2 Unix SMB/CIFS implementation.
3 SMB torture tester - scanning functions
4 Copyright (C) Andrew Tridgell 2001
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "torture/torture.h"
22 #include "libcli/libcli.h"
23 #include "torture/util.h"
24 #include "libcli/raw/libcliraw.h"
25 #include "system/filesys.h"
32 /****************************************************************************
33 look for a partial hit
34 ****************************************************************************/
35 static void trans2_check_hit(const char *format, int op, int level, NTSTATUS status)
37 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL) ||
38 NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED) ||
39 NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
40 NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL) ||
41 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
45 printf("possible %s hit op=%3d level=%5d status=%s\n",
46 format, op, level, nt_errstr(status));
50 /****************************************************************************
51 check for existance of a trans2 call
52 ****************************************************************************/
53 static NTSTATUS try_trans2(struct smbcli_state *cli,
55 uint8_t *param, uint8_t *data,
56 int param_len, int data_len,
57 int *rparam_len, int *rdata_len)
64 mem_ctx = talloc_init("try_trans2");
67 t2.in.max_data = smb_raw_max_trans_data(cli->tree, 64);
71 t2.in.setup_count = 1;
73 t2.in.params.data = param;
74 t2.in.params.length = param_len;
75 t2.in.data.data = data;
76 t2.in.data.length = data_len;
78 status = smb_raw_trans2(cli->tree, mem_ctx, &t2);
80 *rparam_len = t2.out.params.length;
81 *rdata_len = t2.out.data.length;
89 static NTSTATUS try_trans2_len(struct smbcli_state *cli,
92 uint8_t *param, uint8_t *data,
93 int param_len, int *data_len,
94 int *rparam_len, int *rdata_len)
96 NTSTATUS ret=NT_STATUS_OK;
98 ret = try_trans2(cli, op, param, data, param_len,
99 sizeof(pstring), rparam_len, rdata_len);
101 printf("op=%d level=%d ret=%s\n", op, level, nt_errstr(ret));
103 if (!NT_STATUS_IS_OK(ret)) return ret;
106 while (*data_len < sizeof(pstring)) {
107 ret = try_trans2(cli, op, param, data, param_len,
108 *data_len, rparam_len, rdata_len);
109 if (NT_STATUS_IS_OK(ret)) break;
112 if (NT_STATUS_IS_OK(ret)) {
113 printf("found %s level=%d data_len=%d rparam_len=%d rdata_len=%d\n",
114 format, level, *data_len, *rparam_len, *rdata_len);
116 trans2_check_hit(format, op, level, ret);
122 /****************************************************************************
123 check whether a trans2 opnum exists at all
124 ****************************************************************************/
125 static BOOL trans2_op_exists(struct smbcli_state *cli, int op)
129 int rparam_len, rdata_len;
130 uint8_t param[1024], data[1024];
131 NTSTATUS status1, status2;
133 memset(data, 0, sizeof(data));
136 /* try with a info level only */
137 param_len = sizeof(param);
138 data_len = sizeof(data);
140 memset(param, 0xFF, sizeof(param));
141 memset(data, 0xFF, sizeof(data));
143 status1 = try_trans2(cli, 0xFFFF, param, data, param_len, data_len,
144 &rparam_len, &rdata_len);
146 status2 = try_trans2(cli, op, param, data, param_len, data_len,
147 &rparam_len, &rdata_len);
149 if (NT_STATUS_EQUAL(status1, status2)) return False;
151 printf("Found op %d (status=%s)\n", op, nt_errstr(status2));
156 /****************************************************************************
157 check for existance of a trans2 call
158 ****************************************************************************/
159 static BOOL scan_trans2(struct smbcli_state *cli, int op, int level,
160 int fnum, int dnum, int qfnum, const char *fname)
164 int rparam_len, rdata_len;
165 uint8_t param[1024], data[1024];
168 memset(data, 0, sizeof(data));
171 /* try with a info level only */
173 SSVAL(param, 0, level);
174 status = try_trans2_len(cli, "void", op, level, param, data, param_len, &data_len,
175 &rparam_len, &rdata_len);
176 if (NT_STATUS_IS_OK(status)) return True;
178 /* try with a file descriptor */
180 SSVAL(param, 0, fnum);
181 SSVAL(param, 2, level);
183 status = try_trans2_len(cli, "fnum", op, level, param, data, param_len, &data_len,
184 &rparam_len, &rdata_len);
185 if (NT_STATUS_IS_OK(status)) return True;
187 /* try with a quota file descriptor */
189 SSVAL(param, 0, qfnum);
190 SSVAL(param, 2, level);
192 status = try_trans2_len(cli, "qfnum", op, level, param, data, param_len, &data_len,
193 &rparam_len, &rdata_len);
194 if (NT_STATUS_IS_OK(status)) return True;
196 /* try with a notify style */
198 SSVAL(param, 0, dnum);
199 SSVAL(param, 2, dnum);
200 SSVAL(param, 4, level);
201 status = try_trans2_len(cli, "notify", op, level, param, data, param_len, &data_len,
202 &rparam_len, &rdata_len);
203 if (NT_STATUS_IS_OK(status)) return True;
205 /* try with a file name */
207 SSVAL(param, 0, level);
210 param_len += push_string(¶m[6], fname, sizeof(pstring)-7, STR_TERMINATE|STR_UNICODE);
212 status = try_trans2_len(cli, "fname", op, level, param, data, param_len, &data_len,
213 &rparam_len, &rdata_len);
214 if (NT_STATUS_IS_OK(status)) return True;
216 /* try with a new file name */
218 SSVAL(param, 0, level);
221 param_len += push_string(¶m[6], "\\newfile.dat", sizeof(pstring)-7, STR_TERMINATE|STR_UNICODE);
223 status = try_trans2_len(cli, "newfile", op, level, param, data, param_len, &data_len,
224 &rparam_len, &rdata_len);
225 smbcli_unlink(cli->tree, "\\newfile.dat");
226 smbcli_rmdir(cli->tree, "\\newfile.dat");
227 if (NT_STATUS_IS_OK(status)) return True;
230 smbcli_mkdir(cli->tree, "\\testdir");
232 SSVAL(param, 0, level);
233 param_len += push_string(¶m[2], "\\testdir", sizeof(pstring)-3, STR_TERMINATE|STR_UNICODE);
235 status = try_trans2_len(cli, "dfs", op, level, param, data, param_len, &data_len,
236 &rparam_len, &rdata_len);
237 smbcli_rmdir(cli->tree, "\\testdir");
238 if (NT_STATUS_IS_OK(status)) return True;
244 BOOL torture_trans2_scan(struct torture_context *torture,
245 struct smbcli_state *cli)
248 const char *fname = "\\scanner.dat";
249 int fnum, dnum, qfnum;
251 fnum = smbcli_open(cli->tree, fname, O_RDWR | O_CREAT | O_TRUNC, DENY_NONE);
253 printf("file open failed - %s\n", smbcli_errstr(cli->tree));
255 dnum = smbcli_nt_create_full(cli->tree, "\\",
257 SEC_RIGHTS_FILE_READ,
258 FILE_ATTRIBUTE_NORMAL,
259 NTCREATEX_SHARE_ACCESS_READ | NTCREATEX_SHARE_ACCESS_WRITE,
261 NTCREATEX_OPTIONS_DIRECTORY, 0);
263 printf("directory open failed - %s\n", smbcli_errstr(cli->tree));
265 qfnum = smbcli_nt_create_full(cli->tree, "\\$Extend\\$Quota:$Q:$INDEX_ALLOCATION",
266 NTCREATEX_FLAGS_EXTENDED,
267 SEC_FLAG_MAXIMUM_ALLOWED,
269 NTCREATEX_SHARE_ACCESS_READ|NTCREATEX_SHARE_ACCESS_WRITE,
273 printf("quota open failed - %s\n", smbcli_errstr(cli->tree));
276 for (op=OP_MIN; op<=OP_MAX; op++) {
278 if (!trans2_op_exists(cli, op)) {
282 for (level = 0; level <= 50; level++) {
283 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
286 for (level = 0x100; level <= 0x130; level++) {
287 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
290 for (level = 1000; level < 1050; level++) {
291 scan_trans2(cli, op, level, fnum, dnum, qfnum, fname);
301 /****************************************************************************
302 look for a partial hit
303 ****************************************************************************/
304 static void nttrans_check_hit(const char *format, int op, int level, NTSTATUS status)
306 if (NT_STATUS_EQUAL(status, NT_STATUS_INVALID_LEVEL) ||
307 NT_STATUS_EQUAL(status, NT_STATUS_NOT_IMPLEMENTED) ||
308 NT_STATUS_EQUAL(status, NT_STATUS_NOT_SUPPORTED) ||
309 NT_STATUS_EQUAL(status, NT_STATUS_UNSUCCESSFUL) ||
310 NT_STATUS_EQUAL(status, NT_STATUS_INVALID_INFO_CLASS)) {
314 printf("possible %s hit op=%3d level=%5d status=%s\n",
315 format, op, level, nt_errstr(status));
319 /****************************************************************************
320 check for existence of a nttrans call
321 ****************************************************************************/
322 static NTSTATUS try_nttrans(struct smbcli_state *cli,
324 uint8_t *param, uint8_t *data,
325 int param_len, int data_len,
326 int *rparam_len, int *rdata_len)
328 struct smb_nttrans parms;
329 DATA_BLOB ntparam_blob, ntdata_blob;
333 mem_ctx = talloc_init("try_nttrans");
335 ntparam_blob.length = param_len;
336 ntparam_blob.data = param;
337 ntdata_blob.length = data_len;
338 ntdata_blob.data = data;
340 parms.in.max_param = 64;
341 parms.in.max_data = smb_raw_max_trans_data(cli->tree, 64);
342 parms.in.max_setup = 0;
343 parms.in.setup_count = 0;
344 parms.in.function = op;
345 parms.in.params = ntparam_blob;
346 parms.in.data = ntdata_blob;
348 status = smb_raw_nttrans(cli->tree, mem_ctx, &parms);
350 if (NT_STATUS_IS_ERR(status)) {
351 DEBUG(1,("Failed to send NT_TRANS\n"));
352 talloc_free(mem_ctx);
355 *rparam_len = parms.out.params.length;
356 *rdata_len = parms.out.data.length;
358 talloc_free(mem_ctx);
364 static NTSTATUS try_nttrans_len(struct smbcli_state *cli,
367 uint8_t *param, uint8_t *data,
368 int param_len, int *data_len,
369 int *rparam_len, int *rdata_len)
371 NTSTATUS ret=NT_STATUS_OK;
373 ret = try_nttrans(cli, op, param, data, param_len,
374 sizeof(pstring), rparam_len, rdata_len);
376 printf("op=%d level=%d ret=%s\n", op, level, nt_errstr(ret));
378 if (!NT_STATUS_IS_OK(ret)) return ret;
381 while (*data_len < sizeof(pstring)) {
382 ret = try_nttrans(cli, op, param, data, param_len,
383 *data_len, rparam_len, rdata_len);
384 if (NT_STATUS_IS_OK(ret)) break;
387 if (NT_STATUS_IS_OK(ret)) {
388 printf("found %s level=%d data_len=%d rparam_len=%d rdata_len=%d\n",
389 format, level, *data_len, *rparam_len, *rdata_len);
391 nttrans_check_hit(format, op, level, ret);
396 /****************************************************************************
397 check for existance of a nttrans call
398 ****************************************************************************/
399 static BOOL scan_nttrans(struct smbcli_state *cli, int op, int level,
400 int fnum, int dnum, const char *fname)
404 int rparam_len, rdata_len;
405 uint8_t param[1024], data[1024];
408 memset(data, 0, sizeof(data));
411 /* try with a info level only */
413 SSVAL(param, 0, level);
414 status = try_nttrans_len(cli, "void", op, level, param, data, param_len, &data_len,
415 &rparam_len, &rdata_len);
416 if (NT_STATUS_IS_OK(status)) return True;
418 /* try with a file descriptor */
420 SSVAL(param, 0, fnum);
421 SSVAL(param, 2, level);
423 status = try_nttrans_len(cli, "fnum", op, level, param, data, param_len, &data_len,
424 &rparam_len, &rdata_len);
425 if (NT_STATUS_IS_OK(status)) return True;
428 /* try with a notify style */
430 SSVAL(param, 0, dnum);
431 SSVAL(param, 2, dnum);
432 SSVAL(param, 4, level);
433 status = try_nttrans_len(cli, "notify", op, level, param, data, param_len, &data_len,
434 &rparam_len, &rdata_len);
435 if (NT_STATUS_IS_OK(status)) return True;
437 /* try with a file name */
439 SSVAL(param, 0, level);
442 param_len += push_string(¶m[6], fname, sizeof(pstring), STR_TERMINATE | STR_UNICODE);
444 status = try_nttrans_len(cli, "fname", op, level, param, data, param_len, &data_len,
445 &rparam_len, &rdata_len);
446 if (NT_STATUS_IS_OK(status)) return True;
448 /* try with a new file name */
450 SSVAL(param, 0, level);
453 param_len += push_string(¶m[6], "\\newfile.dat", sizeof(pstring), STR_TERMINATE | STR_UNICODE);
455 status = try_nttrans_len(cli, "newfile", op, level, param, data, param_len, &data_len,
456 &rparam_len, &rdata_len);
457 smbcli_unlink(cli->tree, "\\newfile.dat");
458 smbcli_rmdir(cli->tree, "\\newfile.dat");
459 if (NT_STATUS_IS_OK(status)) return True;
462 smbcli_mkdir(cli->tree, "\\testdir");
464 SSVAL(param, 0, level);
465 param_len += push_string(¶m[2], "\\testdir", sizeof(pstring), STR_TERMINATE | STR_UNICODE);
467 status = try_nttrans_len(cli, "dfs", op, level, param, data, param_len, &data_len,
468 &rparam_len, &rdata_len);
469 smbcli_rmdir(cli->tree, "\\testdir");
470 if (NT_STATUS_IS_OK(status)) return True;
476 BOOL torture_nttrans_scan(struct torture_context *torture,
477 struct smbcli_state *cli)
480 const char *fname = "\\scanner.dat";
483 fnum = smbcli_open(cli->tree, fname, O_RDWR | O_CREAT | O_TRUNC,
485 dnum = smbcli_open(cli->tree, "\\", O_RDONLY, DENY_NONE);
487 for (op=OP_MIN; op<=OP_MAX; op++) {
488 printf("Scanning op=%d\n", op);
489 for (level = 0; level <= 50; level++) {
490 scan_nttrans(cli, op, level, fnum, dnum, fname);
493 for (level = 0x100; level <= 0x130; level++) {
494 scan_nttrans(cli, op, level, fnum, dnum, fname);
497 for (level = 1000; level < 1050; level++) {
498 scan_nttrans(cli, op, level, fnum, dnum, fname);
502 torture_close_connection(cli);
504 printf("nttrans scan finished\n");
509 /* scan for valid base SMB requests */
510 BOOL torture_smb_scan(struct torture_context *torture)
512 static struct smbcli_state *cli;
514 struct smbcli_request *req;
517 for (op=0x0;op<=0xFF;op++) {
518 if (op == SMBreadbraw) continue;
520 if (!torture_open_connection(&cli, 0)) {
524 req = smbcli_request_setup(cli->tree, op, 0, 0);
526 if (!smbcli_request_send(req)) {
527 smbcli_request_destroy(req);
532 smbcli_transport_process(cli->transport);
533 if (req->state > SMBCLI_REQUEST_RECV) {
534 status = smbcli_request_simple_recv(req);
535 printf("op=0x%x status=%s\n", op, nt_errstr(status));
536 torture_close_connection(cli);
541 smbcli_transport_process(cli->transport);
542 if (req->state > SMBCLI_REQUEST_RECV) {
543 status = smbcli_request_simple_recv(req);
544 printf("op=0x%x status=%s\n", op, nt_errstr(status));
546 printf("op=0x%x no reply\n", op);
547 smbcli_request_destroy(req);
548 continue; /* don't attempt close! */
551 torture_close_connection(cli);
555 printf("smb scan finished\n");
git.samba.org / garming / samba-autobuild / .git / blob