From d23785e69ddd1b511202be1e601e970798aac409 Mon Sep 17 00:00:00 2001
From: Douglas Bagnall
Date: Fri, 26 Jul 2019 16:02:04 +1200
Subject: [PATCH] ldb: a short program to hammer ldb_dn_explode

We exhaustively try short strings from a selected alphabet, both on its own, and as suffixes and prefixes of an ordinary looking DN.

Signed-off-by: Douglas Bagnall
---
 lib/ldb/tests/ldb_dn_pseudo_fuzz.c | 128 +++++++++++++++++++++++++++++
 lib/ldb/wscript | 5 ++
 2 files changed, 133 insertions(+)
 create mode 100644 lib/ldb/tests/ldb_dn_pseudo_fuzz.c

diff --git a/lib/ldb/tests/ldb_dn_pseudo_fuzz.c b/lib/ldb/tests/ldb_dn_pseudo_fuzz.c
new file mode 100644
index 00000000000..8eba901ed96
--- /dev/null
+++ b/lib/ldb/tests/ldb_dn_pseudo_fuzz.c
@@ -0,0 +1,128 @@
+/*
+ * Unix SMB/CIFS implementation.
+ *
+ * Copyright (C) 2018 Andreas Schneider
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program. If not, see .
+ */
+
+#include
+#include "replace.h"
+
+#define SLOW_PERMUTE_DEPTH 8
+#define MAX_PERMUTE_DEPTH 20
+
+const char letters[] = "1-.\"+\\<>;,=A \x80";
+size_t n_letters = strlen(letters);
+
+uint64_t n_failures = 0;
+uint64_t n_successes = 0;
+
+struct ldb_context *ldb = NULL;
+
+char buffer[300];
+
+const char *TEMPLATES[] = {
+ "CN=onething,CN=another,CN=Configuration,DC=addom,DC=samba,DC=example,DC=com",
+ "",
+};
+
+/* permutations with replacement */
+static int permute(char *dest,
+ unsigned int dest_len,
+ unsigned int pos)
+{
+ unsigned int i;
+ size_t count = 0;
+ struct ldb_dn *dn;
+ int result;
+ if (pos == dest_len) {
+ dn = ldb_dn_new(ldb, ldb, dest);
+ result = ldb_dn_validate(dn);
+ if (result == false) {
+ n_failures++;
+ } else {
+ n_successes++;
+ ldb_dn_canonical_string(dn, dn);
+ }
+ talloc_free(dn);
+ return 1;
+ }
+ for (i = 0; i < n_letters; i++) {
+ dest[pos] = letters[i];
+ count += permute(dest, dest_len, pos + 1);
+ }
+ return count;
+}
+
+
+static void print_usage_and_exit(void) {
+ printf("USAGE: ldb_dn_pseudo_fuzz [DEPTH]\n\n");
+ printf("DEPTH is in the range 1-%d\n", MAX_PERMUTE_DEPTH);
+ printf("DEPTH >= %d will be quite slow\n", SLOW_PERMUTE_DEPTH);
+ exit(1);
+}
+
+int main(int argc, const char **argv) {
+ unsigned int len, i;
+ size_t count = 0;
+ size_t round_count;
+ unsigned long permute_length = 0;
+ if (argc != 2) {
+ print_usage_and_exit();
+ } else if (argc == 2) {
+ char *end = NULL;
+ permute_length = strtoul(argv[1], &end, 10);
+ if (end == argv[0] || *end != '\0' ||
+ permute_length == 0 ||
+ permute_length > MAX_PERMUTE_DEPTH) {
+ print_usage_and_exit();
+ }
+ }
+ ldb = ldb_init(NULL, NULL);
+
+ printf("testing with %zu letters\n", n_letters);
+ printf("«%s»\n", letters);
+ printf("using permutations up to %lu\n", permute_length);
+ if (permute_length >= SLOW_PERMUTE_DEPTH) {
+ printf("This may take some time!\n");
+ }
+
+ for (i = 0; i < ARRAY_SIZE(TEMPLATES); i++) {
+ const char *template = TEMPLATES[i];
+ size_t t_len = strlen(template);
+ strncpy(buffer, template, sizeof(buffer));
+ printf("template: %s\n", buffer);
+ for (len = 1; len <= permute_length; len++) {
+ printf("round %u ", len);
+ round_count = permute(buffer, len, 0);
+ printf("%zu\n", round_count);
+ count += round_count;
+ }
+ if (t_len > 0) {
+ strncpy(buffer, template, sizeof(buffer));
+ printf("doing tail of %s\n", buffer);
+ for (len = 1; len <= permute_length; len++) {
+ printf("round %u ", len);
+ round_count = permute(buffer + t_len, len, 0);
+ printf("%zu\n", round_count);
+ count += round_count;
+ }
+ }
+ }
+ printf("total %zu\n", count);
+ printf("successes %zu\n", n_successes);
+ printf("failures %zu\n", n_failures);
+ exit(0);
+}
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index fdb9b23de6d..7b498b2fe07 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -502,6 +502,11 @@ def build(bld):
 deps='ldb',
 install=False)
 
+ bld.SAMBA_BINARY('ldb_dn_pseudo_fuzz',
+ source='tests/ldb_dn_pseudo_fuzz.c',
+ deps='ldb',
+ install=False)
+
 bld.SAMBA_BINARY('ldb_match_test',
 source='tests/ldb_match_test.c',
 deps='cmocka ldb',
-- 
2.20.1
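Review bot: In the "doing tail of" loop of `main`, `permute(buffer + t_len, len, 0)` passes `buffer + t_len` as `dest`, and `permute` hands that same pointer to `ldb_dn_new`, so the parser only ever sees the generated characters and never the template followed by them; the suffix rounds therefore repeat the empty-template rounds and the DN-plus-suffix coverage described in the commit message is not exercised. Parsing from the start of the global buffer would fix it, e.g. `dn = ldb_dn_new(ldb, ldb, buffer);` in `permute`. Separately, `permute` returns `int` while accumulating into a `size_t`, and with 14 letters the leaf count exceeds INT_MAX from depth 9 onward, so `static size_t permute(...)` is needed for the reported totals to be trustworthy at the depths the usage text allows. The `uint64_t` counters `n_successes` and `n_failures` are printed with `%zu` and should use `"%" PRIu64`, and the file-scope initializer `strlen(letters)` is not a constant expression in standard C, where `sizeof(letters) - 1` is. The argument check `end == argv[0]` presumably means `end == argv[1]`, the string that `strtoul` was given.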