The Samba-Bugzilla – Attachment 8036 Details for
Bug 9209
Parse of invalid SMB2 create blob can cause smbd crash.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Test for v4-0-test
tmp40.diff (text/plain), 4.48 KB, created by
Stefan Metzmacher
on 2012-10-10 07:07:40 UTC
(
hide
)
Description:
Test for v4-0-test
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2012-10-10 07:07:40 UTC
Size:
4.48 KB
patch
obsolete
>From a45ae31745168263a39e46a755ff8c7c12c6bcb8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 19 Sep 2012 21:18:46 +0200 >Subject: [PATCH] s4:torture/smb2: improve the smb2.create.blob test > >metze >(cherry picked from commit e6c600aa2c751e694917322378417816c3e58eb6) >--- > source4/torture/smb2/create.c | 93 ++++++++++++++++++++++++++++++++++++++++- > 1 file changed, 91 insertions(+), 2 deletions(-) > >diff --git a/source4/torture/smb2/create.c b/source4/torture/smb2/create.c >index 4668e12..e36a078 100644 >--- a/source4/torture/smb2/create.c >+++ b/source4/torture/smb2/create.c >@@ -445,14 +445,103 @@ static bool test_create_blob(struct torture_context *tctx, struct smb2_tree *tre > status = smb2_util_close(tree, io.out.file.handle); > CHECK_STATUS(status, NT_STATUS_OK); > >- torture_comment(tctx, "Testing bad tag length\n"); >+ torture_comment(tctx, "Testing bad tag length 0\n"); >+ ZERO_STRUCT(io.in.blobs); > status = smb2_create_blob_add(tctx, &io.in.blobs, >- "xxx", data_blob(NULL, 0)); >+ "x", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); >+ >+ torture_comment(tctx, "Testing bad tag length 1\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "x", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); >+ >+ torture_comment(tctx, "Testing bad tag length 2\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xx", data_blob(NULL, 0)); > CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); > >+ torture_comment(tctx, "Testing bad tag length 3\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); > status = smb2_create(tree, tctx, &io); > CHECK_STATUS(status, NT_STATUS_INVALID_PARAMETER); > >+ torture_comment(tctx, "Testing tag length 4\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ torture_comment(tctx, "Testing tag length 5\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ torture_comment(tctx, "Testing tag length 6\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxxxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ torture_comment(tctx, "Testing tag length 7\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxxxxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ torture_comment(tctx, "Testing tag length 8\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxxxxxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ torture_comment(tctx, "Testing tag length 16\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxxxxxxxxxxxxxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ torture_comment(tctx, "Testing tag length 17\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxxxxxxxxxxxxxxx", data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ >+ torture_comment(tctx, "Testing tag length 34\n"); >+ ZERO_STRUCT(io.in.blobs); >+ status = smb2_create_blob_add(tctx, &io.in.blobs, >+ "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", >+ data_blob(NULL, 0)); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ status = smb2_create(tree, tctx, &io); >+ CHECK_STATUS(status, NT_STATUS_OK); >+ > smb2_deltree(tree, FNAME); > > return true; >-- >1.7.9.5 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=8036">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
jra
:
review+
Actions:
View
Attachments on
bug 9209
:
7956
| 8036 |
8110