1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00

s4: torture: Add smb2.notify.handle-permissions test.

Add knownfail entry.

CVE-2020-14318

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14434

Signed-off-by: Jeremy Allison <jra@samba.org>
This commit is contained in:
Jeremy Allison 2020-07-10 15:09:33 -07:00 committed by Karolin Seeger
parent 40f23c2459
commit 6e143d9c7a
2 changed files with 82 additions and 0 deletions

View File

@ -0,0 +1,2 @@
^samba3.smb2.notify.handle-permissions

View File

@ -2649,6 +2649,83 @@ done:
return ok;
}
/*
Test asking for a change notify on a handle without permissions.
*/
#define BASEDIR_HPERM BASEDIR "_HPERM"
static bool torture_smb2_notify_handle_permissions(
struct torture_context *torture,
struct smb2_tree *tree)
{
bool ret = true;
NTSTATUS status;
union smb_notify notify;
union smb_open io;
struct smb2_handle h1 = {{0}};
struct smb2_request *req;
smb2_deltree(tree, BASEDIR_HPERM);
smb2_util_rmdir(tree, BASEDIR_HPERM);
torture_comment(torture,
"TESTING CHANGE NOTIFY "
"ON A HANDLE WITHOUT PERMISSIONS\n");
/*
get a handle on the directory
*/
ZERO_STRUCT(io.smb2);
io.generic.level = RAW_OPEN_SMB2;
io.smb2.in.create_flags = 0;
io.smb2.in.desired_access = SEC_FILE_READ_ATTRIBUTE;
io.smb2.in.create_options = NTCREATEX_OPTIONS_DIRECTORY;
io.smb2.in.file_attributes = FILE_ATTRIBUTE_NORMAL;
io.smb2.in.share_access = NTCREATEX_SHARE_ACCESS_READ |
NTCREATEX_SHARE_ACCESS_WRITE;
io.smb2.in.alloc_size = 0;
io.smb2.in.create_disposition = NTCREATEX_DISP_CREATE;
io.smb2.in.impersonation_level = SMB2_IMPERSONATION_ANONYMOUS;
io.smb2.in.security_flags = 0;
io.smb2.in.fname = BASEDIR_HPERM;
status = smb2_create(tree, torture, &io.smb2);
CHECK_STATUS(status, NT_STATUS_OK);
h1 = io.smb2.out.file.handle;
/* ask for a change notify,
on file or directory name changes */
ZERO_STRUCT(notify.smb2);
notify.smb2.level = RAW_NOTIFY_SMB2;
notify.smb2.in.buffer_size = 1000;
notify.smb2.in.completion_filter = FILE_NOTIFY_CHANGE_NAME;
notify.smb2.in.file.handle = h1;
notify.smb2.in.recursive = true;
req = smb2_notify_send(tree, &notify.smb2);
torture_assert_goto(torture,
req != NULL,
ret,
done,
"smb2_notify_send failed\n");
/*
* Cancel it, we don't really want to wait.
*/
smb2_cancel(req);
status = smb2_notify_recv(req, torture, &notify.smb2);
/* Handle h1 doesn't have permissions for ChangeNotify. */
CHECK_STATUS(status, NT_STATUS_ACCESS_DENIED);
done:
if (!smb2_util_handle_empty(h1)) {
smb2_util_close(tree, h1);
}
smb2_deltree(tree, BASEDIR_HPERM);
return ret;
}
/*
basic testing of SMB2 change notify
*/
@ -2682,6 +2759,9 @@ struct torture_suite *torture_smb2_notify_init(TALLOC_CTX *ctx)
torture_smb2_notify_rmdir3);
torture_suite_add_2smb2_test(suite, "rmdir4",
torture_smb2_notify_rmdir4);
torture_suite_add_1smb2_test(suite,
"handle-permissions",
torture_smb2_notify_handle_permissions);
suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests");