>From 99ecf077e5f226ca50339c0c96f7b97409a10661 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 28 Jan 2014 14:07:26 -0800 Subject: [PATCH 1/2] s4: smbtorture: Update the torture_smb2_notify_ulogoff test to demonstrate the problem. [Bug 10344] SessionLogoff on a signed connection with an outstanding notify request crashes smbd. https://bugzilla.samba.org/show_bug.cgi?id=10344 Signed-off-by: Jeremy Allison --- source4/torture/smb2/notify.c | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c index e83b099..e9664d3 100644 --- a/source4/torture/smb2/notify.c +++ b/source4/torture/smb2/notify.c @@ -69,6 +69,13 @@ goto done; \ }} while (0) +#define WAIT_FOR_ASYNC_RESPONSE(req) \ + while (!req->cancel.can_cancel && req->state <= SMB2_REQUEST_RECV) { \ + if (tevent_loop_once(torture->ev) != 0) { \ + break; \ + } \ + } + #define BASEDIR "test_notify" #define FNAME "smb2-notify01.dat" @@ -1280,7 +1287,7 @@ static bool torture_smb2_notify_ulogoff(struct torture_context *torture, CHECK_STATUS(status, NT_STATUS_OK); io.smb2.in.create_disposition = NTCREATEX_DISP_OPEN; - status = smb2_create(tree2, torture, &(io.smb2)); + status = smb2_create(tree1, torture, &(io.smb2)); CHECK_STATUS(status, NT_STATUS_OK); h1 = io.smb2.out.file.handle; @@ -1295,7 +1302,9 @@ static bool torture_smb2_notify_ulogoff(struct torture_context *torture, req = smb2_notify_send(tree1, &(notify.smb2)); - status = smb2_logoff(tree2->session); + WAIT_FOR_ASYNC_RESPONSE(req); + + status = smb2_logoff(tree1->session); CHECK_STATUS(status, NT_STATUS_OK); status = smb2_notify_recv(req, torture, &(notify.smb2)); -- 1.7.9.5 >From 67d84bf3cdfde8a5d1c51b24264d52b5243d83de Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Mon, 24 Feb 2014 10:44:59 -0800 Subject: [PATCH 2/2] s4: smbtorture: Add a proper change_notify going async followed by tdis test. [Bug 10344] SessionLogoff on a signed connection with an outstanding notify request crashes smbd. https://bugzilla.samba.org/show_bug.cgi?id=10344 Signed-off-by: Jeremy Allison --- source4/torture/smb2/notify.c | 68 ++++++++++++++++++++++++++++++++++++++++- 1 file changed, 67 insertions(+), 1 deletion(-) diff --git a/source4/torture/smb2/notify.c b/source4/torture/smb2/notify.c index e9664d3..650337e 100644 --- a/source4/torture/smb2/notify.c +++ b/source4/torture/smb2/notify.c @@ -1195,7 +1195,7 @@ static bool torture_smb2_notify_tree_disconnect( smb2_deltree(tree, BASEDIR); smb2_util_rmdir(tree, BASEDIR); - torture_comment(torture, "TESTING CHANGE NOTIFY FOLLOWED BY " + torture_comment(torture, "TESTING CHANGE NOTIFY+CANCEL FOLLOWED BY " "TREE-DISCONNECT\n"); /* @@ -1247,6 +1247,71 @@ done: } /* + testing of change notifies followed by a tdis - no cancel +*/ + +static bool torture_smb2_notify_tree_disconnect_1( + struct torture_context *torture, + struct smb2_tree *tree) +{ + bool ret = true; + NTSTATUS status; + union smb_notify notify; + union smb_open io; + struct smb2_handle h1; + struct smb2_request *req; + + smb2_deltree(tree, BASEDIR); + smb2_util_rmdir(tree, BASEDIR); + + torture_comment(torture, "TESTING CHANGE NOTIFY ASYNC FOLLOWED BY " + "TREE-DISCONNECT\n"); + + /* + get a handle on the directory + */ + ZERO_STRUCT(io.smb2); + io.generic.level = RAW_OPEN_SMB2; + io.smb2.in.create_flags = 0; + io.smb2.in.desired_access = SEC_FILE_ALL; + io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY; + io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL; + io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ | + NTCREATEX_SHARE_ACCESS_WRITE; + io.smb2.in.alloc_size = 0; + io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE; + io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS; + io.smb2.in.security_flags = 0; + io.smb2.in.fname = BASEDIR; + + status = smb2_create(tree, torture, &(io.smb2)); + CHECK_STATUS(status, NT_STATUS_OK); + h1 = io.smb2.out.file.handle; + + /* ask for a change notify, + on file or directory name changes */ + ZERO_STRUCT(notify.smb2); + notify.smb2.level = RAW_NOTIFY_SMB2; + notify.smb2.in.buffer_size = 1000; + notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME; + notify.smb2.in.file.handle = h1; + notify.smb2.in.recursive = true; + + req = smb2_notify_send(tree, &(notify.smb2)); + WAIT_FOR_ASYNC_RESPONSE(req); + + status = smb2_tdis(tree); + CHECK_STATUS(status, NT_STATUS_OK); + + status = smb2_notify_recv(req, torture, &(notify.smb2)); + CHECK_VAL(notify.smb2.out.num_changes, 0); + +done: + smb2_deltree(tree, BASEDIR); + return ret; +} + +/* basic testing of change notifies followed by a ulogoff */ @@ -2000,6 +2065,7 @@ struct torture_suite *torture_smb2_notify_init(void) torture_suite_add_2smb2_test(suite, "dir", torture_smb2_notify_dir); torture_suite_add_2smb2_test(suite, "mask", torture_smb2_notify_mask); torture_suite_add_1smb2_test(suite, "tdis", torture_smb2_notify_tree_disconnect); + torture_suite_add_1smb2_test(suite, "tdis1", torture_smb2_notify_tree_disconnect_1); torture_suite_add_2smb2_test(suite, "mask-change", torture_smb2_notify_mask_change); torture_suite_add_2smb2_test(suite, "logoff", torture_smb2_notify_ulogoff); torture_suite_add_1smb2_test(suite, "tree", torture_smb2_notify_tree); -- 1.7.9.5