/*
   Unix SMB/CIFS implementation.

   Copyright (C) Andrew Tridgell 2003

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 3 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program.  If not, see <http://www.gnu.org/licenses/>.
*/
23 #include "librpc/gen_ndr/ndr_drsuapi_c.h"
24 #include "librpc/ndr/ndr_table.h"
25 #include "torture/rpc/rpc.h"
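/*
  Obtain the policy handle that the scanner later embeds in request stubs.

  NOTE(review): the listing this was recovered from shows two definitions
  of get_policy_handle() back to back, with the lines between them
  missing. Two static functions of one name can only coexist under a
  preprocessor conditional, so one is restored here. The DRSUAPI variant
  is selected because torture_rpc_autoidl() looks up the "drsuapi"
  interface - confirm against the upstream file.
*/
#if 1
/*
  get a DRSUAPI policy handle

  p        connected pipe the bind is issued on
  mem_ctx  talloc context handed to the RPC call (the listing drops this
           parameter line, but the call below uses it and the caller
           passes three arguments)
  handle   receives the bind handle on success

  Returns true when DsBind succeeds; prints the error and returns false
  otherwise.
*/
static bool get_policy_handle(struct dcerpc_pipe *p,
			      TALLOC_CTX *mem_ctx,
			      struct policy_handle *handle)
{
	struct drsuapi_DsBind r;
	NTSTATUS status;

	/* Only the out pointer is assigned below. Zero everything else so
	   no uninitialised stack bytes are marshalled into the request. */
	ZERO_STRUCT(r);
	r.out.bind_handle = handle;

	status = dcerpc_drsuapi_DsBind(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("drsuapi_DsBind failed - %s\n", nt_errstr(status));
		return false;
	}

	return true;
}
#else
/*
  get a SAMR policy handle

  Same contract as the DRSUAPI variant, using samr_Connect.
*/
static bool get_policy_handle(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
			      struct policy_handle *handle)
{
	struct samr_Connect r;
	NTSTATUS status;

	/* Zero first: the listing has a gap before the access_mask
	   assignment, so other in-fields may be set upstream - confirm. */
	ZERO_STRUCT(r);
	/* Asks for the widest access the server will grant to this caller. */
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.connect_handle = handle;

	status = dcerpc_samr_Connect(p, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("samr_Connect failed - %s\n", nt_errstr(status));
		return false;
	}

	return true;
}
#endif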
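/*
  Overwrite the start of a request stub with the marshalled policy handle.

  blob     stub to patch in place; left untouched when it is shorter
           than the marshalled handle
  mem_ctx  talloc context for the temporary marshalling buffer
  handle   handle to marshal

  The stub is also left untouched when marshalling fails or yields fewer
  bytes than expected, so the copy never reads past the temporary buffer.
*/
static void fill_blob_handle(DATA_BLOB *blob, TALLOC_CTX *mem_ctx,
			     struct policy_handle *handle)
{
	/* NOTE(review): 20 is presumably the NDR wire size of a
	   policy_handle - confirm against the IDL. */
	const size_t handle_len = 20;
	DATA_BLOB b2 = { .data = NULL, .length = 0 };
	enum ndr_err_code ndr_err;

	if (blob->length < handle_len) {
		return;
	}

	/* NOTE(review): assumes ndr_push_struct_blob() reports an
	   enum ndr_err_code in this tree - confirm. */
	ndr_err = ndr_push_struct_blob(&b2, mem_ctx, NULL, handle,
				       (ndr_push_flags_fn_t)ndr_push_policy_handle);
	if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
		return;
	}

	/* Never copy more than the push actually produced. */
	if (b2.data == NULL || b2.length < handle_len) {
		return;
	}

	memcpy(blob->data, b2.data, handle_len);
}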
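/*
  Replace *p with a fresh connection to iface.

  tctx   torture context used to establish the connection
  p      in: current pipe or NULL; out: the new pipe
  iface  interface to connect to

  Does not return when the connection cannot be established.
*/
static void reopen(struct torture_context *tctx,
		   struct dcerpc_pipe **p,
		   const struct ndr_interface_table *iface)
{
	NTSTATUS status;

	/* Release the previous connection so repeated reopen() calls do not
	   accumulate pipes. NOTE(review): the source listing has a gap
	   directly before the connect call - confirm what upstream does. */
	if (*p != NULL) {
		talloc_free(*p);
		*p = NULL;
	}

	status = torture_rpc_connection(tctx, p, iface);
	if (NT_STATUS_IS_OK(status)) {
		return;
	}

	printf("Failed to reopen '%s' - %s\n", iface->name, nt_errstr(status));
	/* Every caller dereferences *p right after reopen(), so returning
	   here would hand back an unusable pipe.
	   NOTE(review): the line after the printf is missing from the
	   source listing - confirm that upstream terminates here. */
	exit(1);
}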
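/*
  Print the indentation prefix for a message at the given recursion depth.

  NOTE(review): the loop body and the declaration of i are missing from
  the source listing. One fixed-width indent per level is assumed -
  confirm the exact string against the upstream file.
*/
static void print_depth(int depth)
{
	int i;

	for (i = 0; i < depth; i++) {
		printf("    ");
	}
}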
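/* try_expand() and test_ptr_scan() call each other, hence the prototype. */
static void test_ptr_scan(struct torture_context *tctx, const struct ndr_interface_table *iface,
			  int opnum, DATA_BLOB *base_in, int min_ofs, int max_ofs, int depth);

/*
  Find how many zero bytes must be inserted at insert_ofs before the
  server stops faulting on the request, then scan the inserted region.

  tctx        torture context; also the talloc parent for replies
  iface       interface under test
  opnum       operation number being probed
  base_in     stub that produced the fault; not modified
  insert_ofs  offset in base_in at which padding is inserted; must lie
              within [0, base_in->length]
  depth       recursion depth, used for output indentation

  NOTE(review): several lines of this function are missing from the
  source listing (local declarations, the statements around the two
  printf calls, the function tail). Restored pieces that the visible
  code does not force are marked below.
*/
static void try_expand(struct torture_context *tctx, const struct ndr_interface_table *iface,
		       int opnum, DATA_BLOB *base_in, int insert_ofs, int depth)
{
	DATA_BLOB stub_in, stub_out;
	struct dcerpc_pipe *p = NULL;
	NTSTATUS status;
	size_t tail_len;
	int n;

	/* An offset outside the base stub would make the copies below run
	   past one of the buffers. */
	if (insert_ofs < 0 || (size_t)insert_ofs > base_in->length) {
		return;
	}
	tail_len = base_in->length - (size_t)insert_ofs;

	reopen(tctx, &p, iface);

	/* work out how much to expand to get a non fault */
	for (n = 0; n < 2000; n++) {
		size_t want = base_in->length + (size_t)n;

		stub_in = data_blob(NULL, want);
		if (want != 0 && stub_in.data == NULL) {
			/* allocation failed; nothing can be sent */
			break;
		}
		data_blob_clear(&stub_in);

		/* head | n zero bytes | tail */
		if (insert_ofs > 0) {
			memcpy(stub_in.data, base_in->data, insert_ofs);
		}
		if (tail_len > 0) {
			memcpy(stub_in.data + insert_ofs + n,
			       base_in->data + insert_ofs, tail_len);
		}

		status = dcerpc_request(p, NULL, opnum, tctx, &stub_in, &stub_out);

		if (!NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
			/* NOTE(review): this print_depth() call is not
			   visible in the source listing - confirm. */
			print_depth(depth);
			printf("expand by %d gives %s\n", n, nt_errstr(status));
			/* A window narrower than one 32-bit word has nothing
			   for test_ptr_scan() to probe.
			   NOTE(review): guard not visible in the source
			   listing - confirm. */
			if (n >= 4) {
				test_ptr_scan(tctx, iface, opnum, &stub_in,
					      insert_ofs, insert_ofs+n, depth+1);
			}
			/* The goal was the first non-faulting size; stop. */
			data_blob_free(&stub_in);
			break;
		}

		/* NOTE(review): the source listing has unexplained gaps
		   directly around this printf, which would fit a disabling
		   conditional. It is kept disabled here so a long run of
		   faults does not print one line per size - confirm. */
#if 0
		print_depth(depth);
		printf("expand by %d gives fault %s\n", n, dcerpc_errstr(tctx, p->last_fault_code));
#endif

		/* NOTE(review): fault code 5 is treated as leaving the
		   connection unusable (presumably access denied) - confirm
		   against the DCE/RPC fault code definitions. */
		if (p->last_fault_code == 5) {
			reopen(tctx, &p, iface);
		}

		data_blob_free(&stub_in);
	}

	talloc_free(p);
}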
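/*
  Probe each 32-bit word in [min_ofs, max_ofs) of a working stub to see
  which ones the server treats as pointers.

  Each word in turn is set to 1 and the request is re-sent. A
  NT_STATUS_NET_WRITE_FAULT reply is reported as a possible pointer and
  followed up with try_expand(). The word is set back to 0 before the
  next one is tried.

  tctx     torture context; also the talloc parent for replies
  iface    interface under test
  opnum    operation number being probed
  base_in  stub to start from; copied, not modified
  min_ofs  first offset to probe; reported offsets are relative to it
  max_ofs  end of the probed window; must not exceed base_in->length
  depth    recursion depth, used for output indentation

  NOTE(review): several lines of this function are missing from the
  source listing; restored pieces that the visible code does not force
  are marked below.
*/
static void test_ptr_scan(struct torture_context *tctx, const struct ndr_interface_table *iface,
			  int opnum, DATA_BLOB *base_in, int min_ofs, int max_ofs, int depth)
{
	DATA_BLOB stub_in, stub_out;
	struct dcerpc_pipe *p = NULL;
	NTSTATUS status;
	int ofs;

	/* SIVAL() below writes four bytes at ofs, so the whole window has
	   to lie inside the stub. An empty window needs no connection. */
	if (min_ofs < 0 || max_ofs < 4 || max_ofs - 4 < min_ofs ||
	    (size_t)max_ofs > base_in->length) {
		return;
	}

	reopen(tctx, &p, iface);

	stub_in = data_blob(NULL, base_in->length);
	if (stub_in.data == NULL) {
		/* allocation failed */
		talloc_free(p);
		return;
	}
	memcpy(stub_in.data, base_in->data, base_in->length);

	/* work out which elements are pointers */
	for (ofs = min_ofs; ofs <= max_ofs - 4; ofs += 4) {
		SIVAL(stub_in.data, ofs, 1);
		status = dcerpc_request(p, NULL, opnum, tctx, &stub_in, &stub_out);

		if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
			/* NOTE(review): this print_depth() call is not
			   visible in the source listing - confirm. */
			print_depth(depth);
			printf("possible ptr at ofs %d - fault %s\n",
			       ofs-min_ofs, dcerpc_errstr(tctx, p->last_fault_code));
			/* NOTE(review): fault code 5 is treated as leaving
			   the connection unusable (presumably access
			   denied) - confirm. */
			if (p->last_fault_code == 5) {
				reopen(tctx, &p, iface);
			}
			/* NOTE(review): the source listing shows the two
			   try_expand() calls with gaps exactly where a
			   conditional choosing between them would sit. A
			   top-level/nested split is assumed - confirm. */
			if (depth == 0) {
				try_expand(tctx, iface, opnum, &stub_in, ofs+4, depth+1);
			} else {
				try_expand(tctx, iface, opnum, &stub_in, max_ofs, depth+1);
			}
		}

		/* restore the word before probing the next one */
		SIVAL(stub_in.data, ofs, 0);
	}

	data_blob_free(&stub_in);
	talloc_free(p);
}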
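/*
  Find the smallest zero-filled input that one operation accepts, then
  scan that input for pointer positions.

  Sizes 0..1999 are tried in order, first as plain zero bytes and then
  with a policy handle written over the start of the stub. The first
  size the server answers with success is reported, the reply is dumped
  and test_ptr_scan() takes over. On the server side this shows up as a
  run of requests for a single opnum whose stub length grows by one byte
  at a time.

  tctx   torture context; also the talloc parent for replies
  iface  interface under test
  opnum  operation number to probe

  NOTE(review): several lines of this function are missing from the
  source listing (local declarations, the statements after each
  dump_data() call, the tail of the fault branch). The control flow
  below is what the visible statements require - confirm against the
  upstream file.
*/
static void test_scan_call(struct torture_context *tctx, const struct ndr_interface_table *iface, int opnum)
{
	DATA_BLOB stub_in, stub_out;
	struct dcerpc_pipe *p = NULL;
	struct policy_handle handle;
	NTSTATUS status;
	bool have_handle;
	int i;

	reopen(tctx, &p, iface);

	/* Zero the handle and remember whether the bind worked, so a failed
	   bind never puts uninitialised stack bytes on the wire. */
	ZERO_STRUCT(handle);
	have_handle = get_policy_handle(p, tctx, &handle);

	/* work out the minimum amount of input data */
	for (i = 0; i < 2000; i++) {
		stub_in = data_blob(NULL, i);
		if (i != 0 && stub_in.data == NULL) {
			/* allocation failed; nothing can be sent */
			break;
		}
		data_blob_clear(&stub_in);

		status = dcerpc_request(p, NULL, opnum, tctx, &stub_in, &stub_out);

		if (NT_STATUS_IS_OK(status)) {
			printf("opnum %d min_input %d - output %d\n",
			       opnum, (int)stub_in.length, (int)stub_out.length);
			goto found;
		}

		if (have_handle) {
			fill_blob_handle(&stub_in, tctx, &handle);

			status = dcerpc_request(p, NULL, opnum, tctx, &stub_in, &stub_out);

			if (NT_STATUS_IS_OK(status)) {
				printf("opnum %d min_input %d - output %d (with handle)\n",
				       opnum, (int)stub_in.length, (int)stub_out.length);
				goto found;
			}
		}

		if (NT_STATUS_EQUAL(status, NT_STATUS_NET_WRITE_FAULT)) {
			printf("opnum %d size %d fault %s\n", opnum, i, dcerpc_errstr(tctx, p->last_fault_code));
			/* NOTE(review): fault code 5 is treated as leaving
			   the connection unusable (presumably access
			   denied) - confirm. */
			if (p->last_fault_code == 5) {
				reopen(tctx, &p, iface);
			}
		} else {
			printf("opnum %d size %d error %s\n", opnum, i, nt_errstr(status));
		}

		data_blob_free(&stub_in);
	}

	printf("opnum %d minimum not found!?\n", opnum);
	talloc_free(p);
	return;

found:
	dump_data(0, stub_out.data, stub_out.length);
	/* test_ptr_scan() opens its own connection; release this one first. */
	talloc_free(p);
	test_ptr_scan(tctx, iface, opnum, &stub_in, 0, stub_in.length, 0);
	data_blob_free(&stub_in);
}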
/*
  Run the scan for an interface. Only one operation number is probed.
*/
static void test_auto_scan(struct torture_context *tctx, const struct ndr_interface_table *iface)
{
	const int opnum = 2;

	test_scan_call(tctx, iface, opnum);
}
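/*
  Torture entry point: look up the "drsuapi" interface table and run the
  automatic scan against it.

  Returns false when the interface name is not known, true once the scan
  has run.

  NOTE(review): the NULL check and both return statements are missing
  from the source listing. They are restored here because the "Unknown
  interface!" message is followed by a dereference of iface - confirm.
*/
bool torture_rpc_autoidl(struct torture_context *torture)
{
	const struct ndr_interface_table *iface;

	iface = ndr_table_by_name("drsuapi");
	if (iface == NULL) {
		printf("Unknown interface!\n");
		return false;
	}

	printf("\nProbing pipe '%s'\n", iface->name);

	test_auto_scan(torture, iface);

	return true;
}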