The branch, v3-5-test has been updated
       via  b2b8363... s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infite 
windows client loop.
       via  e91e374... s3-lsa: Fix _lsa_EnumTrustDom() and avoid infite windows 
client loop.
       via  1500ee6... s4-smbtorture: test whether an lsa_EnumTrustDom 
implementation would hang up a client.
       via  e669b7a... s3-lsa: make s3 pass against RPC-LSA-LOOKUPNAMES again.
       via  d48513e... nsswitch: fix the build of the winbind krb5 locator 
plugin.
       via  f8706be... s4-smbtorture: fix RPC-LSA-LSALOOKUP test against w2k3 
and w2k8.
      from  df0430e... Turn on LOCK9 test which will test for regressions in 
bug 6828. Jeremy.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit b2b836330c7c75130675354937a5609df54718c0
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 21 02:18:54 2009 +0200

    s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infite windows client loop.
    
    Found by RPC-LSA-TRUSTED-DOMAIN torture test.
    
    Guenther
    (cherry picked from commit 4b6cfbb6d27eea07400d0eacb08b2f69724b19ca)

commit e91e37485290c1c9132009a14488757936dc7e9e
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 21 02:17:32 2009 +0200

    s3-lsa: Fix _lsa_EnumTrustDom() and avoid infite windows client loop.
    
    Found by RPC-LSA-TRUSTED-DOMAIN torture test.
    
    Guenther
    (cherry picked from commit 209a65bc6f783055f3f6a8cea3fb36587d346511)

commit 1500ee66e7b8d4d0644762aebed9be63b7cacb0b
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 21 02:16:32 2009 +0200

    s4-smbtorture: test whether an lsa_EnumTrustDom implementation would hang 
up a client.
    
    Guenther
    (cherry picked from commit 48520b2274638bde88b08361197c1056936bcba0)

commit e669b7a668b529bf239aad1039f3ce7d1e011bc4
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 21 02:45:21 2009 +0200

    s3-lsa: make s3 pass against RPC-LSA-LOOKUPNAMES again.
    
    Do what W2k8 does and return the builtin domain for a NULL name.
    
    Guenther
    (cherry picked from commit 32f2cc448778ec6eeab8bbd42d459f7e57b188ac)

commit d48513e216cf8f9084dcb20454503d161aa232d7
Author: Günther Deschner <g...@samba.org>
Date:   Wed Oct 21 02:44:44 2009 +0200

    nsswitch: fix the build of the winbind krb5 locator plugin.
    
    Guenther
    (cherry picked from commit b9d9353b548d9b2ab684aa171f511174e6414762)

commit f8706bef307b1de684ce91ed2e5ecbda7695db09
Author: Günther Deschner <g...@samba.org>
Date:   Tue Oct 20 23:47:40 2009 +0200

    s4-smbtorture: fix RPC-LSA-LSALOOKUP test against w2k3 and w2k8.
    
    Make sure to split out lsa_LookupName NULL name test so that we can better 
track
    results from bogus names and NULL names.
    
    Guenther
    (cherry picked from commit a4d54875768bbe6bcd019a788081d182ce9d4a80)

-----------------------------------------------------------------------

Summary of changes:
 source3/Makefile.in                 |    2 +-
 source3/rpc_server/srv_lsa_nt.c     |   22 +++++--
 source4/rpc_server/lsa/dcesrv_lsa.c |    9 +++
 source4/torture/rpc/lsa.c           |  117 ++++++++++++++++++++++++++++-------
 4 files changed, 121 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/Makefile.in b/source3/Makefile.in
index cce6e7c..af0f53a 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -2522,7 +2522,7 @@ bin/v...@exeext@: $(BINARY_PREREQS) $(VLP_OBJ) $(LIBTDB)
 
 bin/winbind_krb5_locat...@shlibext@: $(BINARY_PREREQS) 
$(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT)
        @echo "Linking $@"
-       @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) 
$(LIBWBCLIENT_LIBS) \
+       @$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) 
$(LIBWBCLIENT_LIBS) $(KRB5_LIBS) \
                @sonamef...@`basename $...@`
 
 bin/pam_winbi...@shlibext@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) $(LIBTALLOC) 
$(LIBWBCLIENT)
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index eafbd51..a9a4fa5 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -159,12 +159,13 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
 
                /* Split name into domain and user component */
 
-               full_name = name[i].string;
-               if (full_name == NULL) {
-                       prid[i].sid_type        = type;
-                       prid[i].rid             = 0;
-                       prid[i].sid_index       = (uint32_t)-1;
-                       continue;
+               /* follow w2k8 behavior and return the builtin domain when no
+                * input has been passed in */
+
+               if (name[i].string) {
+                       full_name = name[i].string;
+               } else {
+                       full_name = "BUILTIN";
                }
 
                DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
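Review bot: The new `/* follow w2k8 behavior ... */` comment undersells what changed: a NULL name arriving from the wire used to be answered locally with sid_index -1 and a `continue`, and is now resolved as a real domain name through the rest of the loop, which the torture test added in this series documents as a w2k3/w2k8-specific answer (NT4 returns NT_STATUS_NONE_MAPPED instead). That interoperability choice, and the fact that NT4 behaves differently, belongs in the comment, e.g. `/* w2k3/w2k8 resolve a NULL name to the BUILTIN domain (SID_NAME_DOMAIN); NT4 returned NONE_MAPPED. Emulate the newer behaviour so clients probing with a NULL name get the same answer they would from Windows. */`. The loop body continues past the hunk, so whether any other input still reaches the old "unmapped" result cannot be checked here.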
@@ -476,6 +477,15 @@ NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
                return STATUS_MORE_ENTRIES;
        }
 
+       /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+        * always be larger than the previous input resume handle, in
+        * particular when hitting the last query it is vital to set the
+        * resume handle correctly to avoid infinite client loops, as
+        * seen e.g. with Windows XP SP3 when resume handle is 0 and
+        * status is NT_STATUS_OK - gd */
+
+       *r->out.resume_handle = (uint32_t)-1;
+
        return NT_STATUS_OK;
 }
 
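Review bot: `*r->out.resume_handle = (uint32_t)-1;` meets the MS-LSAD "output larger than input" rule only while the input handle is below UINT32_MAX; a client that echoes 0xffffffff back receives an output equal to its input, which the resume-handle check added to test_EnumTrustDom in this same series would reject. The start of _lsa_EnumTrustDom is outside the hunk, so it may already bound the incoming handle against the domain count and return NT_STATUS_NO_MORE_ENTRIES before reaching this point; if it does not, that is where the gap should be closed. Writing the sentinel as `UINT32_MAX` instead of `(uint32_t)-1` would also make the intent obvious at a glance. The identical hunk in source4/rpc_server/lsa/dcesrv_lsa.c below has the same two points.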
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c 
b/source4/rpc_server/lsa/dcesrv_lsa.c
index 3d6352a..cf1a893 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1660,6 +1660,15 @@ static NTSTATUS dcesrv_lsa_EnumTrustDom(struct 
dcesrv_call_state *dce_call, TALL
                return STATUS_MORE_ENTRIES;
        }
 
+       /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+        * always be larger than the previous input resume handle, in
+        * particular when hitting the last query it is vital to set the
+        * resume handle correctly to avoid infinite client loops, as
+        * seen e.g. with Windows XP SP3 when resume handle is 0 and
+        * status is NT_STATUS_OK - gd */
+
+       *r->out.resume_handle = (uint32_t)-1;
+
        return NT_STATUS_OK;
 }
 
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index e4a6a84..710f4c5 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -232,31 +232,19 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
        struct lsa_LookupNames r;
        struct lsa_TransSidArray sids;
        struct lsa_RefDomainList *domains = NULL;
-       struct lsa_String *names;
+       struct lsa_String names[1];
        uint32_t count = 0;
        NTSTATUS status;
-       int i;
-
-       struct lsa_TranslatedName name[2];
-       struct lsa_TransNameArray tnames;
 
-       tnames.names = name;
-       tnames.count = 2;
-       name[0].name.string = "NT AUTHORITY\\BOGUS";
-       name[1].name.string = NULL;
-
-       torture_comment(tctx, "\nTesting LookupNames with bogus names\n");
+       torture_comment(tctx, "\nTesting LookupNames with bogus name\n");
 
        sids.count = 0;
        sids.sids = NULL;
 
-       names = talloc_array(tctx, struct lsa_String, tnames.count);
-       for (i=0;i<tnames.count;i++) {
-               init_lsa_String(&names[i], tnames.names[i].name.string);
-       }
+       init_lsa_String(&names[0], "NT AUTHORITY\\BOGUS");
 
        r.in.handle = handle;
-       r.in.num_names = tnames.count;
+       r.in.num_names = 1;
        r.in.names = names;
        r.in.sids = &sids;
        r.in.level = 1;
@@ -276,6 +264,48 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
        return true;
 }
 
+static bool test_LookupNames_NULL(struct dcerpc_pipe *p,
+                                 struct torture_context *tctx,
+                                 struct policy_handle *handle)
+{
+       struct lsa_LookupNames r;
+       struct lsa_TransSidArray sids;
+       struct lsa_RefDomainList *domains = NULL;
+       struct lsa_String names[1];
+       uint32_t count = 0;
+
+       torture_comment(tctx, "\nTesting LookupNames with NULL name\n");
+
+       sids.count = 0;
+       sids.sids = NULL;
+
+       names[0].string = NULL;
+
+       r.in.handle = handle;
+       r.in.num_names = 1;
+       r.in.names = names;
+       r.in.sids = &sids;
+       r.in.level = 1;
+       r.in.count = &count;
+       r.out.count = &count;
+       r.out.sids = &sids;
+       r.out.domains = &domains;
+
+       /* nt4 returns NT_STATUS_NONE_MAPPED with sid_type
+        * SID_NAME_UNKNOWN, rid 0, and sid_index -1;
+        *
+        * w2k3/w2k8 return NT_STATUS_OK with sid_type
+        * SID_NAME_DOMAIN, rid -1 and sid_index 0 and BUILTIN domain
+        */
+
+       torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames(p, tctx, &r),
+               "LookupNames with NULL name failed");
+
+       torture_comment(tctx, "\n");
+
+       return true;
+}
+
 static bool test_LookupNames_wellknown(struct dcerpc_pipe *p,
                                       struct torture_context *tctx,
                                       struct policy_handle *handle)
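Review bot: The comment above the call says NT4 answers a NULL name with NT_STATUS_NONE_MAPPED, yet `torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames(p, tctx, &r), ...)` turns any non-OK status into a failure, so against NT4 the test fails for exactly the behaviour the comment describes; either accept NONE_MAPPED as well or say so in the comment, e.g. `/* only the w2k3/w2k8 answer is accepted; NT4's NONE_MAPPED counts as a failure */`. The w2k3/w2k8 result listed there (SID_NAME_DOMAIN, rid -1, sid_index 0, BUILTIN domain) is never checked, so any server returning NT_STATUS_OK with an arbitrary payload passes. `names[0].string = NULL;` is the only member of names[0] that is assigned, whereas test_LookupNames_bogus fills the element through init_lsa_String; if lsa_String carries further members they are sent uninitialised here, which zero-initialising the array at its declaration (`struct lsa_String names[1] = {{0}};`) avoids.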
@@ -1996,20 +2026,39 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 {
        struct lsa_EnumTrustDom r;
        NTSTATUS enum_status;
-       uint32_t resume_handle = 0;
+       uint32_t in_resume_handle = 0;
+       uint32_t out_resume_handle;
        struct lsa_DomainList domains;
        bool ret = true;
 
        torture_comment(tctx, "\nTesting EnumTrustDom\n");
 
        r.in.handle = handle;
-       r.in.resume_handle = &resume_handle;
+       r.in.resume_handle = &in_resume_handle;
        r.in.max_size = 0;
        r.out.domains = &domains;
-       r.out.resume_handle = &resume_handle;
+       r.out.resume_handle = &out_resume_handle;
 
        enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
 
+       /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+        * always be larger than the previous input resume handle, in
+        * particular when hitting the last query it is vital to set the
+        * resume handle correctly to avoid infinite client loops, as
+        * seen e.g.  with Windows XP SP3 when resume handle is 0 and
+        * status is NT_STATUS_OK - gd */
+
+       if (NT_STATUS_IS_OK(enum_status) ||
+           NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) ||
+           NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES))
+       {
+               if (out_resume_handle <= in_resume_handle) {
+                       torture_comment(tctx, "EnumTrustDom failed - should 
have returned output resume_handle (0x%08x) larger than input resume handle 
(0x%08x)\n",
+                               out_resume_handle, in_resume_handle);
+                       return false;
+               }
+       }
+
        if (NT_STATUS_IS_OK(enum_status)) {
                if (domains.count == 0) {
                        torture_comment(tctx, "EnumTrustDom failed - should 
have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
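Review bot: `uint32_t out_resume_handle;` is declared without an initialiser, and the last hunk of this function copies it back with `in_resume_handle = out_resume_handle;` on every loop iteration regardless of enum_status, so for any status outside the three checked here an indeterminate value is read; `uint32_t out_resume_handle = 0;` closes that. The resume-handle check together with its six-line comment is then repeated verbatim in the next hunk of test_EnumTrustDom (the loop body); a small static helper keeps the MS-LSAD rule in one place and reduces each call site to a single `if`. test_EnumTrustDom begins before this hunk and ends after it.
```c
/* MS-LSAD 3.1.4.7.8: on NT_STATUS_OK, NT_STATUS_NO_MORE_ENTRIES and
 * STATUS_MORE_ENTRIES the returned resume handle must be larger than the
 * one passed in, otherwise a client (seen with Windows XP SP3) loops
 * forever re-issuing the same query. */
static bool check_resume_handle(struct torture_context *tctx,
				NTSTATUS status,
				uint32_t in_resume_handle,
				uint32_t out_resume_handle)
{
	if (!NT_STATUS_IS_OK(status) &&
	    !NT_STATUS_EQUAL(status, NT_STATUS_NO_MORE_ENTRIES) &&
	    !NT_STATUS_EQUAL(status, STATUS_MORE_ENTRIES)) {
		return true;
	}
	if (out_resume_handle <= in_resume_handle) {
		torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
				out_resume_handle, in_resume_handle);
		return false;
	}
	return true;
}

/* … unchanged: test_EnumTrustDom up to the first dcerpc_lsa_EnumTrustDom call … */
	enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);

	if (!check_resume_handle(tctx, enum_status, in_resume_handle, out_resume_handle)) {
		return false;
	}
/* … unchanged: NT_STATUS_IS_OK / domains.count handling; the loop body uses the same one-line call … */
```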
@@ -2021,17 +2070,35 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
        }
 
        /* Start from the bottom again */
-       resume_handle = 0;
+       in_resume_handle = 0;
 
        do {
                r.in.handle = handle;
-               r.in.resume_handle = &resume_handle;
+               r.in.resume_handle = &in_resume_handle;
                r.in.max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3;
                r.out.domains = &domains;
-               r.out.resume_handle = &resume_handle;
+               r.out.resume_handle = &out_resume_handle;
 
                enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
 
+               /* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+                * always be larger than the previous input resume handle, in
+                * particular when hitting the last query it is vital to set the
+                * resume handle correctly to avoid infinite client loops, as
+                * seen e.g.  with Windows XP SP3 when resume handle is 0 and
+                * status is NT_STATUS_OK - gd */
+
+               if (NT_STATUS_IS_OK(enum_status) ||
+                   NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) ||
+                   NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES))
+               {
+                       if (out_resume_handle <= in_resume_handle) {
+                               torture_comment(tctx, "EnumTrustDom failed - 
should have returned output resume_handle (0x%08x) larger than input resume 
handle (0x%08x)\n",
+                                       out_resume_handle, in_resume_handle);
+                               return false;
+                       }
+               }
+
                /* NO_MORE_ENTRIES is allowed */
                if (NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES)) {
                        if (domains.count == 0) {
@@ -2060,6 +2127,8 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 
                ret &= test_query_each_TrustDom(p, tctx, handle, &domains);
 
+               in_resume_handle = out_resume_handle;
+
        } while ((NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)));
 
        return ret;
@@ -2768,6 +2837,10 @@ static bool testcase_LookupNames(struct torture_context 
*tctx,
                ret = false;
        }
 
+       if (!test_LookupNames_NULL(p, tctx, handle)) {
+               ret = false;
+       }
+
        if (!test_LookupNames_bogus(p, tctx, handle)) {
                ret = false;
        }


-- 
Samba Shared Repository
