From 16851785550adfd913592dc4db76a7c5d2d7165e Mon Sep 17 00:00:00 2001 From: Noel Power Date: Mon, 25 Sep 2023 10:30:30 +0100 Subject: [PATCH 1/3] s4/torture: Prepare to handle Level 4 check with unknown func code A future (next) commit will change the NETLOGON_CONTROL_SET_DBFLAG test to use levels 1 - 4 (current test just tests 1 - 3). A side affect of this test is that the following test will now test passing an unknown function code against against Level 4 (previously level 3). Unfortunately s4 and s3 netlogon server results differ when handling a level 4 request with an unknown function code. s3 server returns WERR_NOT_SUPPORTED and s4 server returns WERR_INVALID_PARAMETER. For level 3 both return WERR_NOT_SUPPORTED. MS-NRPC doesn't seem to specifically indicate the required response in this case. this commit modifies the test to cater for either response (for either level) A future commit could explore the test response combinations more thorougly. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 Signed-off-by: Noel Power --- source4/torture/rpc/netlogon.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 07e63612e81..35eda5f99f5 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -4087,7 +4087,10 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, torture_assert_ntstatus_ok(tctx, status, "LogonControl2Ex"); switch (secure_channel_type) { case SEC_CHAN_NULL: - torture_assert_werr_equal(tctx, r.out.result, WERR_NOT_SUPPORTED, "LogonControl2Ex"); + torture_assert(tctx, + W_ERROR_EQUAL(r.out.result, WERR_NOT_SUPPORTED) || + W_ERROR_EQUAL(r.out.result, WERR_INVALID_PARAMETER), + "LogonControl2Ex"); break; default: torture_assert_werr_equal(tctx, r.out.result, WERR_ACCESS_DENIED, "LogonControl2Ex"); -- 2.35.3 From b8483f7f09db23be11970b8745cd886f81548cf4 Mon Sep 17 00:00:00 2001 
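Review bot: The relaxed check in the `case SEC_CHAN_NULL:` branch loses the got/expected output that `torture_assert_werr_equal` printed, because the new `torture_assert` only reports the fixed string `"LogonControl2Ex"`, so a failure no longer says which WERROR the server returned. Passing the value in the message keeps that diagnostic, e.g. `talloc_asprintf(tctx, "LogonControl2Ex: unexpected result %s", win_errstr(r.out.result))` as the third argument. As the commit message says, both codes are now accepted at either level, so the test would not notice a server that changes from one code to the other at level 3. A comment above the assert such as `/* s3 returns WERR_NOT_SUPPORTED and s4 WERR_INVALID_PARAMETER for an unknown function code at level 4 */` would record why the check is loose. The body of test_LogonControl2Ex starts and ends outside this hunk.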
From: Noel Power Date: Sun, 24 Sep 2023 01:03:37 +0100 Subject: [PATCH 2/3] s4/torture: Test with level 4 with NETLOGON_CONTROL_SET_DBFLAG function Change levels tested from 1 - 3 to 1 - 4 for NETLOGON_CONTROL_SET_DBFLAG This change triggers a core dump in the server and so we add a knownfail here. Following commit will fix (and remove known fail) BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 Signed-off-by: Noel Power --- selftest/knownfail.d/netlogon.admin | 1 + source4/torture/rpc/netlogon.c | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 selftest/knownfail.d/netlogon.admin diff --git a/selftest/knownfail.d/netlogon.admin b/selftest/knownfail.d/netlogon.admin new file mode 100644 index 00000000000..054eefb3186 --- /dev/null +++ b/selftest/knownfail.d/netlogon.admin @@ -0,0 +1 @@ +^samba3.rpc.netlogon.admin.admin.LogonControl2Ex.nt4_dc diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c index 35eda5f99f5..5572d8abe82 100644 --- a/source4/torture/rpc/netlogon.c +++ b/source4/torture/rpc/netlogon.c @@ -3993,6 +3993,7 @@ static bool test_DatabaseSync2(struct torture_context *tctx, /* try a netlogon LogonControl2Ex */ + static bool test_LogonControl2Ex(struct torture_context *tctx, struct dcerpc_pipe *p, struct cli_credentials *machine_credentials) @@ -4066,7 +4067,7 @@ static bool test_LogonControl2Ex(struct torture_context *tctx, r.in.function_code = NETLOGON_CONTROL_SET_DBFLAG; r.in.data = &data; - for (i=1;i<4;i++) { + for (i=1;i<=4;i++) { r.in.level = i; torture_comment(tctx, "Testing LogonControl2Ex function code %s (%d) level %d\n", -- 2.35.3 From 74da37f25356c4ae26bf9e162882911ebd00d31f Mon Sep 17 00:00:00 2001 From: Noel Power Date: Mon, 25 Sep 2023 09:58:33 +0100 Subject: [PATCH 3/3] s3/rpc_server: Fix dereference of client pointer BUG: https://bugzilla.samba.org/show_bug.cgi?id=15465 
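Review bot: The widened loop `for (i=1;i<=4;i++)` in the second netlogon.c hunk now sends level 4 with NETLOGON_CONTROL_SET_DBFLAG, but the loop body lies outside the hunk, so it is not visible whether anything checks `r.out.result` for that request. If the body only asserts the transport status, the new iteration catches a crashing server but would not catch one that wrongly reports success for this level and function code. Asserting the WERROR for `i == 4` would close that gap, subject to the s3/s4 difference described in the first patch. A comment above the loop, for example `/* level 4 is not valid for SET_DBFLAG; the server must reject it without crashing */`, would record why 4 is included. The blank line added before test_LogonControl2Ex in the first hunk is unrelated whitespace.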
Signed-off-by: Noel Power --- selftest/knownfail.d/netlogon.admin | 1 - source3/rpc_server/netlogon/srv_netlog_nt.c | 3 +++ 2 files changed, 3 insertions(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/netlogon.admin diff --git a/selftest/knownfail.d/netlogon.admin b/selftest/knownfail.d/netlogon.admin deleted file mode 100644 index 054eefb3186..00000000000 --- a/selftest/knownfail.d/netlogon.admin +++ /dev/null @@ -1 +0,0 @@ -^samba3.rpc.netlogon.admin.admin.LogonControl2Ex.nt4_dc diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 7c4b3b92983..0992ad4ef3a 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -389,6 +389,9 @@ WERROR _netr_LogonControl2Ex(struct pipes_struct *p, r->out.query->info3 = info3; break; case 4: + if (r->in.function_code != NETLOGON_CONTROL_FIND_USER) { + return WERR_INVALID_PARAMETER; + } info4 = talloc_zero(p->mem_ctx, struct netr_NETLOGON_INFO_4); W_ERROR_HAVE_NO_MEMORY(info4); -- 2.35.3
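Review bot: The new guard at the top of `case 4:` in _netr_LogonControl2Ex has no comment, and since the commit message has no body, the reason for it is recorded only in the subject line. I would add `/* Level 4 is only valid with NETLOGON_CONTROL_FIND_USER; reject anything else before client-supplied data is used to fill info4. */` above the `if`. The lines that actually read `r->in.data` are outside this hunk, as is the rest of the function, so it is worth confirming that no earlier code and no other level branch interprets the client's data for a function code it does not belong to. The torture test from the first patch accepts both WERR_NOT_SUPPORTED and WERR_INVALID_PARAMETER, so nothing visible in this series pins the specific return value chosen here.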