2025-01-29 21:47:30 +03:00 · 1998-10-20 06:46:25 +00:00 · 1998-10-20 06:46:25 +00:00 · e4678f5d1d
commit e4678f5d1d
parent ad64fc6bc5
1 changed files with 66 additions and 11 deletions
--- a/source3/utils/torture.c
+++ b/source3/utils/torture.c
@ -47,37 +47,38 @@ static BOOL open_connection(struct cli_state *c)
 {
 	struct nmb_name called, calling;

+	ZERO_STRUCTP(c);
+
+	make_nmb_name(&calling, myname, 0x0, "");
+	make_nmb_name(&called , host, 0x20, "");
+
 	if (!cli_initialise(c) || !cli_connect(c, host, NULL)) {
 		printf("Failed to connect with %s\n", host);
 		return False;
 	}

-	make_nmb_name(&calling, myname, 0x0, "");
-	make_nmb_name(&called , host, 0x20, "");
-
 	if (!cli_session_request(c, &calling, &called)) {
-		printf("%s rejected the session\n",host);
 		cli_shutdown(c);
+		printf("%s rejected the session\n",host);
 		return False;
 	}

-	c->protocol = max_protocol;
-
 	if (!cli_negprot(c)) {
 		printf("%s rejected the negprot (%s)\n",host, cli_errstr(c));
 		cli_shutdown(c);
 		return False;
 	}

-	if (!cli_session_setup(c, username, password, strlen(password),
-			       "", 0, workgroup)) {
-		printf("%s rejected the sessionsetup (%s)\n", host, cli_errstr(c));
+	if (!cli_session_setup(c, username, 
+			       password, strlen(password),
+			       password, strlen(password),
+			       workgroup)) {
 		cli_shutdown(c);
+		printf("%s rejected the sessionsetup (%s)\n", host, cli_errstr(c));
 		return False;
 	}

-	if (!cli_send_tconX(c, share, 
-			    strstr(share,"IPC$")?"IPC":"A:", 
+	if (!cli_send_tconX(c, share, "?????",
 			    password, strlen(password)+1)) {
 		printf("%s refused tree connect (%s)\n", host, cli_errstr(c));
 		cli_shutdown(c);
@ -555,6 +556,59 @@ static void run_locktest3(int numops)
 }


+/*
+test whether fnums and tids open on one VC are available on another (a major
+security hole)
+*/
+static void run_fdpasstest(void)
+{
+	static struct cli_state cli1, cli2;
+	char *fname = "\\fdpass.tst";
+	int fnum1;
+	pstring buf;
+
+	if (!open_connection(&cli1) || !open_connection(&cli2)) {
+		return;
+	}
+	cli_sockopt(&cli1, sockops);
+	cli_sockopt(&cli2, sockops);
+
+	printf("starting fdpasstest\n");
+
+	cli_unlink(&cli1, fname);
+
+	fnum1 = cli_open(&cli1, fname, O_RDWR|O_CREAT|O_EXCL, DENY_NONE);
+	if (fnum1 == -1) {
+		printf("open of %s failed (%s)\n", fname, cli_errstr(&cli1));
+		return;
+	}
+
+	if (cli_write(&cli1, fnum1, 0, "hello world\n", 0, 13) != 13) {
+		printf("write failed (%s)\n", cli_errstr(&cli1));
+		return;
+	}
+
+	cli2.vuid = cli1.vuid;
+	cli2.cnum = cli1.cnum;
+	cli2.pid = cli1.pid;
+
+
+	if (cli_read(&cli2, fnum1, buf, 0, 13) == 13) {
+		printf("read succeeded! nasty security hole [%s]\n",
+		       buf);
+		return;
+	}
+
+	cli_close(&cli1, fnum1);
+	cli_unlink(&cli1, fname);
+
+	close_connection(&cli1);
+	close_connection(&cli2);
+
+	printf("finished fdpasstest\n");
+}
+
+
 /*
  This test checks that 

@ -1003,6 +1057,7 @@ static void create_procs(int nprocs, int numops, void (*fn)(int ))
 	printf("host=%s share=%s user=%s myname=%s\n", 
 	       host, share, username, myname);

+	run_fdpasstest();
 	run_locktest1();
 	run_locktest2();
 	run_locktest3(numops);