2 Unix SMB/CIFS implementation.
3 SMB torture tester - scanning functions
4 Copyright (C) Andrew Tridgell 2001
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "libcli/raw/libcliraw.h"
23 #include "system/filesys.h"
30 /****************************************************************************
31 look for a partial hit
32 ****************************************************************************/
33 static void trans2_check_hit(const char *format, int op, int level, NTSTATUS status)
35 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL) ||
36 NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED) ||
37 NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
38 NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL) ||
39 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
43 printf("possible %s hit op=%3d level=%5d status=%s\n",
44 format, op, level, nt_errstr(status));
48 /****************************************************************************
49 check for existance of a trans2 call
50 ****************************************************************************/
51 static NTSTATUS try_trans2(struct smbcli_state *cli,
53 uint8_t *param, uint8_t *data,
54 int param_len, int data_len,
55 int *rparam_len, int *rdata_len)
62 mem_ctx = talloc_init("try_trans2");
65 t2.in.max_data = smb_raw_max_trans_data(cli->tree, 64);
69 t2.in.setup_count = 1;
71 t2.in.params.data = param;
72 t2.in.params.length = param_len;
73 t2.in.data.data = data;
74 t2.in.data.length = data_len;
76 status = smb_raw_trans2(cli->tree, mem_ctx, &t2);
78 *rparam_len = t2.out.params.length;
79 *rdata_len = t2.out.data.length;
87 static NTSTATUS try_trans2_len(struct smbcli_state *cli,
90 uint8_t *param, uint8_t *data,
91 int param_len, int *data_len,
92 int *rparam_len, int *rdata_len)
94 NTSTATUS ret=NT_STATUS_OK;
96 ret = try_trans2(cli, op, param, data, param_len,
97 sizeof(pstring), rparam_len, rdata_len);
99 printf("op=%d level=%d ret=%s\n", op, level, nt_errstr(ret));
101 if (!NT_STATUS_IS_OK(ret)) return ret;
104 while (*data_len < sizeof(pstring)) {
105 ret = try_trans2(cli, op, param, data, param_len,
106 *data_len, rparam_len, rdata_len);
107 if (NT_STATUS_IS_OK(ret)) break;
110 if (NT_STATUS_IS_OK(ret)) {
111 printf("found %s level=%d data_len=%d rparam_len=%d rdata_len=%d\n",
112 format, level, *data_len, *rparam_len, *rdata_len);
114 trans2_check_hit(format, op, level, ret);
120 /****************************************************************************
121 check whether a trans2 opnum exists at all
122 ****************************************************************************/
123 static BOOL trans2_op_exists(struct smbcli_state *cli, int op)
127 int rparam_len, rdata_len;
128 uint8_t param[1024], data[1024];
129 NTSTATUS status1, status2;
131 memset(data, 0, sizeof(data));
134 /* try with a info level only */
135 param_len = sizeof(param);
136 data_len = sizeof(data);
138 memset(param, 0xFF, sizeof(param));
139 memset(data, 0xFF, sizeof(data));
141 status1 = try_trans2(cli, 0xFFFF, param, data, param_len, data_len,
142 &rparam_len, &rdata_len);
144 status2 = try_trans2(cli, op, param, data, param_len, data_len,
145 &rparam_len, &rdata_len);
147 if (NT_STATUS_EQUAL(status1, status2)) return False;
149 printf("Found op %d (status=%s)\n", op, nt_errstr(status2));
154 /****************************************************************************
155 check for existance of a trans2 call
156 ****************************************************************************/
157 static BOOL scan_trans2(struct smbcli_state *cli, int op, int level,
158 int fnum, int dnum, int qfnum, const char *fname)
162 int rparam_len, rdata_len;
163 uint8_t param[1024], data[1024];
166 memset(data, 0, sizeof(data));
169 /* try with a info level only */
171 SSVAL(param, 0, level);
172 status = try_trans2_len(cli, "void", op, level, param, data, param_len, &data_len,
173 &rparam_len, &rdata_len);
174 if (NT_STATUS_IS_OK(status)) return True;
176 /* try with a file descriptor */
178 SSVAL(param, 0, fnum);
179 SSVAL(param, 2, level);
181 status = try_trans2_len(cli, "fnum", op, level, param, data, param_len, &data_len,
182 &rparam_len, &rdata_len);
183 if (NT_STATUS_IS_OK(status)) return True;
185 /* try with a quota file descriptor */
187 SSVAL(param, 0, qfnum);
188 SSVAL(param, 2, level);
190 status = try_trans2_len(cli, "qfnum", op, level, param, data, param_len, &data_len,
191 &rparam_len, &rdata_len);
192 if (NT_STATUS_IS_OK(status)) return True;
194 /* try with a notify style */
196 SSVAL(param, 0, dnum);
197 SSVAL(param, 2, dnum);
198 SSVAL(param, 4, level);
199 status = try_trans2_len(cli, "notify", op, level, param, data, param_len, &data_len,
200 &rparam_len, &rdata_len);
201 if (NT_STATUS_IS_OK(status)) return True;
203 /* try with a file name */
205 SSVAL(param, 0, level);
208 param_len += push_string(¶m[6], fname, sizeof(pstring)-7, STR_TERMINATE|STR_UNICODE);
210 status = try_trans2_len(cli, "fname", op, level, param, data, param_len, &data_len,
211 &rparam_len, &rdata_len);
212 if (NT_STATUS_IS_OK(status)) return True;
214 /* try with a new file name */
216 SSVAL(param, 0, level);
219 param_len += push_string(¶m[6], "\\newfile.dat", sizeof(pstring)-7, STR_TERMINATE|STR_UNICODE);
221 status = try_trans2_len(cli, "newfile", op, level, param, data, param_len, &data_len,
222 &rparam_len, &rdata_len);
223 smbcli_unlink(cli->tree, "\\newfile.dat");
224 smbcli_rmdir(cli->tree, "\\newfile.dat");
225 if (NT_STATUS_IS_OK(status)) return True;
228 smbcli_mkdir(cli->tree, "\\testdir");
230 SSVAL(param, 0, level);
231 param_len += push_string(¶m[2], "\\testdir", sizeof(pstring)-3, STR_TERMINATE|STR_UNICODE);
233 status = try_trans2_len(cli, "dfs", op, level, param, data, param_len, &data_len,
234 &rparam_len, &rdata_len);
235 smbcli_rmdir(cli->tree, "\\testdir");
236 if (NT_STATUS_IS_OK(status)) return True;
242 BOOL torture_trans2_scan(void)
244 static struct smbcli_state *cli;
246 const char *fname = "\\scanner.dat";
247 int fnum, dnum, qfnum;
249 printf("starting trans2 scan test\n");
251 if (!torture_open_connection(&cli)) {
255 fnum = smbcli_open(cli->tree, fname, O_RDWR | O_CREAT | O_TRUNC, DENY_NONE);
257 printf("file open failed - %s\n", smbcli_errstr(cli->tree));
259 dnum = smbcli_nt_create_full(cli->tree, "\\",
261 SEC_RIGHTS_FILE_READ,
262 FILE_ATTRIBUTE_NORMAL,
263 NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE,
265 NTCREATEX_OPTIONS_DIRECTORY, 0);
267 printf("directory open failed - %s\n", smbcli_errstr(cli->tree));
269 qfnum = smbcli_nt_create_full(cli->tree, "\\$Extend\\$Quota:$Q:$INDEX_ALLOCATION",
270 NTCREATEX_FLAGS_EXTENDED,
271 SEC_FLAG_MAXIMUM_ALLOWED,
273 NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE,
277 printf("quota open failed - %s\n", smbcli_errstr(cli->tree));
280 for (op=OP_MIN; op<=OP_MAX; op++) {
282 if (!trans2_op_exists(cli, op)) {
286 for (level = 0; level <= 50; level++) {
287 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
290 for (level = 0x100; level <= 0x130; level++) {
291 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
294 for (level = 1000; level < 1050; level++) {
295 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
299 torture_close_connection(cli);
301 printf("trans2 scan finished\n");
308 /****************************************************************************
309 look for a partial hit
310 ****************************************************************************/
311 static void nttrans_check_hit(const char *format, int op, int level, NTSTATUS status)
313 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL) ||
314 NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED) ||
315 NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
316 NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL) ||
317 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
321 printf("possible %s hit op=%3d level=%5d status=%s\n",
322 format, op, level, nt_errstr(status));
326 /****************************************************************************
327 check for existence of a nttrans call
328 ****************************************************************************/
329 static NTSTATUS try_nttrans(struct smbcli_state *cli,
331 uint8_t *param, uint8_t *data,
332 int param_len, int data_len,
333 int *rparam_len, int *rdata_len)
335 struct smb_nttrans parms;
336 DATA_BLOB ntparam_blob, ntdata_blob;
340 mem_ctx = talloc_init("try_nttrans");
342 ntparam_blob.length = param_len;
343 ntparam_blob.data = param;
344 ntdata_blob.length = data_len;
345 ntdata_blob.data = data;
347 parms.in.max_param = 64;
348 parms.in.max_data = smb_raw_max_trans_data(cli->tree, 64);
349 parms.in.max_setup = 0;
350 parms.in.setup_count = 0;
351 parms.in.function = op;
352 parms.in.params = ntparam_blob;
353 parms.in.data = ntdata_blob;
355 status = smb_raw_nttrans(cli->tree, mem_ctx, &parms);
357 if (NT_STATUS_IS_ERR(status)) {
358 DEBUG(1,("Failed to send NT_TRANS\n"));
359 talloc_free(mem_ctx);
362 *rparam_len = parms.out.params.length;
363 *rdata_len = parms.out.data.length;
365 talloc_free(mem_ctx);
371 static NTSTATUS try_nttrans_len(struct smbcli_state *cli,
374 uint8_t *param, uint8_t *data,
375 int param_len, int *data_len,
376 int *rparam_len, int *rdata_len)
378 NTSTATUS ret=NT_STATUS_OK;
380 ret = try_nttrans(cli, op, param, data, param_len,
381 sizeof(pstring), rparam_len, rdata_len);
383 printf("op=%d level=%d ret=%s\n", op, level, nt_errstr(ret));
385 if (!NT_STATUS_IS_OK(ret)) return ret;
388 while (*data_len < sizeof(pstring)) {
389 ret = try_nttrans(cli, op, param, data, param_len,
390 *data_len, rparam_len, rdata_len);
391 if (NT_STATUS_IS_OK(ret)) break;
394 if (NT_STATUS_IS_OK(ret)) {
395 printf("found %s level=%d data_len=%d rparam_len=%d rdata_len=%d\n",
396 format, level, *data_len, *rparam_len, *rdata_len);
398 nttrans_check_hit(format, op, level, ret);
403 /****************************************************************************
404 check for existance of a nttrans call
405 ****************************************************************************/
406 static BOOL scan_nttrans(struct smbcli_state *cli, int op, int level,
407 int fnum, int dnum, const char *fname)
411 int rparam_len, rdata_len;
412 uint8_t param[1024], data[1024];
415 memset(data, 0, sizeof(data));
418 /* try with a info level only */
420 SSVAL(param, 0, level);
421 status = try_nttrans_len(cli, "void", op, level, param, data, param_len, &data_len,
422 &rparam_len, &rdata_len);
423 if (NT_STATUS_IS_OK(status)) return True;
425 /* try with a file descriptor */
427 SSVAL(param, 0, fnum);
428 SSVAL(param, 2, level);
430 status = try_nttrans_len(cli, "fnum", op, level, param, data, param_len, &data_len,
431 &rparam_len, &rdata_len);
432 if (NT_STATUS_IS_OK(status)) return True;
435 /* try with a notify style */
437 SSVAL(param, 0, dnum);
438 SSVAL(param, 2, dnum);
439 SSVAL(param, 4, level);
440 status = try_nttrans_len(cli, "notify", op, level, param, data, param_len, &data_len,
441 &rparam_len, &rdata_len);
442 if (NT_STATUS_IS_OK(status)) return True;
444 /* try with a file name */
446 SSVAL(param, 0, level);
449 param_len += push_string(¶m[6], fname, -1, STR_TERMINATE | STR_UNICODE);
451 status = try_nttrans_len(cli, "fname", op, level, param, data, param_len, &data_len,
452 &rparam_len, &rdata_len);
453 if (NT_STATUS_IS_OK(status)) return True;
455 /* try with a new file name */
457 SSVAL(param, 0, level);
460 param_len += push_string(¶m[6], "\\newfile.dat", -1, STR_TERMINATE | STR_UNICODE);
462 status = try_nttrans_len(cli, "newfile", op, level, param, data, param_len, &data_len,
463 &rparam_len, &rdata_len);
464 smbcli_unlink(cli->tree, "\\newfile.dat");
465 smbcli_rmdir(cli->tree, "\\newfile.dat");
466 if (NT_STATUS_IS_OK(status)) return True;
469 smbcli_mkdir(cli->tree, "\\testdir");
471 SSVAL(param, 0, level);
472 param_len += push_string(¶m[2], "\\testdir", -1, STR_TERMINATE | STR_UNICODE);
474 status = try_nttrans_len(cli, "dfs", op, level, param, data, param_len, &data_len,
475 &rparam_len, &rdata_len);
476 smbcli_rmdir(cli->tree, "\\testdir");
477 if (NT_STATUS_IS_OK(status)) return True;
483 BOOL torture_nttrans_scan(void)
485 static struct smbcli_state *cli;
487 const char *fname = "\\scanner.dat";
490 printf("starting nttrans scan test\n");
492 if (!torture_open_connection(&cli)) {
496 fnum = smbcli_open(cli->tree, fname, O_RDWR | O_CREAT | O_TRUNC,
498 dnum = smbcli_open(cli->tree, "\\", O_RDONLY, DENY_NONE);
500 for (op=OP_MIN; op<=OP_MAX; op++) {
501 printf("Scanning op=%d\n", op);
502 for (level = 0; level <= 50; level++) {
503 scan_nttrans(cli, op, level, fnum, dnum, fname);
506 for (level = 0x100; level <= 0x130; level++) {
507 scan_nttrans(cli, op, level, fnum, dnum, fname);
510 for (level = 1000; level < 1050; level++) {
511 scan_nttrans(cli, op, level, fnum, dnum, fname);
515 torture_close_connection(cli);
517 printf("nttrans scan finished\n");
522 /* scan for valid base SMB requests */
523 BOOL torture_smb_scan(void)
525 static struct smbcli_state *cli;
527 struct smbcli_request *req;
530 for (op=0x0;op<=0xFF;op++) {
531 if (op == SMBreadbraw) continue;
533 if (!torture_open_connection(&cli)) {
537 req = smbcli_request_setup(cli->tree, op, 0, 0);
539 if (!smbcli_request_send(req)) {
540 smbcli_request_destroy(req);
545 smbcli_transport_process(cli->transport);
546 if (req->state > SMBCLI_REQUEST_RECV) {
547 status = smbcli_request_simple_recv(req);
548 printf("op=0x%x status=%s\n", op, nt_errstr(status));
549 torture_close_connection(cli);
554 smbcli_transport_process(cli->transport);
555 if (req->state > SMBCLI_REQUEST_RECV) {
556 status = smbcli_request_simple_recv(req);
557 printf("op=0x%x status=%s\n", op, nt_errstr(status));
559 printf("op=0x%x no reply\n", op);
560 smbcli_request_destroy(req);
561 continue; /* don't attempt close! */
564 torture_close_connection(cli);
568 printf("smb scan finished\n");
git.samba.org / abartlet / samba.git / .git / blob