From e4678f5d1de6d2bddb7dd33e9361e1eafbf61d6c Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 20 Oct 1998 06:46:25 +0000 Subject: fixed a connection bug in torture test (This used to be commit 2b892130dfc1938e93e69e490a8a9e9ed57a1971) --- source3/utils/torture.c | 77 ++++++++++++++++++++++++++++++++++++++++++------- 1 file changed, 66 insertions(+), 11 deletions(-) diff --git a/source3/utils/torture.c b/source3/utils/torture.c index dd5cf04cc5..3ef4d5133f 100644 --- a/source3/utils/torture.c +++ b/source3/utils/torture.c @@ -47,37 +47,38 @@ static BOOL open_connection(struct cli_state *c) { struct nmb_name called, calling; + ZERO_STRUCTP(c); + + make_nmb_name(&calling, myname, 0x0, ""); + make_nmb_name(&called , host, 0x20, ""); + if (!cli_initialise(c) || !cli_connect(c, host, NULL)) { printf("Failed to connect with %s\n", host); return False; } - make_nmb_name(&calling, myname, 0x0, ""); - make_nmb_name(&called , host, 0x20, ""); - if (!cli_session_request(c, &calling, &called)) { - printf("%s rejected the session\n",host); cli_shutdown(c); + printf("%s rejected the session\n",host); return False; } - c->protocol = max_protocol; - if (!cli_negprot(c)) { printf("%s rejected the negprot (%s)\n",host, cli_errstr(c)); cli_shutdown(c); return False; } - if (!cli_session_setup(c, username, password, strlen(password), - "", 0, workgroup)) { - printf("%s rejected the sessionsetup (%s)\n", host, cli_errstr(c)); + if (!cli_session_setup(c, username, + password, strlen(password), + password, strlen(password), + workgroup)) { cli_shutdown(c); + printf("%s rejected the sessionsetup (%s)\n", host, cli_errstr(c)); return False; } - if (!cli_send_tconX(c, share, - strstr(share,"IPC$")?"IPC":"A:", + if (!cli_send_tconX(c, share, "?????", password, strlen(password)+1)) { printf("%s refused tree connect (%s)\n", host, cli_errstr(c)); cli_shutdown(c); @@ -555,6 +556,59 @@ static void run_locktest3(int numops) } +/* +test whether fnums and tids open on one VC are available on another (a major +security hole) +*/ +static void run_fdpasstest(void) +{ + static struct cli_state cli1, cli2; + char *fname = "\\fdpass.tst"; + int fnum1; + pstring buf; + + if (!open_connection(&cli1) || !open_connection(&cli2)) { + return; + } + cli_sockopt(&cli1, sockops); + cli_sockopt(&cli2, sockops); + + printf("starting fdpasstest\n"); + + cli_unlink(&cli1, fname); + + fnum1 = cli_open(&cli1, fname, O_RDWR|O_CREAT|O_EXCL, DENY_NONE); + if (fnum1 == -1) { + printf("open of %s failed (%s)\n", fname, cli_errstr(&cli1)); + return; + } + + if (cli_write(&cli1, fnum1, 0, "hello world\n", 0, 13) != 13) { + printf("write failed (%s)\n", cli_errstr(&cli1)); + return; + } + + cli2.vuid = cli1.vuid; + cli2.cnum = cli1.cnum; + cli2.pid = cli1.pid; + + + if (cli_read(&cli2, fnum1, buf, 0, 13) == 13) { + printf("read succeeded! nasty security hole [%s]\n", + buf); + return; + } + + cli_close(&cli1, fnum1); + cli_unlink(&cli1, fname); + + close_connection(&cli1); + close_connection(&cli2); + + printf("finished fdpasstest\n"); +} + + /* This test checks that @@ -1003,6 +1057,7 @@ static void create_procs(int nprocs, int numops, void (*fn)(int )) printf("host=%s share=%s user=%s myname=%s\n", host, share, username, myname); + run_fdpasstest(); run_locktest1(); run_locktest2(); run_locktest3(numops); -- cgit