From: Jeremy Allison Date: Tue, 3 Dec 2019 01:23:21 +0000 (-0800) Subject: python: tests. Add test for fuzzing smbd crash bug. X-Git-Tag: samba-4.10.13~24 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d8d661aabfdb04b8a472b85e6cc3fba0dd490c23;p=thirdparty%2Fsamba.git python: tests. Add test for fuzzing smbd crash bug. Mark knownfail for now. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205 Signed-off-by: Jeremy Allison Reviewed-by: Andrew Bartlett (cherry picked from commit 46899ecf836d350c0c29b615869851da7d0ad6fb)
---
diff --git a/python/samba/tests/smbd_fuzztest.py b/python/samba/tests/smbd_fuzztest.py
new file mode 100644
index 00000000000..900cddf3880
--- /dev/null
+++ b/python/samba/tests/smbd_fuzztest.py
@@ -0,0 +1,77 @@
+# Unix SMB/CIFS implementation. Tests for smbd fuzzing.
+# Copyright (C) Jeremy Allison 2019.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import sys
+import samba
+import os
+import binascii
+import socket
+
+class fuzzsmbd(samba.tests.TestCase):
+ def test_bug_14205(self):
+ #
+ # badblob consists of an incorrectly
+ # terminated SMB1 Negprot, with a valid SessionSetup after.
+ # BUG: #14205 causes the smbd server to crash.
+ #
+ state = True;
+ badblob = binascii.a2b_base64("AAAA1P9TTUJyAAAAABhDyAAAAAAAAAAAAAAAACcA/v8AAAAAALEAAlBDIE5F"
+ "VFdPUksgUFJPR1JBTSD//jAAAk1JQ1JPU09GVCBOR1RXT1JLUyAxLjANDAJN"
+ "SR3hkXOl0mb+QXW4Da/jp0f+AAAA1P9TTUJyAAAAABgDyAAABDQAAAAAAAAA"
+ "ACcA/v8AAAAAALEAAlBDIE5FVFdPUksgUFJPR1JBFBX//jAAAk1JQ1JPU09G"
+ "VCBOR1RXT1JLUyAxLjANDAJNSR3hkUal0mb+QXW4Da/jp0f+AAAA1P9TTUJz"
+ "LTE0OEF1uA2v46dH/gqAIIwiAoRiVHWgODu8OdksJQAAAAAnAP7/AAAAAACx"
+ "AAJQQyBORVRXT1JLIFBST0dSQU0g//4wAAJNSUNST1NPRlQgTkdUV09SS1Mg"
+ "MS4wDQwCTUkd4ZFGpdJm/kF1uA2v46dH/gAAANT/U01Ccy0xNDgyMTIyOTE3"
+ "Nzk2MzIAAAAAGAPIAAAAAAAAAAAAAAAAJwD+/wAAAAAAsQACUEMgTkVUV09S"
+ "SyBQUk9HUkFNIP/+MAACTUlDUk9TT0ZUIE5HVFdPUktTIDEuMA0GAAAAAAAA"
+ "AKXSZv5BdbgNr+OnR/4AAADU/1NNQnMtMTQ4MjEyMjkxNzc5NjMyNDQ4NDNA"
+ "ujcyNjgAsQACUEMgTkVUF09SSyAgAAAAAAAAAP/+MAACTUlDUk9TT0bAIE5H"
+ "BwAtMjMxODIxMjE4MTM5OTU0ODA2OP5BdbgNr+OnR/4KgCCMIgKEYlR1oDg7"
+ "vDnZLCWy")
+ s = None
+ try:
+ s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+ s.connect(("fileserver", 445))
+ s.send(badblob)
+ # Read the 39-byte SMB1 reply to the SMB1 Negprot.
+ # This is an error message saying the Negprot was
+ # invalid.
+ rb = s.recv(1024)
+ try:
+ # Read again to wait for the server to exit.
+ rb = s.recv(1024)
+ except socket.error as e:
+ # We expect a socket error here as
+ # in both success and fail cases the
+ # server just resets the connection.
+ pass
+ finally:
+ pass
+ finally:
+ if s is not None:
+ s.close()
+ #
+ # If the server crashed there is the
+ # following message in the debug log.
+ #
+ for line in open(os.environ['SMBD_TEST_LOG']):
+ if "INTERNAL ERROR: Signal 11 in pid" in line:
+ print("Found crash in smbd log")
+ state = False;
+ break
+ self.assertTrue(state)
diff --git a/selftest/knownfail.d/smb1_fuzz_smbd b/selftest/knownfail.d/smb1_fuzz_smbd
new file mode 100644
index 00000000000..82b1b26254f
--- /dev/null
+++ b/selftest/knownfail.d/smb1_fuzz_smbd
@@ -0,0 +1 @@
+^samba.tests.smbd_fuzztest
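Review bot: In `test_bug_14205` (python/samba/tests/smbd_fuzztest.py) the pass/fail decision is unreliable: `s.send(badblob)` may write only part of the blob, and the scan of `SMBD_TEST_LOG` starts at the top of the file, so the test can pass without the full request reaching smbd or fail on a `Signal 11` line logged before this test ran. The socket also has no timeout, so either `recv(1024)` can block the test run indefinitely if smbd neither answers nor closes, and the handle returned by `open()` is never closed. I would record the log size before connecting, use `sendall` with a bounded timeout, and read only the new part of the log inside a `with` block, as sketched below; the 30-second value is a suggestion, and whether smbd has flushed the crash message by the time the connection resets should be confirmed.

```python
        # … unchanged: state and badblob setup …
        log_path = os.environ['SMBD_TEST_LOG']
        # Remember where the log ended so only lines written by this test count.
        log_start = os.path.getsize(log_path)
        s = None
        try:
            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            s.settimeout(30)
            s.connect(("fileserver", 445))
            s.sendall(badblob)
            # … unchanged: the two recv() calls, error handling and close …
        with open(log_path, 'rb') as log:
            log.seek(log_start)
            for line in log:
                if b"INTERNAL ERROR: Signal 11 in pid" in line:
                    # … unchanged: print, state = False, break …
```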
diff --git a/selftest/tests.py b/selftest/tests.py index c9529328359..5d7d8eebeda 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -87,6 +87,7 @@ planpythontestsuite("none", "samba.tests.s3registry", py3_compatible=True) planpythontestsuite("none", "samba.tests.s3windb", py3_compatible=True) planpythontestsuite("none", "samba.tests.s3idmapdb", py3_compatible=True) planpythontestsuite("none", "samba.tests.samba3sam") +planpythontestsuite("fileserver", "samba.tests.smbd_fuzztest") planpythontestsuite( "none", "wafsamba.tests.test_suite", extra_path=[os.path.join(samba4srcdir, "..", "buildtools"),