317 lines
8.7 KiB
Diff
317 lines
8.7 KiB
Diff
From ddeabf87957ce73e12030977948418c93436a05c Mon Sep 17 00:00:00 2001
|
|
From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
Date: Fri, 12 Jun 2020 14:26:38 +1200
|
|
Subject: [PATCH 13/22] CVE-2020-10745: librpc/tests: cmocka tests of dns and
|
|
ndr strings
|
|
|
|
These time the push and pull function in isolation.
|
|
|
|
Timing should be under 0.0001 seconds on even quite old hardware; we
|
|
assert it must be under 0.2 seconds.
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14378
|
|
|
|
(backported from master commit)
|
|
[abartlet@samba.org: backported due to differences in pre-existing
|
|
tests - eg test_ndr - mentioned in wscript_build and tests.py]
|
|
|
|
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|
|
---
|
|
librpc/tests/test_ndr_dns_nbt.c | 236 +++++++++++++++++++++++++++++++
|
|
librpc/wscript_build | 13 ++
|
|
selftest/knownfail.d/ndr_dns_nbt | 4 +
|
|
source4/selftest/tests.py | 2 +
|
|
4 files changed, 255 insertions(+)
|
|
create mode 100644 librpc/tests/test_ndr_dns_nbt.c
|
|
create mode 100644 selftest/knownfail.d/ndr_dns_nbt
|
|
|
|
diff --git a/librpc/tests/test_ndr_dns_nbt.c b/librpc/tests/test_ndr_dns_nbt.c
|
|
new file mode 100644
|
|
index 00000000000..1e2ef45c10d
|
|
--- /dev/null
|
|
+++ b/librpc/tests/test_ndr_dns_nbt.c
|
|
@@ -0,0 +1,236 @@
|
|
+/*
|
|
+ * Tests for librpc ndr functions
|
|
+ *
|
|
+ * Copyright (C) Catalyst.NET Ltd 2020
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or modify
|
|
+ * it under the terms of the GNU General Public License as published by
|
|
+ * the Free Software Foundation; either version 3 of the License, or
|
|
+ * (at your option) any later version.
|
|
+ *
|
|
+ * This program is distributed in the hope that it will be useful,
|
|
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
+ * GNU General Public License for more details.
|
|
+ *
|
|
+ * You should have received a copy of the GNU General Public License
|
|
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
+ *
|
|
+ */
|
|
+
|
|
+#include "replace.h"
|
|
+#include <setjmp.h>
|
|
+#include <cmocka.h>
|
|
+
|
|
+#include "includes.h"
|
|
+#include "librpc/ndr/libndr.h"
|
|
+#include "librpc/gen_ndr/ndr_dns.h"
|
|
+#include "librpc/gen_ndr/ndr_nbt.h"
|
|
+#include "lib/util/time.h"
|
|
+
|
|
+#define NBT_NAME "EOGFGLGPCACACACACACACACACACACACA" /* "neko" */
|
|
+
|
|
+
|
|
+static DATA_BLOB generate_obnoxious_dns_name(TALLOC_CTX *mem_ctx,
|
|
+ size_t n_labels,
|
|
+ size_t dot_every,
|
|
+ bool is_nbt)
|
|
+{
|
|
+ size_t i, j;
|
|
+ char *s;
|
|
+ DATA_BLOB name = data_blob_talloc(mem_ctx, NULL, 64 * n_labels + 1);
|
|
+ assert_non_null(name.data);
|
|
+
|
|
+ s = (char*)name.data;
|
|
+ if (is_nbt) {
|
|
+ size_t len = strlen(NBT_NAME);
|
|
+ *s = len;
|
|
+ s++;
|
|
+ memcpy(s, NBT_NAME, len);
|
|
+ s += len;
|
|
+ n_labels--;
|
|
+ }
|
|
+
|
|
+ for (i = 0; i < n_labels; i++) {
|
|
+ *s = 63;
|
|
+ s++;
|
|
+ for (j = 0; j < 63; j++) {
|
|
+ if (j % dot_every == (dot_every - 1)) {
|
|
+ *s = '.';
|
|
+ } else {
|
|
+ *s = 'x';
|
|
+ }
|
|
+ s++;
|
|
+ }
|
|
+ }
|
|
+ *s = 0;
|
|
+ s++;
|
|
+ name.length = s - (char*)name.data;
|
|
+ return name;
|
|
+}
|
|
+
|
|
+
|
|
+static char *_test_ndr_pull_dns_string_list(TALLOC_CTX *mem_ctx,
|
|
+ size_t n_labels,
|
|
+ size_t dot_every,
|
|
+ bool is_nbt)
|
|
+{
|
|
+ enum ndr_err_code ndr_err;
|
|
+ DATA_BLOB blob = generate_obnoxious_dns_name(mem_ctx,
|
|
+ n_labels,
|
|
+ dot_every,
|
|
+ is_nbt);
|
|
+
|
|
+ char *name;
|
|
+ ndr_pull_flags_fn_t fn;
|
|
+
|
|
+ if (is_nbt) {
|
|
+ fn = (ndr_pull_flags_fn_t)ndr_pull_nbt_string;
|
|
+ } else {
|
|
+ fn = (ndr_pull_flags_fn_t)ndr_pull_dns_string;
|
|
+ }
|
|
+
|
|
+ ndr_err = ndr_pull_struct_blob(&blob,
|
|
+ mem_ctx,
|
|
+ &name,
|
|
+ fn);
|
|
+ /* Success here is not expected, but we let it go to measure timing. */
|
|
+ if (ndr_err == NDR_ERR_SUCCESS) {
|
|
+ printf("pull succeed\n");
|
|
+ } else {
|
|
+ assert_int_equal(ndr_err, NDR_ERR_STRING);
|
|
+ }
|
|
+
|
|
+ TALLOC_FREE(blob.data);
|
|
+ return name;
|
|
+}
|
|
+
|
|
+
|
|
+static void _test_ndr_push_dns_string_list(TALLOC_CTX *mem_ctx,
|
|
+ char *name,
|
|
+ bool is_nbt)
|
|
+{
|
|
+ DATA_BLOB blob;
|
|
+ enum ndr_err_code ndr_err;
|
|
+ ndr_push_flags_fn_t fn;
|
|
+
|
|
+ if (is_nbt) {
|
|
+ fn = (ndr_push_flags_fn_t)ndr_push_nbt_string;
|
|
+ } else {
|
|
+ fn = (ndr_push_flags_fn_t)ndr_push_dns_string;
|
|
+ }
|
|
+
|
|
+ ndr_err = ndr_push_struct_blob(&blob,
|
|
+ mem_ctx,
|
|
+ name,
|
|
+ fn);
|
|
+
|
|
+ /* Success here is not expected, but we let it go to measure timing. */
|
|
+ if (ndr_err == NDR_ERR_SUCCESS) {
|
|
+ printf("push succeed\n");
|
|
+ } else {
|
|
+ assert_int_equal(ndr_err, NDR_ERR_STRING);
|
|
+ }
|
|
+}
|
|
+
|
|
+
|
|
+static uint64_t elapsed_time(struct timespec start, const char *print)
|
|
+{
|
|
+ struct timespec end;
|
|
+ unsigned long long microsecs;
|
|
+ clock_gettime_mono(&end);
|
|
+ end.tv_sec -= start.tv_sec;
|
|
+ if (end.tv_nsec < start.tv_nsec) {
|
|
+ /* we need to borrow */
|
|
+ end.tv_nsec += 1000 * 1000 * 1000;
|
|
+ end.tv_sec -= 1;
|
|
+ }
|
|
+ end.tv_nsec -= start.tv_nsec;
|
|
+ microsecs = end.tv_sec * 1000000;
|
|
+ microsecs += end.tv_nsec / 1000;
|
|
+
|
|
+ if (print != NULL) {
|
|
+ printf(" %s: %llu microseconds\n", print, microsecs);
|
|
+ }
|
|
+ return microsecs;
|
|
+}
|
|
+
|
|
+
|
|
+static void test_ndr_dns_string_half_dots(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
|
|
+ char *name;
|
|
+ struct timespec start;
|
|
+ uint64_t elapsed;
|
|
+
|
|
+ clock_gettime_mono(&start);
|
|
+ name =_test_ndr_pull_dns_string_list(mem_ctx, 127, 2, false);
|
|
+ elapsed_time(start, "pull");
|
|
+ _test_ndr_push_dns_string_list(mem_ctx, name, false);
|
|
+ elapsed = elapsed_time(start, "total");
|
|
+ assert_in_range(elapsed, 0, 200000);
|
|
+ talloc_free(mem_ctx);
|
|
+}
|
|
+
|
|
+static void test_ndr_nbt_string_half_dots(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
|
|
+ char *name;
|
|
+ struct timespec start;
|
|
+ uint64_t elapsed;
|
|
+
|
|
+ clock_gettime_mono(&start);
|
|
+ name =_test_ndr_pull_dns_string_list(mem_ctx, 127, 2, true);
|
|
+ elapsed_time(start, "pull");
|
|
+ _test_ndr_push_dns_string_list(mem_ctx, name, true);
|
|
+ elapsed = elapsed_time(start, "total");
|
|
+ assert_in_range(elapsed, 0, 200000);
|
|
+ talloc_free(mem_ctx);
|
|
+}
|
|
+
|
|
+static void test_ndr_dns_string_all_dots(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
|
|
+ char *name;
|
|
+ struct timespec start;
|
|
+ uint64_t elapsed;
|
|
+
|
|
+ clock_gettime_mono(&start);
|
|
+ name =_test_ndr_pull_dns_string_list(mem_ctx, 127, 1, false);
|
|
+ elapsed_time(start, "pull");
|
|
+ _test_ndr_push_dns_string_list(mem_ctx, name, false);
|
|
+ elapsed = elapsed_time(start, "total");
|
|
+ assert_in_range(elapsed, 0, 200000);
|
|
+ talloc_free(mem_ctx);
|
|
+}
|
|
+
|
|
+static void test_ndr_nbt_string_all_dots(void **state)
|
|
+{
|
|
+ TALLOC_CTX *mem_ctx = talloc_new(NULL);
|
|
+ char *name;
|
|
+ struct timespec start;
|
|
+ uint64_t elapsed;
|
|
+
|
|
+ clock_gettime_mono(&start);
|
|
+ name =_test_ndr_pull_dns_string_list(mem_ctx, 127, 1, true);
|
|
+ elapsed_time(start, "pull");
|
|
+ _test_ndr_push_dns_string_list(mem_ctx, name, true);
|
|
+ elapsed = elapsed_time(start, "total");
|
|
+ assert_in_range(elapsed, 0, 200000);
|
|
+ talloc_free(mem_ctx);
|
|
+}
|
|
+
|
|
+
|
|
+
|
|
+int main(int argc, const char **argv)
|
|
+{
|
|
+ const struct CMUnitTest tests[] = {
|
|
+ cmocka_unit_test(test_ndr_nbt_string_half_dots),
|
|
+ cmocka_unit_test(test_ndr_dns_string_half_dots),
|
|
+ cmocka_unit_test(test_ndr_nbt_string_all_dots),
|
|
+ cmocka_unit_test(test_ndr_dns_string_all_dots),
|
|
+ };
|
|
+
|
|
+ cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
|
|
+ return cmocka_run_group_tests(tests, NULL, NULL);
|
|
+}
|
|
diff --git a/librpc/wscript_build b/librpc/wscript_build
|
|
index 70fe8c2f7fe..e3be298c725 100644
|
|
--- a/librpc/wscript_build
|
|
+++ b/librpc/wscript_build
|
|
@@ -656,3 +656,16 @@ bld.SAMBA_SUBSYSTEM('NDR_FSRVP_STATE',
|
|
source='gen_ndr/ndr_fsrvp_state.c',
|
|
public_deps='ndr'
|
|
)
|
|
+#
|
|
+# Cmocka tests
|
|
+#
|
|
+
|
|
+bld.SAMBA_BINARY('test_ndr_dns_nbt',
|
|
+ source='tests/test_ndr_dns_nbt.c',
|
|
+ deps='''
|
|
+ cmocka
|
|
+ ndr
|
|
+ ndr_nbt
|
|
+ NDR_DNS
|
|
+ ''',
|
|
+ install=False)
|
|
diff --git a/selftest/knownfail.d/ndr_dns_nbt b/selftest/knownfail.d/ndr_dns_nbt
|
|
new file mode 100644
|
|
index 00000000000..f30217c4033
|
|
--- /dev/null
|
|
+++ b/selftest/knownfail.d/ndr_dns_nbt
|
|
@@ -0,0 +1,4 @@
|
|
+librpc.ndr.ndr_dns_nbt.test_ndr_dns_string_all_dots
|
|
+librpc.ndr.ndr_dns_nbt.test_ndr_dns_string_half_dots
|
|
+librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_all_dots
|
|
+librpc.ndr.ndr_dns_nbt.test_ndr_nbt_string_half_dots
|
|
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
|
|
index 6281b7e8f12..e8dbed71a18 100755
|
|
--- a/source4/selftest/tests.py
|
|
+++ b/source4/selftest/tests.py
|
|
@@ -1337,6 +1337,8 @@ plantestsuite("samba4.dcerpc.dnsserver.dnsutils", "none",
|
|
[os.path.join(bindir(), "test_rpc_dns_server_dnsutils")])
|
|
plantestsuite("libcli.drsuapi.repl_decrypt", "none",
|
|
[os.path.join(bindir(), "test_repl_decrypt")])
|
|
+plantestsuite("librpc.ndr.ndr_dns_nbt", "none",
|
|
+ [os.path.join(bindir(), "test_ndr_dns_nbt")])
|
|
|
|
# process restart and limit tests, these break the environment so need to run
|
|
# in their own specific environment
|
|
--
|
|
2.17.1
|
|
|