2 Unix SMB/CIFS implementation.
3 SMB torture tester - scanning functions
4 Copyright (C) Andrew Tridgell 2001
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22 #include "libcli/raw/libcliraw.h"
28 /****************************************************************************
29 look for a partial hit
30 ****************************************************************************/
31 static void trans2_check_hit(const char *format, int op, int level, NTSTATUS status)
33 if (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_INVALID_LEVEL) ||
34 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ||
35 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_NOT_SUPPORTED) ||
36 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) ||
37 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_INVALID_INFO_CLASS)) {
41 printf("possible %s hit op=%3d level=%5d status=%s\n",
42 format, op, level, nt_errstr(status));
46 /****************************************************************************
47 check for existance of a trans2 call
48 ****************************************************************************/
49 static NTSTATUS try_trans2(struct smbcli_state *cli,
51 uint8_t *param, uint8_t *data,
52 int param_len, int data_len,
53 int *rparam_len, int *rdata_len)
60 mem_ctx = talloc_init("try_trans2");
63 t2.in.max_data = smb_raw_max_trans_data(cli->tree, 64);
67 t2.in.setup_count = 1;
69 t2.in.params.data = param;
70 t2.in.params.length = param_len;
71 t2.in.data.data = data;
72 t2.in.data.length = data_len;
74 status = smb_raw_trans2(cli->tree, mem_ctx, &t2);
76 *rparam_len = t2.out.params.length;
77 *rdata_len = t2.out.data.length;
79 talloc_destroy(mem_ctx);
85 static NTSTATUS try_trans2_len(struct smbcli_state *cli,
88 uint8_t *param, uint8_t *data,
89 int param_len, int *data_len,
90 int *rparam_len, int *rdata_len)
92 NTSTATUS ret=NT_STATUS_OK;
94 ret = try_trans2(cli, op, param, data, param_len,
95 sizeof(pstring), rparam_len, rdata_len);
97 printf("op=%d level=%d ret=%s\n", op, level, nt_errstr(ret));
99 if (!NT_STATUS_IS_OK(ret)) return ret;
102 while (*data_len < sizeof(pstring)) {
103 ret = try_trans2(cli, op, param, data, param_len,
104 *data_len, rparam_len, rdata_len);
105 if (NT_STATUS_IS_OK(ret)) break;
108 if (NT_STATUS_IS_OK(ret)) {
109 printf("found %s level=%d data_len=%d rparam_len=%d rdata_len=%d\n",
110 format, level, *data_len, *rparam_len, *rdata_len);
112 trans2_check_hit(format, op, level, ret);
118 /****************************************************************************
119 check whether a trans2 opnum exists at all
120 ****************************************************************************/
121 static BOOL trans2_op_exists(struct smbcli_state *cli, int op)
125 int rparam_len, rdata_len;
126 uint8_t param[1024], data[1024];
127 NTSTATUS status1, status2;
129 memset(data, 0, sizeof(data));
132 /* try with a info level only */
133 param_len = sizeof(param);
134 data_len = sizeof(data);
136 memset(param, 0xFF, sizeof(param));
137 memset(data, 0xFF, sizeof(data));
139 status1 = try_trans2(cli, 0xFFFF, param, data, param_len, data_len,
140 &rparam_len, &rdata_len);
142 status2 = try_trans2(cli, op, param, data, param_len, data_len,
143 &rparam_len, &rdata_len);
145 if (NT_STATUS_EQUAL(status1, status2)) return False;
147 printf("Found op %d (status=%s)\n", op, nt_errstr(status2));
152 /****************************************************************************
153 check for existance of a trans2 call
154 ****************************************************************************/
155 static BOOL scan_trans2(struct smbcli_state *cli, int op, int level,
156 int fnum, int dnum, int qfnum, const char *fname)
160 int rparam_len, rdata_len;
161 uint8_t param[1024], data[1024];
164 memset(data, 0, sizeof(data));
167 /* try with a info level only */
169 SSVAL(param, 0, level);
170 status = try_trans2_len(cli, "void", op, level, param, data, param_len, &data_len,
171 &rparam_len, &rdata_len);
172 if (NT_STATUS_IS_OK(status)) return True;
174 /* try with a file descriptor */
176 SSVAL(param, 0, fnum);
177 SSVAL(param, 2, level);
179 status = try_trans2_len(cli, "fnum", op, level, param, data, param_len, &data_len,
180 &rparam_len, &rdata_len);
181 if (NT_STATUS_IS_OK(status)) return True;
183 /* try with a quota file descriptor */
185 SSVAL(param, 0, qfnum);
186 SSVAL(param, 2, level);
188 status = try_trans2_len(cli, "qfnum", op, level, param, data, param_len, &data_len,
189 &rparam_len, &rdata_len);
190 if (NT_STATUS_IS_OK(status)) return True;
192 /* try with a notify style */
194 SSVAL(param, 0, dnum);
195 SSVAL(param, 2, dnum);
196 SSVAL(param, 4, level);
197 status = try_trans2_len(cli, "notify", op, level, param, data, param_len, &data_len,
198 &rparam_len, &rdata_len);
199 if (NT_STATUS_IS_OK(status)) return True;
201 /* try with a file name */
203 SSVAL(param, 0, level);
206 param_len += push_string(¶m[6], fname, sizeof(pstring)-7, STR_TERMINATE|STR_UNICODE);
208 status = try_trans2_len(cli, "fname", op, level, param, data, param_len, &data_len,
209 &rparam_len, &rdata_len);
210 if (NT_STATUS_IS_OK(status)) return True;
212 /* try with a new file name */
214 SSVAL(param, 0, level);
217 param_len += push_string(¶m[6], "\\newfile.dat", sizeof(pstring)-7, STR_TERMINATE|STR_UNICODE);
219 status = try_trans2_len(cli, "newfile", op, level, param, data, param_len, &data_len,
220 &rparam_len, &rdata_len);
221 smbcli_unlink(cli->tree, "\\newfile.dat");
222 smbcli_rmdir(cli->tree, "\\newfile.dat");
223 if (NT_STATUS_IS_OK(status)) return True;
226 smbcli_mkdir(cli->tree, "\\testdir");
228 SSVAL(param, 0, level);
229 param_len += push_string(¶m[2], "\\testdir", sizeof(pstring)-3, STR_TERMINATE|STR_UNICODE);
231 status = try_trans2_len(cli, "dfs", op, level, param, data, param_len, &data_len,
232 &rparam_len, &rdata_len);
233 smbcli_rmdir(cli->tree, "\\testdir");
234 if (NT_STATUS_IS_OK(status)) return True;
240 BOOL torture_trans2_scan(void)
242 static struct smbcli_state *cli;
244 const char *fname = "\\scanner.dat";
245 int fnum, dnum, qfnum;
247 printf("starting trans2 scan test\n");
249 if (!torture_open_connection(&cli)) {
253 fnum = smbcli_open(cli->tree, fname, O_RDWR | O_CREAT | O_TRUNC, DENY_NONE);
255 printf("file open failed - %s\n", smbcli_errstr(cli->tree));
257 dnum = smbcli_nt_create_full(cli->tree, "\\",
258 0, GENERIC_RIGHTS_FILE_READ, FILE_ATTRIBUTE_NORMAL,
259 NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE,
261 NTCREATEX_OPTIONS_DIRECTORY, 0);
263 printf("directory open failed - %s\n", smbcli_errstr(cli->tree));
265 qfnum = smbcli_nt_create_full(cli->tree, "\\$Extend\\$Quota:$Q:$INDEX_ALLOCATION",
266 NTCREATEX_FLAGS_EXTENDED,
267 SEC_RIGHTS_MAXIMUM_ALLOWED,
269 NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE,
273 printf("quota open failed - %s\n", smbcli_errstr(cli->tree));
276 for (op=OP_MIN; op<=OP_MAX; op++) {
278 if (!trans2_op_exists(cli, op)) {
282 for (level = 0; level <= 50; level++) {
283 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
286 for (level = 0x100; level <= 0x130; level++) {
287 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
290 for (level = 1000; level < 1050; level++) {
291 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
295 torture_close_connection(cli);
297 printf("trans2 scan finished\n");
304 /****************************************************************************
305 look for a partial hit
306 ****************************************************************************/
307 static void nttrans_check_hit(const char *format, int op, int level, NTSTATUS status)
309 if (NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_INVALID_LEVEL) ||
310 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_NOT_IMPLEMENTED) ||
311 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_NOT_SUPPORTED) ||
312 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_UNSUCCESSFUL) ||
313 NT_STATUS_V(status) == NT_STATUS_V(NT_STATUS_INVALID_INFO_CLASS)) {
317 printf("possible %s hit op=%3d level=%5d status=%s\n",
318 format, op, level, nt_errstr(status));
322 /****************************************************************************
323 check for existence of a nttrans call
324 ****************************************************************************/
325 static NTSTATUS try_nttrans(struct smbcli_state *cli,
327 uint8_t *param, uint8_t *data,
328 int param_len, int data_len,
329 int *rparam_len, int *rdata_len)
331 struct smb_nttrans parms;
332 DATA_BLOB ntparam_blob, ntdata_blob;
336 mem_ctx = talloc_init("try_nttrans");
338 ntparam_blob.length = param_len;
339 ntparam_blob.data = param;
340 ntdata_blob.length = data_len;
341 ntdata_blob.data = data;
343 parms.in.max_param = 64;
344 parms.in.max_data = smb_raw_max_trans_data(cli->tree, 64);
345 parms.in.max_setup = 0;
346 parms.in.setup_count = 0;
347 parms.in.function = op;
348 parms.in.params = ntparam_blob;
349 parms.in.data = ntdata_blob;
351 status = smb_raw_nttrans(cli->tree, mem_ctx, &parms);
353 if (NT_STATUS_IS_ERR(status)) {
354 DEBUG(1,("Failed to send NT_TRANS\n"));
355 talloc_destroy(mem_ctx);
358 *rparam_len = parms.out.params.length;
359 *rdata_len = parms.out.data.length;
361 talloc_destroy(mem_ctx);
367 static NTSTATUS try_nttrans_len(struct smbcli_state *cli,
370 uint8_t *param, uint8_t *data,
371 int param_len, int *data_len,
372 int *rparam_len, int *rdata_len)
374 NTSTATUS ret=NT_STATUS_OK;
376 ret = try_nttrans(cli, op, param, data, param_len,
377 sizeof(pstring), rparam_len, rdata_len);
379 printf("op=%d level=%d ret=%s\n", op, level, nt_errstr(ret));
381 if (!NT_STATUS_IS_OK(ret)) return ret;
384 while (*data_len < sizeof(pstring)) {
385 ret = try_nttrans(cli, op, param, data, param_len,
386 *data_len, rparam_len, rdata_len);
387 if (NT_STATUS_IS_OK(ret)) break;
390 if (NT_STATUS_IS_OK(ret)) {
391 printf("found %s level=%d data_len=%d rparam_len=%d rdata_len=%d\n",
392 format, level, *data_len, *rparam_len, *rdata_len);
394 nttrans_check_hit(format, op, level, ret);
399 /****************************************************************************
400 check for existance of a nttrans call
401 ****************************************************************************/
402 static BOOL scan_nttrans(struct smbcli_state *cli, int op, int level,
403 int fnum, int dnum, const char *fname)
407 int rparam_len, rdata_len;
408 uint8_t param[1024], data[1024];
411 memset(data, 0, sizeof(data));
414 /* try with a info level only */
416 SSVAL(param, 0, level);
417 status = try_nttrans_len(cli, "void", op, level, param, data, param_len, &data_len,
418 &rparam_len, &rdata_len);
419 if (NT_STATUS_IS_OK(status)) return True;
421 /* try with a file descriptor */
423 SSVAL(param, 0, fnum);
424 SSVAL(param, 2, level);
426 status = try_nttrans_len(cli, "fnum", op, level, param, data, param_len, &data_len,
427 &rparam_len, &rdata_len);
428 if (NT_STATUS_IS_OK(status)) return True;
431 /* try with a notify style */
433 SSVAL(param, 0, dnum);
434 SSVAL(param, 2, dnum);
435 SSVAL(param, 4, level);
436 status = try_nttrans_len(cli, "notify", op, level, param, data, param_len, &data_len,
437 &rparam_len, &rdata_len);
438 if (NT_STATUS_IS_OK(status)) return True;
440 /* try with a file name */
442 SSVAL(param, 0, level);
445 param_len += push_string(¶m[6], fname, -1, STR_TERMINATE | STR_UNICODE);
447 status = try_nttrans_len(cli, "fname", op, level, param, data, param_len, &data_len,
448 &rparam_len, &rdata_len);
449 if (NT_STATUS_IS_OK(status)) return True;
451 /* try with a new file name */
453 SSVAL(param, 0, level);
456 param_len += push_string(¶m[6], "\\newfile.dat", -1, STR_TERMINATE | STR_UNICODE);
458 status = try_nttrans_len(cli, "newfile", op, level, param, data, param_len, &data_len,
459 &rparam_len, &rdata_len);
460 smbcli_unlink(cli->tree, "\\newfile.dat");
461 smbcli_rmdir(cli->tree, "\\newfile.dat");
462 if (NT_STATUS_IS_OK(status)) return True;
465 smbcli_mkdir(cli->tree, "\\testdir");
467 SSVAL(param, 0, level);
468 param_len += push_string(¶m[2], "\\testdir", -1, STR_TERMINATE | STR_UNICODE);
470 status = try_nttrans_len(cli, "dfs", op, level, param, data, param_len, &data_len,
471 &rparam_len, &rdata_len);
472 smbcli_rmdir(cli->tree, "\\testdir");
473 if (NT_STATUS_IS_OK(status)) return True;
479 BOOL torture_nttrans_scan(void)
481 static struct smbcli_state *cli;
483 const char *fname = "\\scanner.dat";
486 printf("starting nttrans scan test\n");
488 if (!torture_open_connection(&cli)) {
492 fnum = smbcli_open(cli->tree, fname, O_RDWR | O_CREAT | O_TRUNC,
494 dnum = smbcli_open(cli->tree, "\\", O_RDONLY, DENY_NONE);
496 for (op=OP_MIN; op<=OP_MAX; op++) {
497 printf("Scanning op=%d\n", op);
498 for (level = 0; level <= 50; level++) {
499 scan_nttrans(cli, op, level, fnum, dnum, fname);
502 for (level = 0x100; level <= 0x130; level++) {
503 scan_nttrans(cli, op, level, fnum, dnum, fname);
506 for (level = 1000; level < 1050; level++) {
507 scan_nttrans(cli, op, level, fnum, dnum, fname);
511 torture_close_connection(cli);
513 printf("nttrans scan finished\n");
518 /* scan for valid base SMB requests */
519 BOOL torture_smb_scan(void)
521 static struct smbcli_state *cli;
523 struct smbcli_request *req;
526 for (op=0x0;op<=0xFF;op++) {
527 if (op == SMBreadbraw) continue;
529 if (!torture_open_connection(&cli)) {
533 req = smbcli_request_setup(cli->tree, op, 0, 0);
535 if (!smbcli_request_send(req)) {
536 smbcli_request_destroy(req);
541 smbcli_transport_process(cli->transport);
542 if (req->state > SMBCLI_REQUEST_RECV) {
543 status = smbcli_request_simple_recv(req);
544 printf("op=0x%x status=%s\n", op, nt_errstr(status));
545 torture_close_connection(cli);
550 smbcli_transport_process(cli->transport);
551 if (req->state > SMBCLI_REQUEST_RECV) {
552 status = smbcli_request_simple_recv(req);
553 printf("op=0x%x status=%s\n", op, nt_errstr(status));
555 printf("op=0x%x no reply\n", op);
556 smbcli_request_destroy(req);
557 continue; /* don't attempt close! */
560 torture_close_connection(cli);
564 printf("smb scan finished\n");
git.samba.org / bbaumbach / samba-autobuild / .git / blob