diff options
author | Volker Lendecke <vl@samba.org> | 2008-11-03 15:25:02 +0100 |
---|---|---|
committer | Volker Lendecke <vl@samba.org> | 2008-11-04 09:41:15 +0100 |
commit | 0953688012dcacca5b28a19c7a2d8393428ca151 (patch) | |
tree | 43d0266ce1c2a3a29bac2ba0adde5251b53b8444 /source4 | |
parent | d98e48c7cb5a5f2765afa874f09ec3e6cf4dd7a5 (diff) | |
download | samba-0953688012dcacca5b28a19c7a2d8393428ca151.tar.gz samba-0953688012dcacca5b28a19c7a2d8393428ca151.tar.bz2 samba-0953688012dcacca5b28a19c7a2d8393428ca151.zip |
Trigger (and fix) a bug in Samba3 making smbd an infinite data source
A deferred open directly followed by a ulogoffX makes smbd3 send an infinite
stream of ERRinvuid replies :-(
Diffstat (limited to 'source4')
-rw-r--r-- | source4/torture/raw/raw.c | 1 | ||||
-rw-r--r-- | source4/torture/raw/samba3misc.c | 80 |
2 files changed, 81 insertions, 0 deletions
diff --git a/source4/torture/raw/raw.c b/source4/torture/raw/raw.c index 0a7fc3ebfd..138f263106 100644 --- a/source4/torture/raw/raw.c +++ b/source4/torture/raw/raw.c @@ -71,6 +71,7 @@ NTSTATUS torture_raw_init(void) torture_suite_add_simple_test(suite, "SAMBA3ROOTDIRFID", torture_samba3_rootdirfid); torture_suite_add_simple_test(suite, "SAMBA3CHECKFSP", torture_samba3_checkfsp); + torture_suite_add_simple_test(suite, "SAMBA3OPLOCKLOGOFF", torture_samba3_oplock_logoff); torture_suite_add_simple_test(suite, "SAMBA3BADPATH", torture_samba3_badpath); torture_suite_add_simple_test(suite, "SAMBA3CASEINSENSITIVE", torture_samba3_caseinsensitive); diff --git a/source4/torture/raw/samba3misc.c b/source4/torture/raw/samba3misc.c index 27b4d42dd8..8cdccb3906 100644 --- a/source4/torture/raw/samba3misc.c +++ b/source4/torture/raw/samba3misc.c @@ -889,3 +889,83 @@ bool torture_samba3_rootdirfid(struct torture_context *tctx) return ret; } +bool torture_samba3_oplock_logoff(struct torture_context *tctx) +{ + struct smbcli_state *cli; + NTSTATUS status; + uint16_t fnum1; + union smb_open io; + const char *fname = "testfile"; + bool ret = false; + struct smbcli_request *req; + struct smb_echo echo_req; + + if (!torture_open_connection(&cli, tctx, 0)) { + ret = false; + goto done; + } + + smbcli_unlink(cli->tree, fname); + + ZERO_STRUCT(io); + io.generic.level = RAW_OPEN_NTCREATEX; + io.ntcreatex.in.flags = NTCREATEX_FLAGS_EXTENDED; + io.ntcreatex.in.root_fid = 0; + io.ntcreatex.in.security_flags = 0; + io.ntcreatex.in.access_mask = + SEC_STD_SYNCHRONIZE | SEC_FILE_EXECUTE; + io.ntcreatex.in.alloc_size = 0; + io.ntcreatex.in.file_attr = FILE_ATTRIBUTE_NORMAL; + io.ntcreatex.in.share_access = NTCREATEX_SHARE_ACCESS_NONE; + io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN_IF; + io.ntcreatex.in.create_options = 0; + io.ntcreatex.in.fname = "testfile"; + status = smb_raw_open(cli->tree, tctx, &io); + if (!NT_STATUS_IS_OK(status)) { + d_printf("first smb_open failed: %s\n", nt_errstr(status)); + ret = false; + goto done; + } + fnum1 = io.ntcreatex.out.file.fnum; + + /* + * Create a conflicting open, causing the one-second delay + */ + + req = smb_raw_open_send(cli->tree, &io); + if (req == NULL) { + d_printf("smb_raw_open_send failed\n"); + ret = false; + goto done; + } + + /* + * Pull the VUID from under that request. As of Nov 3, 2008 all Samba3 + * versions (3.0, 3.2 and master) would spin sending ERRinvuid errors + * as long as the client is still connected. + */ + + status = smb_raw_ulogoff(cli->session); + + if (!NT_STATUS_IS_OK(status)) { + d_printf("ulogoff failed: %s\n", nt_errstr(status)); + ret = false; + goto done; + } + + echo_req.in.repeat_count = 1; + echo_req.in.size = 1; + echo_req.in.data = (uint8_t *)""; + + status = smb_raw_echo(cli->session->transport, &echo_req); + if (!NT_STATUS_IS_OK(status)) { + d_printf("smb_raw_echo returned %s\n", + nt_errstr(status)); + ret = false; + goto done; + } + + ret = true; + done: + return ret; +} |