[SCM] Samba Shared Repository - branch v3-5-test updated

Günther Deschner gd at samba.org
Tue Oct 20 19:20:46 MDT 2009


The branch, v3-5-test has been updated
       via  b2b8363... s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infinite windows client loop.
       via  e91e374... s3-lsa: Fix _lsa_EnumTrustDom() and avoid infinite windows client loop.
       via  1500ee6... s4-smbtorture: test whether an lsa_EnumTrustDom implementation would hang up a client.
       via  e669b7a... s3-lsa: make s3 pass against RPC-LSA-LOOKUPNAMES again.
       via  d48513e... nsswitch: fix the build of the winbind krb5 locator plugin.
       via  f8706be... s4-smbtorture: fix RPC-LSA-LSALOOKUP test against w2k3 and w2k8.
      from  df0430e... Turn on LOCK9 test which will test for regressions in bug 6828. Jeremy.

http://gitweb.samba.org/?p=samba.git;a=shortlog;h=v3-5-test


- Log -----------------------------------------------------------------
commit b2b836330c7c75130675354937a5609df54718c0
Author: Günther Deschner <gd at samba.org>
Date:   Wed Oct 21 02:18:54 2009 +0200

    s4-lsa: Fix dcesrv_lsa_EnumTrustDom() and avoid infinite windows client loop.
    
    Found by RPC-LSA-TRUSTED-DOMAIN torture test.
    
    Guenther
    (cherry picked from commit 4b6cfbb6d27eea07400d0eacb08b2f69724b19ca)

commit e91e37485290c1c9132009a14488757936dc7e9e
Author: Günther Deschner <gd at samba.org>
Date:   Wed Oct 21 02:17:32 2009 +0200

    s3-lsa: Fix _lsa_EnumTrustDom() and avoid infinite windows client loop.
    
    Found by RPC-LSA-TRUSTED-DOMAIN torture test.
    
    Guenther
    (cherry picked from commit 209a65bc6f783055f3f6a8cea3fb36587d346511)

commit 1500ee66e7b8d4d0644762aebed9be63b7cacb0b
Author: Günther Deschner <gd at samba.org>
Date:   Wed Oct 21 02:16:32 2009 +0200

    s4-smbtorture: test whether an lsa_EnumTrustDom implementation would hang up a client.
    
    Guenther
    (cherry picked from commit 48520b2274638bde88b08361197c1056936bcba0)

commit e669b7a668b529bf239aad1039f3ce7d1e011bc4
Author: Günther Deschner <gd at samba.org>
Date:   Wed Oct 21 02:45:21 2009 +0200

    s3-lsa: make s3 pass against RPC-LSA-LOOKUPNAMES again.
    
    Do what W2k8 does and return the builtin domain for a NULL name.
    
    Guenther
    (cherry picked from commit 32f2cc448778ec6eeab8bbd42d459f7e57b188ac)

commit d48513e216cf8f9084dcb20454503d161aa232d7
Author: Günther Deschner <gd at samba.org>
Date:   Wed Oct 21 02:44:44 2009 +0200

    nsswitch: fix the build of the winbind krb5 locator plugin.
    
    Guenther
    (cherry picked from commit b9d9353b548d9b2ab684aa171f511174e6414762)

commit f8706bef307b1de684ce91ed2e5ecbda7695db09
Author: Günther Deschner <gd at samba.org>
Date:   Tue Oct 20 23:47:40 2009 +0200

    s4-smbtorture: fix RPC-LSA-LSALOOKUP test against w2k3 and w2k8.
    
    Make sure to split out lsa_LookupName NULL name test so that we can better track
    results from bogus names and NULL names.
    
    Guenther
    (cherry picked from commit a4d54875768bbe6bcd019a788081d182ce9d4a80)

-----------------------------------------------------------------------

Summary of changes:
 source3/Makefile.in                 |    2 +-
 source3/rpc_server/srv_lsa_nt.c     |   22 +++++--
 source4/rpc_server/lsa/dcesrv_lsa.c |    9 +++
 source4/torture/rpc/lsa.c           |  117 ++++++++++++++++++++++++++++-------
 4 files changed, 121 insertions(+), 29 deletions(-)


Changeset truncated at 500 lines:

diff --git a/source3/Makefile.in b/source3/Makefile.in
index cce6e7c..af0f53a 100644
--- a/source3/Makefile.in
+++ b/source3/Makefile.in
@@ -2522,7 +2522,7 @@ bin/vlp at EXEEXT@: $(BINARY_PREREQS) $(VLP_OBJ) $(LIBTDB)
 
 bin/winbind_krb5_locator. at SHLIBEXT@: $(BINARY_PREREQS) $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT)
 	@echo "Linking $@"
-	@$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT_LIBS) \
+	@$(SHLD) $(LDSHFLAGS) -o $@ $(WINBIND_KRB5_LOCATOR_OBJ) $(LIBWBCLIENT_LIBS) $(KRB5_LIBS) \
 		@SONAMEFLAG@`basename $@`
 
 bin/pam_winbind. at SHLIBEXT@: $(BINARY_PREREQS) $(PAM_WINBIND_OBJ) $(LIBTALLOC) $(LIBWBCLIENT)
diff --git a/source3/rpc_server/srv_lsa_nt.c b/source3/rpc_server/srv_lsa_nt.c
index eafbd51..a9a4fa5 100644
--- a/source3/rpc_server/srv_lsa_nt.c
+++ b/source3/rpc_server/srv_lsa_nt.c
@@ -159,12 +159,13 @@ static NTSTATUS lookup_lsa_rids(TALLOC_CTX *mem_ctx,
 
 		/* Split name into domain and user component */
 
-		full_name = name[i].string;
-		if (full_name == NULL) {
-			prid[i].sid_type	= type;
-			prid[i].rid		= 0;
-			prid[i].sid_index	= (uint32_t)-1;
-			continue;
+		/* follow w2k8 behavior and return the builtin domain when no
+		 * input has been passed in */
+
+		if (name[i].string) {
+			full_name = name[i].string;
+		} else {
+			full_name = "BUILTIN";
 		}
 
 		DEBUG(5, ("lookup_lsa_rids: looking up name %s\n", full_name));
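Review bot: A request carrying a NULL name is now logged by the `DEBUG(5, ...)` line at the end of this hunk as a lookup of "BUILTIN", so the log can no longer tell a client that sent no name from one that sent the literal string. A debug line in the `else` branch, e.g. `DEBUG(5, ("lookup_lsa_rids: NULL name at index %d, using BUILTIN\n", (int)i));`, would keep that visible. The substitution also relies on the lookup code further down in lookup_lsa_rids, which lies outside the hunk, to resolve that string to the builtin domain; the NULL-name torture test added in this push checks only the returned status, not the translated entry.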
@@ -476,6 +477,15 @@ NTSTATUS _lsa_EnumTrustDom(pipes_struct *p,
 		return STATUS_MORE_ENTRIES;
 	}
 
+	/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+	 * always be larger than the previous input resume handle, in
+	 * particular when hitting the last query it is vital to set the
+	 * resume handle correctly to avoid infinite client loops, as
+	 * seen e.g. with Windows XP SP3 when resume handle is 0 and
+	 * status is NT_STATUS_OK - gd */
+
+	*r->out.resume_handle = (uint32_t)-1;
+
 	return NT_STATUS_OK;
 }
 
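Review bot: The resume handle is set only on this final NT_STATUS_OK return. The STATUS_MORE_ENTRIES return just above and any NT_STATUS_NO_MORE_ENTRIES return earlier in _lsa_EnumTrustDom lie outside the hunk, yet the torture test added in this push applies the same "output larger than input" rule to all three statuses, so those paths should be confirmed to set `*r->out.resume_handle` as well. A client-supplied input handle of 0xffffffff cannot be exceeded by `(uint32_t)-1`; if the function does not already handle that input before reaching this point, the comment should say what the server answers in that case. The identical addition to dcesrv_lsa_EnumTrustDom in source4/rpc_server/lsa/dcesrv_lsa.c raises the same two questions.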
diff --git a/source4/rpc_server/lsa/dcesrv_lsa.c b/source4/rpc_server/lsa/dcesrv_lsa.c
index 3d6352a..cf1a893 100644
--- a/source4/rpc_server/lsa/dcesrv_lsa.c
+++ b/source4/rpc_server/lsa/dcesrv_lsa.c
@@ -1660,6 +1660,15 @@ static NTSTATUS dcesrv_lsa_EnumTrustDom(struct dcesrv_call_state *dce_call, TALL
 		return STATUS_MORE_ENTRIES;
 	}
 
+	/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+	 * always be larger than the previous input resume handle, in
+	 * particular when hitting the last query it is vital to set the
+	 * resume handle correctly to avoid infinite client loops, as
+	 * seen e.g. with Windows XP SP3 when resume handle is 0 and
+	 * status is NT_STATUS_OK - gd */
+
+	*r->out.resume_handle = (uint32_t)-1;
+
 	return NT_STATUS_OK;
 }
 
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index e4a6a84..710f4c5 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -232,31 +232,19 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
 	struct lsa_LookupNames r;
 	struct lsa_TransSidArray sids;
 	struct lsa_RefDomainList *domains = NULL;
-	struct lsa_String *names;
+	struct lsa_String names[1];
 	uint32_t count = 0;
 	NTSTATUS status;
-	int i;
-
-	struct lsa_TranslatedName name[2];
-	struct lsa_TransNameArray tnames;
 
-	tnames.names = name;
-	tnames.count = 2;
-	name[0].name.string = "NT AUTHORITY\\BOGUS";
-	name[1].name.string = NULL;
-
-	torture_comment(tctx, "\nTesting LookupNames with bogus names\n");
+	torture_comment(tctx, "\nTesting LookupNames with bogus name\n");
 
 	sids.count = 0;
 	sids.sids = NULL;
 
-	names = talloc_array(tctx, struct lsa_String, tnames.count);
-	for (i=0;i<tnames.count;i++) {
-		init_lsa_String(&names[i], tnames.names[i].name.string);
-	}
+	init_lsa_String(&names[0], "NT AUTHORITY\\BOGUS");
 
 	r.in.handle = handle;
-	r.in.num_names = tnames.count;
+	r.in.num_names = 1;
 	r.in.names = names;
 	r.in.sids = &sids;
 	r.in.level = 1;
@@ -276,6 +264,48 @@ static bool test_LookupNames_bogus(struct dcerpc_pipe *p,
 	return true;
 }
 
+static bool test_LookupNames_NULL(struct dcerpc_pipe *p,
+				  struct torture_context *tctx,
+				  struct policy_handle *handle)
+{
+	struct lsa_LookupNames r;
+	struct lsa_TransSidArray sids;
+	struct lsa_RefDomainList *domains = NULL;
+	struct lsa_String names[1];
+	uint32_t count = 0;
+
+	torture_comment(tctx, "\nTesting LookupNames with NULL name\n");
+
+	sids.count = 0;
+	sids.sids = NULL;
+
+	names[0].string = NULL;
+
+	r.in.handle = handle;
+	r.in.num_names = 1;
+	r.in.names = names;
+	r.in.sids = &sids;
+	r.in.level = 1;
+	r.in.count = &count;
+	r.out.count = &count;
+	r.out.sids = &sids;
+	r.out.domains = &domains;
+
+	/* nt4 returns NT_STATUS_NONE_MAPPED with sid_type
+	 * SID_NAME_UNKNOWN, rid 0, and sid_index -1;
+	 *
+	 * w2k3/w2k8 return NT_STATUS_OK with sid_type
+	 * SID_NAME_DOMAIN, rid -1 and sid_index 0 and BUILTIN domain
+	 */
+
+	torture_assert_ntstatus_ok(tctx, dcerpc_lsa_LookupNames(p, tctx, &r),
+		"LookupNames with NULL name failed");
+
+	torture_comment(tctx, "\n");
+
+	return true;
+}
+
 static bool test_LookupNames_wellknown(struct dcerpc_pipe *p,
 				       struct torture_context *tctx,
 				       struct policy_handle *handle)
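Review bot: test_LookupNames_NULL asserts only that the call returns NT_STATUS_OK, while its own comment lists the result w2k3/w2k8 give (SID_NAME_DOMAIN, rid -1, sid_index 0, BUILTIN domain); a server that returns OK with a different or empty translation would still pass. Checking the documented values after the call would pin the behaviour, e.g. `torture_assert_int_equal(tctx, sids.count, 1, "unexpected sid count");` followed by `torture_assert_int_equal(tctx, sids.sids[0].sid_type, SID_NAME_DOMAIN, "unexpected sid_type");` and the same for `sid_index`. As the comment notes, NT4 answers NT_STATUS_NONE_MAPPED, so the test as written fails against such a server; if that is intended, the comment should say so.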
@@ -1996,20 +2026,39 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 {
 	struct lsa_EnumTrustDom r;
 	NTSTATUS enum_status;
-	uint32_t resume_handle = 0;
+	uint32_t in_resume_handle = 0;
+	uint32_t out_resume_handle;
 	struct lsa_DomainList domains;
 	bool ret = true;
 
 	torture_comment(tctx, "\nTesting EnumTrustDom\n");
 
 	r.in.handle = handle;
-	r.in.resume_handle = &resume_handle;
+	r.in.resume_handle = &in_resume_handle;
 	r.in.max_size = 0;
 	r.out.domains = &domains;
-	r.out.resume_handle = &resume_handle;
+	r.out.resume_handle = &out_resume_handle;
 
 	enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
 
+	/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+	 * always be larger than the previous input resume handle, in
+	 * particular when hitting the last query it is vital to set the
+	 * resume handle correctly to avoid infinite client loops, as
+	 * seen e.g.  with Windows XP SP3 when resume handle is 0 and
+	 * status is NT_STATUS_OK - gd */
+
+	if (NT_STATUS_IS_OK(enum_status) ||
+	    NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) ||
+	    NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES))
+	{
+		if (out_resume_handle <= in_resume_handle) {
+			torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
+				out_resume_handle, in_resume_handle);
+			return false;
+		}
+	}
+
 	if (NT_STATUS_IS_OK(enum_status)) {
 		if (domains.count == 0) {
 			torture_comment(tctx, "EnumTrustDom failed - should have returned 'NT_STATUS_NO_MORE_ENTRIES' for 0 trusted domains\n");
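Review bot: The resume-handle check and its six-line comment are added here and again, verbatim, inside the do/while loop in the next hunk; a small static helper taking the status and the two handle values would keep the two copies from drifting apart. `out_resume_handle` is also declared without an initializer and is written only through the RPC call, so `uint32_t out_resume_handle = 0;` would make the `<=` comparison deterministic if a reply ever leaves it untouched. test_EnumTrustDom begins and ends outside this hunk.

```c
/* MS-LSAD 3.1.4.7.8: the output resume handle MUST be larger than the
 * previous input resume handle; a server that violates this can send
 * clients (e.g. Windows XP SP3) into an endless enumeration loop. */
static bool check_EnumTrustDom_resume_handle(struct torture_context *tctx,
					     NTSTATUS enum_status,
					     uint32_t in_resume_handle,
					     uint32_t out_resume_handle)
{
	if (!NT_STATUS_IS_OK(enum_status) &&
	    !NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) &&
	    !NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)) {
		return true;
	}

	if (out_resume_handle <= in_resume_handle) {
		torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
			out_resume_handle, in_resume_handle);
		return false;
	}

	return true;
}

	/* ... unchanged: request setup in test_EnumTrustDom ... */
	enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);

	if (!check_EnumTrustDom_resume_handle(tctx, enum_status,
					      in_resume_handle,
					      out_resume_handle)) {
		return false;
	}
	/* ... unchanged: status handling; same call replaces the copy inside the do/while loop ... */
```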
@@ -2021,17 +2070,35 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 	}
 
 	/* Start from the bottom again */
-	resume_handle = 0;
+	in_resume_handle = 0;
 
 	do {
 		r.in.handle = handle;
-		r.in.resume_handle = &resume_handle;
+		r.in.resume_handle = &in_resume_handle;
 		r.in.max_size = LSA_ENUM_TRUST_DOMAIN_MULTIPLIER * 3;
 		r.out.domains = &domains;
-		r.out.resume_handle = &resume_handle;
+		r.out.resume_handle = &out_resume_handle;
 
 		enum_status = dcerpc_lsa_EnumTrustDom(p, tctx, &r);
 
+		/* according to MS-LSAD 3.1.4.7.8 output resume handle MUST
+		 * always be larger than the previous input resume handle, in
+		 * particular when hitting the last query it is vital to set the
+		 * resume handle correctly to avoid infinite client loops, as
+		 * seen e.g.  with Windows XP SP3 when resume handle is 0 and
+		 * status is NT_STATUS_OK - gd */
+
+		if (NT_STATUS_IS_OK(enum_status) ||
+		    NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES) ||
+		    NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES))
+		{
+			if (out_resume_handle <= in_resume_handle) {
+				torture_comment(tctx, "EnumTrustDom failed - should have returned output resume_handle (0x%08x) larger than input resume handle (0x%08x)\n",
+					out_resume_handle, in_resume_handle);
+				return false;
+			}
+		}
+
 		/* NO_MORE_ENTRIES is allowed */
 		if (NT_STATUS_EQUAL(enum_status, NT_STATUS_NO_MORE_ENTRIES)) {
 			if (domains.count == 0) {
@@ -2060,6 +2127,8 @@ static bool test_EnumTrustDom(struct dcerpc_pipe *p,
 
 		ret &= test_query_each_TrustDom(p, tctx, handle, &domains);
 
+		in_resume_handle = out_resume_handle;
+
 	} while ((NT_STATUS_EQUAL(enum_status, STATUS_MORE_ENTRIES)));
 
 	return ret;
@@ -2768,6 +2837,10 @@ static bool testcase_LookupNames(struct torture_context *tctx,
 		ret = false;
 	}
 
+	if (!test_LookupNames_NULL(p, tctx, handle)) {
+		ret = false;
+	}
+
 	if (!test_LookupNames_bogus(p, tctx, handle)) {
 		ret = false;
 	}


-- 
Samba Shared Repository

