The branch, v3-5-test has been updated via b2b8363... s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infite windows client loop. via e91e374... s3-lsa: Fix _lsa_EnumTrustDom() and avoid infite windows client loop. via 1500ee6... s4-smbtorture: test whether an lsa_EnumTrustDom implementation would hang up a client. via e669b7a... s3-lsa: make s3 pass against RPC-LSA-LOOKUPNAMES again. via d48513e... nsswitch: fix the build of the winbind krb5 locator plugin. via f8706be... s4-smbtorture: fix RPC-LSA-LSALOOKUP test against w2k3 and w2k8. from df0430e... Turn on LOCK9 test which will test for regressions in bug 6828. Jeremy.
http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test - Log ----------------------------------------------------------------- commit b2b836330c7c75130675354937a5609df54718c0 Author: Günther Deschner <g...@samba.org> Date: Wed Oct 21 02:18:54 2009 +0200 s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infite windows client loop. Found by RPC-LSA-TRUSTED-DOMAIN torture test. Guenther (cherry picked from commit 4b6cfbb6d27eea07400d0eacb08b2f69724b19ca) commit e91e37485290c1c9132009a14488757936dc7e9e Author: Günther Deschner <g...@samba.org> Date: Wed Oct 21 02:17:32 2009 +0200 s3-lsa: Fix _lsa_EnumTrustDom() and avoid infite windows client loop. Found by RPC-LSA-TRUSTED-DOMAIN torture test. Guenther (cherry picked from commit 209a65bc6f783055f3f6a8cea3fb36587d346511) commit 1500ee66e7b8d4d0644762aebed9be63b7cacb0b Author: Günther Deschner <g...@samba.org> Date: Wed Oct 21 02:16:32 2009 +0200 s4-smbtorture: test whether an lsa_EnumTrustDom implementation would hang up a client. Guenther (cherry picked from commit 48520b2274638bde88b08361197c1056936bcba0) commit e669b7a668b529bf239aad1039f3ce7d1e011bc4 Author: Günther Deschner <g...@samba.org> Date: Wed Oct 21 02:45:21 2009 +0200 s3-lsa: make s3 pass against RPC-LSA-LOOKUPNAMES again. Do what W2k8 does and return the builtin domain for a NULL name. Guenther (cherry picked from commit 32f2cc448778ec6eeab8bbd42d459f7e57b188ac) commit d48513e216cf8f9084dcb20454503d161aa232d7 Author: Günther Deschner <g...@samba.org> Date: Wed Oct 21 02:44:44 2009 +0200 nsswitch: fix the build of the winbind krb5 locator plugin. Guenther (cherry picked from commit b9d9353b548d9b2ab684aa171f511174e6414762) commit f8706bef307b1de684ce91ed2e5ecbda7695db09 Author: Günther Deschner <g...@samba.org> Date: Tue Oct 20 23:47:40 2009 +0200 s4-smbtorture: fix RPC-LSA-LSALOOKUP test against w2k3 and w2k8. Make sure to split out lsa_LookupName NULL name test so that we can better track results from bogus names and NULL names. 
Guenther (cherry picked from commit a4d54875768bbe6bcd019a788081d182ce9d4a80)
-----------------------------------------------------------------------
Summary of changes:
 source3/Makefile.in | 2 +-
 source3/rpc_server/srv_lsa_nt.c | 22 +++++--
 source4/rpc_server/lsa/dcesrv_lsa.c | 9 +++
 source4/torture/rpc/lsa.c | 117 ++++++++++++++++++++++++++++-------
 4 files changed, 121 insertions(+), 29 deletions(-)
Changeset truncated at 500 lines:
diff --git a/source3/Makefile.in b/source3/Makefile.in
index cce6e7c..af0f53a 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -2522,7 +2522,7 @@ bin/v...@exeext@: $(BINARY_PREREQS) $(VLP_OBJ) $(LIBTDB)
 
 bin/winbind_krb5_locat...@shlibext@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT)
 @echo "Linking $@"
- @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT_LIBS) \
+ @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT_LIBS) $(KRB5_LIBS) \
 @sonamef...@`basename $...@`
 
 bin/pam_winbi...@shlibext@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) $(LIBTALLOC) $(LIBWBCLIENT)
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index eafbd51..a9a4fa5 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -159,12 +159,13 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
 
 /* Split name into domain and user component */
 
- full_name = name[i].string;
- if (full_name == NULL) {
- prid[i].sid_type = type;
- prid[i].rid = 0;
- prid[i].sid_index = (uint32_t)-1;
- continue;
+ /* follow w2k8 behavior and return the builtin domain when no
+ * input has been passed in */
+
+ if (name[i].string) {
+ full_name = name[i].string;
+ } else {
+ full_name = "BUILTIN";
 }
 
 DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
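Review bot: The fallback `full_name = "BUILTIN";` turns a NULL name into a lookup of the literal string "BUILTIN", and whether that resolves to the BUILTIN domain itself (sid_type SID_NAME_DOMAIN, sid_index 0 — the w2k8 behaviour the comment cites) depends on how the lookup code below the hunk treats a bare domain name; the hunk only shows the substitution. The old explicit-unmapped result (rid 0, sid_index -1, then `continue`) is gone, so a caller that used to see an unmapped entry for NULL now gets a mapped domain SID — intended, but the comment should say so and should also note that only NULL is remapped, since `if (name[i].string)` lets an empty string "" through the normal path: `/* NULL (not "") maps to the BUILTIN domain, as w2k8 does; "" still goes through the normal lookup */`. lookup_lsa_rids() begins and ends outside the hunk.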
@@ -476,6 +477,15 @@ NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
 return STATUS_MORE_ENTRIES;
 }
 
+ /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+ * always be larger than the previous input resume handle, in
+ * particular when hitting the last query it is vital to set the
+ * resume handle correctly to avoid infinite client loops, as
+ * seen e.g. with Windows XP SP3 when resume handle is 0 and
+ * status is NT_STATUS_OK - gd */
+
+ *r->out.resume_handle = (uint32_t)-1;
+
 return NT_STATUS_OK;
 }
 
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 3d6352a..cf1a893 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1660,6 +1660,15 @@ static NTSTATUS dcesrv_lsa_EnumTrustDom(struct dcesrv_call_state *dce_call, TALL
 return STATUS_MORE_ENTRIES;
 }
 
+ /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+ * always be larger than the previous input resume handle, in
+ * particular when hitting the last query it is vital to set the
+ * resume handle correctly to avoid infinite client loops, as
+ * seen e.g. with Windows XP SP3 when resume handle is 0 and
+ * status is NT_STATUS_OK - gd */
+
+ *r->out.resume_handle = (uint32_t)-1;
+
 return NT_STATUS_OK;
 }
 
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index e4a6a84..710f4c5 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
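Review bot: `*r->out.resume_handle = (uint32_t)-1;` hands every client an end marker that it will send back as the input resume handle on any follow-up call, and the code above this hunk that consumes the input handle as an enumeration offset is not visible here; since the handle is client-controlled, that consumer must treat 0xFFFFFFFF as past-the-end and answer NT_STATUS_NO_MORE_ENTRIES rather than feed it into index arithmetic. The new torture check also requires out > in for NT_STATUS_NO_MORE_ENTRIES, and any NO_MORE_ENTRIES return earlier in _lsa_EnumTrustDom() is outside the hunk, so it is worth confirming that path sets the handle too. I would name the sentinel instead of repeating the cast, `#define LSA_ENUM_TRUST_DOM_DONE ((uint32_t)-1)`, and trim the six-line comment to the MS-LSAD reference plus the XP SP3 symptom. _lsa_EnumTrustDom() begins outside the hunk.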
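Review bot: The end-of-enumeration sentinel and the identical six-line comment in dcesrv_lsa_EnumTrustDom() are now a verbatim copy of the source3 change in the same commit, so the two servers can drift the next time one of them is touched; a named constant (`#define LSA_ENUM_TRUST_DOM_DONE ((uint32_t)-1)`) with a one-line `/* MS-LSAD 3.1.4.7.8: the returned handle must exceed the input handle, even on the last page */` would keep them aligned. As on the s3 side, the input resume handle is client-supplied and 0xFFFFFFFF will come back on the next call, so the consumer above this hunk (not visible) needs to reject it as past-the-end instead of indexing with it. dcesrv_lsa_EnumTrustDom() begins outside the hunk.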
@@ -232,31 +232,19 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
 struct lsa_LookupNames r;
 struct lsa_TransSidArray sids;
 struct lsa_RefDomainList *domains = NULL;
- struct lsa_String *names;
+ struct lsa_String names[1];
 uint32_t count = 0;
 NTSTATUS status;
- int i;
-
- struct lsa_TranslatedName name[2];
- struct lsa_TransNameArray tnames;
- tnames.names = name;
- tnames.count = 2;
- name[0].name.string = "NT AUTHORITY\\BOGUS";
- name[1].name.string = NULL;
-
- torture_comment(tctx, "\nTesting LookupNames with bogus names\n");
+ torture_comment(tctx, "\nTesting LookupNames with bogus name\n");
 
 sids.count = 0;
 sids.sids = NULL;
 
- names = talloc_array(tctx, struct lsa_String, tnames.count);
- for (i=0;i<tnames.count;i++) {
- init_lsa_String(&names[i], tnames.names[i].name.string);
- }
+ init_lsa_String(&names[0], "NT AUTHORITY\\BOGUS");
 
 r.in.handle = handle;
- r.in.num_names = tnames.count;
+ r.in.num_names = 1;
 r.in.names = names;
 r.in.sids = &sids;
 r.in.level = 1;
@@ -276,6 +264,48 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
 return true;
 }
 
+static bool test_LookupNames_NULL(struct dcerpc_pipe *p,
+ struct torture_context *tctx,
+ struct policy_handle *handle)
+{
+ struct lsa_LookupNames r;
+ struct lsa_TransSidArray sids;
+ struct lsa_RefDomainList *domains = NULL;
+ struct lsa_String names[1];
+ uint32_t count = 0;
+
+ torture_comment(tctx, "\nTesting LookupNames with NULL name\n");
+
+ sids.count = 0;
+ sids.sids = NULL;
+
+ names[0].string = NULL;
+
+ r.in.handle = handle;
+ r.in.num_names = 1;
+ r.in.names = names;
+ r.in.sids = &sids;
+ r.in.level = 1;
+ r.in.count = &count;
+ r.out.count = &count;
+ r.out.sids = &sids;
+ r.out.domains = &domains;
+
+ /* nt4 returns NT_STATUS_NONE_MAPPED with sid_type
+ * SID_NAME_UNKNOWN, rid 0, and sid_index -1;
+ *
+ * w2k3/w2k8 return NT_STATUS_OK with sid_type
+ * SID_NAME_DOMAIN, rid -1 and sid_index 0 and BUILTIN domain
+ */
+
+ torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames(p, tctx, &r),
+ "LookupNames with NULL name failed");
+
+ torture_comment(tctx, "\n");
+
+ return true;
+}
+
 static bool test_LookupNames_wellknown(struct dcerpc_pipe *p,
 struct torture_context *tctx,
 struct policy_handle *handle)
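Review bot: The `torture_assert_ntstatus_ok(...)` in test_LookupNames_NULL() contradicts the comment just above it: NT4 is documented there as returning NT_STATUS_NONE_MAPPED for a NULL name, so the test fails against a server the comment itself calls valid, while for w2k3/w2k8 it only checks the status and never the documented result (SID_NAME_DOMAIN, sid_index 0, BUILTIN domain) — which is exactly what the companion source3 change in this commit is meant to produce. I would capture the status (declare `NTSTATUS status;` with the other locals, as test_LookupNames_bogus does), accept NONE_MAPPED as the NT4 case, and otherwise assert on sids.count and sids.sids[0]; a check of the referenced domain name against domains->domains[0] is worth adding as well if the struct layout allows it (not visible here). `names[0].string = NULL;` bypasses init_lsa_String(), which the bogus-name test uses; presumably deliberate, but a short comment would say so.
```c
	/* … unchanged: r.in / r.out setup … */

	/* nt4: NONE_MAPPED with SID_NAME_UNKNOWN, rid 0, sid_index -1;
	 * w2k3/w2k8 (and what the s3 change aims at): OK with
	 * SID_NAME_DOMAIN, sid_index 0 pointing at the BUILTIN domain */
	status = dcerpc_lsa_LookupNames(p, tctx, &r);
	if (NT_STATUS_EQUAL(status, NT_STATUS_NONE_MAPPED)) {
		torture_comment(tctx, "\n");
		return true;
	}
	torture_assert_ntstatus_ok(tctx, status,
		"LookupNames with NULL name failed");
	torture_assert_int_equal(tctx, sids.count, 1,
		"expected exactly one translated sid for NULL name");
	torture_assert_int_equal(tctx, sids.sids[0].sid_type, SID_NAME_DOMAIN,
		"NULL name should map to a domain sid");
	torture_assert_int_equal(tctx, sids.sids[0].sid_index, 0,
		"NULL name should reference the first (BUILTIN) domain");
```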
@@ -1996,20 +2026,39 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 {
 struct lsa_EnumTrustDom r;
 NTSTATUS enum_status;
- uint32_t resume_handle = 0;
+ uint32_t in_resume_handle = 0;
+ uint32_t out_resume_handle;
 struct lsa_DomainList domains;
 bool ret = true;
 
 torture_comment(tctx, "\nTesting EnumTrustDom\n");
 
 r.in.handle = handle;
- r.in.resume_handle = &resume_handle;
+ r.in.resume_handle = &in_resume_handle;
 r.in.max_size = 0;
 r.out.domains = &domains;
- r.out.resume_handle = &resume_handle;
+ r.out.resume_handle = &out_resume_handle;
 
 enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
 
+ /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+ * always be larger than the previous input resume handle, in
+ * particular when hitting the last query it is vital to set the
+ * resume handle correctly to avoid infinite client loops, as
+ * seen e.g. with Windows XP SP3 when resume handle is 0 and
+ * status is NT_STATUS_OK - gd */
+
+ if (NT_STATUS_IS_OK(enum_status) ||
+ NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) ||
+ NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES))
+ {
+ if (out_resume_handle <= in_resume_handle) {
+ torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
+ out_resume_handle, in_resume_handle);
+ return false;
+ }
+ }
+
 if (NT_STATUS_IS_OK(enum_status)) {
 if (domains.count == 0) {
 torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
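Review bot: `uint32_t out_resume_handle;` is left uninitialised and then read in the new `out_resume_handle <= in_resume_handle` comparison; the comparison only runs after one of the three success statuses, where the stub will normally have filled it, but nothing in the hunk guarantees that, and `uint32_t out_resume_handle = 0;` removes the indeterminate read for free. The six-line comment is lifted verbatim from the server; in a test one line says the same, `/* MS-LSAD 3.1.4.7.8: out resume handle must exceed in handle on OK/NO_MORE_ENTRIES/MORE_ENTRIES, or XP SP3 loops forever */`. Note the check now also fails a server that answers NT_STATUS_NO_MORE_ENTRIES with the handle unchanged, which is stricter than the status-only check that follows; that is presumably intended by the spec reference but deserves a word. test_EnumTrustDom() continues past the hunk.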
@@ -2021,17 +2070,35 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 }
 
 /* Start from the bottom again */
- resume_handle = 0;
+ in_resume_handle = 0;
 
 do {
 r.in.handle = handle;
- r.in.resume_handle = &resume_handle;
+ r.in.resume_handle = &in_resume_handle;
 r.in.max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3;
 r.out.domains = &domains;
- r.out.resume_handle = &resume_handle;
+ r.out.resume_handle = &out_resume_handle;
 
 enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
 
+ /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+ * always be larger than the previous input resume handle, in
+ * particular when hitting the last query it is vital to set the
+ * resume handle correctly to avoid infinite client loops, as
+ * seen e.g. with Windows XP SP3 when resume handle is 0 and
+ * status is NT_STATUS_OK - gd */
+
+ if (NT_STATUS_IS_OK(enum_status) ||
+ NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) ||
+ NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES))
+ {
+ if (out_resume_handle <= in_resume_handle) {
+ torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
+ out_resume_handle, in_resume_handle);
+ return false;
+ }
+ }
+
 /* NO_MORE_ENTRIES is allowed */
 if (NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES)) {
 if (domains.count == 0) {
@@ -2060,6 +2127,8 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 
 ret &= test_query_each_TrustDom(p, tctx, handle, &domains);
 
+ in_resume_handle = out_resume_handle;
+
 } while ((NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)));
 
 return ret;
@@ -2768,6 +2837,10 @@ static bool testcase_LookupNames(struct torture_context *tctx,
 ret = false;
 }
 
+ if (!test_LookupNames_NULL(p, tctx, handle)) {
+ ret = false;
+ }
+
 if (!test_LookupNames_bogus(p, tctx, handle)) {
 ret = false;
 }
--
Samba Shared Repository
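Review bot: The resume-handle check and its six-line comment now appear twice in test_EnumTrustDom() (here inside the do-loop and on the first call above this hunk), so any fix to the condition or the message has to be made in two places; a small static helper keeps one copy and makes the loop body readable again. I would add `check_resume_handle()` above test_EnumTrustDom() and replace both blocks with `if (!check_resume_handle(tctx, enum_status, in_resume_handle, out_resume_handle)) { return false; }`. The `in_resume_handle = out_resume_handle;` at the bottom of the loop is what actually pages forward, and a one-line `/* continue from the handle the server returned */` would stop someone from collapsing the two variables back into one. test_EnumTrustDom() begins outside the hunk.
```c
/* MS-LSAD 3.1.4.7.8: on OK/NO_MORE_ENTRIES/MORE_ENTRIES the returned resume
 * handle must exceed the one we passed in, or clients such as XP SP3 loop
 * forever. Returns false (after logging) when the server got it wrong. */
static bool check_resume_handle(struct torture_context *tctx,
				NTSTATUS enum_status,
				uint32_t in_resume_handle,
				uint32_t out_resume_handle)
{
	if (!NT_STATUS_IS_OK(enum_status) &&
	    !NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) &&
	    !NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) {
		/* some other failure; the caller reports it */
		return true;
	}
	if (out_resume_handle <= in_resume_handle) {
		torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
				out_resume_handle, in_resume_handle);
		return false;
	}
	return true;
}

/* … unchanged: first-call setup in test_EnumTrustDom … */
		enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);

		if (!check_resume_handle(tctx, enum_status,
					 in_resume_handle, out_resume_handle)) {
			return false;
		}
/* … unchanged: NO_MORE_ENTRIES / OK handling, test_query_each_TrustDom … */
```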