
 
-def create_msg(qname, qtype):
+def create_msg(qname, qtype, edns=-1):
-    msg = dns.message.make_query(qname, qtype, want_dnssec=True,
+    msg = dns.message.make_query(qname, qtype, use_edns=edns)
-                                 use_edns=0, payload=4096)
     return msg
 
 
@@ -87,3 +86,36 @@ def test_tcp_garbage_response(named_port):
                 (response, rtime) = dns.query.receive_tcp(sock, timeout())
             except ConnectionError as e:
                 raise EOFError from e
+
+
+# Regression test for CVE-2022-0396
+def test_close_wait(named_port):
+    with create_socket("10.53.0.7", named_port) as sock:
+
+        msg = create_msg("a.example.", "A")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())
+
+        msg = dns.message.make_query("a.example.", "A", use_edns=0,
+                                     payload=1232)
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+
+        # Shutdown the socket, but ignore the other side closing the socket
+        # first because we sent DNS message with EDNS0
+        try:
+            sock.shutdown(socket.SHUT_RDWR)
+        except ConnectionError:
+            pass
+        except OSError:
+            pass
+
+    # BIND allows one TCP client, the part above sends DNS messaage with EDNS0
+    # after the first query. BIND should react adequately because of
+    # ns7/named.dropedns and close the socket, making room for the next
+    # request. If it gets stuck in CLOSE_WAIT state, there is no connection
+    # available for the query below and it will time out.
+    with create_socket("10.53.0.7", named_port) as sock:
+
+        msg = create_msg("a.example.", "A")
+        (sbytes, stime) = dns.query.send_tcp(sock, msg, timeout())
+        (response, rtime) = dns.query.receive_tcp(sock, timeout())