-rw-r--r--source3/torture/torture.c99
1 files changed, 53 insertions, 46 deletions
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index c3497f777b..a28078fe9d 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -37,6 +37,7 @@
#include "libsmb/nmblib.h"
#include "../lib/util/tevent_ntstatus.h"
#include "util_tdb.h"
+#include "libsmb/read_smb.h"
extern char *optarg;
extern int optind;
@@ -237,75 +238,81 @@ static struct cli_state *open_nbt_connection(void)
static bool cli_bad_session_request(struct cli_state *cli,
struct nmb_name *calling, struct nmb_name *called)
{
- char *p;
- int len = 4;
- int namelen = 0;
- char *tmp;
+ TALLOC_CTX *frame;
+ uint8_t len_buf[4];
+ struct iovec iov[3];
+ ssize_t len;
+ uint8_t *inbuf;
+ int err;
+ bool ret = false;
memcpy(&(cli->calling), calling, sizeof(*calling));
memcpy(&(cli->called ), called , sizeof(*called ));
- /* put in the destination name */
+ /* 445 doesn't have session request */
+ if (cli->port == 445)
+ return True;
- tmp = name_mangle(talloc_tos(), cli->called.name,
- cli->called.name_type);
- if (tmp == NULL) {
- return false;
- }
+ frame = talloc_stackframe();
- p = cli->outbuf+len;
- namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
- if (namelen > 0) {
- memcpy(p, tmp, namelen);
- len += namelen;
- }
- TALLOC_FREE(tmp);
+ iov[0].iov_base = len_buf;
+ iov[0].iov_len = sizeof(len_buf);
- /* Deliberately corrupt the name len (first byte) */
- *p = 100;
+ /* put in the destination name */
- /* and my name */
+ iov[1].iov_base = name_mangle(talloc_tos(), called->name,
+ called->name_type);
+ if (iov[1].iov_base == NULL) {
+ goto fail;
+ }
+ iov[1].iov_len = name_len((unsigned char *)iov[1].iov_base,
+ talloc_get_size(iov[1].iov_base));
- tmp = name_mangle(talloc_tos(), cli->calling.name,
- cli->calling.name_type);
- if (tmp == NULL) {
- return false;
- }
+ /* and my name */
+
+ iov[2].iov_base = name_mangle(talloc_tos(), calling->name,
+ calling->name_type);
+ if (iov[2].iov_base == NULL) {
+ goto fail;
+ }
+ iov[2].iov_len = name_len((unsigned char *)iov[2].iov_base,
+ talloc_get_size(iov[2].iov_base));
- p = cli->outbuf+len;
- namelen = name_len((unsigned char *)tmp, talloc_get_size(tmp));
- if (namelen > 0) {
- memcpy(p, tmp, namelen);
- len += namelen;
- }
- TALLOC_FREE(tmp);
/* Deliberately corrupt the name len (first byte) */
- *p = 100;
+ *((uint8_t *)iov[2].iov_base) = 100;
- /* send a session request (RFC 1002) */
- /* setup the packet length
+ /* send a session request (RFC 1002) */
+ /* setup the packet length
* Remove four bytes from the length count, since the length
* field in the NBT Session Service header counts the number
* of bytes which follow. The cli_send_smb() function knows
* about this and accounts for those four bytes.
* CRH.
*/
- len -= 4;
- _smb_setlen(cli->outbuf,len);
- SCVAL(cli->outbuf,0,0x81);
- cli_send_smb(cli);
- DEBUG(5,("Sent session request\n"));
+ _smb_setlen(len_buf, iov[1].iov_len + iov[2].iov_len);
+ SCVAL(len_buf,0,0x81);
- if (!cli_receive_smb(cli))
- return False;
+ len = write_data_iov(cli->fd, iov, 3);
+ if (len == -1) {
+ goto fail;
+ }
+ len = read_smb(cli->fd, talloc_tos(), &inbuf, &err);
+ if (len == -1) {
+ errno = err;
+ goto fail;
+ }
- if (CVAL(cli->inbuf,0) != 0x82) {
+ if (CVAL(inbuf,0) != 0x82) {
/* This is the wrong place to put the error... JRA. */
- cli->rap_error = CVAL(cli->inbuf,4);
- return False;
+ cli->rap_error = CVAL(inbuf,4);
+ goto fail;
}
- return(True);
+
+ ret = true;
+fail:
+ TALLOC_FREE(frame);
+ return ret;
}
static struct cli_state *open_bad_nbt_connection(void)
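Review bot: The two `iov[n].iov_len = name_len(...)` assignments store the result straight into a `size_t`, whereas the removed code only used it under `if (namelen > 0)`. If name_len() can return zero or a negative value, as that old guard suggests, a negative result becomes a very large `iov_len` and write_data_iov() would read past the end of the talloc'd name. I would keep the check by reading the result into an `int`, doing `goto fail` when it is `<= 0`, and only then assigning it to `iov_len`. In the `!= 0x82` branch, `CVAL(inbuf,4)` is read without comparing `len` from read_smb() against that offset, so a short reply could be read past its end if the buffer is sized to the packet; something like `if (len >= 5) cli->rap_error = CVAL(inbuf,4);` would cover it, assuming `len` counts the 4-byte header. Separately, the old code overwrote the first byte of both mangled names while the new code corrupts only `iov[2]` (the calling name), so a comment stating whether that narrowing of the negative test is intended would help.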