From 46899ecf836d350c0c29b615869851da7d0ad6fb Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 2 Dec 2019 17:23:21 -0800
Subject: [PATCH] python: tests. Add test for fuzzing smbd crash bug.

Mark knownfail for now.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14205

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 python/samba/tests/smbd_fuzztest.py | 77 +++++++++++++++++++++++++++++
 selftest/knownfail.d/smb1_fuzz_smbd |  1 +
 selftest/tests.py                   |  1 +
 3 files changed, 79 insertions(+)
 create mode 100644 python/samba/tests/smbd_fuzztest.py
 create mode 100644 selftest/knownfail.d/smb1_fuzz_smbd

diff --git a/python/samba/tests/smbd_fuzztest.py b/python/samba/tests/smbd_fuzztest.py
new file mode 100644
index 00000000000..900cddf3880
--- /dev/null
+++ b/python/samba/tests/smbd_fuzztest.py
@@ -0,0 +1,77 @@
+# Unix SMB/CIFS implementation. Tests for smbd fuzzing.
+# Copyright (C) Jeremy Allison 2019.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import samba
+import os
+import binascii
+import socket
+
+class fuzzsmbd(samba.tests.TestCase):
+    def test_bug_14205(self):
+        #
+        # badblob consists of an incorrectly
+        # terminated SMB1 Negprot, with a valid SessionSetup after.
+        # BUG: #14205 causes the smbd server to crash.
+        #
+        state = True;
+        badblob = binascii.a2b_base64("AAAA1P9TTUJyAAAAABhDyAAAAAAAAAAAAAAAACcA/v8AAAAAALEAAlBDIE5F"
+                                      "VFdPUksgUFJPR1JBTSD//jAAAk1JQ1JPU09GVCBOR1RXT1JLUyAxLjANDAJN"
+                                      "SR3hkXOl0mb+QXW4Da/jp0f+AAAA1P9TTUJyAAAAABgDyAAABDQAAAAAAAAA"
+                                      "ACcA/v8AAAAAALEAAlBDIE5FVFdPUksgUFJPR1JBFBX//jAAAk1JQ1JPU09G"
+                                      "VCBOR1RXT1JLUyAxLjANDAJNSR3hkUal0mb+QXW4Da/jp0f+AAAA1P9TTUJz"
+                                      "LTE0OEF1uA2v46dH/gqAIIwiAoRiVHWgODu8OdksJQAAAAAnAP7/AAAAAACx"
+                                      "AAJQQyBORVRXT1JLIFBST0dSQU0g//4wAAJNSUNST1NPRlQgTkdUV09SS1Mg"
+                                      "MS4wDQwCTUkd4ZFGpdJm/kF1uA2v46dH/gAAANT/U01Ccy0xNDgyMTIyOTE3"
+                                      "Nzk2MzIAAAAAGAPIAAAAAAAAAAAAAAAAJwD+/wAAAAAAsQACUEMgTkVUV09S"
+                                      "SyBQUk9HUkFNIP/+MAACTUlDUk9TT0ZUIE5HVFdPUktTIDEuMA0GAAAAAAAA"
+                                      "AKXSZv5BdbgNr+OnR/4AAADU/1NNQnMtMTQ4MjEyMjkxNzc5NjMyNDQ4NDNA"
+                                      "ujcyNjgAsQACUEMgTkVUF09SSyAgAAAAAAAAAP/+MAACTUlDUk9TT0bAIE5H"
+                                      "BwAtMjMxODIxMjE4MTM5OTU0ODA2OP5BdbgNr+OnR/4KgCCMIgKEYlR1oDg7"
+                                      "vDnZLCWy")
+        s = None
+        try:
+            s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+            s.connect(("fileserver", 445))
+            s.send(badblob)
+            # Read the 39-byte SMB1 reply to the SMB1 Negprot.
+            # This is an error message saying the Negprot was
+            # invalid.
+            rb = s.recv(1024)
+            try:
+                # Read again to wait for the server to exit.
+                rb = s.recv(1024)
+            except socket.error as e:
+                # We expect a socket error here as
+                # in both success and fail cases the
+                # server just resets the connection.
+                pass
+            finally:
+                pass
+        finally:
+            if s is not None:
+                s.close()
+        #
+        # If the server crashed there is the
+        # following message in the debug log.
+        #
+        for line in open(os.environ['SMBD_TEST_LOG']):
+            if "INTERNAL ERROR: Signal 11 in pid" in line:
+                print("Found crash in smbd log")
+                state = False;
+                break
+        self.assertTrue(state)
diff --git a/selftest/knownfail.d/smb1_fuzz_smbd b/selftest/knownfail.d/smb1_fuzz_smbd
new file mode 100644
index 00000000000..82b1b26254f
--- /dev/null
+++ b/selftest/knownfail.d/smb1_fuzz_smbd
@@ -0,0 +1 @@
+^samba.tests.smbd_fuzztest
diff --git a/selftest/tests.py b/selftest/tests.py
index cca2ad02c9e..32b76b4bc5b 100644
--- a/selftest/tests.py
+++ b/selftest/tests.py
@@ -90,6 +90,7 @@ planpythontestsuite(
     "none", "wafsamba.tests.test_suite",
     extra_path=[os.path.join(samba4srcdir, "..", "buildtools"),
                 os.path.join(samba4srcdir, "..", "third_party", "waf")])
+planpythontestsuite("fileserver", "samba.tests.smbd_fuzztest")
 
 
 def cmdline(script, *args):
-- 
2.47.3