[PATCH] SMB2 Compound related chain handling when generation of FileId has failed

anubhav rakshit anubhav.rakshit at gmail.com
Mon May 18 15:02:12 UTC 2020 

Hi Ralph,
I am attaching additional test case that would verify
Create(RO)->Read->Write->Read->Close chain. As expected we see Write
failing with ACCESS DENIED.

=-=-=
2948 35.969303 10.46.189.203 10.46.184.237 SMB2 742 Create Request File:
compound_related6.dat;Read Request Len:1 Off:0;Write Request Len:64
Off:0;Read Request Len:1 Off:0;Close Request
2949 35.969500 10.46.184.237 10.46.189.203 SMB2 606 Create Response File:
compound_related6.dat;Read Response;Write Response, Error:
STATUS_ACCESS_DENIED;Read Response;Close Response
=-=-=

Thanks,
Anubhav

On Mon, May 18, 2020 at 4:19 PM Ralph Boehme <slow at samba.org> wrote:

> Am 5/15/20 um 11:29 PM schrieb Anubhav Rakshit via samba-technical:
> > Please review the following patches.They consist of:
> > 1. Smbtorture test case to verify the expected behaviour in case of
> > Create failure in a compound related chain.
> > 2. Implement the behaviour in Samba Fileserver code.
> >
> > I have attached the patches.
> > The changes are also staged in github.
> >
> https://github.com/anubhavrakshit/samba/commit/a0e7d6196b259038342569d371ff67ed30c9b6b8
> >
> https://github.com/anubhavrakshit/samba/commit/4637b6108f188c1a2df7cce94165b621294942a1
>
> https://gitlab.com/samba-team/samba/-/merge_requests/1350
>
> -slow
>
> --
> Ralph Boehme, Samba Team                https://samba.org/
> Samba Developer, SerNet GmbH   https://sernet.de/en/samba/
> GPG-Fingerprint   FAE2C6088A24252051C559E4AA1E9B7126399E46
>
>
-------------- next part --------------
From 619e934f6caaaaf11492ff2d05fd69774580ef84 Mon Sep 17 00:00:00 2001
From: Anubhav Rakshit <anubhav.rakshit at gmail.com>
Date: Mon, 18 May 2020 20:20:05 +0530
Subject: [PATCH] smbtorture test case to verify Compound related handling

This test case checks what happens when we have an intermediate request
failure and how it impacts rest of the chain.

Signed-off-by: Anubhav Rakshit <anubhav.rakshit at gmail.com>
---
 source4/torture/smb2/compound.c | 94 +++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)

diff --git a/source4/torture/smb2/compound.c b/source4/torture/smb2/compound.c
index 9ab370d6792..52c45e83c0d 100644
--- a/source4/torture/smb2/compound.c
+++ b/source4/torture/smb2/compound.c
@@ -575,6 +575,98 @@ done:
 	return ret;
 }
 
+static bool test_compound_related6(struct torture_context *tctx,
+                                   struct smb2_tree *tree) {
+  struct smb2_handle hd;
+  struct smb2_create cr;
+  struct smb2_read rd;
+  struct smb2_write wr;
+  struct smb2_close cl;
+  NTSTATUS status;
+  const char *fname = "compound_related6.dat";
+  struct smb2_request *req[5];
+  uint8_t buf[64];
+  bool ret = true;
+
+  smb2_util_unlink(tree, fname);
+
+  ZERO_STRUCT(cr);
+  cr.level = RAW_OPEN_SMB2;
+  cr.in.create_flags = 0;
+  cr.in.desired_access = SEC_RIGHTS_FILE_ALL;
+  cr.in.create_options = 0;
+  cr.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
+  cr.in.share_access = NTCREATEX_SHARE_ACCESS_DELETE |
+                       NTCREATEX_SHARE_ACCESS_READ |
+                       NTCREATEX_SHARE_ACCESS_WRITE;
+  cr.in.alloc_size = 0;
+  cr.in.create_disposition = NTCREATEX_DISP_OPEN_IF;
+  cr.in.impersonation_level = NTCREATEX_IMPERSONATION_ANONYMOUS;
+  cr.in.security_flags = 0;
+  cr.in.fname = fname;
+
+  status = smb2_create(tree, tctx, &cr);
+  CHECK_STATUS(status, NT_STATUS_OK);
+  hd = cr.out.file.handle;
+
+  ZERO_STRUCT(buf);
+  status = smb2_util_write(tree, hd, buf, 0, ARRAY_SIZE(buf));
+  CHECK_STATUS(status, NT_STATUS_OK);
+
+  torture_comment(tctx, "try open for read\n");
+  cr.in.desired_access = SEC_FILE_READ_DATA;
+  smb2_transport_compound_start(tree->session->transport, 5);
+
+  req[0] = smb2_create_send(tree, &cr);
+
+  hd.data[0] = UINT64_MAX;
+  hd.data[1] = UINT64_MAX;
+
+  smb2_transport_compound_set_related(tree->session->transport, true);
+
+  ZERO_STRUCT(rd);
+  rd.in.file.handle = hd;
+  rd.in.length      = 1;
+  rd.in.offset      = 0;
+
+  req[1] = smb2_read_send(tree, &rd);
+
+  ZERO_STRUCT(wr);
+  wr.in.file.handle = hd;
+  wr.in.offset = 0;
+  wr.in.data = data_blob_talloc(tctx, NULL, 64);
+
+  req[2] = smb2_write_send(tree, &wr);
+
+  ZERO_STRUCT(rd);
+  rd.in.file.handle = hd;
+  rd.in.length      = 1;
+  rd.in.offset      = 0;
+
+  req[3] = smb2_read_send(tree, &rd);
+
+  ZERO_STRUCT(cl);
+  cl.in.file.handle = hd;
+
+  req[4] = smb2_close_send(tree, &cl);
+
+  status = smb2_create_recv(req[0], tree, &cr);
+  CHECK_STATUS(status, NT_STATUS_OK);
+  status = smb2_read_recv(req[1], tree, &rd);
+  CHECK_STATUS(status, NT_STATUS_OK);
+  status = smb2_write_recv(req[2], &wr);
+  CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
+  status = smb2_read_recv(req[3], tree, &rd);
+  CHECK_STATUS(status, NT_STATUS_OK);
+  status = smb2_close_recv(req[4], &cl);
+  CHECK_STATUS(status, NT_STATUS_OK);
+done:
+  smb2_util_unlink(tree, fname);
+  smb2_tdis(tree);
+  smb2_logoff(tree->session);
+  return ret;
+}
+
 static bool test_compound_padding(struct torture_context *tctx,
 				  struct smb2_tree *tree)
 {
@@ -1574,6 +1666,8 @@ struct torture_suite *torture_smb2_compound_init(TALLOC_CTX *ctx)
 				     test_compound_related4);
 	torture_suite_add_1smb2_test(suite, "related5",
 				     test_compound_related5);
+	torture_suite_add_1smb2_test(suite, "related6",
+				     test_compound_related6);
 	torture_suite_add_1smb2_test(suite, "unrelated1", test_compound_unrelated1);
 	torture_suite_add_1smb2_test(suite, "invalid1", test_compound_invalid1);
 	torture_suite_add_1smb2_test(suite, "invalid2", test_compound_invalid2);
-- 
2.20.1

More information about the samba-technical mailing list