From 34291111df272c8a8396b54ff86e6e839c7ab3ff Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Fri, 11 Aug 2023 17:18:26 -0700
Subject: [PATCH] s3: torture: Add SMB1-NEGOTIATE-TCON that shows the SMB1
 server crashes on the uninitialized req->session.

Found by Robert Morris <rtm@lcs.mit.edu>.

Adds knownfail.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15432

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <nopower@samba.org>
(cherry picked from commit c32df3bb31ce6275cfb91107e34e2d6b3c2fba1b)
---
 selftest/knownfail.d/smb1_negprot_tcon |  1 +
 source3/selftest/tests.py              | 11 ++++++++++
 source3/torture/torture.c              | 40 ++++++++++++++++++++++++++++++++++
 3 files changed, 52 insertions(+)
 create mode 100644 selftest/knownfail.d/smb1_negprot_tcon

diff --git a/selftest/knownfail.d/smb1_negprot_tcon b/selftest/knownfail.d/smb1_negprot_tcon
new file mode 100644
index 00000000000..4f620948c31
--- /dev/null
+++ b/selftest/knownfail.d/smb1_negprot_tcon
@@ -0,0 +1 @@
+^samba3.smbtorture_s3.smb1.SMB1-NEGOTIATE-TCON.smbtorture\(fileserver_smb1\)
diff --git a/source3/selftest/tests.py b/source3/selftest/tests.py
index e4c535c5fe5..979422734da 100755
--- a/source3/selftest/tests.py
+++ b/source3/selftest/tests.py
@@ -241,6 +241,17 @@ plantestsuite("samba3.smbtorture_s3.smb1.SMB1-NEGOTIATE-EXIT",
                 smbtorture3,
                 "-mNT1"])
 
+plantestsuite("samba3.smbtorture_s3.smb1.SMB1-NEGOTIATE-TCON",
+                "fileserver_smb1",
+                [os.path.join(samba3srcdir,
+                              "script/tests/test_smbtorture_s3.sh"),
+                'SMB1-NEGOTIATE-TCON',
+                '//$SERVER_IP/tmp',
+                '$USERNAME',
+                '$PASSWORD',
+                smbtorture3,
+                "-mNT1"])
+
 #
 # MSDFS attribute tests.
 #
diff --git a/source3/torture/torture.c b/source3/torture/torture.c
index 1e496e74456..2a8b8dec22f 100644
--- a/source3/torture/torture.c
+++ b/source3/torture/torture.c
@@ -14999,6 +14999,42 @@ static bool run_smb1_negotiate_exit(int dummy)
 	return true;
 }
 
+static bool run_smb1_negotiate_tcon(int dummy)
+{
+	struct cli_state *cli = NULL;
+	uint16_t cnum = 0;
+	uint16_t max_xmit = 0;
+	NTSTATUS status;
+
+	printf("Starting send SMB1 negotiate+tcon.\n");
+	cli = open_nbt_connection();
+	if (cli == NULL) {
+		d_fprintf(stderr, "open_nbt_connection failed!\n");
+		return false;
+	}
+	smbXcli_conn_set_sockopt(cli->conn, sockops);
+
+	status = smbXcli_negprot(cli->conn, 0, PROTOCOL_NT1, PROTOCOL_NT1);
+	if (!NT_STATUS_IS_OK(status)) {
+		d_fprintf(stderr, "smbXcli_negprot failed %s!\n",
+			nt_errstr(status));
+		return false;
+	}
+        status = cli_raw_tcon(cli,
+			      share,
+			      "",
+			      "?????",
+			      &max_xmit,
+			      &cnum);
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_ACCESS_DENIED)) {
+		d_fprintf(stderr, "cli_raw_tcon failed - got %s "
+			"(should get NT_STATUS_ACCESS_DENIED)!\n",
+			nt_errstr(status));
+		return false;
+	}
+	return true;
+}
+
 static bool run_ign_bad_negprot(int dummy)
 {
 	struct tevent_context *ev;
@@ -15736,6 +15772,10 @@ static struct {
 		.fn    = run_smb1_negotiate_exit,
 	},
 	{
+		.name  = "SMB1-NEGOTIATE-TCON",
+		.fn    = run_smb1_negotiate_tcon,
+	},
+	{
 		.name  = "SMB1-DFS-PATHS",
 		.fn    = run_smb1_dfs_paths,
 	},
-- 
2.11.4.GIT