CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call
authorVolker Lendecke <vl@samba.org>
Thu, 9 Jul 2020 19:48:57 +0000 (21:48 +0200)
committerKarolin Seeger <kseeger@samba.org>
Thu, 29 Oct 2020 10:25:37 +0000 (10:25 +0000)
We can't add this test before the fix, add it to knownfail and have the fix
remove the knownfail entry again. As this crashes winbind, many tests after
this one will fail.

Reported by Bas Alberts of the GitHub Security Lab Team as GHSL-2020-134

Bug: https://bugzilla.samba.org/show_bug.cgi?id=14436
Signed-off-by: Volker Lendecke <vl@samba.org>
source4/torture/winbind/struct_based.c

index 90c70c61069c3819793773036530d575309d2620..724b14cbbb7e98d732535749e1c0cb2210659c7b 100644 (file)
@@ -1111,6 +1111,29 @@ static bool torture_winbind_struct_lookup_name_sid(struct torture_context *tortu
        return true;
 }
 
+static bool torture_winbind_struct_lookup_sids_invalid(
+       struct torture_context *torture)
+{
+       struct winbindd_request req = {0};
+       struct winbindd_response rep = {0};
+       bool strict = torture_setting_bool(torture, "strict mode", false);
+       bool ok;
+
+       torture_comment(torture,
+                       "Running WINBINDD_LOOKUP_SIDS (struct based)\n");
+
+       ok = true;
+       DO_STRUCT_REQ_REP_EXT(WINBINDD_LOOKUPSIDS, &req, &rep,
+                             NSS_STATUS_NOTFOUND,
+                             strict,
+                             ok=false,
+                             talloc_asprintf(
+                                     torture,
+                                     "invalid lookupsids succeeded"));
+
+       return ok;
+}
+
 struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
 {
        struct torture_suite *suite = torture_suite_create(ctx, "struct");
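Review bot: Nothing in torture_winbind_struct_lookup_sids_invalid says what makes the request invalid: `req` is only zero-initialised, so the reader has to infer that the empty request is itself the malformed input, and the `torture_comment` line reads like an ordinary lookup. I would add a comment above the macro call, for example `/* All-zero request: winbindd must answer NSS_STATUS_NOTFOUND instead of crashing (CVE-2020-14323) */`, and change the log text to `"Running invalid WINBINDD_LOOKUPSIDS (struct based)\n"`. The failure text `"invalid lookupsids succeeded"` is probably also printed for any status other than NSS_STATUS_NOTFOUND, including the case where winbindd died and the call returned an error; the macro body is outside this hunk, so that needs confirming. Wording such as `"invalid lookupsids did not return NOTFOUND"` would be accurate for both outcomes and makes a regression easier to triage from the test log.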
@@ -1133,6 +1156,10 @@ struct torture_suite *torture_winbind_struct_init(TALLOC_CTX *ctx)
        torture_suite_add_simple_test(suite, "getpwent", torture_winbind_struct_getpwent);
        torture_suite_add_simple_test(suite, "endpwent", torture_winbind_struct_endpwent);
        torture_suite_add_simple_test(suite, "lookup_name_sid", torture_winbind_struct_lookup_name_sid);
+       torture_suite_add_simple_test(
+               suite,
+               "lookup_sids_invalid",
+               torture_winbind_struct_lookup_sids_invalid);
 
        suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests");