summaryrefslogtreecommitdiff
path: root/source4/torture/rpc/autoidl.c
diff options
context:
space:
mode:
Diffstat (limited to 'source4/torture/rpc/autoidl.c')
-rw-r--r--source4/torture/rpc/autoidl.c91
1 files changed, 77 insertions, 14 deletions
diff --git a/source4/torture/rpc/autoidl.c b/source4/torture/rpc/autoidl.c
index 5f89970d17..31359b4baf 100644
--- a/source4/torture/rpc/autoidl.c
+++ b/source4/torture/rpc/autoidl.c
@@ -74,9 +74,56 @@ static void reopen(struct dcerpc_pipe **p, const struct dcerpc_interface_table *
}
}
+static void print_depth(int depth)
+{
+ int i;
+ for (i=0;i<depth;i++) {
+ printf(" ");
+ }
+}
static void test_ptr_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface,
- int opnum, int min_in)
+ int opnum, DATA_BLOB *base_in, int min_ofs, int max_ofs, int depth);
+
+static void try_expand(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface,
+ int opnum, DATA_BLOB *base_in, int insert_ofs, int depth)
+{
+ DATA_BLOB stub_in, stub_out;
+ int n;
+ NTSTATUS status;
+ struct dcerpc_pipe *p = NULL;
+
+ reopen(&p, iface);
+
+ /* work out how much to expand to get a non fault */
+ for (n=0;n<2000;n++) {
+ stub_in = data_blob(NULL, base_in->length + n);
+ data_blob_clear(&stub_in);
+ memcpy(stub_in.data, base_in->data, insert_ofs);
+ memcpy(stub_in.data+insert_ofs+n, base_in->data+insert_ofs, base_in->length-insert_ofs);
+
+ status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
+
+ if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
+ print_depth(depth);
+ printf("expand by %d gives %s\n", n, nt_errstr(status));
+ if (n >= 4) {
+ test_ptr_scan(mem_ctx, iface, opnum, &stub_in,
+ insert_ofs, insert_ofs+n, depth+1);
+ }
+ return;
+ }
+ if (p->last_fault_code == 5) {
+ reopen(&p, iface);
+ }
+ }
+
+ dcerpc_pipe_close(p);
+}
+
+
+static void test_ptr_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface,
+ int opnum, DATA_BLOB *base_in, int min_ofs, int max_ofs, int depth)
{
DATA_BLOB stub_in, stub_out;
int ofs;
@@ -85,24 +132,30 @@ static void test_ptr_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_tab
reopen(&p, iface);
- stub_in = data_blob(NULL, min_in);
- data_blob_clear(&stub_in);
+ stub_in = data_blob(NULL, base_in->length);
+ memcpy(stub_in.data, base_in->data, base_in->length);
- /* work out the minimum amount of input data */
- for (ofs=0;ofs<min_in;ofs+=4) {
+ /* work out which elements are pointers */
+ for (ofs=min_ofs;ofs<=max_ofs-4;ofs+=4) {
SIVAL(stub_in.data, ofs, 1);
status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
- SIVAL(stub_in.data, ofs, 0);
if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
- printf("opnum %d ofs %d size %d fault 0x%08x\n",
- opnum, ofs, min_in, p->last_fault_code);
+ print_depth(depth);
+ printf("possible ptr at ofs %d - fault 0x%08x\n",
+ ofs-min_ofs, p->last_fault_code);
if (p->last_fault_code == 5) {
reopen(&p, iface);
}
+ if (depth == 0) {
+ try_expand(mem_ctx, iface, opnum, &stub_in, ofs+4, depth+1);
+ } else {
+ try_expand(mem_ctx, iface, opnum, &stub_in, max_ofs, depth+1);
+ }
+ SIVAL(stub_in.data, ofs, 0);
continue;
}
- printf("opnum %d ofs %d error %s\n", opnum, ofs, nt_errstr(status));
+ SIVAL(stub_in.data, ofs, 0);
}
dcerpc_pipe_close(p);
@@ -126,9 +179,6 @@ static void test_scan_call(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_ta
stub_in = data_blob(NULL, i);
data_blob_clear(&stub_in);
-#if 1
- fill_blob_handle(&stub_in, mem_ctx, &handle);
-#endif
status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
@@ -137,7 +187,20 @@ static void test_scan_call(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_ta
opnum, stub_in.length, stub_out.length);
dump_data(0, stub_out.data, stub_out.length);
dcerpc_pipe_close(p);
- test_ptr_scan(mem_ctx, iface, opnum, stub_in.length);
+ test_ptr_scan(mem_ctx, iface, opnum, &stub_in, 0, stub_in.length, 0);
+ return;
+ }
+
+ fill_blob_handle(&stub_in, mem_ctx, &handle);
+
+ status = dcerpc_request(p, opnum, mem_ctx, &stub_in, &stub_out);
+
+ if (NT_STATUS_IS_OK(status)) {
+ printf("opnum %d min_input %d - output %d (with handle)\n",
+ opnum, stub_in.length, stub_out.length);
+ dump_data(0, stub_out.data, stub_out.length);
+ dcerpc_pipe_close(p);
+ test_ptr_scan(mem_ctx, iface, opnum, &stub_in, 0, stub_in.length, 0);
return;
}
@@ -159,7 +222,7 @@ static void test_scan_call(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_ta
static void test_auto_scan(TALLOC_CTX *mem_ctx, const struct dcerpc_interface_table *iface)
{
- test_scan_call(mem_ctx, iface, 0x26);
+ test_scan_call(mem_ctx, iface, 0x37);
}
BOOL torture_rpc_autoidl(int dummy)
generated by cgit (git 2.34.1) at 2024-08-01 00:27:00 +0000