authorStefan Metzmacher <metze@samba.org>2021-12-17 23:23:33 +0100
committerJule Anger <janger@samba.org>2022-01-18 19:27:14 +0000
commitaf3c6b570f21efee8bbe5f4fc64836ef8a71d6ce (patch)
tree2faf8febbad9b2237295864aa22c46f0a34d1014
parenta4bf80d820327f6e4f6763760ecce171428bae66 (diff)
s4:torture/smb2: add smb2.session.ntlmssp_bug14932 test
This demonstrates that an invalid av_pair in NTLMv2_CLIENT_CHALLENGE should result in NT_STATUS_INVALID_PARAMETER at the NTLMSSP layer. This is different from the netr_LogonSamLogon*() case, where it is ignored instead. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14932 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> (cherry picked from commit e0b705d26f0b151ba52d1f9f5504f622fadf7d7c)
-rw-r--r--selftest/knownfail.d/smb2.session.tmp5
-rw-r--r--source4/torture/smb2/session.c51
2 files changed, 56 insertions, 0 deletions
diff --git a/selftest/knownfail.d/smb2.session.tmp b/selftest/knownfail.d/smb2.session.tmp
new file mode 100644
index 00000000000..ef6a0d55ed2
--- /dev/null
+++ b/selftest/knownfail.d/smb2.session.tmp
@@ -0,0 +1,5 @@
+^samba3.smb2.session.plain.ntlmssp_bug14932\(nt4_dc\)
+^samba3.smb2.session.enc.ntlmssp_bug14932\(nt4_dc\)
+^samba3.smb2.session.ntlm.ntlmssp_bug14932\(ad_dc\)
+^samba3.smb2.session.krb5.ntlmssp_bug14932\(ad_dc\)
+^samba3.smb2.session.krb5.ntlmssp_bug14932\(ad_member_idmap_rid\)
diff --git a/source4/torture/smb2/session.c b/source4/torture/smb2/session.c
index 1bf8f83efcc..fdfd947d5e3 100644
--- a/source4/torture/smb2/session.c
+++ b/source4/torture/smb2/session.c
@@ -5371,6 +5371,56 @@ static bool test_session_encryption_aes_256_gcm(struct torture_context *tctx, st
return ret;
}
+static bool test_session_ntlmssp_bug14932(struct torture_context *tctx, struct smb2_tree *tree)
+{
+ struct cli_credentials *ntlm_creds =
+ cli_credentials_shallow_copy(tctx, samba_cmdline_get_creds());
+ NTSTATUS status;
+ bool ret = true;
+ /*
+ * This is a NTLMv2_RESPONSE with the strange
+ * NTLMv2_CLIENT_CHALLENGE used by the net diag
+ * tool.
+ *
+ * As we expect an error anyway we fill the
+ * Response part with 0xab...
+ */
+ static const char *netapp_magic =
+ "\xab\xab\xab\xab\xab\xab\xab\xab"
+ "\xab\xab\xab\xab\xab\xab\xab\xab"
+ "\x01\x01\x00\x00\x00\x00\x00\x00"
+ "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
+ "\xb8\x82\x3a\xf1\xb3\xdd\x08\x15"
+ "\x00\x00\x00\x00\x11\xa2\x08\x81"
+ "\x50\x38\x22\x78\x2b\x94\x47\xfe"
+ "\x54\x94\x7b\xff\x17\x27\x5a\xb4"
+ "\xf4\x18\xba\xdc\x2c\x38\xfd\x5b"
+ "\xfb\x0e\xc1\x85\x1e\xcc\x92\xbb"
+ "\x9b\xb1\xc4\xd5\x53\x14\xff\x8c"
+ "\x76\x49\xf5\x45\x90\x19\xa2";
+ DATA_BLOB lm_response = data_blob_talloc_zero(tctx, 24);
+ DATA_BLOB lm_session_key = data_blob_talloc_zero(tctx, 16);
+ DATA_BLOB nt_response = data_blob_const(netapp_magic, 95);
+ DATA_BLOB nt_session_key = data_blob_talloc_zero(tctx, 16);
+
+ cli_credentials_set_kerberos_state(ntlm_creds,
+ CRED_USE_KERBEROS_DISABLED,
+ CRED_SPECIFIED);
+ cli_credentials_set_ntlm_response(ntlm_creds,
+ &lm_response,
+ &lm_session_key,
+ &nt_response,
+ &nt_session_key,
+ CRED_SPECIFIED);
+ status = smb2_session_setup_spnego(tree->session,
+ ntlm_creds,
+ 0 /* previous_session_id */);
+ torture_assert_ntstatus_equal(tctx, status, NT_STATUS_INVALID_PARAMETER,
+ "smb2_session_setup_spnego failed");
+
+ return ret;
+}
+
struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
{
struct torture_suite *suite =
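Review bot: The length in `data_blob_const(netapp_magic, 95)` is a hand-counted literal that is not tied to the byte string above it, so a later edit to that string could leave the blob truncated or make it extend past the end of the literal. Declaring the buffer as an array, `static const char netapp_magic[] = ...;`, and passing `sizeof(netapp_magic) - 1` keeps the two in step; the literal currently holds 95 bytes, so the test's behaviour would not change. Separately, `ntlm_creds` is handed to the `cli_credentials_set_*` calls without a NULL check, and `torture_assert(tctx, ntlm_creds != NULL, "cli_credentials_shallow_copy failed");` before the first setter would report an allocation failure as a test failure. The message `"smb2_session_setup_spnego failed"` also reads oddly for a test that expects the call to be rejected with NT_STATUS_INVALID_PARAMETER; something like `"expected NT_STATUS_INVALID_PARAMETER for invalid av_pair"` would make a failing run easier to interpret.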
@@ -5442,6 +5492,7 @@ struct torture_suite *torture_smb2_session_init(TALLOC_CTX *ctx)
torture_suite_add_1smb2_test(suite, "encryption-aes-128-gcm", test_session_encryption_aes_128_gcm);
torture_suite_add_1smb2_test(suite, "encryption-aes-256-ccm", test_session_encryption_aes_256_ccm);
torture_suite_add_1smb2_test(suite, "encryption-aes-256-gcm", test_session_encryption_aes_256_gcm);
+ torture_suite_add_1smb2_test(suite, "ntlmssp_bug14932", test_session_ntlmssp_bug14932);
suite->description = talloc_strdup(suite, "SMB2-SESSION tests");