r275: added IDL and test code for samr_QueryDisplayInfo3(),

samr_AddMultipleMembersToAlias(),
samr_RemoveMultipleMembersFromAlias(), samr_OemChangePasswordUser2(),
and samr_ChangePasswordUser2()

The password change functions don't actually work yet (but should
soon). At this stage I have just completed the IDL for them. Next step
is to get the hash verifiers right and the torture test should be able
to do password changes.
(This used to be commit 849d0d314a2add80f2b2be6b503fea05973f998e)

1 files changed, 77 insertions, 14 deletions

diff --git a/source4/torture/rpc/autoidl.c b/source4/torture/rpc/autoidl.c
index 5f89970d17..31359b4baf 100644
--- a/source4/torture/rpc/autoidl.c
+++ b/source4/torture/rpc/autoidl.c
@@ -74,9 +74,56 @@ static void reopen(struct dcerpc_pipe **p, const struct dcerpc_interface_table *
 	}
 }
 
+static void print_depth(int depth)
+{
+	int i;
+	for (i=0;i<depth;i++) {
+		printf("    ");
+	}
+}
 
 static void test_ptr_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface, 
-			  int opnum, int min_in)
+			  int opnum, DATA_BLOB *base_in, int min_ofs, int max_ofs, int depth);
+
+static void try_expand(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface, 
+		       int opnum, DATA_BLOB *base_in, int insert_ofs, int depth)
+{
+	DATA_BLOB stub_in, stub_out;
+	int n;
+	NTSTATUS status;
+	struct dcerpc_pipe *p = NULL;
+
+	reopen(&p, iface);
+
+	/* work out how much to expand to get a non fault */
+	for (n=0;n<2000;n++) {
+		stub_in = data_blob(NULL, base_in->length + n);
+		data_blob_clear(&stub_in);
+		memcpy(stub_in.data, base_in->data, insert_ofs);
+		memcpy(stub_in.data+insert_ofs+n, base_in->data+insert_ofs, base_in->length-insert_ofs);
+
+		status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
+
+		if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+			print_depth(depth);
+			printf("expand by %d gives %s\n", n, nt_errstr(status));
+			if (n >= 4) {
+				test_ptr_scan(mem_ctx, iface, opnum, &stub_in, 
+					      insert_ofs, insert_ofs+n, depth+1);
+			}
+			return;
+		}
+		if (p->last_fault_code == 5) {
+			reopen(&p, iface);
+		}
+	}
+
+	dcerpc_pipe_close(p);	
+}
+
+
+static void test_ptr_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface, 
+			  int opnum, DATA_BLOB *base_in, int min_ofs, int max_ofs, int depth)
 {
 	DATA_BLOB stub_in, stub_out;
 	int ofs;
@@ -85,24 +132,30 @@ static void test_ptr_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_tab
 
 	reopen(&p, iface);
 
-	stub_in = data_blob(NULL, min_in);
-	data_blob_clear(&stub_in);
+	stub_in = data_blob(NULL, base_in->length);
+	memcpy(stub_in.data, base_in->data, base_in->length);
 
-	/* work out the minimum amount of input data */
-	for (ofs=0;ofs<min_in;ofs+=4) {
+	/* work out which elements are pointers */
+	for (ofs=min_ofs;ofs<=max_ofs-4;ofs+=4) {
 		SIVAL(stub_in.data, ofs, 1);
 		status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
-		SIVAL(stub_in.data, ofs, 0);
 
 		if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
-			printf("opnum %d ofs %d size %d fault 0x%08x\n", 
-			       opnum, ofs, min_in, p->last_fault_code);
+			print_depth(depth);
+			printf("possible ptr at ofs %d - fault 0x%08x\n", 
+			       ofs-min_ofs, p->last_fault_code);
 			if (p->last_fault_code == 5) {
 				reopen(&p, iface);
 			}
+			if (depth == 0) {
+				try_expand(mem_ctx, iface, opnum, &stub_in, ofs+4, depth+1);
+			} else {
+				try_expand(mem_ctx, iface, opnum, &stub_in, max_ofs, depth+1);
+			}
+			SIVAL(stub_in.data, ofs, 0);
 			continue;
 		}
-		printf("opnum %d  ofs %d error %s\n", opnum, ofs, nt_errstr(status));
+		SIVAL(stub_in.data, ofs, 0);
 	}
 
 	dcerpc_pipe_close(p);	
@@ -126,9 +179,6 @@ static void test_scan_call(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_ta
 		stub_in = data_blob(NULL, i);
 		data_blob_clear(&stub_in);
 
-#if 1
-		fill_blob_handle(&stub_in, mem_ctx, &handle);
-#endif
 
 		status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
 
@@ -137,7 +187,20 @@ static void test_scan_call(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_ta
 			       opnum, stub_in.length, stub_out.length);
 			dump_data(0, stub_out.data, stub_out.length);
 			dcerpc_pipe_close(p);
-			test_ptr_scan(mem_ctx, iface, opnum, stub_in.length);
+			test_ptr_scan(mem_ctx, iface, opnum, &stub_in, 0, stub_in.length, 0);
+			return;
+		}
+
+		fill_blob_handle(&stub_in, mem_ctx, &handle);
+
+		status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
+
+		if (NT_STATUS_IS_OK(status)) {
+			printf("opnum %d   min_input %d - output %d (with handle)\n", 
+			       opnum, stub_in.length, stub_out.length);
+			dump_data(0, stub_out.data, stub_out.length);
+			dcerpc_pipe_close(p);
+			test_ptr_scan(mem_ctx, iface, opnum, &stub_in, 0, stub_in.length, 0);
 			return;
 		}
 
@@ -159,7 +222,7 @@ static void test_scan_call(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_ta
 
 static void test_auto_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface)
 {
-	test_scan_call(mem_ctx, iface, 0x26);
+	test_scan_call(mem_ctx, iface, 0x37);
 }
 
 BOOL torture_rpc_autoidl(int dummy)