2025-03-30 06:50:24 +03:00 · 2003-11-04 09:10:31 +00:00 · 2003-11-04 09:10:31 +00:00 · 46046aa69b
commit 46046aa69b
parent d8cbe76b86
14 changed files with 458 additions and 105 deletions
--- a/source4/Makefile.in
+++ b/source4/Makefile.in
@ -194,9 +194,9 @@ LIBCLIUTIL_OBJ = libcli/util/asn1.o \
 	     libcli/util/pwd_cache.o libcli/util/clierror.o libcli/util/cliutil.o

 LIBRAW_NDR_OBJ = libcli/ndr/ndr.o libcli/ndr/ndr_basic.o libcli/ndr/ndr_sec.o \
-		libcli/ndr/ndr_echo.o
+		libcli/ndr/ndr_echo.o libcli/ndr/ndr_misc.o libcli/ndr/ndr_lsa.o

-LIBRAW_RPC_OBJ = libcli/rpc/dcerpc.o libcli/rpc/rpc_echo.o
+LIBRAW_RPC_OBJ = libcli/rpc/dcerpc.o libcli/rpc/rpc_echo.o libcli/rpc/rpc_lsa.o

 LIBRAW_OBJ = libcli/raw/rawfile.o libcli/raw/smb_signing.o  \
 	     libcli/raw/clisocket.o libcli/raw/clitransport.o \
@ -533,7 +533,7 @@ SMBTORTURE_RPC_OBJ = torture/rpc/lsa.o torture/rpc/echo.o
 SMBTORTURE_OBJ1 = torture/torture.o torture/torture_util.o torture/nbio.o torture/scanner.o \
 		torture/utable.o torture/denytest.o torture/mangle_test.o \
 		torture/aliases.o libcli/raw/clirewrite.o $(SMBTORTURE_RAW_OBJ) \
-		$(SMBTORTURE_RPC_OBJ) rpc_parse/parse_lsa.o
+		$(SMBTORTURE_RPC_OBJ)

 SMBTORTURE_OBJ = $(SMBTORTURE_OBJ1) \
 	$(LIBSMB_OBJ) $(LIBDFS_OBJ) $(PARAM_OBJ) $(LIB_OBJ)
--- a/source4/libcli/ndr/libndr.h
+++ b/source4/libcli/ndr/libndr.h
@ -54,6 +54,10 @@ struct ndr_push {
 	TALLOC_CTX *mem_ctx;
 };

+struct ndr_push_save {
+	uint32 offset;
+};
+
 #define NDR_BASE_MARSHALL_SIZE 1024


@ -90,4 +94,6 @@ typedef NTSTATUS (*ndr_pull_fn_t)(struct ndr_pull *, void *);

 /* now pull in the individual parsers */
 #include "libcli/ndr/ndr_sec.h"
+#include "libcli/ndr/ndr_misc.h"
 #include "libcli/ndr/ndr_echo.h"
+#include "libcli/ndr/ndr_lsa.h"
--- a/source4/libcli/ndr/ndr_basic.c
+++ b/source4/libcli/ndr/ndr_basic.c
@ -35,21 +35,6 @@
 	} \
 } while(0)

-/*
-  parse a GUID
-*/
-NTSTATUS ndr_pull_guid(struct ndr_pull *ndr, GUID *guid)
-{
-	int i;
-	NDR_PULL_NEED_BYTES(ndr, GUID_SIZE);
-	for (i=0;i<GUID_SIZE;i++) {
-		guid->info[i] = CVAL(ndr->data, ndr->offset + i);
-	}
-	ndr->offset += i;
-	return NT_STATUS_OK;
-}
-
-
 /*
  parse a u8
 */
@ -95,18 +80,41 @@ NTSTATUS ndr_pull_u32(struct ndr_pull *ndr, uint32 *v)
 	return NT_STATUS_OK;
 }

+/*
+  pull a NTSTATUS
+*/
+NTSTATUS ndr_pull_status(struct ndr_pull *ndr, NTSTATUS *status)
+{
+	uint32 v;
+	NDR_CHECK(ndr_pull_u32(ndr, &v));
+	*status = NT_STATUS(v);
+	return NT_STATUS_OK;
+}
+
 /*
  parse a set of bytes
 */
-NTSTATUS ndr_pull_bytes(struct ndr_pull *ndr, char **data, uint32 n)
+NTSTATUS ndr_pull_bytes(struct ndr_pull *ndr, char *data, uint32 n)
 {
 	NDR_PULL_NEED_BYTES(ndr, n);
-	NDR_ALLOC_N(ndr, *data, n);
-	memcpy(*data, ndr->data + ndr->offset, n);
+	memcpy(data, ndr->data + ndr->offset, n);
 	ndr->offset += n;
 	return NT_STATUS_OK;
 }

+/*
+  parse a GUID
+*/
+NTSTATUS ndr_pull_guid(struct ndr_pull *ndr, GUID *guid)
+{
+	int i;
+	NDR_PULL_NEED_BYTES(ndr, GUID_SIZE);
+	for (i=0;i<GUID_SIZE;i++) {
+		guid->info[i] = CVAL(ndr->data, ndr->offset + i);
+	}
+	ndr->offset += i;
+	return NT_STATUS_OK;
+}


 #define NDR_PUSH_NEED_BYTES(ndr, n) NDR_CHECK(ndr_push_expand(ndr, ndr->offset+(n)))
@ -161,3 +169,55 @@ NTSTATUS ndr_push_bytes(struct ndr_push *ndr, const char *data, uint32 n)
 	ndr->offset += n;
 	return NT_STATUS_OK;
 }
+
+
+/*
+  this is used when a packet has a 4 byte length field. We remember the start position
+  and come back to it later to fill in the size
+*/
+NTSTATUS ndr_push_length4_start(struct ndr_push *ndr, struct ndr_push_save *save)
+{
+	save->offset = ndr->offset;
+	return ndr_push_u32(ndr, 0);
+}
+
+NTSTATUS ndr_push_length4_end(struct ndr_push *ndr, struct ndr_push_save *save)
+{
+	uint32 offset = ndr->offset;
+	ndr->offset = save->offset;
+	NDR_CHECK(ndr_push_u32(ndr, offset - save->offset));
+	ndr->offset = offset;
+	return NT_STATUS_OK;
+}
+
+/*
+  push a 1 if a pointer is non-NULL, otherwise 0
+*/
+NTSTATUS ndr_push_ptr(struct ndr_push *ndr, const void *p)
+{
+	return ndr_push_u32(ndr, p?1:0);
+}
+
+/*
+  push a comformant, variable ucs2 string onto the wire from a C string
+*/
+NTSTATUS ndr_push_unistr(struct ndr_push *ndr, const char *s)
+{
+	smb_ucs2_t *ws;
+	ssize_t len;
+	int i;
+	len = push_ucs2_talloc(ndr->mem_ctx, &ws, s);
+	if (len == -1) {
+		return NT_STATUS_INVALID_PARAMETER;
+	}
+	NDR_CHECK(ndr_push_u32(ndr, len));
+	NDR_CHECK(ndr_push_u32(ndr, 0));
+	NDR_CHECK(ndr_push_u32(ndr, len-2));
+	NDR_PUSH_NEED_BYTES(ndr, len);
+	for (i=0;i<len;i+=2) {
+		SSVAL(ndr->data, ndr->offset + i, ws[i]);
+	}
+	ndr->offset += i;
+	return NT_STATUS_OK;
+}
+
--- a/source4/libcli/ndr/ndr_echo.c
+++ b/source4/libcli/ndr/ndr_echo.c
@ -53,7 +53,8 @@ NTSTATUS ndr_pull_rpcecho_echodata(struct ndr_pull *ndr,
 				   struct rpcecho_echodata *r)
 {
 	NDR_CHECK(ndr_pull_u32(ndr, &r->out.len));
-	NDR_CHECK(ndr_pull_bytes(ndr, &r->out.data, r->out.len));
+	NDR_ALLOC_N(ndr, r->out.data, r->out.len);
+	NDR_CHECK(ndr_pull_bytes(ndr, r->out.data, r->out.len));
 	return NT_STATUS_OK;
 }

@ -97,7 +98,8 @@ NTSTATUS ndr_pull_rpcecho_sourcedata(struct ndr_pull *ndr,
 				   struct rpcecho_sourcedata *r)
 {
 	NDR_CHECK(ndr_pull_u32(ndr, &r->out.len));
-	NDR_CHECK(ndr_pull_bytes(ndr, &r->out.data, r->out.len));
+	NDR_ALLOC_N(ndr, r->out.data, r->out.len);
+	NDR_CHECK(ndr_pull_bytes(ndr, r->out.data, r->out.len));
 	return NT_STATUS_OK;
 }

--- a/source4/libcli/ndr/ndr_lsa.c
+++ b/source4/libcli/ndr/ndr_lsa.c
@ -0,0 +1,85 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   routines for marshalling/unmarshalling lsa pipe
+
+   Copyright (C) Andrew Tridgell 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+#include "includes.h"
+
+NTSTATUS ndr_push_lsa_QosInfo(struct ndr_push *ndr,
+			      struct lsa_QosInfo *r)
+{
+	struct ndr_push_save length;
+
+	NDR_CHECK(ndr_push_length4_start(ndr, &length));
+	NDR_CHECK(ndr_push_u16(ndr, r->impersonation_level));
+	NDR_CHECK(ndr_push_u8(ndr, r->context_mode));
+	NDR_CHECK(ndr_push_u8(ndr, r->effective_only));
+	NDR_CHECK(ndr_push_length4_end(ndr, &length));
+
+	return NT_STATUS_OK;
+}
+
+NTSTATUS ndr_push_lsa_ObjectAttribute(struct ndr_push *ndr,
+				      struct lsa_ObjectAttribute *r)
+{
+	struct ndr_push_save length;
+
+	NDR_CHECK(ndr_push_length4_start(ndr, &length));
+	NDR_CHECK(ndr_push_ptr(ndr, r->root_dir));
+	NDR_CHECK(ndr_push_ptr(ndr, r->object_name));
+	NDR_CHECK(ndr_push_u32(ndr, r->attributes));
+	NDR_CHECK(ndr_push_ptr(ndr, r->sec_desc));
+	NDR_CHECK(ndr_push_ptr(ndr, r->sec_qos));
+
+	if (r->root_dir)    NDR_CHECK(ndr_push_u8(ndr, r->root_dir[0]));
+	if (r->object_name) NDR_CHECK(ndr_push_unistr(ndr, r->object_name));
+	if (r->sec_desc)    NDR_CHECK(ndr_push_security_descriptor(ndr, r->sec_desc));
+	if (r->sec_qos)     NDR_CHECK(ndr_push_lsa_QosInfo(ndr, r->sec_qos));
+
+	NDR_CHECK(ndr_push_length4_end(ndr, &length));
+
+	return NT_STATUS_OK;
+}
+
+/*
+  push a openpolicy
+*/
+NTSTATUS ndr_push_lsa_OpenPolicy(struct ndr_push *ndr, 
+				 struct lsa_OpenPolicy *r)
+{
+	NDR_CHECK(ndr_push_ptr(ndr, r->in.system_name));
+	NDR_CHECK(ndr_push_u16(ndr, r->in.system_name[0]));
+	NDR_CHECK(ndr_push_lsa_ObjectAttribute(ndr, r->in.attr));
+	NDR_CHECK(ndr_push_u32(ndr, r->in.desired_access));
+	return NT_STATUS_OK;
+}
+
+
+/*
+  parse a openpolicy
+*/
+NTSTATUS ndr_pull_lsa_OpenPolicy(struct ndr_pull *ndr,
+				 struct lsa_OpenPolicy *r)
+{
+	NDR_CHECK(ndr_pull_policy_handle(ndr, &r->out.handle));
+	NDR_CHECK(ndr_pull_status(ndr, &r->out.status));
+	return NT_STATUS_OK;
+}
--- a/source4/libcli/ndr/ndr_lsa.h
+++ b/source4/libcli/ndr/ndr_lsa.h
@ -0,0 +1,47 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   definitions for marshalling/unmarshalling the lsa pipe
+
+   Copyright (C) Andrew Tridgell 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+struct lsa_QosInfo {
+	uint16 impersonation_level;
+	uint8  context_mode;
+	uint8  effective_only;
+};
+
+struct lsa_ObjectAttribute {
+	const char *root_dir;
+	const char *object_name;
+	uint32 attributes;
+	struct security_descriptor *sec_desc;
+	struct lsa_QosInfo *sec_qos;
+};
+
+struct lsa_OpenPolicy {
+	struct {
+		const char *system_name;
+		struct lsa_ObjectAttribute *attr;
+		uint32 desired_access;
+	} in;
+	struct {
+		struct policy_handle handle;
+		NTSTATUS status;
+	} out;
+};
--- a/source4/libcli/ndr/ndr_misc.c
+++ b/source4/libcli/ndr/ndr_misc.c
@ -0,0 +1,45 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   routines for marshalling/unmarshalling miscellaneous rpc structures
+
+   Copyright (C) Andrew Tridgell 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+
+#include "includes.h"
+
+
+/*
+  parse a policy handle
+*/
+NTSTATUS ndr_pull_policy_handle(struct ndr_pull *ndr, 
+				struct policy_handle *r)
+{
+	NDR_CHECK(ndr_pull_bytes(ndr, r->data, 20));
+	return NT_STATUS_OK;
+}
+
+/*
+  push a policy handle
+*/
+NTSTATUS ndr_push_policy_handle(struct ndr_push *ndr, 
+				struct policy_handle *r)
+{
+	NDR_CHECK(ndr_push_bytes(ndr, r->data, 20));
+	return NT_STATUS_OK;
+}
--- a/source4/libcli/ndr/ndr_misc.h
+++ b/source4/libcli/ndr/ndr_misc.h
@ -0,0 +1,26 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   definitions for marshalling/unmarshalling miscellaneous structures
+
+   Copyright (C) Andrew Tridgell 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+/* policy handles are used all over the place */
+struct policy_handle {
+	char data[20];
+};
--- a/source4/libcli/raw/rawdcerpc.c
+++ b/source4/libcli/raw/rawdcerpc.c
@ -22,6 +22,68 @@

 #include "includes.h"

+
+/* 
+   open a rpc connection to a named pipe 
+*/
+NTSTATUS dcerpc_pipe_open_smb(struct dcerpc_pipe *p, const char *pipe_name)
+{
+        NTSTATUS status;
+	char *name = NULL;
+	union smb_open io;
+	TALLOC_CTX *mem_ctx;
+
+	asprintf(&name, "\\%s", pipe_name);
+	if (!name) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	io.ntcreatex.level = RAW_OPEN_NTCREATEX;
+	io.ntcreatex.in.flags = 0;
+	io.ntcreatex.in.root_fid = 0;
+	io.ntcreatex.in.access_mask = 
+		STD_RIGHT_READ_CONTROL_ACCESS | 
+		SA_RIGHT_FILE_WRITE_ATTRIBUTES | 
+		SA_RIGHT_FILE_WRITE_EA | 
+		GENERIC_RIGHTS_FILE_READ |
+		GENERIC_RIGHTS_FILE_WRITE;
+	io.ntcreatex.in.file_attr = 0;
+	io.ntcreatex.in.alloc_size = 0;
+	io.ntcreatex.in.share_access = 
+		NTCREATEX_SHARE_ACCESS_READ |
+		NTCREATEX_SHARE_ACCESS_WRITE;
+	io.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
+	io.ntcreatex.in.create_options = 0;
+	io.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_IMPERSONATION;
+	io.ntcreatex.in.security_flags = 0;
+	io.ntcreatex.in.fname = name;
+
+	mem_ctx = talloc_init("torture_rpc_connection");
+	status = smb_raw_open(p->tree, mem_ctx, &io);
+	free(name);
+	talloc_destroy(mem_ctx);
+
+	if (!NT_STATUS_IS_OK(status)) {
+                return status;
+        }
+ 
+	p->fnum = io.ntcreatex.out.fnum;
+
+	/* bind to the pipe, using the pipe_name as the key */
+	status = dcerpc_bind_byname(p, pipe_name);
+
+	if (!NT_STATUS_IS_OK(status)) {
+		union smb_close c;
+		c.close.level = RAW_CLOSE_CLOSE;
+		c.close.in.fnum = p->fnum;
+		c.close.in.write_time = 0;
+		smb_raw_close(p->tree, &c);
+	}
+
+        return status;
+}
+
+
 struct cli_request *dcerpc_raw_send(struct dcerpc_pipe *p, DATA_BLOB *blob)
 {
 	struct smb_trans2 trans;
--- a/source4/libcli/rpc/dcerpc.c
+++ b/source4/libcli/rpc/dcerpc.c
@ -28,7 +28,7 @@ struct dcerpc_pipe *dcerpc_pipe_init(struct cli_tree *tree)
 {
 	struct dcerpc_pipe *p;

-	TALLOC_CTX *mem_ctx = talloc_init("cli_dcerpc_tree");
+	TALLOC_CTX *mem_ctx = talloc_init("dcerpc_tree");
 	if (mem_ctx == NULL)
 		return NULL;

@ -513,7 +513,7 @@ NTSTATUS dcerpc_bind(struct dcerpc_pipe *p,
 	DATA_BLOB blob;
 	DATA_BLOB blob_out;

-	mem_ctx = talloc_init("cli_dcerpc_bind");
+	mem_ctx = talloc_init("dcerpc_bind");
 	if (!mem_ctx) {
 		return NT_STATUS_NO_MEMORY;
 	}
@ -590,7 +590,7 @@ static const struct {


 /* Perform a bind using the given well-known pipe name */
-NTSTATUS cli_dcerpc_bind_byname(struct dcerpc_pipe *p, const char *pipe_name)
+NTSTATUS dcerpc_bind_byname(struct dcerpc_pipe *p, const char *pipe_name)
 {
 	int i;

@ -609,7 +609,7 @@ NTSTATUS cli_dcerpc_bind_byname(struct dcerpc_pipe *p, const char *pipe_name)
 /*
  perform a full request/response pair on a dcerpc pipe
 */
-NTSTATUS cli_dcerpc_request(struct dcerpc_pipe *p, 
+NTSTATUS dcerpc_request(struct dcerpc_pipe *p, 
 			    uint16 opnum,
 			    TALLOC_CTX *mem_ctx,
 			    DATA_BLOB *stub_data_in,
@ -777,7 +777,7 @@ NTSTATUS dcerpc_ndr_request(struct dcerpc_pipe *p,
 	request = ndr_push_blob(push);

 	/* make the actual dcerpc request */
-	status = cli_dcerpc_request(p, opnum, mem_ctx, &request, &response);
+	status = dcerpc_request(p, opnum, mem_ctx, &request, &response);
 	if (!NT_STATUS_IS_OK(status)) {
 		goto failed;
 	}
--- a/source4/libcli/rpc/rpc_lsa.c
+++ b/source4/libcli/rpc/rpc_lsa.c
@ -0,0 +1,64 @@
+/* 
+   Unix SMB/CIFS implementation.
+
+   rpc lsa pipe calls
+
+   Copyright (C) Andrew Tridgell 2003
+   
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2 of the License, or
+   (at your option) any later version.
+   
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+   
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software
+   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+*/
+
+#include "includes.h"
+
+/*
+  OpenPolicy interface
+*/
+NTSTATUS dcerpc_lsa_OpenPolicy(struct dcerpc_pipe *p,
+			       const char *server,
+			       struct lsa_ObjectAttribute *attr,
+			       uint32 access_mask,
+			       struct policy_handle *handle)
+{
+	struct lsa_OpenPolicy r;
+	NTSTATUS status;
+	TALLOC_CTX *mem_ctx;
+
+	mem_ctx = talloc_init("dcerpc_rpcecho_addone");
+	if (!mem_ctx) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	/* fill the .in side of the call */
+	r.in.system_name = server;
+	r.in.attr = attr;
+	r.in.desired_access = access_mask;
+
+	/* make the call */
+	status = dcerpc_ndr_request(p, LSA_OPENPOLICY, mem_ctx,
+				    (ndr_push_fn_t) ndr_push_lsa_OpenPolicy,
+				    (ndr_pull_fn_t) ndr_pull_lsa_OpenPolicy,
+				    &r);
+	if (!NT_STATUS_IS_OK(status)) {
+		goto done;
+	}
+	
+	/* and extract the .out parameters */
+	*handle = r.out.handle;
+	status = r.out.status;
+
+done:
+	talloc_destroy(mem_ctx);
+	return status;
+}
--- a/source4/torture/rpc/echo.c
+++ b/source4/torture/rpc/echo.c
@ -53,7 +53,7 @@ static BOOL test_echodata(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	int i;
 	NTSTATUS status;
 	char *data_in, *data_out;
-	int len = 17;
+	int len = 1 + (random() % 5000);
 	int len_out;

 	printf("\nTesting EchoData\n");
@ -92,7 +92,7 @@ static BOOL test_sourcedata(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	int i;
 	NTSTATUS status;
 	char *data_out;
-	int len = 200000;
+	int len = 200000 + (random() % 5000);
 	int len_out;

 	printf("\nTesting SourceData\n");
@ -126,7 +126,7 @@ static BOOL test_sinkdata(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 	int i;
 	NTSTATUS status;
 	char *data_in;
-	int len = 200000;
+	int len = 200000 + (random() % 5000);

 	printf("\nTesting SinkData\n");

@ -143,6 +143,8 @@ static BOOL test_sinkdata(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx)
 		return False;
 	}

+	printf("sunk %d bytes\n", len);
+
 	return True;
 }

--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@ -1,7 +1,7 @@
 /* 
   Unix SMB/CIFS implementation.
   test suite for lsa rpc operations
-   Copyright (C) Tim Potter 2003
+
   Copyright (C) Andrew Tridgell 2003
   
   This program is free software; you can redistribute it and/or modify
@ -21,38 +21,40 @@

 #include "includes.h"

-/* form a lsa open request */
-static DATA_BLOB blob_lsa_open_policy_req(TALLOC_CTX *mem_ctx, BOOL sec_qos, uint32 des_access)
+static BOOL test_OpenPolicy(struct dcerpc_pipe *p)
 {
-	prs_struct qbuf;
-	LSA_Q_OPEN_POL q;
-	LSA_SEC_QOS qos;
+	struct lsa_ObjectAttribute attr;
+	struct policy_handle handle;
+	struct lsa_QosInfo qos;
+	NTSTATUS status;

-	ZERO_STRUCT(q);
+	qos.impersonation_level = 2;
+	qos.context_mode = 1;
+	qos.effective_only = 0;

-	/* Initialise parse structures */
-	prs_init(&qbuf, MAX_PDU_FRAG_LEN, mem_ctx, MARSHALL);
+	attr.root_dir = NULL;
+	attr.object_name = NULL;
+	attr.attributes = 0;
+	attr.sec_desc = NULL;
+	attr.sec_qos = &qos;

-	/* Initialise input parameters */
-	if (sec_qos) {
-		init_lsa_sec_qos(&qos, 2, 1, 0);
-		init_q_open_pol(&q, '\\', 0, des_access, &qos);
-	} else {
-		init_q_open_pol(&q, '\\', 0, des_access, NULL);
+	status = dcerpc_lsa_OpenPolicy(p, 
+				       "\\",
+				       &attr,
+				       SEC_RIGHTS_MAXIMUM_ALLOWED,
+				       &handle);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("OpenPolicy failed - %s\n", nt_errstr(status));
+		return False;
 	}

-	if (lsa_io_q_open_pol("", &q, &qbuf, 0))
-		return data_blob_talloc(
-			mem_ctx, prs_data_p(&qbuf), prs_offset(&qbuf));
-
-	return data_blob(NULL, 0);
+	return True;
 }

 BOOL torture_rpc_lsa(int dummy)
 {
        NTSTATUS status;
        struct dcerpc_pipe *p;
-	DATA_BLOB request, response;
 	TALLOC_CTX *mem_ctx;

 	mem_ctx = talloc_init("torture_rpc_lsa");
@ -62,13 +64,7 @@ BOOL torture_rpc_lsa(int dummy)
 		return False;
 	}
 	
-	request = blob_lsa_open_policy_req(mem_ctx, True, 
-					   SEC_RIGHTS_MAXIMUM_ALLOWED);
-
-	status = cli_dcerpc_request(p, LSA_OPENPOLICY, mem_ctx, &request, &response);
-	if (!NT_STATUS_IS_OK(status)) {
-		d_printf("Failed to LSA_OPENPOLICY - %s\n", nt_errstr(status));
-	}
+	test_OpenPolicy(p);

        torture_rpc_close(p);

--- a/source4/torture/torture.c
+++ b/source4/torture/torture.c
@ -135,65 +135,23 @@ BOOL torture_close_connection(struct cli_state *c)
 NTSTATUS torture_rpc_connection(struct dcerpc_pipe **p, const char *pipe_name)
 {
        struct cli_state *cli;
-        int fnum;
        NTSTATUS status;
-	char *name = NULL;
-	union smb_open open_parms;
-	TALLOC_CTX *mem_ctx;

 	if (!torture_open_connection(&cli)) {
                return NT_STATUS_UNSUCCESSFUL;
 	}

-	asprintf(&name, "\\%s", pipe_name);
-	if (!name) {
-		return NT_STATUS_NO_MEMORY;
+        if (!(*p = dcerpc_pipe_init(cli->tree))) {
+                return NT_STATUS_NO_MEMORY;
 	}
-
-	open_parms.ntcreatex.level = RAW_OPEN_NTCREATEX;
-	open_parms.ntcreatex.in.flags = 0;
-	open_parms.ntcreatex.in.root_fid = 0;
-	open_parms.ntcreatex.in.access_mask = 
-		STD_RIGHT_READ_CONTROL_ACCESS | 
-		SA_RIGHT_FILE_WRITE_ATTRIBUTES | 
-		SA_RIGHT_FILE_WRITE_EA | 
-		GENERIC_RIGHTS_FILE_READ |
-		GENERIC_RIGHTS_FILE_WRITE;
-	open_parms.ntcreatex.in.file_attr = 0;
-	open_parms.ntcreatex.in.alloc_size = 0;
-	open_parms.ntcreatex.in.share_access = 
-		NTCREATEX_SHARE_ACCESS_READ |
-		NTCREATEX_SHARE_ACCESS_WRITE;
-	open_parms.ntcreatex.in.open_disposition = NTCREATEX_DISP_OPEN;
-	open_parms.ntcreatex.in.create_options = 0;
-	open_parms.ntcreatex.in.impersonation = NTCREATEX_IMPERSONATION_IMPERSONATION;
-	open_parms.ntcreatex.in.security_flags = 0;
-	open_parms.ntcreatex.in.fname = name;
-
-	mem_ctx = talloc_init("torture_rpc_connection");
-	status = smb_raw_open(cli->tree, mem_ctx, &open_parms);
-	free(name);
-	talloc_destroy(mem_ctx);
-
+ 
+	status = dcerpc_pipe_open_smb(*p, pipe_name);
 	if (!NT_STATUS_IS_OK(status)) {
                printf("Open of pipe %s failed with error (%s)\n",
 		       pipe_name, nt_errstr(status));
                return status;
        }
 
-        if (!(*p = dcerpc_pipe_init(cli->tree))) {
-                return NT_STATUS_NO_MEMORY;
-	}
- 
-	(*p)->fnum = open_parms.ntcreatex.out.fnum;
- 
-	status = cli_dcerpc_bind_byname(*p, pipe_name);
-
-	if (!NT_STATUS_IS_OK(status)) {
-		cli_close(cli, fnum);
-		dcerpc_pipe_close(*p);
-	}
-
        return status;
 }