Context Navigation

source: branches/samba-3.2.x/source/smbd/process.c

Visit:

Last change on this file was 340, checked in by Herwig Bauernfeind, 16 years ago
Update 3.2 to 3.2.15 (security update)
File size: 60.8 KB

Rev	Line
[136]	1	/*
	2	Unix SMB/CIFS implementation.
	3	process incoming packets - main loop
	4	Copyright (C) Andrew Tridgell 1992-1998
	5	Copyright (C) Volker Lendecke 2005-2007
	6
	7	This program is free software; you can redistribute it and/or modify
	8	it under the terms of the GNU General Public License as published by
	9	the Free Software Foundation; either version 3 of the License, or
	10	(at your option) any later version.
	11
	12	This program is distributed in the hope that it will be useful,
	13	but WITHOUT ANY WARRANTY; without even the implied warranty of
	14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	15	GNU General Public License for more details.
	16
	17	You should have received a copy of the GNU General Public License
	18	along with this program. If not, see <http://www.gnu.org/licenses/>.
	19	*/
	20
	21	#include "includes.h"
	22
	23	extern int smb_echo_count;
	24
	25	/*
	26	* Size of data we can send to client. Set
	27	* by the client for all protocols above CORE.
	28	* Set by us for CORE protocol.
	29	*/
	30	int max_send = BUFFER_SIZE;
	31	/*
	32	* Size of the data we can receive. Set by us.
	33	* Can be modified by the max xmit parameter.
	34	*/
	35	int max_recv = BUFFER_SIZE;
	36
	37	SIG_ATOMIC_T reload_after_sighup = 0;
	38	SIG_ATOMIC_T got_sig_term = 0;
	39	extern bool global_machine_password_needs_changing;
	40	extern int max_send;
	41
	42	/* Accessor function for smb_read_error for smbd functions. */
	43
	44	/****************************************************************************
	45	Send an smb to a fd.
	46	****************************************************************************/
	47
	48	bool srv_send_smb(int fd, char *buffer, bool do_encrypt)
	49	{
	50	size_t len;
	51	size_t nwritten=0;
	52	ssize_t ret;
	53	char *buf_out = buffer;
	54
	55	/* Sign the outgoing packet if required. */
	56	srv_calculate_sign_mac(buf_out);
	57
	58	if (do_encrypt) {
	59	NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
	60	if (!NT_STATUS_IS_OK(status)) {
	61	DEBUG(0, ("send_smb: SMB encryption failed "
	62	"on outgoing packet! Error %s\n",
	63	nt_errstr(status) ));
	64	return false;
	65	}
	66	}
	67
	68	len = smb_len(buf_out) + 4;
	69
	70	while (nwritten < len) {
	71	ret = write_data(fd,buf_out+nwritten,len - nwritten);
	72	if (ret <= 0) {
	73	DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
	74	(int)len,(int)ret, strerror(errno) ));
	75	srv_free_enc_buffer(buf_out);
	76	return false;
	77	}
	78	nwritten += ret;
	79	}
	80
	81	srv_free_enc_buffer(buf_out);
	82	return true;
	83	}
	84
	85	/*******************************************************************
	86	Setup the word count and byte count for a smb message.
	87	********************************************************************/
	88
	89	int srv_set_message(char *buf,
	90	int num_words,
	91	int num_bytes,
	92	bool zero)
	93	{
	94	if (zero && (num_words \|\| num_bytes)) {
	95	memset(buf + smb_size,'\0',num_words*2 + num_bytes);
	96	}
	97	SCVAL(buf,smb_wct,num_words);
	98	SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
	99	smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
	100	return (smb_size + num_words*2 + num_bytes);
	101	}
	102
	103	static bool valid_smb_header(const uint8_t *inbuf)
	104	{
	105	if (is_encrypted_packet(inbuf)) {
	106	return true;
	107	}
	108	return (strncmp(smb_base(inbuf),"\377SMB",4) == 0);
	109	}
	110
	111	/* Socket functions for smbd packet processing. */
	112
	113	static bool valid_packet_size(size_t len)
	114	{
	115	/*
	116	* A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
	117	* of header. Don't print the error if this fits.... JRA.
	118	*/
	119
	120	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
	121	DEBUG(0,("Invalid packet length! (%lu bytes).\n",
	122	(unsigned long)len));
[137]	123	return false;
[136]	124	}
	125	return true;
	126	}
	127
	128	static NTSTATUS read_packet_remainder(int fd, char *buffer,
	129	unsigned int timeout, ssize_t len)
	130	{
	131	if (len <= 0) {
	132	return NT_STATUS_OK;
	133	}
	134
	135	return read_socket_with_timeout(fd, buffer, len, len, timeout, NULL);
	136	}
	137
	138	/****************************************************************************
	139	Attempt a zerocopy writeX read. We know here that len > smb_size-4
	140	****************************************************************************/
	141
	142	/*
	143	* Unfortunately, earlier versions of smbclient/libsmbclient
	144	* don't send this "standard" writeX header. I've fixed this
	145	* for 3.2 but we'll use the old method with earlier versions.
	146	* Windows and CIFSFS at least use this standard size. Not
	147	* sure about MacOSX.
	148	*/
	149
	150	#define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
	151	(214) + / word count (including bcc) */ \
	152	1 /* pad byte */)
	153
	154	static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
	155	const char lenbuf[4],
	156	int fd, char **buffer,
	157	unsigned int timeout,
	158	size_t *p_unread,
	159	size_t *len_ret)
	160	{
	161	/* Size of a WRITEX call (+4 byte len). */
	162	char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
	163	ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
	164	ssize_t toread;
	165	NTSTATUS status;
	166
[204]	167	memcpy(writeX_header, lenbuf, 4);
[136]	168
	169	status = read_socket_with_timeout(
	170	fd, writeX_header + 4,
	171	STANDARD_WRITE_AND_X_HEADER_SIZE,
	172	STANDARD_WRITE_AND_X_HEADER_SIZE,
	173	timeout, NULL);
	174
	175	if (!NT_STATUS_IS_OK(status)) {
	176	return status;
	177	}
	178
	179	/*
	180	* Ok - now try and see if this is a possible
	181	* valid writeX call.
	182	*/
	183
	184	if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
	185	/*
	186	* If the data offset is beyond what
	187	* we've read, drain the extra bytes.
	188	*/
	189	uint16_t doff = SVAL(writeX_header,smb_vwv11);
	190	ssize_t newlen;
	191
	192	if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
	193	size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
	194	if (drain_socket(smbd_server_fd(), drain) != drain) {
	195	smb_panic("receive_smb_raw_talloc_partial_read:"
	196	" failed to drain pending bytes");
	197	}
	198	} else {
	199	doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
	200	}
	201
	202	/* Spoof down the length and null out the bcc. */
	203	set_message_bcc(writeX_header, 0);
	204	newlen = smb_len(writeX_header);
	205
	206	/* Copy the header we've written. */
	207
	208	buffer = (char )TALLOC_MEMDUP(mem_ctx,
	209	writeX_header,
	210	sizeof(writeX_header));
	211
	212	if (*buffer == NULL) {
	213	DEBUG(0, ("Could not allocate inbuf of length %d\n",
	214	(int)sizeof(writeX_header)));
	215	return NT_STATUS_NO_MEMORY;
	216	}
	217
	218	/* Work out the remaining bytes. */
	219	*p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
	220	*len_ret = newlen + 4;
	221	return NT_STATUS_OK;
	222	}
	223
	224	if (!valid_packet_size(len)) {
	225	return NT_STATUS_INVALID_PARAMETER;
	226	}
	227
	228	/*
	229	* Not a valid writeX call. Just do the standard
	230	* talloc and return.
	231	*/
	232
	233	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
	234
	235	if (*buffer == NULL) {
	236	DEBUG(0, ("Could not allocate inbuf of length %d\n",
	237	(int)len+4));
	238	return NT_STATUS_NO_MEMORY;
	239	}
	240
	241	/* Copy in what we already read. */
	242	memcpy(*buffer,
	243	writeX_header,
	244	4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
	245	toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
	246
	247	if(toread > 0) {
	248	status = read_packet_remainder(
	249	fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
	250	timeout, toread);
	251
	252	if (!NT_STATUS_IS_OK(status)) {
	253	DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
	254	nt_errstr(status)));
	255	return status;
	256	}
	257	}
	258
	259	*len_ret = len + 4;
	260	return NT_STATUS_OK;
	261	}
	262
	263	static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
	264	char **buffer, unsigned int timeout,
	265	size_t p_unread, size_t plen)
	266	{
	267	char lenbuf[4];
	268	size_t len;
	269	int min_recv_size = lp_min_receive_file_size();
	270	NTSTATUS status;
	271
	272	*p_unread = 0;
	273
	274	status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
	275	if (!NT_STATUS_IS_OK(status)) {
	276	DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
	277	return status;
	278	}
	279
	280	if (CVAL(lenbuf,0) == 0 &&
	281	min_recv_size &&
[232]	282	smb_len_large(lenbuf) > (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE) && /* Could be a UNIX large writeX. */
[136]	283	!srv_is_signing_active()) {
	284
	285	return receive_smb_raw_talloc_partial_read(
	286	mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
	287	}
	288
	289	if (!valid_packet_size(len)) {
	290	return NT_STATUS_INVALID_PARAMETER;
	291	}
	292
	293	/*
	294	* The +4 here can't wrap, we've checked the length above already.
	295	*/
	296
	297	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
	298
	299	if (*buffer == NULL) {
	300	DEBUG(0, ("Could not allocate inbuf of length %d\n",
	301	(int)len+4));
	302	return NT_STATUS_NO_MEMORY;
	303	}
	304
	305	memcpy(*buffer, lenbuf, sizeof(lenbuf));
	306
	307	status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
	308	if (!NT_STATUS_IS_OK(status)) {
	309	return status;
	310	}
	311
	312	*plen = len + 4;
	313	return NT_STATUS_OK;
	314	}
	315
	316	static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
	317	char **buffer, unsigned int timeout,
	318	size_t p_unread, bool p_encrypted,
	319	size_t *p_len)
	320	{
	321	size_t len = 0;
	322	NTSTATUS status;
	323
	324	*p_encrypted = false;
	325
	326	status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
	327	p_unread, &len);
	328	if (!NT_STATUS_IS_OK(status)) {
	329	return status;
	330	}
	331
	332	if (is_encrypted_packet((uint8_t )buffer)) {
	333	status = srv_decrypt_buffer(*buffer);
	334	if (!NT_STATUS_IS_OK(status)) {
	335	DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
	336	"incoming packet! Error %s\n",
	337	nt_errstr(status) ));
	338	return status;
	339	}
	340	*p_encrypted = true;
	341	}
	342
	343	/* Check the incoming SMB signature. */
	344	if (!srv_check_sign_mac(*buffer, true)) {
	345	DEBUG(0, ("receive_smb: SMB Signature verification failed on "
	346	"incoming packet!\n"));
	347	return NT_STATUS_INVALID_NETWORK_RESPONSE;
	348	}
	349
	350	*p_len = len;
	351	return NT_STATUS_OK;
	352	}
	353
	354	/*
	355	* Initialize a struct smb_request from an inbuf
	356	*/
	357
	358	void init_smb_request(struct smb_request *req,
	359	const uint8 *inbuf,
	360	size_t unread_bytes,
	361	bool encrypted)
	362	{
	363	size_t req_size = smb_len(inbuf) + 4;
	364	/* Ensure we have at least smb_size bytes. */
	365	if (req_size < smb_size) {
	366	DEBUG(0,("init_smb_request: invalid request size %u\n",
	367	(unsigned int)req_size ));
	368	exit_server_cleanly("Invalid SMB request");
	369	}
	370	req->flags2 = SVAL(inbuf, smb_flg2);
	371	req->smbpid = SVAL(inbuf, smb_pid);
	372	req->mid = SVAL(inbuf, smb_mid);
	373	req->vuid = SVAL(inbuf, smb_uid);
	374	req->tid = SVAL(inbuf, smb_tid);
	375	req->wct = CVAL(inbuf, smb_wct);
	376	req->unread_bytes = unread_bytes;
	377	req->encrypted = encrypted;
	378	req->conn = conn_find(req->tid);
	379
	380	/* Ensure we have at least wct words and 2 bytes of bcc. */
	381	if (smb_size + req->wct*2 > req_size) {
	382	DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
	383	(unsigned int)req->wct,
	384	(unsigned int)req_size));
	385	exit_server_cleanly("Invalid SMB request");
	386	}
	387	/* Ensure bcc is correct. */
	388	if (((uint8 *)smb_buf(inbuf)) + smb_buflen(inbuf) > inbuf + req_size) {
	389	DEBUG(0,("init_smb_request: invalid bcc number %u "
	390	"(wct = %u, size %u)\n",
	391	(unsigned int)smb_buflen(inbuf),
	392	(unsigned int)req->wct,
	393	(unsigned int)req_size));
	394	exit_server_cleanly("Invalid SMB request");
	395	}
	396	req->inbuf = inbuf;
	397	req->outbuf = NULL;
	398	}
	399
	400	/****************************************************************************
	401	structure to hold a linked list of queued messages.
	402	for processing.
	403	****************************************************************************/
	404
	405	static struct pending_message_list *deferred_open_queue;
	406
	407	/****************************************************************************
	408	Function to push a message onto the tail of a linked list of smb messages ready
	409	for processing.
	410	****************************************************************************/
	411
	412	static bool push_queued_message(struct smb_request *req,
	413	struct timeval request_time,
	414	struct timeval end_time,
	415	char *private_data, size_t private_len)
	416	{
	417	int msg_len = smb_len(req->inbuf) + 4;
	418	struct pending_message_list *msg;
	419
	420	msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
	421
	422	if(msg == NULL) {
	423	DEBUG(0,("push_message: malloc fail (1)\n"));
	424	return False;
	425	}
	426
	427	msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
	428	if(msg->buf.data == NULL) {
	429	DEBUG(0,("push_message: malloc fail (2)\n"));
	430	TALLOC_FREE(msg);
	431	return False;
	432	}
	433
	434	msg->request_time = request_time;
	435	msg->end_time = end_time;
	436	msg->encrypted = req->encrypted;
[340]	437	msg->processed = false;
[136]	438
	439	if (private_data) {
	440	msg->private_data = data_blob_talloc(msg, private_data,
	441	private_len);
	442	if (msg->private_data.data == NULL) {
	443	DEBUG(0,("push_message: malloc fail (3)\n"));
	444	TALLOC_FREE(msg);
	445	return False;
	446	}
	447	}
	448
	449	DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
	450
	451	DEBUG(10,("push_message: pushed message length %u on "
	452	"deferred_open_queue\n", (unsigned int)msg_len));
	453
	454	return True;
	455	}
	456
	457	/****************************************************************************
	458	Function to delete a sharing violation open message by mid.
	459	****************************************************************************/
	460
	461	void remove_deferred_open_smb_message(uint16 mid)
	462	{
	463	struct pending_message_list *pml;
	464
	465	for (pml = deferred_open_queue; pml; pml = pml->next) {
	466	if (mid == SVAL(pml->buf.data,smb_mid)) {
	467	DEBUG(10,("remove_sharing_violation_open_smb_message: "
	468	"deleting mid %u len %u\n",
	469	(unsigned int)mid,
	470	(unsigned int)pml->buf.length ));
	471	DLIST_REMOVE(deferred_open_queue, pml);
	472	TALLOC_FREE(pml);
	473	return;
	474	}
	475	}
	476	}
	477
	478	/****************************************************************************
	479	Move a sharing violation open retry message to the front of the list and
	480	schedule it for immediate processing.
	481	****************************************************************************/
	482
	483	void schedule_deferred_open_smb_message(uint16 mid)
	484	{
	485	struct pending_message_list *pml;
	486	int i = 0;
	487
	488	for (pml = deferred_open_queue; pml; pml = pml->next) {
	489	uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
	490	DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
	491	(unsigned int)msg_mid ));
	492	if (mid == msg_mid) {
[340]	493
	494	if (pml->processed) {
	495	/* A processed message should not be
	496	* rescheduled. */
	497	DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
	498	"message mid %u was already processed\n",
	499	(unsigned int)msg_mid ));
	500	continue;
	501	}
	502
[136]	503	DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
	504	mid ));
	505	pml->end_time.tv_sec = 0;
	506	pml->end_time.tv_usec = 0;
	507	DLIST_PROMOTE(deferred_open_queue, pml);
	508	return;
	509	}
	510	}
	511
	512	DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
	513	mid ));
	514	}
	515
	516	/****************************************************************************
[340]	517	Return true if this mid is on the deferred queue and was not yet processed.
[136]	518	****************************************************************************/
	519
	520	bool open_was_deferred(uint16 mid)
	521	{
	522	struct pending_message_list *pml;
	523
	524	for (pml = deferred_open_queue; pml; pml = pml->next) {
[340]	525	if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
[136]	526	return True;
	527	}
	528	}
	529	return False;
	530	}
	531
	532	/****************************************************************************
	533	Return the message queued by this mid.
	534	****************************************************************************/
	535
	536	struct pending_message_list *get_open_deferred_message(uint16 mid)
	537	{
	538	struct pending_message_list *pml;
	539
	540	for (pml = deferred_open_queue; pml; pml = pml->next) {
	541	if (SVAL(pml->buf.data,smb_mid) == mid) {
	542	return pml;
	543	}
	544	}
	545	return NULL;
	546	}
	547
	548	/****************************************************************************
	549	Function to push a deferred open smb message onto a linked list of local smb
	550	messages ready for processing.
	551	****************************************************************************/
	552
	553	bool push_deferred_smb_message(struct smb_request *req,
	554	struct timeval request_time,
	555	struct timeval timeout,
	556	char *private_data, size_t priv_len)
	557	{
	558	struct timeval end_time;
	559
	560	if (req->unread_bytes) {
	561	DEBUG(0,("push_deferred_smb_message: logic error ! "
	562	"unread_bytes = %u\n",
	563	(unsigned int)req->unread_bytes ));
	564	smb_panic("push_deferred_smb_message: "
	565	"logic error unread_bytes != 0" );
	566	}
	567
	568	end_time = timeval_sum(&request_time, &timeout);
	569
	570	DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
	571	"timeout time [%u.%06u]\n",
	572	(unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
	573	(unsigned int)end_time.tv_sec,
	574	(unsigned int)end_time.tv_usec));
	575
	576	return push_queued_message(req, request_time, end_time,
	577	private_data, priv_len);
	578	}
	579
	580	struct idle_event {
	581	struct timed_event *te;
	582	struct timeval interval;
	583	char *name;
	584	bool (handler)(const struct timeval now, void *private_data);
	585	void *private_data;
	586	};
	587
	588	static void idle_event_handler(struct event_context *ctx,
	589	struct timed_event *te,
	590	const struct timeval *now,
	591	void *private_data)
	592	{
	593	struct idle_event *event =
	594	talloc_get_type_abort(private_data, struct idle_event);
	595
	596	TALLOC_FREE(event->te);
	597
	598	if (!event->handler(now, event->private_data)) {
	599	/* Don't repeat, delete ourselves */
	600	TALLOC_FREE(event);
	601	return;
	602	}
	603
	604	event->te = event_add_timed(ctx, event,
	605	timeval_sum(now, &event->interval),
	606	event->name,
	607	idle_event_handler, event);
	608
	609	/* We can't do much but fail here. */
	610	SMB_ASSERT(event->te != NULL);
	611	}
	612
	613	struct idle_event event_add_idle(struct event_context event_ctx,
	614	TALLOC_CTX *mem_ctx,
	615	struct timeval interval,
	616	const char *name,
	617	bool (handler)(const struct timeval now,
	618	void *private_data),
	619	void *private_data)
	620	{
	621	struct idle_event *result;
	622	struct timeval now = timeval_current();
	623
	624	result = TALLOC_P(mem_ctx, struct idle_event);
	625	if (result == NULL) {
	626	DEBUG(0, ("talloc failed\n"));
	627	return NULL;
	628	}
	629
	630	result->interval = interval;
	631	result->handler = handler;
	632	result->private_data = private_data;
	633
	634	if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
	635	DEBUG(0, ("talloc failed\n"));
	636	TALLOC_FREE(result);
	637	return NULL;
	638	}
	639
	640	result->te = event_add_timed(event_ctx, result,
	641	timeval_sum(&now, &interval),
	642	result->name,
	643	idle_event_handler, result);
	644	if (result->te == NULL) {
	645	DEBUG(0, ("event_add_timed failed\n"));
	646	TALLOC_FREE(result);
	647	return NULL;
	648	}
	649
	650	return result;
	651	}
	652
	653	/****************************************************************************
	654	Do all async processing in here. This includes kernel oplock messages, change
	655	notify events etc.
	656	****************************************************************************/
	657
	658	static void async_processing(fd_set *pfds)
	659	{
	660	DEBUG(10,("async_processing: Doing async processing.\n"));
	661
	662	process_aio_queue();
	663
	664	process_kernel_oplocks(smbd_messaging_context(), pfds);
	665
	666	/* Do the aio check again after receive_local_message as it does a
	667	select and may have eaten our signal. */
	668	/* Is this till true? -- vl */
	669	process_aio_queue();
	670
	671	if (got_sig_term) {
	672	exit_server_cleanly("termination signal");
	673	}
	674
	675	/* check for sighup processing */
	676	if (reload_after_sighup) {
	677	change_to_root_user();
	678	DEBUG(1,("Reloading services after SIGHUP\n"));
	679	reload_services(False);
	680	reload_after_sighup = 0;
	681	}
	682	}
	683
	684	/****************************************************************************
	685	Add a fd to the set we will be select(2)ing on.
	686	****************************************************************************/
	687
	688	static int select_on_fd(int fd, int maxfd, fd_set *fds)
	689	{
	690	if (fd != -1) {
	691	FD_SET(fd, fds);
	692	maxfd = MAX(maxfd, fd);
	693	}
	694
	695	return maxfd;
	696	}
	697
	698	/****************************************************************************
	699	Do a select on an two fd's - with timeout.
	700
	701	If a local udp message has been pushed onto the
	702	queue (this can only happen during oplock break
	703	processing) call async_processing()
	704
	705	If a pending smb message has been pushed onto the
	706	queue (this can only happen during oplock break
	707	processing) return this next.
	708
	709	If the first smbfd is ready then read an smb from it.
	710	if the second (loopback UDP) fd is ready then read a message
	711	from it and setup the buffer header to identify the length
	712	and from address.
	713	Returns False on timeout or error.
	714	Else returns True.
	715
	716	The timeout is in milliseconds
	717	****************************************************************************/
	718
	719	static NTSTATUS receive_message_or_smb(TALLOC_CTX mem_ctx, char *buffer,
	720	size_t *buffer_len, int timeout,
	721	size_t p_unread, bool p_encrypted)
	722	{
	723	fd_set r_fds, w_fds;
	724	int selrtn;
	725	struct timeval to;
	726	int maxfd = 0;
	727	size_t len = 0;
	728	NTSTATUS status;
	729
	730	*p_unread = 0;
	731
	732	again:
	733
	734	if (timeout >= 0) {
	735	to.tv_sec = timeout / 1000;
	736	to.tv_usec = (timeout % 1000) * 1000;
	737	} else {
	738	to.tv_sec = SMBD_SELECT_TIMEOUT;
	739	to.tv_usec = 0;
	740	}
	741
	742	/*
	743	* Note that this call must be before processing any SMB
	744	* messages as we need to synchronously process any messages
	745	* we may have sent to ourselves from the previous SMB.
	746	*/
	747	message_dispatch(smbd_messaging_context());
	748
	749	/*
	750	* Check to see if we already have a message on the deferred open queue
	751	* and it's time to schedule.
	752	*/
	753	if(deferred_open_queue != NULL) {
	754	bool pop_message = False;
	755	struct pending_message_list *msg = deferred_open_queue;
	756
	757	if (timeval_is_zero(&msg->end_time)) {
	758	pop_message = True;
	759	} else {
	760	struct timeval tv;
	761	SMB_BIG_INT tdif;
	762
	763	GetTimeOfDay(&tv);
	764	tdif = usec_time_diff(&msg->end_time, &tv);
	765	if (tdif <= 0) {
	766	/* Timed out. Schedule...*/
	767	pop_message = True;
	768	DEBUG(10,("receive_message_or_smb: queued message timed out.\n"));
	769	} else {
	770	/* Make a more accurate select timeout. */
	771	to.tv_sec = tdif / 1000000;
	772	to.tv_usec = tdif % 1000000;
	773	DEBUG(10,("receive_message_or_smb: select with timeout of [%u.%06u]\n",
	774	(unsigned int)to.tv_sec, (unsigned int)to.tv_usec ));
	775	}
	776	}
	777
	778	if (pop_message) {
	779
	780	buffer = (char )talloc_memdup(mem_ctx, msg->buf.data,
	781	msg->buf.length);
	782	if (*buffer == NULL) {
	783	DEBUG(0, ("talloc failed\n"));
	784	return NT_STATUS_NO_MEMORY;
	785	}
	786	*buffer_len = msg->buf.length;
	787	*p_encrypted = msg->encrypted;
	788
	789	/* We leave this message on the queue so the open code can
	790	know this is a retry. */
	791	DEBUG(5,("receive_message_or_smb: returning deferred open smb message.\n"));
[340]	792
	793	/* Mark the message as processed so this is not
	794	* re-processed in error. */
	795	msg->processed = true;
[136]	796	return NT_STATUS_OK;
	797	}
	798	}
	799
	800	/*
	801	* Setup the select fd sets.
	802	*/
	803
	804	FD_ZERO(&r_fds);
	805	FD_ZERO(&w_fds);
	806
	807	/*
	808	* Ensure we process oplock break messages by preference.
	809	* We have to do this before the select, after the select
	810	* and if the select returns EINTR. This is due to the fact
	811	* that the selects called from async_processing can eat an EINTR
	812	* caused by a signal (we can't take the break message there).
	813	* This is hideously complex - MUST be simplified for 3.0 ! JRA.
	814	*/
	815
	816	if (oplock_message_waiting(&r_fds)) {
	817	DEBUG(10,("receive_message_or_smb: oplock_message is waiting.\n"));
	818	async_processing(&r_fds);
	819	/*
	820	* After async processing we must go and do the select again, as
	821	* the state of the flag in fds for the server file descriptor is
	822	* indeterminate - we may have done I/O on it in the oplock processing. JRA.
	823	*/
	824	goto again;
	825	}
	826
	827	/*
	828	* Are there any timed events waiting ? If so, ensure we don't
	829	* select for longer than it would take to wait for them.
	830	*/
	831
	832	{
	833	struct timeval now;
	834	GetTimeOfDay(&now);
	835
	836	event_add_to_select_args(smbd_event_context(), &now,
	837	&r_fds, &w_fds, &to, &maxfd);
	838	}
	839
	840	if (timeval_is_zero(&to)) {
	841	/* Process a timed event now... */
	842	if (run_events(smbd_event_context(), 0, NULL, NULL)) {
	843	goto again;
	844	}
	845	}
	846
	847	{
	848	int sav;
	849	START_PROFILE(smbd_idle);
	850
	851	maxfd = select_on_fd(smbd_server_fd(), maxfd, &r_fds);
	852	maxfd = select_on_fd(oplock_notify_fd(), maxfd, &r_fds);
	853
	854	selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
	855	sav = errno;
	856
	857	END_PROFILE(smbd_idle);
	858	errno = sav;
	859	}
	860
	861	if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
	862	goto again;
	863	}
	864
	865	/* if we get EINTR then maybe we have received an oplock
	866	signal - treat this as select returning 1. This is ugly, but
	867	is the best we can do until the oplock code knows more about
	868	signals */
	869	if (selrtn == -1 && errno == EINTR) {
	870	async_processing(&r_fds);
	871	/*
	872	* After async processing we must go and do the select again, as
	873	* the state of the flag in fds for the server file descriptor is
	874	* indeterminate - we may have done I/O on it in the oplock processing. JRA.
	875	*/
	876	goto again;
	877	}
	878
	879	/* Check if error */
	880	if (selrtn == -1) {
	881	/* something is wrong. Maybe the socket is dead? */
	882	return map_nt_error_from_unix(errno);
	883	}
	884
	885	/* Did we timeout ? */
	886	if (selrtn == 0) {
	887	return NT_STATUS_IO_TIMEOUT;
	888	}
	889
	890	/*
	891	* Ensure we process oplock break messages by preference.
	892	* This is IMPORTANT ! Otherwise we can starve other processes
	893	* sending us an oplock break message. JRA.
	894	*/
	895
	896	if (oplock_message_waiting(&r_fds)) {
	897	async_processing(&r_fds);
	898	/*
	899	* After async processing we must go and do the select again, as
	900	* the state of the flag in fds for the server file descriptor is
	901	* indeterminate - we may have done I/O on it in the oplock processing. JRA.
	902	*/
	903	goto again;
	904	}
	905
	906	/*
	907	* We've just woken up from a protentially long select sleep.
	908	* Ensure we process local messages as we need to synchronously
	909	* process any messages from other smbd's to avoid file rename race
	910	* conditions. This call is cheap if there are no messages waiting.
	911	* JRA.
	912	*/
	913	message_dispatch(smbd_messaging_context());
	914
	915	status = receive_smb_talloc(mem_ctx, smbd_server_fd(), buffer, 0,
	916	p_unread, p_encrypted, &len);
	917
	918	if (!NT_STATUS_IS_OK(status)) {
	919	return status;
	920	}
	921
	922	*buffer_len = len;
	923
	924	return NT_STATUS_OK;
	925	}
	926
	927	/*
	928	* Only allow 5 outstanding trans requests. We're allocating memory, so
	929	* prevent a DoS.
	930	*/
	931
	932	NTSTATUS allow_new_trans(struct trans_state *list, int mid)
	933	{
	934	int count = 0;
	935	for (; list != NULL; list = list->next) {
	936
	937	if (list->mid == mid) {
	938	return NT_STATUS_INVALID_PARAMETER;
	939	}
	940
	941	count += 1;
	942	}
	943	if (count > 5) {
	944	return NT_STATUS_INSUFFICIENT_RESOURCES;
	945	}
	946
	947	return NT_STATUS_OK;
	948	}
	949
	950	/****************************************************************************
	951	We're terminating and have closed all our files/connections etc.
	952	If there are any pending local messages we need to respond to them
	953	before termination so that other smbds don't think we just died whilst
	954	holding oplocks.
	955	****************************************************************************/
	956
	957	void respond_to_all_remaining_local_messages(void)
	958	{
	959	/*
	960	* Assert we have no exclusive open oplocks.
	961	*/
	962
	963	if(get_number_of_exclusive_open_oplocks()) {
	964	DEBUG(0,("respond_to_all_remaining_local_messages: PANIC : we have %d exclusive oplocks.\n",
	965	get_number_of_exclusive_open_oplocks() ));
	966	return;
	967	}
	968
	969	process_kernel_oplocks(smbd_messaging_context(), NULL);
	970
	971	return;
	972	}
	973
	974
	975	/*
	976	These flags determine some of the permissions required to do an operation
	977
	978	Note that I don't set NEED_WRITE on some write operations because they
	979	are used by some brain-dead clients when printing, and I don't want to
	980	force write permissions on print services.
	981	*/
	982	#define AS_USER (1<<0)
	983	#define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
	984	#define TIME_INIT (1<<2)
	985	#define CAN_IPC (1<<3) /* Must be paired with AS_USER */
	986	#define AS_GUEST (1<<5) /* Must NOT be paired with AS_USER */
	987	#define DO_CHDIR (1<<6)
	988
	989	/*
	990	define a list of possible SMB messages and their corresponding
	991	functions. Any message that has a NULL function is unimplemented -
	992	please feel free to contribute implementations!
	993	*/
	994	static const struct smb_message_struct {
	995	const char *name;
	996	void (fn_new)(struct smb_request req);
	997	int flags;
	998	} smb_messages[256] = {
	999
	1000	/* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER \| NEED_WRITE},
	1001	/* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER \| NEED_WRITE},
	1002	/* 0x02 */ { "SMBopen",reply_open,AS_USER },
	1003	/* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
	1004	/* 0x04 */ { "SMBclose",reply_close,AS_USER \| CAN_IPC },
	1005	/* 0x05 */ { "SMBflush",reply_flush,AS_USER},
	1006	/* 0x06 */ { "SMBunlink",reply_unlink,AS_USER \| NEED_WRITE },
	1007	/* 0x07 */ { "SMBmv",reply_mv,AS_USER \| NEED_WRITE },
	1008	/* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
	1009	/* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER \| NEED_WRITE},
	1010	/* 0x0a */ { "SMBread",reply_read,AS_USER},
	1011	/* 0x0b */ { "SMBwrite",reply_write,AS_USER \| CAN_IPC },
	1012	/* 0x0c */ { "SMBlock",reply_lock,AS_USER},
	1013	/* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
	1014	/* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
	1015	/* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
	1016	/* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
	1017	/* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
	1018	/* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
	1019	/* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
	1020	/* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
	1021	/* 0x15 */ { NULL, NULL, 0 },
	1022	/* 0x16 */ { NULL, NULL, 0 },
	1023	/* 0x17 */ { NULL, NULL, 0 },
	1024	/* 0x18 */ { NULL, NULL, 0 },
	1025	/* 0x19 */ { NULL, NULL, 0 },
	1026	/* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
	1027	/* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
	1028	/* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
	1029	/* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
	1030	/* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
	1031	/* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
	1032	/* 0x20 */ { "SMBwritec", NULL,0},
	1033	/* 0x21 */ { NULL, NULL, 0 },
	1034	/* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER \| NEED_WRITE },
	1035	/* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
	1036	/* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
	1037	/* 0x25 */ { "SMBtrans",reply_trans,AS_USER \| CAN_IPC },
	1038	/* 0x26 */ { "SMBtranss",reply_transs,AS_USER \| CAN_IPC},
	1039	/* 0x27 */ { "SMBioctl",reply_ioctl,0},
	1040	/* 0x28 */ { "SMBioctls", NULL,AS_USER},
	1041	/* 0x29 */ { "SMBcopy",reply_copy,AS_USER \| NEED_WRITE },
	1042	/* 0x2a */ { "SMBmove", NULL,AS_USER \| NEED_WRITE },
	1043	/* 0x2b */ { "SMBecho",reply_echo,0},
	1044	/* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
	1045	/* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER \| CAN_IPC },
	1046	/* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER \| CAN_IPC },
	1047	/* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER \| CAN_IPC },
	1048	/* 0x30 */ { NULL, NULL, 0 },
	1049	/* 0x31 */ { NULL, NULL, 0 },
	1050	/* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER \| CAN_IPC },
[233]	1051	/* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER \| CAN_IPC},
[136]	1052	/* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
	1053	/* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
	1054	/* 0x36 */ { NULL, NULL, 0 },
	1055	/* 0x37 */ { NULL, NULL, 0 },
	1056	/* 0x38 */ { NULL, NULL, 0 },
	1057	/* 0x39 */ { NULL, NULL, 0 },
	1058	/* 0x3a */ { NULL, NULL, 0 },
	1059	/* 0x3b */ { NULL, NULL, 0 },
	1060	/* 0x3c */ { NULL, NULL, 0 },
	1061	/* 0x3d */ { NULL, NULL, 0 },
	1062	/* 0x3e */ { NULL, NULL, 0 },
	1063	/* 0x3f */ { NULL, NULL, 0 },
	1064	/* 0x40 */ { NULL, NULL, 0 },
	1065	/* 0x41 */ { NULL, NULL, 0 },
	1066	/* 0x42 */ { NULL, NULL, 0 },
	1067	/* 0x43 */ { NULL, NULL, 0 },
	1068	/* 0x44 */ { NULL, NULL, 0 },
	1069	/* 0x45 */ { NULL, NULL, 0 },
	1070	/* 0x46 */ { NULL, NULL, 0 },
	1071	/* 0x47 */ { NULL, NULL, 0 },
	1072	/* 0x48 */ { NULL, NULL, 0 },
	1073	/* 0x49 */ { NULL, NULL, 0 },
	1074	/* 0x4a */ { NULL, NULL, 0 },
	1075	/* 0x4b */ { NULL, NULL, 0 },
	1076	/* 0x4c */ { NULL, NULL, 0 },
	1077	/* 0x4d */ { NULL, NULL, 0 },
	1078	/* 0x4e */ { NULL, NULL, 0 },
	1079	/* 0x4f */ { NULL, NULL, 0 },
	1080	/* 0x50 */ { NULL, NULL, 0 },
	1081	/* 0x51 */ { NULL, NULL, 0 },
	1082	/* 0x52 */ { NULL, NULL, 0 },
	1083	/* 0x53 */ { NULL, NULL, 0 },
	1084	/* 0x54 */ { NULL, NULL, 0 },
	1085	/* 0x55 */ { NULL, NULL, 0 },
	1086	/* 0x56 */ { NULL, NULL, 0 },
	1087	/* 0x57 */ { NULL, NULL, 0 },
	1088	/* 0x58 */ { NULL, NULL, 0 },
	1089	/* 0x59 */ { NULL, NULL, 0 },
	1090	/* 0x5a */ { NULL, NULL, 0 },
	1091	/* 0x5b */ { NULL, NULL, 0 },
	1092	/* 0x5c */ { NULL, NULL, 0 },
	1093	/* 0x5d */ { NULL, NULL, 0 },
	1094	/* 0x5e */ { NULL, NULL, 0 },
	1095	/* 0x5f */ { NULL, NULL, 0 },
	1096	/* 0x60 */ { NULL, NULL, 0 },
	1097	/* 0x61 */ { NULL, NULL, 0 },
	1098	/* 0x62 */ { NULL, NULL, 0 },
	1099	/* 0x63 */ { NULL, NULL, 0 },
	1100	/* 0x64 */ { NULL, NULL, 0 },
	1101	/* 0x65 */ { NULL, NULL, 0 },
	1102	/* 0x66 */ { NULL, NULL, 0 },
	1103	/* 0x67 */ { NULL, NULL, 0 },
	1104	/* 0x68 */ { NULL, NULL, 0 },
	1105	/* 0x69 */ { NULL, NULL, 0 },
	1106	/* 0x6a */ { NULL, NULL, 0 },
	1107	/* 0x6b */ { NULL, NULL, 0 },
	1108	/* 0x6c */ { NULL, NULL, 0 },
	1109	/* 0x6d */ { NULL, NULL, 0 },
	1110	/* 0x6e */ { NULL, NULL, 0 },
	1111	/* 0x6f */ { NULL, NULL, 0 },
	1112	/* 0x70 */ { "SMBtcon",reply_tcon,0},
	1113	/* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
	1114	/* 0x72 */ { "SMBnegprot",reply_negprot,0},
	1115	/* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
	1116	/* 0x74 / { "SMBulogoffX",reply_ulogoffX, 0}, / ulogoff doesn't give a valid TID */
	1117	/* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
	1118	/* 0x76 */ { NULL, NULL, 0 },
	1119	/* 0x77 */ { NULL, NULL, 0 },
	1120	/* 0x78 */ { NULL, NULL, 0 },
	1121	/* 0x79 */ { NULL, NULL, 0 },
	1122	/* 0x7a */ { NULL, NULL, 0 },
	1123	/* 0x7b */ { NULL, NULL, 0 },
	1124	/* 0x7c */ { NULL, NULL, 0 },
	1125	/* 0x7d */ { NULL, NULL, 0 },
	1126	/* 0x7e */ { NULL, NULL, 0 },
	1127	/* 0x7f */ { NULL, NULL, 0 },
	1128	/* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
	1129	/* 0x81 */ { "SMBsearch",reply_search,AS_USER},
	1130	/* 0x82 */ { "SMBffirst",reply_search,AS_USER},
	1131	/* 0x83 */ { "SMBfunique",reply_search,AS_USER},
	1132	/* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
	1133	/* 0x85 */ { NULL, NULL, 0 },
	1134	/* 0x86 */ { NULL, NULL, 0 },
	1135	/* 0x87 */ { NULL, NULL, 0 },
	1136	/* 0x88 */ { NULL, NULL, 0 },
	1137	/* 0x89 */ { NULL, NULL, 0 },
	1138	/* 0x8a */ { NULL, NULL, 0 },
	1139	/* 0x8b */ { NULL, NULL, 0 },
	1140	/* 0x8c */ { NULL, NULL, 0 },
	1141	/* 0x8d */ { NULL, NULL, 0 },
	1142	/* 0x8e */ { NULL, NULL, 0 },
	1143	/* 0x8f */ { NULL, NULL, 0 },
	1144	/* 0x90 */ { NULL, NULL, 0 },
	1145	/* 0x91 */ { NULL, NULL, 0 },
	1146	/* 0x92 */ { NULL, NULL, 0 },
	1147	/* 0x93 */ { NULL, NULL, 0 },
	1148	/* 0x94 */ { NULL, NULL, 0 },
	1149	/* 0x95 */ { NULL, NULL, 0 },
	1150	/* 0x96 */ { NULL, NULL, 0 },
	1151	/* 0x97 */ { NULL, NULL, 0 },
	1152	/* 0x98 */ { NULL, NULL, 0 },
	1153	/* 0x99 */ { NULL, NULL, 0 },
	1154	/* 0x9a */ { NULL, NULL, 0 },
	1155	/* 0x9b */ { NULL, NULL, 0 },
	1156	/* 0x9c */ { NULL, NULL, 0 },
	1157	/* 0x9d */ { NULL, NULL, 0 },
	1158	/* 0x9e */ { NULL, NULL, 0 },
	1159	/* 0x9f */ { NULL, NULL, 0 },
	1160	/* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER \| CAN_IPC },
	1161	/* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER \| CAN_IPC },
	1162	/* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER \| CAN_IPC },
	1163	/* 0xa3 */ { NULL, NULL, 0 },
	1164	/* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
	1165	/* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER \| NEED_WRITE },
	1166	/* 0xa6 */ { NULL, NULL, 0 },
	1167	/* 0xa7 */ { NULL, NULL, 0 },
	1168	/* 0xa8 */ { NULL, NULL, 0 },
	1169	/* 0xa9 */ { NULL, NULL, 0 },
	1170	/* 0xaa */ { NULL, NULL, 0 },
	1171	/* 0xab */ { NULL, NULL, 0 },
	1172	/* 0xac */ { NULL, NULL, 0 },
	1173	/* 0xad */ { NULL, NULL, 0 },
	1174	/* 0xae */ { NULL, NULL, 0 },
	1175	/* 0xaf */ { NULL, NULL, 0 },
	1176	/* 0xb0 */ { NULL, NULL, 0 },
	1177	/* 0xb1 */ { NULL, NULL, 0 },
	1178	/* 0xb2 */ { NULL, NULL, 0 },
	1179	/* 0xb3 */ { NULL, NULL, 0 },
	1180	/* 0xb4 */ { NULL, NULL, 0 },
	1181	/* 0xb5 */ { NULL, NULL, 0 },
	1182	/* 0xb6 */ { NULL, NULL, 0 },
	1183	/* 0xb7 */ { NULL, NULL, 0 },
	1184	/* 0xb8 */ { NULL, NULL, 0 },
	1185	/* 0xb9 */ { NULL, NULL, 0 },
	1186	/* 0xba */ { NULL, NULL, 0 },
	1187	/* 0xbb */ { NULL, NULL, 0 },
	1188	/* 0xbc */ { NULL, NULL, 0 },
	1189	/* 0xbd */ { NULL, NULL, 0 },
	1190	/* 0xbe */ { NULL, NULL, 0 },
	1191	/* 0xbf */ { NULL, NULL, 0 },
	1192	/* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
	1193	/* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
	1194	/* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
	1195	/* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
	1196	/* 0xc4 */ { NULL, NULL, 0 },
	1197	/* 0xc5 */ { NULL, NULL, 0 },
	1198	/* 0xc6 */ { NULL, NULL, 0 },
	1199	/* 0xc7 */ { NULL, NULL, 0 },
	1200	/* 0xc8 */ { NULL, NULL, 0 },
	1201	/* 0xc9 */ { NULL, NULL, 0 },
	1202	/* 0xca */ { NULL, NULL, 0 },
	1203	/* 0xcb */ { NULL, NULL, 0 },
	1204	/* 0xcc */ { NULL, NULL, 0 },
	1205	/* 0xcd */ { NULL, NULL, 0 },
	1206	/* 0xce */ { NULL, NULL, 0 },
	1207	/* 0xcf */ { NULL, NULL, 0 },
	1208	/* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
	1209	/* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
	1210	/* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
	1211	/* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
	1212	/* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
	1213	/* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
	1214	/* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
	1215	/* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
	1216	/* 0xd8 */ { NULL, NULL, 0 },
	1217	/* 0xd9 */ { NULL, NULL, 0 },
	1218	/* 0xda */ { NULL, NULL, 0 },
	1219	/* 0xdb */ { NULL, NULL, 0 },
	1220	/* 0xdc */ { NULL, NULL, 0 },
	1221	/* 0xdd */ { NULL, NULL, 0 },
	1222	/* 0xde */ { NULL, NULL, 0 },
	1223	/* 0xdf */ { NULL, NULL, 0 },
	1224	/* 0xe0 */ { NULL, NULL, 0 },
	1225	/* 0xe1 */ { NULL, NULL, 0 },
	1226	/* 0xe2 */ { NULL, NULL, 0 },
	1227	/* 0xe3 */ { NULL, NULL, 0 },
	1228	/* 0xe4 */ { NULL, NULL, 0 },
	1229	/* 0xe5 */ { NULL, NULL, 0 },
	1230	/* 0xe6 */ { NULL, NULL, 0 },
	1231	/* 0xe7 */ { NULL, NULL, 0 },
	1232	/* 0xe8 */ { NULL, NULL, 0 },
	1233	/* 0xe9 */ { NULL, NULL, 0 },
	1234	/* 0xea */ { NULL, NULL, 0 },
	1235	/* 0xeb */ { NULL, NULL, 0 },
	1236	/* 0xec */ { NULL, NULL, 0 },
	1237	/* 0xed */ { NULL, NULL, 0 },
	1238	/* 0xee */ { NULL, NULL, 0 },
	1239	/* 0xef */ { NULL, NULL, 0 },
	1240	/* 0xf0 */ { NULL, NULL, 0 },
	1241	/* 0xf1 */ { NULL, NULL, 0 },
	1242	/* 0xf2 */ { NULL, NULL, 0 },
	1243	/* 0xf3 */ { NULL, NULL, 0 },
	1244	/* 0xf4 */ { NULL, NULL, 0 },
	1245	/* 0xf5 */ { NULL, NULL, 0 },
	1246	/* 0xf6 */ { NULL, NULL, 0 },
	1247	/* 0xf7 */ { NULL, NULL, 0 },
	1248	/* 0xf8 */ { NULL, NULL, 0 },
	1249	/* 0xf9 */ { NULL, NULL, 0 },
	1250	/* 0xfa */ { NULL, NULL, 0 },
	1251	/* 0xfb */ { NULL, NULL, 0 },
	1252	/* 0xfc */ { NULL, NULL, 0 },
	1253	/* 0xfd */ { NULL, NULL, 0 },
	1254	/* 0xfe */ { NULL, NULL, 0 },
	1255	/* 0xff */ { NULL, NULL, 0 }
	1256
	1257	};
	1258
	1259	/*******************************************************************
	1260	allocate and initialize a reply packet
	1261	********************************************************************/
	1262
	1263	void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
	1264	{
	1265	/*
	1266	* Protect against integer wrap
	1267	*/
	1268	if ((num_bytes > 0xffffff)
	1269	\|\| ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
	1270	char *msg;
	1271	if (asprintf(&msg, "num_bytes too large: %u",
	1272	(unsigned)num_bytes) == -1) {
	1273	msg = CONST_DISCARD(char *, "num_bytes too large");
	1274	}
	1275	smb_panic(msg);
	1276	}
	1277
	1278	if (!(req->outbuf = TALLOC_ARRAY(
	1279	req, uint8,
	1280	smb_size + num_words*2 + num_bytes))) {
	1281	smb_panic("could not allocate output buffer\n");
	1282	}
	1283
	1284	construct_reply_common((char )req->inbuf, (char )req->outbuf);
	1285	srv_set_message((char *)req->outbuf, num_words, num_bytes, false);
	1286	/*
	1287	* Zero out the word area, the caller has to take care of the bcc area
	1288	* himself
	1289	*/
	1290	if (num_words != 0) {
	1291	memset(req->outbuf + smb_vwv0, 0, num_words*2);
	1292	}
	1293
	1294	return;
	1295	}
	1296
	1297
	1298	/*******************************************************************
	1299	Dump a packet to a file.
	1300	********************************************************************/
	1301
	1302	static void smb_dump(const char name, int type, const char data, ssize_t len)
	1303	{
	1304	int fd, i;
	1305	char *fname = NULL;
	1306	if (DEBUGLEVEL < 50) {
	1307	return;
	1308	}
	1309
	1310	if (len < 4) len = smb_len(data)+4;
	1311	for (i=1;i<100;i++) {
	1312	if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
	1313	type ? "req" : "resp") == -1) {
	1314	return;
	1315	}
	1316	fd = open(fname, O_WRONLY\|O_CREAT\|O_EXCL, 0644);
	1317	if (fd != -1 \|\| errno != EEXIST) break;
	1318	}
	1319	if (fd != -1) {
	1320	ssize_t ret = write(fd, data, len);
	1321	if (ret != len)
	1322	DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
	1323	close(fd);
	1324	DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
	1325	}
	1326	SAFE_FREE(fname);
	1327	}
	1328
	1329	/****************************************************************************
	1330	Prepare everything for calling the actual request function, and potentially
	1331	call the request function via the "new" interface.
	1332
	1333	Return False if the "legacy" function needs to be called, everything is
	1334	prepared.
	1335
	1336	Return True if we're done.
	1337
	1338	I know this API sucks, but it is the one with the least code change I could
	1339	find.
	1340	****************************************************************************/
	1341
	1342	static connection_struct switch_message(uint8 type, struct smb_request req, int size)
	1343	{
	1344	int flags;
	1345	uint16 session_tag;
	1346	connection_struct *conn = NULL;
	1347
	1348	static uint16 last_session_tag = UID_FIELD_INVALID;
	1349
	1350	errno = 0;
	1351
	1352	/* Make sure this is an SMB packet. smb_size contains NetBIOS header
	1353	* so subtract 4 from it. */
	1354	if (!valid_smb_header(req->inbuf)
	1355	\|\| (size < (smb_size - 4))) {
	1356	DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
	1357	smb_len(req->inbuf)));
	1358	exit_server_cleanly("Non-SMB packet");
	1359	}
	1360
	1361	if (smb_messages[type].fn_new == NULL) {
	1362	DEBUG(0,("Unknown message type %d!\n",type));
	1363	smb_dump("Unknown", 1, (char *)req->inbuf, size);
	1364	reply_unknown_new(req, type);
	1365	return NULL;
	1366	}
	1367
	1368	flags = smb_messages[type].flags;
	1369
	1370	/* In share mode security we must ignore the vuid. */
	1371	session_tag = (lp_security() == SEC_SHARE)
	1372	? UID_FIELD_INVALID : req->vuid;
	1373	conn = req->conn;
	1374
	1375	DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
	1376	(int)sys_getpid(), (unsigned long)conn));
	1377
	1378	smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
	1379
	1380	/* Ensure this value is replaced in the incoming packet. */
	1381	SSVAL(req->inbuf,smb_uid,session_tag);
	1382
	1383	/*
	1384	* Ensure the correct username is in current_user_info. This is a
	1385	* really ugly bugfix for problems with multiple session_setup_and_X's
	1386	* being done and allowing %U and %G substitutions to work correctly.
	1387	* There is a reason this code is done here, don't move it unless you
	1388	* know what you're doing... :-).
	1389	* JRA.
	1390	*/
	1391
	1392	if (session_tag != last_session_tag) {
	1393	user_struct *vuser = NULL;
	1394
	1395	last_session_tag = session_tag;
	1396	if(session_tag != UID_FIELD_INVALID) {
	1397	vuser = get_valid_user_struct(session_tag);
	1398	if (vuser) {
	1399	set_current_user_info(&vuser->user);
	1400	}
	1401	}
	1402	}
	1403
	1404	/* Does this call need to be run as the connected user? */
	1405	if (flags & AS_USER) {
	1406
	1407	/* Does this call need a valid tree connection? */
	1408	if (!conn) {
	1409	/*
	1410	* Amazingly, the error code depends on the command
	1411	* (from Samba4).
	1412	*/
	1413	if (type == SMBntcreateX) {
	1414	reply_nterror(req, NT_STATUS_INVALID_HANDLE);
	1415	} else {
	1416	reply_doserror(req, ERRSRV, ERRinvnid);
	1417	}
	1418	return NULL;
	1419	}
	1420
	1421	if (!change_to_user(conn,session_tag)) {
	1422	reply_nterror(req, NT_STATUS_DOS(ERRSRV, ERRbaduid));
	1423	return conn;
	1424	}
	1425
	1426	/* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
	1427
	1428	/* Does it need write permission? */
	1429	if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
	1430	reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
	1431	return conn;
	1432	}
	1433
	1434	/* IPC services are limited */
	1435	if (IS_IPC(conn) && !(flags & CAN_IPC)) {
	1436	reply_doserror(req, ERRSRV,ERRaccess);
	1437	return conn;
	1438	}
	1439	} else {
	1440	/* This call needs to be run as root */
	1441	change_to_root_user();
	1442	}
	1443
	1444	/* load service specific parameters */
	1445	if (conn) {
	1446	if (req->encrypted) {
	1447	conn->encrypted_tid = true;
	1448	/* encrypted required from now on. */
	1449	conn->encrypt_level = Required;
	1450	} else if (ENCRYPTION_REQUIRED(conn)) {
	1451	uint8 com = CVAL(req->inbuf,smb_com);
	1452	if (com != SMBtrans2 && com != SMBtranss2) {
	1453	exit_server_cleanly("encryption required "
	1454	"on connection");
	1455	return conn;
	1456	}
	1457	}
	1458
	1459	if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
	1460	(flags & (AS_USER\|DO_CHDIR)
	1461	?True:False))) {
	1462	reply_doserror(req, ERRSRV, ERRaccess);
	1463	return conn;
	1464	}
	1465	conn->num_smb_operations++;
	1466	}
	1467
	1468	/* does this protocol need to be run as guest? */
	1469	if ((flags & AS_GUEST)
	1470	&& (!change_to_guest() \|\|
	1471	!check_access(smbd_server_fd(), lp_hostsallow(-1),
	1472	lp_hostsdeny(-1)))) {
	1473	reply_doserror(req, ERRSRV, ERRaccess);
	1474	return conn;
	1475	}
	1476
	1477	smb_messages[type].fn_new(req);
	1478	return req->conn;
	1479	}
	1480
	1481	/****************************************************************************
	1482	Construct a reply to the incoming packet.
	1483	****************************************************************************/
	1484
	1485	static void construct_reply(char *inbuf, int size, size_t unread_bytes, bool encrypted)
	1486	{
[340]	1487	struct pending_message_list *pml = NULL;
[136]	1488	uint8 type = CVAL(inbuf,smb_com);
	1489	connection_struct *conn;
	1490	struct smb_request *req;
	1491
	1492	chain_size = 0;
	1493	file_chain_reset();
	1494	reset_chain_p();
	1495
	1496	if (!(req = talloc(talloc_tos(), struct smb_request))) {
	1497	smb_panic("could not allocate smb_request");
	1498	}
	1499	init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted);
	1500
	1501	conn = switch_message(type, req, size);
	1502
[340]	1503	/* If this was a deferred message and it's still there and
	1504	* was processed, remove it. */
	1505	pml = get_open_deferred_message(req->mid);
	1506	if (pml && pml->processed) {
	1507	remove_deferred_open_smb_message(req->mid);
	1508	}
	1509
[136]	1510	if (req->unread_bytes) {
	1511	/* writeX failed. drain socket. */
	1512	if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
	1513	req->unread_bytes) {
	1514	smb_panic("failed to drain pending bytes");
	1515	}
	1516	req->unread_bytes = 0;
	1517	}
	1518
	1519	if (req->outbuf == NULL) {
	1520	return;
	1521	}
	1522
	1523	if (CVAL(req->outbuf,0) == 0) {
	1524	show_msg((char *)req->outbuf);
	1525	}
	1526
	1527	if (!srv_send_smb(smbd_server_fd(),
	1528	(char *)req->outbuf,
	1529	IS_CONN_ENCRYPTED(conn)\|\|req->encrypted)) {
	1530	exit_server_cleanly("construct_reply: srv_send_smb failed.");
	1531	}
	1532
	1533	TALLOC_FREE(req);
	1534
	1535	return;
	1536	}
	1537
	1538	/****************************************************************************
	1539	Process an smb from the client
	1540	****************************************************************************/
	1541
	1542	static void process_smb(char *inbuf, size_t nread, size_t unread_bytes, bool encrypted)
	1543	{
	1544	static int trans_num;
	1545	int msg_type = CVAL(inbuf,0);
	1546
	1547	DO_PROFILE_INC(smb_count);
	1548
	1549	if (trans_num == 0) {
	1550	char addr[INET6_ADDRSTRLEN];
	1551
	1552	/* on the first packet, check the global hosts allow/ hosts
	1553	deny parameters before doing any parsing of the packet
	1554	passed to us by the client. This prevents attacks on our
	1555	parsing code from hosts not in the hosts allow list */
	1556
	1557	if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
	1558	lp_hostsdeny(-1))) {
	1559	/* send a negative session response "not listening on calling name" */
	1560	static unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
	1561	DEBUG( 1, ( "Connection denied from %s\n",
	1562	client_addr(get_client_fd(),addr,sizeof(addr)) ) );
	1563	(void)srv_send_smb(smbd_server_fd(),(char *)buf,false);
	1564	exit_server_cleanly("connection denied");
	1565	}
	1566	}
	1567
	1568	DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
	1569	smb_len(inbuf) ) );
	1570	DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
	1571	(int)nread,
	1572	(unsigned int)unread_bytes ));
	1573
	1574	if (msg_type != 0) {
	1575	/*
	1576	* NetBIOS session request, keepalive, etc.
	1577	*/
	1578	reply_special(inbuf);
	1579	return;
	1580	}
	1581
	1582	show_msg(inbuf);
	1583
	1584	construct_reply(inbuf,nread,unread_bytes,encrypted);
	1585
	1586	trans_num++;
	1587	}
	1588
	1589	/****************************************************************************
	1590	Return a string containing the function name of a SMB command.
	1591	****************************************************************************/
	1592
	1593	const char *smb_fn_name(int type)
	1594	{
	1595	const char *unknown_name = "SMBunknown";
	1596
	1597	if (smb_messages[type].name == NULL)
	1598	return(unknown_name);
	1599
	1600	return(smb_messages[type].name);
	1601	}
	1602
	1603	/****************************************************************************
	1604	Helper functions for contruct_reply.
	1605	****************************************************************************/
	1606
	1607	static uint32 common_flags2 = FLAGS2_LONG_PATH_COMPONENTS\|FLAGS2_32_BIT_ERROR_CODES;
	1608
	1609	void add_to_common_flags2(uint32 v)
	1610	{
	1611	common_flags2 \|= v;
	1612	}
	1613
	1614	void remove_from_common_flags2(uint32 v)
	1615	{
	1616	common_flags2 &= ~v;
	1617	}
	1618
	1619	void construct_reply_common(const char inbuf, char outbuf)
	1620	{
	1621	srv_set_message(outbuf,0,0,false);
	1622
	1623	SCVAL(outbuf,smb_com,CVAL(inbuf,smb_com));
	1624	SIVAL(outbuf,smb_rcls,0);
	1625	SCVAL(outbuf,smb_flg, FLAG_REPLY \| (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
	1626	SSVAL(outbuf,smb_flg2,
	1627	(SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) \|
	1628	common_flags2);
	1629	memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
	1630
	1631	SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
	1632	SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
	1633	SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
	1634	SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
	1635	}
	1636
	1637	/****************************************************************************
	1638	Construct a chained reply and add it to the already made reply
	1639	****************************************************************************/
	1640
	1641	void chain_reply(struct smb_request *req)
	1642	{
	1643	static char *orig_inbuf;
	1644
	1645	/*
	1646	* Dirty little const_discard: We mess with req->inbuf, which is
	1647	* declared as const. If maybe at some point this routine gets
	1648	* rewritten, this const_discard could go away.
	1649	*/
	1650	char inbuf = CONST_DISCARD(char , req->inbuf);
	1651	int size = smb_len(req->inbuf)+4;
	1652
	1653	int smb_com1, smb_com2 = CVAL(inbuf,smb_vwv0);
	1654	unsigned smb_off2 = SVAL(inbuf,smb_vwv1);
	1655	char *inbuf2;
	1656	int outsize2;
	1657	int new_size;
	1658	char inbuf_saved[smb_wct];
	1659	char outbuf = (char )req->outbuf;
	1660	size_t outsize = smb_len(outbuf) + 4;
	1661	size_t outsize_padded;
[149]	1662	size_t padding;
[136]	1663	size_t ofs, to_move;
	1664
	1665	struct smb_request *req2;
	1666	size_t caller_outputlen;
	1667	char *caller_output;
	1668
	1669	/* Maybe its not chained, or it's an error packet. */
	1670	if (smb_com2 == 0xFF \|\| SVAL(outbuf,smb_rcls) != 0) {
	1671	SCVAL(outbuf,smb_vwv0,0xFF);
	1672	return;
	1673	}
	1674
	1675	if (chain_size == 0) {
	1676	/* this is the first part of the chain */
	1677	orig_inbuf = inbuf;
	1678	}
	1679
	1680	/*
	1681	* We need to save the output the caller added to the chain so that we
	1682	* can splice it into the final output buffer later.
	1683	*/
	1684
	1685	caller_outputlen = outsize - smb_wct;
	1686
	1687	caller_output = (char *)memdup(outbuf + smb_wct, caller_outputlen);
	1688
	1689	if (caller_output == NULL) {
	1690	/* TODO: NT_STATUS_NO_MEMORY */
	1691	smb_panic("could not dup outbuf");
	1692	}
	1693
	1694	/*
	1695	* The original Win95 redirector dies on a reply to
	1696	* a lockingX and read chain unless the chain reply is
	1697	* 4 byte aligned. JRA.
	1698	*/
	1699
	1700	outsize_padded = (outsize + 3) & ~3;
[149]	1701	padding = outsize_padded - outsize;
[136]	1702
	1703	/*
	1704	* remember how much the caller added to the chain, only counting
	1705	* stuff after the parameter words
	1706	*/
[149]	1707	chain_size += (outsize_padded - smb_wct);
[136]	1708
	1709	/*
	1710	* work out pointers into the original packets. The
	1711	* headers on these need to be filled in
	1712	*/
	1713	inbuf2 = orig_inbuf + smb_off2 + 4 - smb_wct;
	1714
	1715	/* remember the original command type */
	1716	smb_com1 = CVAL(orig_inbuf,smb_com);
	1717
	1718	/* save the data which will be overwritten by the new headers */
	1719	memcpy(inbuf_saved,inbuf2,smb_wct);
	1720
	1721	/* give the new packet the same header as the last part of the SMB */
	1722	memmove(inbuf2,inbuf,smb_wct);
	1723
	1724	/* create the in buffer */
	1725	SCVAL(inbuf2,smb_com,smb_com2);
	1726
	1727	/* work out the new size for the in buffer. */
	1728	new_size = size - (inbuf2 - inbuf);
	1729	if (new_size < 0) {
	1730	DEBUG(0,("chain_reply: chain packet size incorrect "
	1731	"(orig size = %d, offset = %d)\n",
	1732	size, (int)(inbuf2 - inbuf) ));
	1733	exit_server_cleanly("Bad chained packet");
	1734	return;
	1735	}
	1736
	1737	/* And set it in the header. */
	1738	smb_setlen(inbuf2, new_size - 4);
	1739
	1740	DEBUG(3,("Chained message\n"));
	1741	show_msg(inbuf2);
	1742
	1743	if (!(req2 = talloc(talloc_tos(), struct smb_request))) {
	1744	smb_panic("could not allocate smb_request");
	1745	}
	1746	init_smb_request(req2, (uint8 *)inbuf2,0, req->encrypted);
	1747
	1748	/* process the request */
	1749	switch_message(smb_com2, req2, new_size);
	1750
	1751	/*
	1752	* We don't accept deferred operations in chained requests.
	1753	*/
	1754	SMB_ASSERT(req2->outbuf != NULL);
	1755	outsize2 = smb_len(req2->outbuf)+4;
	1756
	1757	/*
	1758	* Move away the new command output so that caller_output fits in,
	1759	* copy in the caller_output saved above.
	1760	*/
	1761
	1762	SMB_ASSERT(outsize_padded >= smb_wct);
	1763
	1764	/*
	1765	* "ofs" is the space we need for caller_output. Equal to
	1766	* caller_outputlen plus the padding.
	1767	*/
	1768
	1769	ofs = outsize_padded - smb_wct;
	1770
	1771	/*
	1772	* "to_move" is the amount of bytes the secondary routine gave us
	1773	*/
	1774
	1775	to_move = outsize2 - smb_wct;
	1776
	1777	if (to_move + ofs + smb_wct + chain_size > max_send) {
	1778	smb_panic("replies too large -- would have to cut");
	1779	}
	1780
	1781	/*
	1782	* In the "new" API "outbuf" is allocated via reply_outbuf, just for
	1783	* the first request in the chain. So we have to re-allocate it. In
	1784	* the "old" API the only outbuf ever used is the global OutBuffer
	1785	* which is always large enough.
	1786	*/
	1787
	1788	outbuf = TALLOC_REALLOC_ARRAY(NULL, outbuf, char,
	1789	to_move + ofs + smb_wct);
	1790	if (outbuf == NULL) {
	1791	smb_panic("could not realloc outbuf");
	1792	}
	1793
	1794	req->outbuf = (uint8 *)outbuf;
	1795
	1796	memmove(outbuf + smb_wct + ofs, req2->outbuf + smb_wct, to_move);
	1797	memcpy(outbuf + smb_wct, caller_output, caller_outputlen);
	1798
	1799	/*
	1800	* copy the new reply header over the old one but preserve the smb_com
	1801	* field
	1802	*/
	1803	memmove(outbuf, req2->outbuf, smb_wct);
	1804	SCVAL(outbuf, smb_com, smb_com1);
	1805
	1806	/*
	1807	* We've just copied in the whole "wct" area from the secondary
	1808	* function. Fix up the chaining: com2 and the offset need to be
	1809	* readjusted.
	1810	*/
	1811
	1812	SCVAL(outbuf, smb_vwv0, smb_com2);
	1813	SSVAL(outbuf, smb_vwv1, chain_size + smb_wct - 4);
	1814
[149]	1815	if (padding != 0) {
[136]	1816
	1817	/*
	1818	* Due to padding we have some uninitialized bytes after the
	1819	* caller's output
	1820	*/
	1821
[149]	1822	memset(outbuf + outsize, 0, padding);
[136]	1823	}
	1824
[149]	1825	smb_setlen(outbuf, outsize2 + caller_outputlen + padding - 4);
[136]	1826
	1827	/*
	1828	* restore the saved data, being careful not to overwrite any data
	1829	* from the reply header
	1830	*/
	1831	memcpy(inbuf2,inbuf_saved,smb_wct);
	1832
	1833	SAFE_FREE(caller_output);
	1834	TALLOC_FREE(req2);
	1835
[149]	1836	/*
	1837	* Reset the chain_size for our caller's offset calculations
	1838	*/
	1839
	1840	chain_size -= (outsize_padded - smb_wct);
	1841
[136]	1842	return;
	1843	}
	1844
	1845	/****************************************************************************
	1846	Setup the needed select timeout in milliseconds.
	1847	****************************************************************************/
	1848
	1849	static int setup_select_timeout(void)
	1850	{
	1851	int select_timeout;
	1852
	1853	select_timeout = SMBD_SELECT_TIMEOUT*1000;
	1854
	1855	if (print_notify_messages_pending()) {
	1856	select_timeout = MIN(select_timeout, 1000);
	1857	}
	1858
	1859	return select_timeout;
	1860	}
	1861
	1862	/****************************************************************************
	1863	Check if services need reloading.
	1864	****************************************************************************/
	1865
	1866	void check_reload(time_t t)
	1867	{
	1868	static pid_t mypid = 0;
	1869	static time_t last_smb_conf_reload_time = 0;
	1870	static time_t last_printer_reload_time = 0;
	1871	time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
	1872
	1873	if(last_smb_conf_reload_time == 0) {
	1874	last_smb_conf_reload_time = t;
	1875	/* Our printing subsystem might not be ready at smbd start up.
	1876	Then no printer is available till the first printers check
	1877	is performed. A lower initial interval circumvents this. */
	1878	if ( printcap_cache_time > 60 )
	1879	last_printer_reload_time = t - printcap_cache_time + 60;
	1880	else
	1881	last_printer_reload_time = t;
	1882	}
	1883
	1884	if (mypid != getpid()) { /* First time or fork happened meanwhile */
	1885	/* randomize over 60 second the printcap reload to avoid all
	1886	* process hitting cupsd at the same time */
	1887	int time_range = 60;
	1888
	1889	last_printer_reload_time += random() % time_range;
	1890	mypid = getpid();
	1891	}
	1892
	1893	if (reload_after_sighup \|\| (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK)) {
	1894	reload_services(True);
	1895	reload_after_sighup = False;
	1896	last_smb_conf_reload_time = t;
	1897	}
	1898
	1899	/* 'printcap cache time = 0' disable the feature */
	1900
	1901	if ( printcap_cache_time != 0 )
	1902	{
	1903	/* see if it's time to reload or if the clock has been set back */
	1904
	1905	if ( (t >= last_printer_reload_time+printcap_cache_time)
	1906	\|\| (t-last_printer_reload_time < 0) )
	1907	{
	1908	DEBUG( 3,( "Printcap cache time expired.\n"));
	1909	reload_printers();
	1910	last_printer_reload_time = t;
	1911	}
	1912	}
	1913	}
	1914
	1915	/****************************************************************************
	1916	Process any timeout housekeeping. Return False if the caller should exit.
	1917	****************************************************************************/
	1918
	1919	static void timeout_processing(int *select_timeout,
	1920	time_t *last_timeout_processing_time)
	1921	{
	1922	time_t t;
	1923
	1924	*last_timeout_processing_time = t = time(NULL);
	1925
	1926	/* become root again if waiting */
	1927	change_to_root_user();
	1928
	1929	/* check if we need to reload services */
	1930	check_reload(t);
	1931
	1932	if(global_machine_password_needs_changing &&
	1933	/* for ADS we need to do a regular ADS password change, not a domain
	1934	password change */
	1935	lp_security() == SEC_DOMAIN) {
	1936
	1937	unsigned char trust_passwd_hash[16];
	1938	time_t lct;
	1939	void *lock;
	1940
	1941	/*
	1942	* We're in domain level security, and the code that
	1943	* read the machine password flagged that the machine
	1944	* password needs changing.
	1945	*/
	1946
	1947	/*
	1948	* First, open the machine password file with an exclusive lock.
	1949	*/
	1950
	1951	lock = secrets_get_trust_account_lock(NULL, lp_workgroup());
	1952
	1953	if (lock == NULL) {
	1954	DEBUG(0,("process: unable to lock the machine account password for \
	1955	machine %s in domain %s.\n", global_myname(), lp_workgroup() ));
	1956	return;
	1957	}
	1958
	1959	if(!secrets_fetch_trust_account_password(lp_workgroup(), trust_passwd_hash, &lct, NULL)) {
	1960	DEBUG(0,("process: unable to read the machine account password for \
	1961	machine %s in domain %s.\n", global_myname(), lp_workgroup()));
	1962	TALLOC_FREE(lock);
	1963	return;
	1964	}
	1965
	1966	/*
	1967	* Make sure someone else hasn't already done this.
	1968	*/
	1969
	1970	if(t < lct + lp_machine_password_timeout()) {
	1971	global_machine_password_needs_changing = False;
	1972	TALLOC_FREE(lock);
	1973	return;
	1974	}
	1975
	1976	/* always just contact the PDC here */
	1977
	1978	change_trust_account_password( lp_workgroup(), NULL);
	1979	global_machine_password_needs_changing = False;
	1980	TALLOC_FREE(lock);
	1981	}
	1982
	1983	/* update printer queue caches if necessary */
	1984
	1985	update_monitored_printq_cache();
	1986
	1987	/*
	1988	* Now we are root, check if the log files need pruning.
	1989	* Force a log file check.
	1990	*/
	1991	force_check_log_size();
	1992	check_log_size();
	1993
	1994	/* Send any queued printer notify message to interested smbd's. */
	1995
	1996	print_notify_send_messages(smbd_messaging_context(), 0);
	1997
	1998	/*
	1999	* Modify the select timeout depending upon
	2000	* what we have remaining in our queues.
	2001	*/
	2002
	2003	*select_timeout = setup_select_timeout();
	2004
	2005	return;
	2006	}
	2007
	2008	/****************************************************************************
	2009	Process commands from the client
	2010	****************************************************************************/
	2011
	2012	void smbd_process(void)
	2013	{
	2014	time_t last_timeout_processing_time = time(NULL);
	2015	unsigned int num_smbs = 0;
	2016	size_t unread_bytes = 0;
	2017
	2018	max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
	2019
	2020	while (True) {
	2021	int select_timeout = setup_select_timeout();
	2022	int num_echos;
	2023	char *inbuf = NULL;
	2024	size_t inbuf_len = 0;
	2025	bool encrypted = false;
	2026	TALLOC_CTX *frame = talloc_stackframe_pool(8192);
	2027
	2028	errno = 0;
	2029
	2030	/* Did someone ask for immediate checks on things like blocking locks ? */
	2031	if (select_timeout == 0) {
	2032	timeout_processing(&select_timeout,
	2033	&last_timeout_processing_time);
	2034	num_smbs = 0; /* Reset smb counter. */
	2035	}
	2036
	2037	run_events(smbd_event_context(), 0, NULL, NULL);
	2038
	2039	while (True) {
	2040	NTSTATUS status;
	2041
	2042	status = receive_message_or_smb(
	2043	talloc_tos(), &inbuf, &inbuf_len,
	2044	select_timeout, &unread_bytes, &encrypted);
	2045
	2046	if (NT_STATUS_IS_OK(status)) {
	2047	break;
	2048	}
	2049
	2050	if (NT_STATUS_EQUAL(status, NT_STATUS_IO_TIMEOUT)) {
	2051	timeout_processing(
	2052	&select_timeout,
	2053	&last_timeout_processing_time);
	2054	continue;
	2055	}
	2056
	2057	DEBUG(3, ("receive_message_or_smb failed: %s, "
	2058	"exiting\n", nt_errstr(status)));
	2059	return;
	2060
	2061	num_smbs = 0; /* Reset smb counter. */
	2062	}
	2063
	2064
	2065	/*
	2066	* Ensure we do timeout processing if the SMB we just got was
	2067	* only an echo request. This allows us to set the select
	2068	* timeout in 'receive_message_or_smb()' to any value we like
	2069	* without worrying that the client will send echo requests
	2070	* faster than the select timeout, thus starving out the
	2071	* essential processing (change notify, blocking locks) that
	2072	* the timeout code does. JRA.
	2073	*/
	2074	num_echos = smb_echo_count;
	2075
	2076	process_smb(inbuf, inbuf_len, unread_bytes, encrypted);
	2077
	2078	TALLOC_FREE(inbuf);
	2079
	2080	if (smb_echo_count != num_echos) {
	2081	timeout_processing(&select_timeout,
	2082	&last_timeout_processing_time);
	2083	num_smbs = 0; /* Reset smb counter. */
	2084	}
	2085
	2086	num_smbs++;
	2087
	2088	/*
	2089	* If we are getting smb requests in a constant stream
	2090	* with no echos, make sure we attempt timeout processing
	2091	* every select_timeout milliseconds - but only check for this
	2092	* every 200 smb requests.
	2093	*/
	2094
	2095	if ((num_smbs % 200) == 0) {
	2096	time_t new_check_time = time(NULL);
	2097	if(new_check_time - last_timeout_processing_time >= (select_timeout/1000)) {
	2098	timeout_processing(
	2099	&select_timeout,
	2100	&last_timeout_processing_time);
	2101	num_smbs = 0; /* Reset smb counter. */
	2102	last_timeout_processing_time = new_check_time; /* Reset time. */
	2103	}
	2104	}
	2105
	2106	/* The timeout_processing function isn't run nearly
	2107	often enough to implement 'max log size' without
	2108	overrunning the size of the file by many megabytes.
	2109	This is especially true if we are running at debug
	2110	level 10. Checking every 50 SMBs is a nice
	2111	tradeoff of performance vs log file size overrun. */
	2112
	2113	if ((num_smbs % 50) == 0 && need_to_check_log_size()) {
	2114	change_to_root_user();
	2115	check_log_size();
	2116	}
	2117	TALLOC_FREE(frame);
	2118	}
	2119	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: