diff options
| author | David Disseldorp <ddiss@samba.org> | 2015-03-09 16:21:24 +0100 |
|---|---|---|
| committer | Jeremy Allison <jra@samba.org> | 2015-03-10 00:02:18 +0100 |
| commit | 95a6a892d9f50aced3d67e7b79e5ca2401134c38 (patch) | |
| tree | 10b7361792a3fa901a83e9a5141f02b3f752fb05 | |
| parent | 27e19a81e6fae6ea072d865dcadebc9bb9db48c5 (diff) | |
| download | samba-95a6a892d9f50aced3d67e7b79e5ca2401134c38.tar.gz samba-95a6a892d9f50aced3d67e7b79e5ca2401134c38.tar.xz samba-95a6a892d9f50aced3d67e7b79e5ca2401134c38.zip | |
torture/ioctl: add range overflow QAR test
Issue a QAR request with an offset and length that generate an integer
(uint64_t) overflow when summed together. This should result in an
NT_STATUS_INVALID_PARAMETER response, as confirmed against Windows
Server 2012 & 2008.
Signed-off-by: David Disseldorp <ddiss@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Mar 10 00:02:18 CET 2015 on sn-devel-104
| -rw-r--r-- | source4/torture/smb2/ioctl.c | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/source4/torture/smb2/ioctl.c b/source4/torture/smb2/ioctl.c index 5067d52016..43f98be195 100644 --- a/source4/torture/smb2/ioctl.c +++ b/source4/torture/smb2/ioctl.c @@ -4596,6 +4596,55 @@ static bool test_ioctl_sparse_qar_multi(struct torture_context *torture, return true; } +static bool test_ioctl_sparse_qar_overflow(struct torture_context *torture, + struct smb2_tree *tree) +{ + struct smb2_handle fh; + union smb_ioctl ioctl; + struct file_alloced_range_buf far_buf; + NTSTATUS status; + enum ndr_err_code ndr_ret; + TALLOC_CTX *tmp_ctx = talloc_new(tree); + bool ok; + + ok = test_setup_create_fill(torture, tree, tmp_ctx, + FNAME, &fh, 1024, SEC_RIGHTS_FILE_ALL, + FILE_ATTRIBUTE_NORMAL); + torture_assert(torture, ok, "setup file"); + + status = test_ioctl_sparse_fs_supported(torture, tree, tmp_ctx, &fh, + &ok); + torture_assert_ntstatus_ok(torture, status, "SMB2_GETINFO_FS"); + if (!ok) { + smb2_util_close(tree, fh); + torture_skip(torture, "Sparse files not supported\n"); + } + + /* no allocated ranges, no space for range response, should pass */ + ZERO_STRUCT(ioctl); + ioctl.smb2.level = RAW_IOCTL_SMB2; + ioctl.smb2.in.file.handle = fh; + ioctl.smb2.in.function = FSCTL_QUERY_ALLOCATED_RANGES; + ioctl.smb2.in.max_response_size = 1024; + ioctl.smb2.in.flags = SMB2_IOCTL_FLAG_IS_FSCTL; + + /* off + length wraps around to 511 */ + far_buf.file_off = 512; + far_buf.len = (uint64_t)0xffffffffffffffff; + ndr_ret = ndr_push_struct_blob(&ioctl.smb2.in.out, tmp_ctx, + &far_buf, + (ndr_push_flags_fn_t)ndr_push_file_alloced_range_buf); + torture_assert_ndr_success(torture, ndr_ret, "push far ndr buf"); + + status = smb2_ioctl(tree, tmp_ctx, &ioctl.smb2); + torture_assert_ntstatus_equal(torture, status, + NT_STATUS_INVALID_PARAMETER, + "FSCTL_QUERY_ALLOCATED_RANGES overflow"); + + return true; +} + + /* * basic testing of SMB2 ioctls */ @@ -4695,6 +4744,8 @@ struct torture_suite *torture_smb2_ioctl_init(void) test_ioctl_sparse_qar_ob1); torture_suite_add_1smb2_test(suite, "sparse_qar_multi", test_ioctl_sparse_qar_multi); + torture_suite_add_1smb2_test(suite, "sparse_qar_overflow", + test_ioctl_sparse_qar_overflow); suite->description = talloc_strdup(suite, "SMB2-IOCTL tests"); |