CVE-2023-3961:s3:torture: Add test SMB2-INVALID-PIPENAME to show we a…

…llow bad pipenames with unix separators through to the UNIX domain socket code.

The raw SMB2-INVALID-PIPENAME test passes against Windows 2022,
as it just returns NT_STATUS_OBJECT_NAME_NOT_FOUND.

Add the knownfail.

BUG:https://bugzilla.samba.org/show_bug.cgi?id=15422

Signed-off-by: Jeremy Allison <[email protected]>

selftest/knownfail.d/badpipename

@@ -0,0 +1 @@
+^samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME.smbtorture\(fileserver\)

source3/selftest/tests.py

@@ -309,6 +309,20 @@ def is_module_enabled(module):
                 smbtorture3,
                 "-mSMB2"])
 
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=15422
+# Prevent bad pipenames.
+#
+plantestsuite("samba3.smbtorture_s3.smb2.SMB2-INVALID-PIPENAME",
+                "fileserver",
+                [os.path.join(samba3srcdir,
+                              "script/tests/test_smbtorture_s3.sh"),
+                'SMB2-INVALID-PIPENAME',
+                '//$SERVER_IP/tmp',
+                '$USERNAME',
+                '$PASSWORD',
+                smbtorture3,
+                "-mSMB2"])
+
 #
 # SMB2-NON-DFS-SHARE needs to run against a special share non-msdfs-pathname-share
 # This is an empty non-DFS share with no links, used merely to test

source3/torture/proto.h

@@ -133,6 +133,7 @@ bool run_smb2_non_dfs_share(int dummy);
 bool run_smb2_dfs_share_non_dfs_path(int dummy);
 bool run_smb2_dfs_filename_leading_backslash(int dummy);
 bool run_smb2_pipe_read_async_disconnect(int dummy);
+bool run_smb2_invalid_pipename(int dummy);
 bool run_smb1_dfs_paths(int dummy);
 bool run_smb1_dfs_search_paths(int dummy);
 bool run_smb1_dfs_operations(int dummy);

source3/torture/test_smb2.c

@@ -5359,3 +5359,113 @@ bool run_smb2_pipe_read_async_disconnect(int dummy)
 	}
 	return retval;
 }
+
+bool run_smb2_invalid_pipename(int dummy)
+{
+	struct cli_state *cli = NULL;
+	NTSTATUS status;
+	uint64_t fid_persistent = 0;
+	uint64_t fid_volatile = 0;
+	const char *unknown_pipe = "badpipe";
+	const char *invalid_pipe = "../../../../../../../../../badpipe";
+
+	printf("Starting SMB2-INVALID-PIPENAME\n");
+
+	if (!torture_init_connection(&cli)) {
+		return false;
+	}
+
+	status = smbXcli_negprot(cli->conn,
+				cli->timeout,
+				PROTOCOL_SMB2_02,
+				PROTOCOL_SMB3_11,
+				NULL,
+				NULL,
+				NULL);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("smbXcli_negprot returned %s\n", nt_errstr(status));
+		return false;
+	}
+
+	status = cli_session_setup_creds(cli, torture_creds);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("cli_session_setup returned %s\n", nt_errstr(status));
+		return false;
+	}
+
+	status = cli_tree_connect(cli, "IPC$", "?????", NULL);
+	if (!NT_STATUS_IS_OK(status)) {
+		printf("cli_tree_connect returned %s\n", nt_errstr(status));
+		return false;
+	}
+
+	/* Try and connect to an unknown pipename. */
+	status = smb2cli_create(cli->conn,
+				cli->timeout,
+				cli->smb2.session,
+				cli->smb2.tcon,
+				unknown_pipe,
+				SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
+				SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
+				SEC_STD_SYNCHRONIZE|
+					SEC_FILE_READ_DATA|
+					SEC_FILE_WRITE_DATA|
+					SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
+				FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
+				FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
+				FILE_CREATE, /* create_disposition, */
+				0, /* create_options, */
+				NULL, /* smb2_create_blobs *blobs */
+				&fid_persistent,
+				&fid_volatile,
+				NULL, /* struct smb_create_returns * */
+				talloc_tos(), /* mem_ctx. */
+				NULL, /* struct smb2_create_blobs * */
+				NULL); /* struct symlink_reparse_struct */
+	/* We should get NT_STATUS_OBJECT_NAME_NOT_FOUND */
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+		printf("%s:%d smb2cli_create on name %s returned %s\n",
+			__FILE__,
+			__LINE__,
+			unknown_pipe,
+			nt_errstr(status));
+		return false;
+	}
+
+	/* Try and connect to an invalid pipename containing unix separators. */
+	status = smb2cli_create(cli->conn,
+				cli->timeout,
+				cli->smb2.session,
+				cli->smb2.tcon,
+				invalid_pipe,
+				SMB2_OPLOCK_LEVEL_NONE, /* oplock_level, */
+				SMB2_IMPERSONATION_IMPERSONATION, /* impersonation_level, */
+				SEC_STD_SYNCHRONIZE|
+					SEC_FILE_READ_DATA|
+					SEC_FILE_WRITE_DATA|
+					SEC_FILE_READ_ATTRIBUTE, /* desired_access, */
+				FILE_ATTRIBUTE_NORMAL, /* file_attributes, */
+				FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, /* share_access, */
+				FILE_CREATE, /* create_disposition, */
+				0, /* create_options, */
+				NULL, /* smb2_create_blobs *blobs */
+				&fid_persistent,
+				&fid_volatile,
+				NULL, /* struct smb_create_returns * */
+				talloc_tos(), /* mem_ctx. */
+				NULL, /* struct smb2_create_blobs * */
+				NULL); /* struct symlink_reparse_struct */
+	/*
+	 * We should still get NT_STATUS_OBJECT_NAME_NOT_FOUND
+	 * (tested against Windows 2022).
+	 */
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
+		printf("%s:%d smb2cli_create on name %s returned %s\n",
+			__FILE__,
+			__LINE__,
+			invalid_pipe,
+			nt_errstr(status));
+		return false;
+	}
+	return true;
+}

source3/torture/torture.c

@@ -15844,6 +15844,10 @@ static struct {
 		.name  = "SMB2-QUOTA1",
 		.fn    = run_smb2_quota1,
 	},
+	{
+		.name  = "SMB2-INVALID-PIPENAME",
+		.fn    = run_smb2_invalid_pipename,
+	},
 	{
 		.name  = "SMB2-STREAM-ACL",
 		.fn    = run_smb2_stream_acl,