Context Navigation

process.c@ 733

Visit:

Last change on this file since 733 was 733, checked in by Silvan Scherrer, 13 years ago
Samba Server 3.5: update branche to 3.5.13
File size: 70.1 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	process incoming packets - main loop
4	Copyright (C) Andrew Tridgell 1992-1998
5	Copyright (C) Volker Lendecke 2005-2007
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>.
19	*/
20
21	#include "includes.h"
22	#include "smbd/globals.h"
23	#include "../librpc/gen_ndr/srv_dfs.h"
24	#include "../librpc/gen_ndr/srv_dssetup.h"
25	#include "../librpc/gen_ndr/srv_echo.h"
26	#include "../librpc/gen_ndr/srv_eventlog.h"
27	#include "../librpc/gen_ndr/srv_initshutdown.h"
28	#include "../librpc/gen_ndr/srv_lsa.h"
29	#include "../librpc/gen_ndr/srv_netlogon.h"
30	#include "../librpc/gen_ndr/srv_ntsvcs.h"
31	#include "../librpc/gen_ndr/srv_samr.h"
32	#include "../librpc/gen_ndr/srv_spoolss.h"
33	#include "../librpc/gen_ndr/srv_srvsvc.h"
34	#include "../librpc/gen_ndr/srv_svcctl.h"
35	#include "../librpc/gen_ndr/srv_winreg.h"
36	#include "../librpc/gen_ndr/srv_wkssvc.h"
37
38	extern bool global_machine_password_needs_changing;
39
40	static void construct_reply_common(struct smb_request req, const char inbuf,
41	char *outbuf);
42
43	/* Accessor function for smb_read_error for smbd functions. */
44
45	/****************************************************************************
46	Send an smb to a fd.
47	****************************************************************************/
48
49	bool srv_send_smb(int fd, char *buffer,
50	bool do_signing, uint32_t seqnum,
51	bool do_encrypt,
52	struct smb_perfcount_data *pcd)
53	{
54	size_t len = 0;
55	size_t nwritten=0;
56	ssize_t ret;
57	char *buf_out = buffer;
58
59	if (do_signing) {
60	/* Sign the outgoing packet if required. */
61	srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
62	}
63
64	if (do_encrypt) {
65	NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
66	if (!NT_STATUS_IS_OK(status)) {
67	DEBUG(0, ("send_smb: SMB encryption failed "
68	"on outgoing packet! Error %s\n",
69	nt_errstr(status) ));
70	goto out;
71	}
72	}
73
74	len = smb_len(buf_out) + 4;
75
76	ret = write_data(fd,buf_out+nwritten,len - nwritten);
77	if (ret <= 0) {
78	DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
79	(int)len,(int)ret, strerror(errno) ));
80	srv_free_enc_buffer(buf_out);
81	goto out;
82	}
83
84	SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
85	srv_free_enc_buffer(buf_out);
86	out:
87	SMB_PERFCOUNT_END(pcd);
88	return true;
89	}
90
91	/*******************************************************************
92	Setup the word count and byte count for a smb message.
93	********************************************************************/
94
95	int srv_set_message(char *buf,
96	int num_words,
97	int num_bytes,
98	bool zero)
99	{
100	if (zero && (num_words \|\| num_bytes)) {
101	memset(buf + smb_size,'\0',num_words*2 + num_bytes);
102	}
103	SCVAL(buf,smb_wct,num_words);
104	SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
105	smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
106	return (smb_size + num_words*2 + num_bytes);
107	}
108
109	static bool valid_smb_header(const uint8_t *inbuf)
110	{
111	if (is_encrypted_packet(inbuf)) {
112	return true;
113	}
114	/*
115	* This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
116	* but it just looks weird to call strncmp for this one.
117	*/
118	return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
119	}
120
121	/* Socket functions for smbd packet processing. */
122
123	static bool valid_packet_size(size_t len)
124	{
125	/*
126	* A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
127	* of header. Don't print the error if this fits.... JRA.
128	*/
129
130	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
131	DEBUG(0,("Invalid packet length! (%lu bytes).\n",
132	(unsigned long)len));
133	return false;
134	}
135	return true;
136	}
137
138	static NTSTATUS read_packet_remainder(int fd, char *buffer,
139	unsigned int timeout, ssize_t len)
140	{
141	if (len <= 0) {
142	return NT_STATUS_OK;
143	}
144
145	return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
146	}
147
148	/****************************************************************************
149	Attempt a zerocopy writeX read. We know here that len > smb_size-4
150	****************************************************************************/
151
152	/*
153	* Unfortunately, earlier versions of smbclient/libsmbclient
154	* don't send this "standard" writeX header. I've fixed this
155	* for 3.2 but we'll use the old method with earlier versions.
156	* Windows and CIFSFS at least use this standard size. Not
157	* sure about MacOSX.
158	*/
159
160	#define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
161	(214) + / word count (including bcc) */ \
162	1 /* pad byte */)
163
164	static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
165	const char lenbuf[4],
166	int fd, char **buffer,
167	unsigned int timeout,
168	size_t *p_unread,
169	size_t *len_ret)
170	{
171	/* Size of a WRITEX call (+4 byte len). */
172	char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
173	ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
174	ssize_t toread;
175	NTSTATUS status;
176
177	memcpy(writeX_header, lenbuf, 4);
178
179	status = read_fd_with_timeout(
180	fd, writeX_header + 4,
181	STANDARD_WRITE_AND_X_HEADER_SIZE,
182	STANDARD_WRITE_AND_X_HEADER_SIZE,
183	timeout, NULL);
184
185	if (!NT_STATUS_IS_OK(status)) {
186	return status;
187	}
188
189	/*
190	* Ok - now try and see if this is a possible
191	* valid writeX call.
192	*/
193
194	if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
195	/*
196	* If the data offset is beyond what
197	* we've read, drain the extra bytes.
198	*/
199	uint16_t doff = SVAL(writeX_header,smb_vwv11);
200	ssize_t newlen;
201
202	if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
203	size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
204	if (drain_socket(smbd_server_fd(), drain) != drain) {
205	smb_panic("receive_smb_raw_talloc_partial_read:"
206	" failed to drain pending bytes");
207	}
208	} else {
209	doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
210	}
211
212	/* Spoof down the length and null out the bcc. */
213	set_message_bcc(writeX_header, 0);
214	newlen = smb_len(writeX_header);
215
216	/* Copy the header we've written. */
217
218	buffer = (char )TALLOC_MEMDUP(mem_ctx,
219	writeX_header,
220	sizeof(writeX_header));
221
222	if (*buffer == NULL) {
223	DEBUG(0, ("Could not allocate inbuf of length %d\n",
224	(int)sizeof(writeX_header)));
225	return NT_STATUS_NO_MEMORY;
226	}
227
228	/* Work out the remaining bytes. */
229	*p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
230	*len_ret = newlen + 4;
231	return NT_STATUS_OK;
232	}
233
234	if (!valid_packet_size(len)) {
235	return NT_STATUS_INVALID_PARAMETER;
236	}
237
238	/*
239	* Not a valid writeX call. Just do the standard
240	* talloc and return.
241	*/
242
243	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
244
245	if (*buffer == NULL) {
246	DEBUG(0, ("Could not allocate inbuf of length %d\n",
247	(int)len+4));
248	return NT_STATUS_NO_MEMORY;
249	}
250
251	/* Copy in what we already read. */
252	memcpy(*buffer,
253	writeX_header,
254	4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
255	toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
256
257	if(toread > 0) {
258	status = read_packet_remainder(
259	fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
260	timeout, toread);
261
262	if (!NT_STATUS_IS_OK(status)) {
263	DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
264	nt_errstr(status)));
265	return status;
266	}
267	}
268
269	*len_ret = len + 4;
270	return NT_STATUS_OK;
271	}
272
273	static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
274	char **buffer, unsigned int timeout,
275	size_t p_unread, size_t plen)
276	{
277	char lenbuf[4];
278	size_t len;
279	int min_recv_size = lp_min_receive_file_size();
280	NTSTATUS status;
281
282	*p_unread = 0;
283
284	status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
285	if (!NT_STATUS_IS_OK(status)) {
286	DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
287	return status;
288	}
289
290	if (CVAL(lenbuf,0) == 0 && min_recv_size &&
291	(smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
292	(min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
293	!srv_is_signing_active(smbd_server_conn)) {
294
295	return receive_smb_raw_talloc_partial_read(
296	mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
297	}
298
299	if (!valid_packet_size(len)) {
300	return NT_STATUS_INVALID_PARAMETER;
301	}
302
303	/*
304	* The +4 here can't wrap, we've checked the length above already.
305	*/
306
307	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
308
309	if (*buffer == NULL) {
310	DEBUG(0, ("Could not allocate inbuf of length %d\n",
311	(int)len+4));
312	return NT_STATUS_NO_MEMORY;
313	}
314
315	memcpy(*buffer, lenbuf, sizeof(lenbuf));
316
317	status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
318	if (!NT_STATUS_IS_OK(status)) {
319	return status;
320	}
321
322	*plen = len + 4;
323	return NT_STATUS_OK;
324	}
325
326	static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
327	char **buffer, unsigned int timeout,
328	size_t p_unread, bool p_encrypted,
329	size_t *p_len,
330	uint32_t *seqnum)
331	{
332	size_t len = 0;
333	NTSTATUS status;
334
335	*p_encrypted = false;
336
337	status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
338	p_unread, &len);
339	if (!NT_STATUS_IS_OK(status)) {
340	return status;
341	}
342
343	if (is_encrypted_packet((uint8_t )buffer)) {
344	status = srv_decrypt_buffer(*buffer);
345	if (!NT_STATUS_IS_OK(status)) {
346	DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
347	"incoming packet! Error %s\n",
348	nt_errstr(status) ));
349	return status;
350	}
351	*p_encrypted = true;
352	}
353
354	/* Check the incoming SMB signature. */
355	if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
356	DEBUG(0, ("receive_smb: SMB Signature verification failed on "
357	"incoming packet!\n"));
358	return NT_STATUS_INVALID_NETWORK_RESPONSE;
359	}
360
361	*p_len = len;
362	return NT_STATUS_OK;
363	}
364
365	/*
366	* Initialize a struct smb_request from an inbuf
367	*/
368
369	void init_smb_request(struct smb_request *req,
370	const uint8 *inbuf,
371	size_t unread_bytes,
372	bool encrypted)
373	{
374	struct smbd_server_connection *sconn = smbd_server_conn;
375	size_t req_size = smb_len(inbuf) + 4;
376	/* Ensure we have at least smb_size bytes. */
377	if (req_size < smb_size) {
378	DEBUG(0,("init_smb_request: invalid request size %u\n",
379	(unsigned int)req_size ));
380	exit_server_cleanly("Invalid SMB request");
381	}
382	req->cmd = CVAL(inbuf, smb_com);
383	req->flags2 = SVAL(inbuf, smb_flg2);
384	req->smbpid = SVAL(inbuf, smb_pid);
385	req->mid = SVAL(inbuf, smb_mid);
386	req->seqnum = 0;
387	req->vuid = SVAL(inbuf, smb_uid);
388	req->tid = SVAL(inbuf, smb_tid);
389	req->wct = CVAL(inbuf, smb_wct);
390	req->vwv = (uint16_t *)(inbuf+smb_vwv);
391	req->buflen = smb_buflen(inbuf);
392	req->buf = (const uint8_t *)smb_buf(inbuf);
393	req->unread_bytes = unread_bytes;
394	req->encrypted = encrypted;
395	req->conn = conn_find(sconn,req->tid);
396	req->chain_fsp = NULL;
397	req->chain_outbuf = NULL;
398	req->done = false;
399	smb_init_perfcount_data(&req->pcd);
400
401	/* Ensure we have at least wct words and 2 bytes of bcc. */
402	if (smb_size + req->wct*2 > req_size) {
403	DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
404	(unsigned int)req->wct,
405	(unsigned int)req_size));
406	exit_server_cleanly("Invalid SMB request");
407	}
408	/* Ensure bcc is correct. */
409	if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
410	DEBUG(0,("init_smb_request: invalid bcc number %u "
411	"(wct = %u, size %u)\n",
412	(unsigned int)req->buflen,
413	(unsigned int)req->wct,
414	(unsigned int)req_size));
415	exit_server_cleanly("Invalid SMB request");
416	}
417
418	req->outbuf = NULL;
419	}
420
421	static void process_smb(struct smbd_server_connection *conn,
422	uint8_t *inbuf, size_t nread, size_t unread_bytes,
423	uint32_t seqnum, bool encrypted,
424	struct smb_perfcount_data *deferred_pcd);
425
426	static void smbd_deferred_open_timer(struct event_context *ev,
427	struct timed_event *te,
428	struct timeval _tval,
429	void *private_data)
430	{
431	struct pending_message_list *msg = talloc_get_type(private_data,
432	struct pending_message_list);
433	TALLOC_CTX *mem_ctx = talloc_tos();
434	uint16_t mid = SVAL(msg->buf.data,smb_mid);
435	uint8_t *inbuf;
436
437	inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
438	msg->buf.length);
439	if (inbuf == NULL) {
440	exit_server("smbd_deferred_open_timer: talloc failed\n");
441	return;
442	}
443
444	/* We leave this message on the queue so the open code can
445	know this is a retry. */
446	DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
447	(unsigned int)mid ));
448
449	/* Mark the message as processed so this is not
450	* re-processed in error. */
451	msg->processed = true;
452
453	process_smb(smbd_server_conn, inbuf,
454	msg->buf.length, 0,
455	msg->seqnum, msg->encrypted, &msg->pcd);
456
457	/* If it's still there and was processed, remove it. */
458	msg = get_open_deferred_message(mid);
459	if (msg && msg->processed) {
460	remove_deferred_open_smb_message(mid);
461	}
462	}
463
464	/****************************************************************************
465	Function to push a message onto the tail of a linked list of smb messages ready
466	for processing.
467	****************************************************************************/
468
469	static bool push_queued_message(struct smb_request *req,
470	struct timeval request_time,
471	struct timeval end_time,
472	char *private_data, size_t private_len)
473	{
474	int msg_len = smb_len(req->inbuf) + 4;
475	struct pending_message_list *msg;
476
477	msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
478
479	if(msg == NULL) {
480	DEBUG(0,("push_message: malloc fail (1)\n"));
481	return False;
482	}
483
484	msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
485	if(msg->buf.data == NULL) {
486	DEBUG(0,("push_message: malloc fail (2)\n"));
487	TALLOC_FREE(msg);
488	return False;
489	}
490
491	msg->request_time = request_time;
492	msg->seqnum = req->seqnum;
493	msg->encrypted = req->encrypted;
494	msg->processed = false;
495	SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
496
497	if (private_data) {
498	msg->private_data = data_blob_talloc(msg, private_data,
499	private_len);
500	if (msg->private_data.data == NULL) {
501	DEBUG(0,("push_message: malloc fail (3)\n"));
502	TALLOC_FREE(msg);
503	return False;
504	}
505	}
506
507	msg->te = event_add_timed(smbd_event_context(),
508	msg,
509	end_time,
510	smbd_deferred_open_timer,
511	msg);
512	if (!msg->te) {
513	DEBUG(0,("push_message: event_add_timed failed\n"));
514	TALLOC_FREE(msg);
515	return false;
516	}
517
518	DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
519
520	DEBUG(10,("push_message: pushed message length %u on "
521	"deferred_open_queue\n", (unsigned int)msg_len));
522
523	return True;
524	}
525
526	/****************************************************************************
527	Function to delete a sharing violation open message by mid.
528	****************************************************************************/
529
530	void remove_deferred_open_smb_message(uint16 mid)
531	{
532	struct pending_message_list *pml;
533
534	for (pml = deferred_open_queue; pml; pml = pml->next) {
535	if (mid == SVAL(pml->buf.data,smb_mid)) {
536	DEBUG(10,("remove_deferred_open_smb_message: "
537	"deleting mid %u len %u\n",
538	(unsigned int)mid,
539	(unsigned int)pml->buf.length ));
540	DLIST_REMOVE(deferred_open_queue, pml);
541	TALLOC_FREE(pml);
542	return;
543	}
544	}
545	}
546
547	/****************************************************************************
548	Move a sharing violation open retry message to the front of the list and
549	schedule it for immediate processing.
550	****************************************************************************/
551
552	void schedule_deferred_open_smb_message(uint16 mid)
553	{
554	struct pending_message_list *pml;
555	int i = 0;
556
557	for (pml = deferred_open_queue; pml; pml = pml->next) {
558	uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
559
560	DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
561	(unsigned int)msg_mid ));
562
563	if (mid == msg_mid) {
564	struct timed_event *te;
565
566	if (pml->processed) {
567	/* A processed message should not be
568	* rescheduled. */
569	DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
570	"message mid %u was already processed\n",
571	msg_mid ));
572	continue;
573	}
574
575	DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
576	mid ));
577
578	te = event_add_timed(smbd_event_context(),
579	pml,
580	timeval_zero(),
581	smbd_deferred_open_timer,
582	pml);
583	if (!te) {
584	DEBUG(10,("schedule_deferred_open_smb_message: "
585	"event_add_timed() failed, skipping mid %u\n",
586	mid ));
587	}
588
589	TALLOC_FREE(pml->te);
590	pml->te = te;
591	DLIST_PROMOTE(deferred_open_queue, pml);
592	return;
593	}
594	}
595
596	DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
597	mid ));
598	}
599
600	/****************************************************************************
601	Return true if this mid is on the deferred queue and was not yet processed.
602	****************************************************************************/
603
604	bool open_was_deferred(uint16 mid)
605	{
606	struct pending_message_list *pml;
607
608	for (pml = deferred_open_queue; pml; pml = pml->next) {
609	if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
610	return True;
611	}
612	}
613	return False;
614	}
615
616	/****************************************************************************
617	Return the message queued by this mid.
618	****************************************************************************/
619
620	struct pending_message_list *get_open_deferred_message(uint16 mid)
621	{
622	struct pending_message_list *pml;
623
624	for (pml = deferred_open_queue; pml; pml = pml->next) {
625	if (SVAL(pml->buf.data,smb_mid) == mid) {
626	return pml;
627	}
628	}
629	return NULL;
630	}
631
632	/****************************************************************************
633	Function to push a deferred open smb message onto a linked list of local smb
634	messages ready for processing.
635	****************************************************************************/
636
637	bool push_deferred_smb_message(struct smb_request *req,
638	struct timeval request_time,
639	struct timeval timeout,
640	char *private_data, size_t priv_len)
641	{
642	struct timeval end_time;
643
644	if (req->unread_bytes) {
645	DEBUG(0,("push_deferred_smb_message: logic error ! "
646	"unread_bytes = %u\n",
647	(unsigned int)req->unread_bytes ));
648	smb_panic("push_deferred_smb_message: "
649	"logic error unread_bytes != 0" );
650	}
651
652	end_time = timeval_sum(&request_time, &timeout);
653
654	DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
655	"timeout time [%u.%06u]\n",
656	(unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
657	(unsigned int)end_time.tv_sec,
658	(unsigned int)end_time.tv_usec));
659
660	return push_queued_message(req, request_time, end_time,
661	private_data, priv_len);
662	}
663
664	struct idle_event {
665	struct timed_event *te;
666	struct timeval interval;
667	char *name;
668	bool (handler)(const struct timeval now, void *private_data);
669	void *private_data;
670	};
671
672	static void smbd_idle_event_handler(struct event_context *ctx,
673	struct timed_event *te,
674	struct timeval now,
675	void *private_data)
676	{
677	struct idle_event *event =
678	talloc_get_type_abort(private_data, struct idle_event);
679
680	TALLOC_FREE(event->te);
681
682	DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
683	event->name, event->te));
684
685	if (!event->handler(&now, event->private_data)) {
686	DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
687	event->name, event->te));
688	/* Don't repeat, delete ourselves */
689	TALLOC_FREE(event);
690	return;
691	}
692
693	DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
694	event->name, event->te));
695
696	event->te = event_add_timed(ctx, event,
697	timeval_sum(&now, &event->interval),
698	smbd_idle_event_handler, event);
699
700	/* We can't do much but fail here. */
701	SMB_ASSERT(event->te != NULL);
702	}
703
704	struct idle_event event_add_idle(struct event_context event_ctx,
705	TALLOC_CTX *mem_ctx,
706	struct timeval interval,
707	const char *name,
708	bool (handler)(const struct timeval now,
709	void *private_data),
710	void *private_data)
711	{
712	struct idle_event *result;
713	struct timeval now = timeval_current();
714
715	result = TALLOC_P(mem_ctx, struct idle_event);
716	if (result == NULL) {
717	DEBUG(0, ("talloc failed\n"));
718	return NULL;
719	}
720
721	result->interval = interval;
722	result->handler = handler;
723	result->private_data = private_data;
724
725	if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
726	DEBUG(0, ("talloc failed\n"));
727	TALLOC_FREE(result);
728	return NULL;
729	}
730
731	result->te = event_add_timed(event_ctx, result,
732	timeval_sum(&now, &interval),
733	smbd_idle_event_handler, result);
734	if (result->te == NULL) {
735	DEBUG(0, ("event_add_timed failed\n"));
736	TALLOC_FREE(result);
737	return NULL;
738	}
739
740	DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
741	return result;
742	}
743
744	static void smbd_sig_term_handler(struct tevent_context *ev,
745	struct tevent_signal *se,
746	int signum,
747	int count,
748	void *siginfo,
749	void *private_data)
750	{
751	exit_server_cleanly("termination signal");
752	}
753
754	void smbd_setup_sig_term_handler(void)
755	{
756	struct tevent_signal *se;
757
758	se = tevent_add_signal(smbd_event_context(),
759	smbd_event_context(),
760	SIGTERM, 0,
761	smbd_sig_term_handler,
762	NULL);
763	if (!se) {
764	exit_server("failed to setup SIGTERM handler");
765	}
766	}
767
768	static void smbd_sig_hup_handler(struct tevent_context *ev,
769	struct tevent_signal *se,
770	int signum,
771	int count,
772	void *siginfo,
773	void *private_data)
774	{
775	change_to_root_user();
776	DEBUG(1,("Reloading services after SIGHUP\n"));
777	reload_services(False);
778	}
779
780	void smbd_setup_sig_hup_handler(void)
781	{
782	struct tevent_signal *se;
783
784	se = tevent_add_signal(smbd_event_context(),
785	smbd_event_context(),
786	SIGHUP, 0,
787	smbd_sig_hup_handler,
788	NULL);
789	if (!se) {
790	exit_server("failed to setup SIGHUP handler");
791	}
792	}
793
794	static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
795	{
796	fd_set r_fds, w_fds;
797	int selrtn;
798	struct timeval to;
799	int maxfd = 0;
800
801	to.tv_sec = SMBD_SELECT_TIMEOUT;
802	to.tv_usec = 0;
803
804	/*
805	* Setup the select fd sets.
806	*/
807
808	FD_ZERO(&r_fds);
809	FD_ZERO(&w_fds);
810
811	/*
812	* Are there any timed events waiting ? If so, ensure we don't
813	* select for longer than it would take to wait for them.
814	*/
815
816	{
817	struct timeval now;
818	GetTimeOfDay(&now);
819
820	event_add_to_select_args(smbd_event_context(), &now,
821	&r_fds, &w_fds, &to, &maxfd);
822	}
823
824	/* Process a signal and timed events now... */
825	if (run_events(smbd_event_context(), 0, NULL, NULL)) {
826	return NT_STATUS_RETRY;
827	}
828
829	{
830	int sav;
831	START_PROFILE(smbd_idle);
832
833	selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
834	sav = errno;
835
836	END_PROFILE(smbd_idle);
837	errno = sav;
838	}
839
840	if (selrtn == -1 && errno != EINTR) {
841	return map_nt_error_from_unix(errno);
842	}
843
844	if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
845	return NT_STATUS_RETRY;
846	}
847
848	/* Check if error */
849	if (selrtn == -1) {
850	/* something is wrong. Maybe the socket is dead? */
851	return map_nt_error_from_unix(errno);
852	}
853
854	/* Did we timeout ? */
855	if (selrtn == 0) {
856	return NT_STATUS_RETRY;
857	}
858
859	/* should not be reached */
860	return NT_STATUS_INTERNAL_ERROR;
861	}
862
863	/*
864	* Only allow 5 outstanding trans requests. We're allocating memory, so
865	* prevent a DoS.
866	*/
867
868	NTSTATUS allow_new_trans(struct trans_state *list, int mid)
869	{
870	int count = 0;
871	for (; list != NULL; list = list->next) {
872
873	if (list->mid == mid) {
874	return NT_STATUS_INVALID_PARAMETER;
875	}
876
877	count += 1;
878	}
879	if (count > 5) {
880	return NT_STATUS_INSUFFICIENT_RESOURCES;
881	}
882
883	return NT_STATUS_OK;
884	}
885
886	/*
887	These flags determine some of the permissions required to do an operation
888
889	Note that I don't set NEED_WRITE on some write operations because they
890	are used by some brain-dead clients when printing, and I don't want to
891	force write permissions on print services.
892	*/
893	#define AS_USER (1<<0)
894	#define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
895	#define TIME_INIT (1<<2)
896	#define CAN_IPC (1<<3) /* Must be paired with AS_USER */
897	#define AS_GUEST (1<<5) /* Must NOT be paired with AS_USER */
898	#define DO_CHDIR (1<<6)
899
900	/*
901	define a list of possible SMB messages and their corresponding
902	functions. Any message that has a NULL function is unimplemented -
903	please feel free to contribute implementations!
904	*/
905	static const struct smb_message_struct {
906	const char *name;
907	void (fn)(struct smb_request req);
908	int flags;
909	} smb_messages[256] = {
910
911	/* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER \| NEED_WRITE},
912	/* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER \| NEED_WRITE},
913	/* 0x02 */ { "SMBopen",reply_open,AS_USER },
914	/* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
915	/* 0x04 */ { "SMBclose",reply_close,AS_USER \| CAN_IPC },
916	/* 0x05 */ { "SMBflush",reply_flush,AS_USER},
917	/* 0x06 */ { "SMBunlink",reply_unlink,AS_USER \| NEED_WRITE },
918	/* 0x07 */ { "SMBmv",reply_mv,AS_USER \| NEED_WRITE },
919	/* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
920	/* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER \| NEED_WRITE},
921	/* 0x0a */ { "SMBread",reply_read,AS_USER},
922	/* 0x0b */ { "SMBwrite",reply_write,AS_USER \| CAN_IPC },
923	/* 0x0c */ { "SMBlock",reply_lock,AS_USER},
924	/* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
925	/* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
926	/* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
927	/* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
928	/* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
929	/* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
930	/* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
931	/* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
932	/* 0x15 */ { NULL, NULL, 0 },
933	/* 0x16 */ { NULL, NULL, 0 },
934	/* 0x17 */ { NULL, NULL, 0 },
935	/* 0x18 */ { NULL, NULL, 0 },
936	/* 0x19 */ { NULL, NULL, 0 },
937	/* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
938	/* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
939	/* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
940	/* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
941	/* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
942	/* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
943	/* 0x20 */ { "SMBwritec", NULL,0},
944	/* 0x21 */ { NULL, NULL, 0 },
945	/* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER \| NEED_WRITE },
946	/* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
947	/* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
948	/* 0x25 */ { "SMBtrans",reply_trans,AS_USER \| CAN_IPC },
949	/* 0x26 */ { "SMBtranss",reply_transs,AS_USER \| CAN_IPC},
950	/* 0x27 */ { "SMBioctl",reply_ioctl,0},
951	/* 0x28 */ { "SMBioctls", NULL,AS_USER},
952	/* 0x29 */ { "SMBcopy",reply_copy,AS_USER \| NEED_WRITE },
953	/* 0x2a */ { "SMBmove", NULL,AS_USER \| NEED_WRITE },
954	/* 0x2b */ { "SMBecho",reply_echo,0},
955	/* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
956	/* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER \| CAN_IPC },
957	/* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER \| CAN_IPC },
958	/* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER \| CAN_IPC },
959	/* 0x30 */ { NULL, NULL, 0 },
960	/* 0x31 */ { NULL, NULL, 0 },
961	/* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER \| CAN_IPC },
962	/* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER \| CAN_IPC },
963	/* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
964	/* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
965	/* 0x36 */ { NULL, NULL, 0 },
966	/* 0x37 */ { NULL, NULL, 0 },
967	/* 0x38 */ { NULL, NULL, 0 },
968	/* 0x39 */ { NULL, NULL, 0 },
969	/* 0x3a */ { NULL, NULL, 0 },
970	/* 0x3b */ { NULL, NULL, 0 },
971	/* 0x3c */ { NULL, NULL, 0 },
972	/* 0x3d */ { NULL, NULL, 0 },
973	/* 0x3e */ { NULL, NULL, 0 },
974	/* 0x3f */ { NULL, NULL, 0 },
975	/* 0x40 */ { NULL, NULL, 0 },
976	/* 0x41 */ { NULL, NULL, 0 },
977	/* 0x42 */ { NULL, NULL, 0 },
978	/* 0x43 */ { NULL, NULL, 0 },
979	/* 0x44 */ { NULL, NULL, 0 },
980	/* 0x45 */ { NULL, NULL, 0 },
981	/* 0x46 */ { NULL, NULL, 0 },
982	/* 0x47 */ { NULL, NULL, 0 },
983	/* 0x48 */ { NULL, NULL, 0 },
984	/* 0x49 */ { NULL, NULL, 0 },
985	/* 0x4a */ { NULL, NULL, 0 },
986	/* 0x4b */ { NULL, NULL, 0 },
987	/* 0x4c */ { NULL, NULL, 0 },
988	/* 0x4d */ { NULL, NULL, 0 },
989	/* 0x4e */ { NULL, NULL, 0 },
990	/* 0x4f */ { NULL, NULL, 0 },
991	/* 0x50 */ { NULL, NULL, 0 },
992	/* 0x51 */ { NULL, NULL, 0 },
993	/* 0x52 */ { NULL, NULL, 0 },
994	/* 0x53 */ { NULL, NULL, 0 },
995	/* 0x54 */ { NULL, NULL, 0 },
996	/* 0x55 */ { NULL, NULL, 0 },
997	/* 0x56 */ { NULL, NULL, 0 },
998	/* 0x57 */ { NULL, NULL, 0 },
999	/* 0x58 */ { NULL, NULL, 0 },
1000	/* 0x59 */ { NULL, NULL, 0 },
1001	/* 0x5a */ { NULL, NULL, 0 },
1002	/* 0x5b */ { NULL, NULL, 0 },
1003	/* 0x5c */ { NULL, NULL, 0 },
1004	/* 0x5d */ { NULL, NULL, 0 },
1005	/* 0x5e */ { NULL, NULL, 0 },
1006	/* 0x5f */ { NULL, NULL, 0 },
1007	/* 0x60 */ { NULL, NULL, 0 },
1008	/* 0x61 */ { NULL, NULL, 0 },
1009	/* 0x62 */ { NULL, NULL, 0 },
1010	/* 0x63 */ { NULL, NULL, 0 },
1011	/* 0x64 */ { NULL, NULL, 0 },
1012	/* 0x65 */ { NULL, NULL, 0 },
1013	/* 0x66 */ { NULL, NULL, 0 },
1014	/* 0x67 */ { NULL, NULL, 0 },
1015	/* 0x68 */ { NULL, NULL, 0 },
1016	/* 0x69 */ { NULL, NULL, 0 },
1017	/* 0x6a */ { NULL, NULL, 0 },
1018	/* 0x6b */ { NULL, NULL, 0 },
1019	/* 0x6c */ { NULL, NULL, 0 },
1020	/* 0x6d */ { NULL, NULL, 0 },
1021	/* 0x6e */ { NULL, NULL, 0 },
1022	/* 0x6f */ { NULL, NULL, 0 },
1023	/* 0x70 */ { "SMBtcon",reply_tcon,0},
1024	/* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1025	/* 0x72 */ { "SMBnegprot",reply_negprot,0},
1026	/* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1027	/* 0x74 / { "SMBulogoffX",reply_ulogoffX, 0}, / ulogoff doesn't give a valid TID */
1028	/* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1029	/* 0x76 */ { NULL, NULL, 0 },
1030	/* 0x77 */ { NULL, NULL, 0 },
1031	/* 0x78 */ { NULL, NULL, 0 },
1032	/* 0x79 */ { NULL, NULL, 0 },
1033	/* 0x7a */ { NULL, NULL, 0 },
1034	/* 0x7b */ { NULL, NULL, 0 },
1035	/* 0x7c */ { NULL, NULL, 0 },
1036	/* 0x7d */ { NULL, NULL, 0 },
1037	/* 0x7e */ { NULL, NULL, 0 },
1038	/* 0x7f */ { NULL, NULL, 0 },
1039	/* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1040	/* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1041	/* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1042	/* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1043	/* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1044	/* 0x85 */ { NULL, NULL, 0 },
1045	/* 0x86 */ { NULL, NULL, 0 },
1046	/* 0x87 */ { NULL, NULL, 0 },
1047	/* 0x88 */ { NULL, NULL, 0 },
1048	/* 0x89 */ { NULL, NULL, 0 },
1049	/* 0x8a */ { NULL, NULL, 0 },
1050	/* 0x8b */ { NULL, NULL, 0 },
1051	/* 0x8c */ { NULL, NULL, 0 },
1052	/* 0x8d */ { NULL, NULL, 0 },
1053	/* 0x8e */ { NULL, NULL, 0 },
1054	/* 0x8f */ { NULL, NULL, 0 },
1055	/* 0x90 */ { NULL, NULL, 0 },
1056	/* 0x91 */ { NULL, NULL, 0 },
1057	/* 0x92 */ { NULL, NULL, 0 },
1058	/* 0x93 */ { NULL, NULL, 0 },
1059	/* 0x94 */ { NULL, NULL, 0 },
1060	/* 0x95 */ { NULL, NULL, 0 },
1061	/* 0x96 */ { NULL, NULL, 0 },
1062	/* 0x97 */ { NULL, NULL, 0 },
1063	/* 0x98 */ { NULL, NULL, 0 },
1064	/* 0x99 */ { NULL, NULL, 0 },
1065	/* 0x9a */ { NULL, NULL, 0 },
1066	/* 0x9b */ { NULL, NULL, 0 },
1067	/* 0x9c */ { NULL, NULL, 0 },
1068	/* 0x9d */ { NULL, NULL, 0 },
1069	/* 0x9e */ { NULL, NULL, 0 },
1070	/* 0x9f */ { NULL, NULL, 0 },
1071	/* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER \| CAN_IPC },
1072	/* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER \| CAN_IPC },
1073	/* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER \| CAN_IPC },
1074	/* 0xa3 */ { NULL, NULL, 0 },
1075	/* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1076	/* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER \| NEED_WRITE },
1077	/* 0xa6 */ { NULL, NULL, 0 },
1078	/* 0xa7 */ { NULL, NULL, 0 },
1079	/* 0xa8 */ { NULL, NULL, 0 },
1080	/* 0xa9 */ { NULL, NULL, 0 },
1081	/* 0xaa */ { NULL, NULL, 0 },
1082	/* 0xab */ { NULL, NULL, 0 },
1083	/* 0xac */ { NULL, NULL, 0 },
1084	/* 0xad */ { NULL, NULL, 0 },
1085	/* 0xae */ { NULL, NULL, 0 },
1086	/* 0xaf */ { NULL, NULL, 0 },
1087	/* 0xb0 */ { NULL, NULL, 0 },
1088	/* 0xb1 */ { NULL, NULL, 0 },
1089	/* 0xb2 */ { NULL, NULL, 0 },
1090	/* 0xb3 */ { NULL, NULL, 0 },
1091	/* 0xb4 */ { NULL, NULL, 0 },
1092	/* 0xb5 */ { NULL, NULL, 0 },
1093	/* 0xb6 */ { NULL, NULL, 0 },
1094	/* 0xb7 */ { NULL, NULL, 0 },
1095	/* 0xb8 */ { NULL, NULL, 0 },
1096	/* 0xb9 */ { NULL, NULL, 0 },
1097	/* 0xba */ { NULL, NULL, 0 },
1098	/* 0xbb */ { NULL, NULL, 0 },
1099	/* 0xbc */ { NULL, NULL, 0 },
1100	/* 0xbd */ { NULL, NULL, 0 },
1101	/* 0xbe */ { NULL, NULL, 0 },
1102	/* 0xbf */ { NULL, NULL, 0 },
1103	/* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1104	/* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1105	/* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1106	/* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1107	/* 0xc4 */ { NULL, NULL, 0 },
1108	/* 0xc5 */ { NULL, NULL, 0 },
1109	/* 0xc6 */ { NULL, NULL, 0 },
1110	/* 0xc7 */ { NULL, NULL, 0 },
1111	/* 0xc8 */ { NULL, NULL, 0 },
1112	/* 0xc9 */ { NULL, NULL, 0 },
1113	/* 0xca */ { NULL, NULL, 0 },
1114	/* 0xcb */ { NULL, NULL, 0 },
1115	/* 0xcc */ { NULL, NULL, 0 },
1116	/* 0xcd */ { NULL, NULL, 0 },
1117	/* 0xce */ { NULL, NULL, 0 },
1118	/* 0xcf */ { NULL, NULL, 0 },
1119	/* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1120	/* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1121	/* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1122	/* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1123	/* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1124	/* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1125	/* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1126	/* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1127	/* 0xd8 */ { NULL, NULL, 0 },
1128	/* 0xd9 */ { NULL, NULL, 0 },
1129	/* 0xda */ { NULL, NULL, 0 },
1130	/* 0xdb */ { NULL, NULL, 0 },
1131	/* 0xdc */ { NULL, NULL, 0 },
1132	/* 0xdd */ { NULL, NULL, 0 },
1133	/* 0xde */ { NULL, NULL, 0 },
1134	/* 0xdf */ { NULL, NULL, 0 },
1135	/* 0xe0 */ { NULL, NULL, 0 },
1136	/* 0xe1 */ { NULL, NULL, 0 },
1137	/* 0xe2 */ { NULL, NULL, 0 },
1138	/* 0xe3 */ { NULL, NULL, 0 },
1139	/* 0xe4 */ { NULL, NULL, 0 },
1140	/* 0xe5 */ { NULL, NULL, 0 },
1141	/* 0xe6 */ { NULL, NULL, 0 },
1142	/* 0xe7 */ { NULL, NULL, 0 },
1143	/* 0xe8 */ { NULL, NULL, 0 },
1144	/* 0xe9 */ { NULL, NULL, 0 },
1145	/* 0xea */ { NULL, NULL, 0 },
1146	/* 0xeb */ { NULL, NULL, 0 },
1147	/* 0xec */ { NULL, NULL, 0 },
1148	/* 0xed */ { NULL, NULL, 0 },
1149	/* 0xee */ { NULL, NULL, 0 },
1150	/* 0xef */ { NULL, NULL, 0 },
1151	/* 0xf0 */ { NULL, NULL, 0 },
1152	/* 0xf1 */ { NULL, NULL, 0 },
1153	/* 0xf2 */ { NULL, NULL, 0 },
1154	/* 0xf3 */ { NULL, NULL, 0 },
1155	/* 0xf4 */ { NULL, NULL, 0 },
1156	/* 0xf5 */ { NULL, NULL, 0 },
1157	/* 0xf6 */ { NULL, NULL, 0 },
1158	/* 0xf7 */ { NULL, NULL, 0 },
1159	/* 0xf8 */ { NULL, NULL, 0 },
1160	/* 0xf9 */ { NULL, NULL, 0 },
1161	/* 0xfa */ { NULL, NULL, 0 },
1162	/* 0xfb */ { NULL, NULL, 0 },
1163	/* 0xfc */ { NULL, NULL, 0 },
1164	/* 0xfd */ { NULL, NULL, 0 },
1165	/* 0xfe */ { NULL, NULL, 0 },
1166	/* 0xff */ { NULL, NULL, 0 }
1167
1168	};
1169
1170	/*******************************************************************
1171	allocate and initialize a reply packet
1172	********************************************************************/
1173
1174	static bool create_outbuf(TALLOC_CTX mem_ctx, struct smb_request req,
1175	const char inbuf, char *outbuf, uint8_t num_words,
1176	uint32_t num_bytes)
1177	{
1178	/*
1179	* Protect against integer wrap
1180	*/
1181	if ((num_bytes > 0xffffff)
1182	\|\| ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1183	char *msg;
1184	if (asprintf(&msg, "num_bytes too large: %u",
1185	(unsigned)num_bytes) == -1) {
1186	msg = CONST_DISCARD(char *, "num_bytes too large");
1187	}
1188	smb_panic(msg);
1189	}
1190
1191	*outbuf = TALLOC_ARRAY(mem_ctx, char,
1192	smb_size + num_words*2 + num_bytes);
1193	if (*outbuf == NULL) {
1194	return false;
1195	}
1196
1197	construct_reply_common(req, inbuf, *outbuf);
1198	srv_set_message(*outbuf, num_words, num_bytes, false);
1199	/*
1200	* Zero out the word area, the caller has to take care of the bcc area
1201	* himself
1202	*/
1203	if (num_words != 0) {
1204	memset(outbuf + smb_vwv0, 0, num_words2);
1205	}
1206
1207	return true;
1208	}
1209
1210	void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1211	{
1212	char *outbuf;
1213	if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1214	num_bytes)) {
1215	smb_panic("could not allocate output buffer\n");
1216	}
1217	req->outbuf = (uint8_t *)outbuf;
1218	}
1219
1220
1221	/*******************************************************************
1222	Dump a packet to a file.
1223	********************************************************************/
1224
1225	static void smb_dump(const char name, int type, const char data, ssize_t len)
1226	{
1227	int fd, i;
1228	char *fname = NULL;
1229	if (DEBUGLEVEL < 50) {
1230	return;
1231	}
1232
1233	if (len < 4) len = smb_len(data)+4;
1234	for (i=1;i<100;i++) {
1235	if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1236	type ? "req" : "resp") == -1) {
1237	return;
1238	}
1239	fd = open(fname, O_WRONLY\|O_CREAT\|O_EXCL, 0644);
1240	if (fd != -1 \|\| errno != EEXIST) break;
1241	}
1242	if (fd != -1) {
1243	ssize_t ret = write(fd, data, len);
1244	if (ret != len)
1245	DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1246	close(fd);
1247	DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1248	}
1249	SAFE_FREE(fname);
1250	}
1251
1252	/****************************************************************************
1253	Prepare everything for calling the actual request function, and potentially
1254	call the request function via the "new" interface.
1255
1256	Return False if the "legacy" function needs to be called, everything is
1257	prepared.
1258
1259	Return True if we're done.
1260
1261	I know this API sucks, but it is the one with the least code change I could
1262	find.
1263	****************************************************************************/
1264
1265	static connection_struct switch_message(uint8 type, struct smb_request req, int size)
1266	{
1267	int flags;
1268	uint16 session_tag;
1269	connection_struct *conn = NULL;
1270	struct smbd_server_connection *sconn = smbd_server_conn;
1271
1272	errno = 0;
1273
1274	/* Make sure this is an SMB packet. smb_size contains NetBIOS header
1275	* so subtract 4 from it. */
1276	if ((size < (smb_size - 4)) \|\|
1277	!valid_smb_header(req->inbuf)) {
1278	DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1279	smb_len(req->inbuf)));
1280	exit_server_cleanly("Non-SMB packet");
1281	}
1282
1283	if (smb_messages[type].fn == NULL) {
1284	DEBUG(0,("Unknown message type %d!\n",type));
1285	smb_dump("Unknown", 1, (char *)req->inbuf, size);
1286	reply_unknown_new(req, type);
1287	return NULL;
1288	}
1289
1290	flags = smb_messages[type].flags;
1291
1292	/* In share mode security we must ignore the vuid. */
1293	session_tag = (lp_security() == SEC_SHARE)
1294	? UID_FIELD_INVALID : req->vuid;
1295	conn = req->conn;
1296
1297	DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1298	(int)sys_getpid(), (unsigned long)conn));
1299
1300	smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1301
1302	/* Ensure this value is replaced in the incoming packet. */
1303	SSVAL(req->inbuf,smb_uid,session_tag);
1304
1305	/*
1306	* Ensure the correct username is in current_user_info. This is a
1307	* really ugly bugfix for problems with multiple session_setup_and_X's
1308	* being done and allowing %U and %G substitutions to work correctly.
1309	* There is a reason this code is done here, don't move it unless you
1310	* know what you're doing... :-).
1311	* JRA.
1312	*/
1313
1314	if (session_tag != sconn->smb1.sessions.last_session_tag) {
1315	user_struct *vuser = NULL;
1316
1317	sconn->smb1.sessions.last_session_tag = session_tag;
1318	if(session_tag != UID_FIELD_INVALID) {
1319	vuser = get_valid_user_struct(sconn, session_tag);
1320	if (vuser) {
1321	set_current_user_info(
1322	vuser->server_info->sanitized_username,
1323	vuser->server_info->unix_name,
1324	pdb_get_domain(vuser->server_info
1325	->sam_account));
1326	}
1327	}
1328	}
1329
1330	/* Does this call need to be run as the connected user? */
1331	if (flags & AS_USER) {
1332
1333	/* Does this call need a valid tree connection? */
1334	if (!conn) {
1335	/*
1336	* Amazingly, the error code depends on the command
1337	* (from Samba4).
1338	*/
1339	if (type == SMBntcreateX) {
1340	reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1341	} else {
1342	reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1343	}
1344	return NULL;
1345	}
1346
1347	if (!change_to_user(conn,session_tag)) {
1348	DEBUG(0, ("Error: Could not change to user. Removing "
1349	"deferred open, mid=%d.\n", req->mid));
1350	reply_force_doserror(req, ERRSRV, ERRbaduid);
1351	return conn;
1352	}
1353
1354	/* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1355
1356	/* Does it need write permission? */
1357	if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1358	reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1359	return conn;
1360	}
1361
1362	/* IPC services are limited */
1363	if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1364	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1365	return conn;
1366	}
1367	} else {
1368	/* This call needs to be run as root */
1369	change_to_root_user();
1370	}
1371
1372	/* load service specific parameters */
1373	if (conn) {
1374	if (req->encrypted) {
1375	conn->encrypted_tid = true;
1376	/* encrypted required from now on. */
1377	conn->encrypt_level = Required;
1378	} else if (ENCRYPTION_REQUIRED(conn)) {
1379	if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1380	exit_server_cleanly("encryption required "
1381	"on connection");
1382	return conn;
1383	}
1384	}
1385
1386	if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1387	(flags & (AS_USER\|DO_CHDIR)
1388	?True:False))) {
1389	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1390	return conn;
1391	}
1392	conn->num_smb_operations++;
1393	}
1394
1395	/* does this protocol need to be run as guest? */
1396	if ((flags & AS_GUEST)
1397	&& (!change_to_guest() \|\|
1398	!check_access(smbd_server_fd(), lp_hostsallow(-1),
1399	lp_hostsdeny(-1)))) {
1400	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1401	return conn;
1402	}
1403
1404	smb_messages[type].fn(req);
1405	return req->conn;
1406	}
1407
1408	/****************************************************************************
1409	Construct a reply to the incoming packet.
1410	****************************************************************************/
1411
1412	static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1413	uint32_t seqnum, bool encrypted,
1414	struct smb_perfcount_data *deferred_pcd)
1415	{
1416	connection_struct *conn;
1417	struct smb_request *req;
1418
1419	if (!(req = talloc(talloc_tos(), struct smb_request))) {
1420	smb_panic("could not allocate smb_request");
1421	}
1422
1423	init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted);
1424	req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1425	req->seqnum = seqnum;
1426
1427	/* we popped this message off the queue - keep original perf data */
1428	if (deferred_pcd)
1429	req->pcd = *deferred_pcd;
1430	else {
1431	SMB_PERFCOUNT_START(&req->pcd);
1432	SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1433	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1434	}
1435
1436	conn = switch_message(req->cmd, req, size);
1437
1438	if (req->unread_bytes) {
1439	/* writeX failed. drain socket. */
1440	if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1441	req->unread_bytes) {
1442	smb_panic("failed to drain pending bytes");
1443	}
1444	req->unread_bytes = 0;
1445	}
1446
1447	if (req->done) {
1448	TALLOC_FREE(req);
1449	return;
1450	}
1451
1452	if (req->outbuf == NULL) {
1453	return;
1454	}
1455
1456	if (CVAL(req->outbuf,0) == 0) {
1457	show_msg((char *)req->outbuf);
1458	}
1459
1460	if (!srv_send_smb(smbd_server_fd(),
1461	(char *)req->outbuf,
1462	true, req->seqnum+1,
1463	IS_CONN_ENCRYPTED(conn)\|\|req->encrypted,
1464	&req->pcd)) {
1465	exit_server_cleanly("construct_reply: srv_send_smb failed.");
1466	}
1467
1468	TALLOC_FREE(req);
1469
1470	return;
1471	}
1472
1473	/****************************************************************************
1474	Process an smb from the client
1475	****************************************************************************/
1476	static void process_smb(struct smbd_server_connection *conn,
1477	uint8_t *inbuf, size_t nread, size_t unread_bytes,
1478	uint32_t seqnum, bool encrypted,
1479	struct smb_perfcount_data *deferred_pcd)
1480	{
1481	int msg_type = CVAL(inbuf,0);
1482
1483	DO_PROFILE_INC(smb_count);
1484
1485	DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1486	smb_len(inbuf) ) );
1487	DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1488	(int)nread,
1489	(unsigned int)unread_bytes ));
1490
1491	if (msg_type != 0) {
1492	/*
1493	* NetBIOS session request, keepalive, etc.
1494	*/
1495	reply_special((char *)inbuf, nread);
1496	goto done;
1497	}
1498
1499	if (smbd_server_conn->allow_smb2) {
1500	if (smbd_is_smb2_header(inbuf, nread)) {
1501	smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1502	return;
1503	}
1504	smbd_server_conn->allow_smb2 = false;
1505	}
1506
1507	show_msg((char *)inbuf);
1508
1509	construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1510	trans_num++;
1511
1512	done:
1513	conn->smb1.num_requests++;
1514
1515	/* The timeout_processing function isn't run nearly
1516	often enough to implement 'max log size' without
1517	overrunning the size of the file by many megabytes.
1518	This is especially true if we are running at debug
1519	level 10. Checking every 50 SMBs is a nice
1520	tradeoff of performance vs log file size overrun. */
1521
1522	if ((conn->smb1.num_requests % 50) == 0 &&
1523	need_to_check_log_size()) {
1524	change_to_root_user();
1525	check_log_size();
1526	}
1527	}
1528
1529	/****************************************************************************
1530	Return a string containing the function name of a SMB command.
1531	****************************************************************************/
1532
1533	const char *smb_fn_name(int type)
1534	{
1535	const char *unknown_name = "SMBunknown";
1536
1537	if (smb_messages[type].name == NULL)
1538	return(unknown_name);
1539
1540	return(smb_messages[type].name);
1541	}
1542
1543	/****************************************************************************
1544	Helper functions for contruct_reply.
1545	****************************************************************************/
1546
1547	void add_to_common_flags2(uint32 v)
1548	{
1549	common_flags2 \|= v;
1550	}
1551
1552	void remove_from_common_flags2(uint32 v)
1553	{
1554	common_flags2 &= ~v;
1555	}
1556
1557	static void construct_reply_common(struct smb_request req, const char inbuf,
1558	char *outbuf)
1559	{
1560	srv_set_message(outbuf,0,0,false);
1561
1562	SCVAL(outbuf, smb_com, req->cmd);
1563	SIVAL(outbuf,smb_rcls,0);
1564	SCVAL(outbuf,smb_flg, FLAG_REPLY \| (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1565	SSVAL(outbuf,smb_flg2,
1566	(SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) \|
1567	common_flags2);
1568	memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1569
1570	SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1571	SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1572	SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1573	SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1574	}
1575
1576	void construct_reply_common_req(struct smb_request req, char outbuf)
1577	{
1578	construct_reply_common(req, (char *)req->inbuf, outbuf);
1579	}
1580
1581	/*
1582	* How many bytes have we already accumulated up to the current wct field
1583	* offset?
1584	*/
1585
1586	size_t req_wct_ofs(struct smb_request *req)
1587	{
1588	size_t buf_size;
1589
1590	if (req->chain_outbuf == NULL) {
1591	return smb_wct - 4;
1592	}
1593	buf_size = talloc_get_size(req->chain_outbuf);
1594	if ((buf_size % 4) != 0) {
1595	buf_size += (4 - (buf_size % 4));
1596	}
1597	return buf_size - 4;
1598	}
1599
1600	/*
1601	* Hack around reply_nterror & friends not being aware of chained requests,
1602	* generating illegal (i.e. wct==0) chain replies.
1603	*/
1604
1605	static void fixup_chain_error_packet(struct smb_request *req)
1606	{
1607	uint8_t *outbuf = req->outbuf;
1608	req->outbuf = NULL;
1609	reply_outbuf(req, 2, 0);
1610	memcpy(req->outbuf, outbuf, smb_wct);
1611	TALLOC_FREE(outbuf);
1612	SCVAL(req->outbuf, smb_vwv0, 0xff);
1613	}
1614
1615	/**
1616	* @brief Find the smb_cmd offset of the last command pushed
1617	* @param[in] buf The buffer we're building up
1618	* @retval Where can we put our next andx cmd?
1619	*
1620	* While chaining requests, the "next" request we're looking at needs to put
1621	* its SMB_Command before the data the previous request already built up added
1622	* to the chain. Find the offset to the place where we have to put our cmd.
1623	*/
1624
1625	static bool find_andx_cmd_ofs(uint8_t buf, size_t pofs)
1626	{
1627	uint8_t cmd;
1628	size_t ofs;
1629
1630	cmd = CVAL(buf, smb_com);
1631
1632	SMB_ASSERT(is_andx_req(cmd));
1633
1634	ofs = smb_vwv0;
1635
1636	while (CVAL(buf, ofs) != 0xff) {
1637
1638	if (!is_andx_req(CVAL(buf, ofs))) {
1639	return false;
1640	}
1641
1642	/*
1643	* ofs is from start of smb header, so add the 4 length
1644	* bytes. The next cmd is right after the wct field.
1645	*/
1646	ofs = SVAL(buf, ofs+2) + 4 + 1;
1647
1648	SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1649	}
1650
1651	*pofs = ofs;
1652	return true;
1653	}
1654
1655	/**
1656	* @brief Do the smb chaining at a buffer level
1657	* @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1658	* @param[in] smb_command The command that we want to issue
1659	* @param[in] wct How many words?
1660	* @param[in] vwv The words, already in network order
1661	* @param[in] bytes_alignment How shall we align "bytes"?
1662	* @param[in] num_bytes How many bytes?
1663	* @param[in] bytes The data the request ships
1664	*
1665	* smb_splice_chain() adds the vwv and bytes to the request already present in
1666	* *poutbuf.
1667	*/
1668
1669	static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1670	uint8_t wct, const uint16_t *vwv,
1671	size_t bytes_alignment,
1672	uint32_t num_bytes, const uint8_t *bytes)
1673	{
1674	uint8_t *outbuf;
1675	size_t old_size, new_size;
1676	size_t ofs;
1677	size_t chain_padding = 0;
1678	size_t bytes_padding = 0;
1679	bool first_request;
1680
1681	old_size = talloc_get_size(*poutbuf);
1682
1683	/*
1684	* old_size == smb_wct means we're pushing the first request in for
1685	* libsmb/
1686	*/
1687
1688	first_request = (old_size == smb_wct);
1689
1690	if (!first_request && ((old_size % 4) != 0)) {
1691	/*
1692	* Align the wct field of subsequent requests to a 4-byte
1693	* boundary
1694	*/
1695	chain_padding = 4 - (old_size % 4);
1696	}
1697
1698	/*
1699	* After the old request comes the new wct field (1 byte), the vwv's
1700	* and the num_bytes field. After at we might need to align the bytes
1701	* given to us to "bytes_alignment", increasing the num_bytes value.
1702	*/
1703
1704	new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1705
1706	if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1707	bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1708	}
1709
1710	new_size += bytes_padding + num_bytes;
1711
1712	if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1713	DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1714	(unsigned)new_size));
1715	return false;
1716	}
1717
1718	outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1719	if (outbuf == NULL) {
1720	DEBUG(0, ("talloc failed\n"));
1721	return false;
1722	}
1723	*poutbuf = outbuf;
1724
1725	if (first_request) {
1726	SCVAL(outbuf, smb_com, smb_command);
1727	} else {
1728	size_t andx_cmd_ofs;
1729
1730	if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1731	DEBUG(1, ("invalid command chain\n"));
1732	*poutbuf = TALLOC_REALLOC_ARRAY(
1733	NULL, *poutbuf, uint8_t, old_size);
1734	return false;
1735	}
1736
1737	if (chain_padding != 0) {
1738	memset(outbuf + old_size, 0, chain_padding);
1739	old_size += chain_padding;
1740	}
1741
1742	SCVAL(outbuf, andx_cmd_ofs, smb_command);
1743	SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1744	}
1745
1746	ofs = old_size;
1747
1748	/*
1749	* Push the chained request:
1750	*
1751	* wct field
1752	*/
1753
1754	SCVAL(outbuf, ofs, wct);
1755	ofs += 1;
1756
1757	/*
1758	* vwv array
1759	*/
1760
1761	memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1762	ofs += sizeof(uint16_t) * wct;
1763
1764	/*
1765	* bcc (byte count)
1766	*/
1767
1768	SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1769	ofs += sizeof(uint16_t);
1770
1771	/*
1772	* padding
1773	*/
1774
1775	if (bytes_padding != 0) {
1776	memset(outbuf + ofs, 0, bytes_padding);
1777	ofs += bytes_padding;
1778	}
1779
1780	/*
1781	* The bytes field
1782	*/
1783
1784	memcpy(outbuf + ofs, bytes, num_bytes);
1785
1786	return true;
1787	}
1788
1789	/****************************************************************************
1790	Construct a chained reply and add it to the already made reply
1791	****************************************************************************/
1792
1793	void chain_reply(struct smb_request *req)
1794	{
1795	size_t smblen = smb_len(req->inbuf);
1796	size_t already_used, length_needed;
1797	uint8_t chain_cmd;
1798	uint32_t chain_offset; /* uint32_t to avoid overflow */
1799
1800	uint8_t wct;
1801	uint16_t *vwv;
1802	uint16_t buflen;
1803	uint8_t *buf;
1804
1805	if (IVAL(req->outbuf, smb_rcls) != 0) {
1806	fixup_chain_error_packet(req);
1807	}
1808
1809	/*
1810	* Any of the AndX requests and replies have at least a wct of
1811	* 2. vwv[0] is the next command, vwv[1] is the offset from the
1812	* beginning of the SMB header to the next wct field.
1813	*
1814	* None of the AndX requests put anything valuable in vwv[0] and [1],
1815	* so we can overwrite it here to form the chain.
1816	*/
1817
1818	if ((req->wct < 2) \|\| (CVAL(req->outbuf, smb_wct) < 2)) {
1819	if (req->chain_outbuf == NULL) {
1820	req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1821	req, req->outbuf, uint8_t,
1822	smb_len(req->outbuf) + 4);
1823	if (req->chain_outbuf == NULL) {
1824	smb_panic("talloc failed");
1825	}
1826	}
1827	req->outbuf = NULL;
1828	goto error;
1829	}
1830
1831	/*
1832	* Here we assume that this is the end of the chain. For that we need
1833	* to set "next command" to 0xff and the offset to 0. If we later find
1834	* more commands in the chain, this will be overwritten again.
1835	*/
1836
1837	SCVAL(req->outbuf, smb_vwv0, 0xff);
1838	SCVAL(req->outbuf, smb_vwv0+1, 0);
1839	SSVAL(req->outbuf, smb_vwv1, 0);
1840
1841	if (req->chain_outbuf == NULL) {
1842	/*
1843	* In req->chain_outbuf we collect all the replies. Start the
1844	* chain by copying in the first reply.
1845	*
1846	* We do the realloc because later on we depend on
1847	* talloc_get_size to determine the length of
1848	* chain_outbuf. The reply_xxx routines might have
1849	* over-allocated (reply_pipe_read_and_X used to be such an
1850	* example).
1851	*/
1852	req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1853	req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1854	if (req->chain_outbuf == NULL) {
1855	smb_panic("talloc failed");
1856	}
1857	req->outbuf = NULL;
1858	} else {
1859	/*
1860	* Update smb headers where subsequent chained commands
1861	* may have updated them.
1862	*/
1863	SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
1864	SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
1865
1866	if (!smb_splice_chain(&req->chain_outbuf,
1867	CVAL(req->outbuf, smb_com),
1868	CVAL(req->outbuf, smb_wct),
1869	(uint16_t *)(req->outbuf + smb_vwv),
1870	0, smb_buflen(req->outbuf),
1871	(uint8_t *)smb_buf(req->outbuf))) {
1872	goto error;
1873	}
1874	TALLOC_FREE(req->outbuf);
1875	}
1876
1877	/*
1878	* We use the old request's vwv field to grab the next chained command
1879	* and offset into the chained fields.
1880	*/
1881
1882	chain_cmd = CVAL(req->vwv+0, 0);
1883	chain_offset = SVAL(req->vwv+1, 0);
1884
1885	if (chain_cmd == 0xff) {
1886	/*
1887	* End of chain, no more requests from the client. So ship the
1888	* replies.
1889	*/
1890	smb_setlen((char *)(req->chain_outbuf),
1891	talloc_get_size(req->chain_outbuf) - 4);
1892
1893	if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1894	true, req->seqnum+1,
1895	IS_CONN_ENCRYPTED(req->conn)
1896	\|\|req->encrypted,
1897	&req->pcd)) {
1898	exit_server_cleanly("chain_reply: srv_send_smb "
1899	"failed.");
1900	}
1901	TALLOC_FREE(req->chain_outbuf);
1902	req->done = true;
1903	return;
1904	}
1905
1906	/* add a new perfcounter for this element of chain */
1907	SMB_PERFCOUNT_ADD(&req->pcd);
1908	SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1909	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1910
1911	/*
1912	* Check if the client tries to fool us. The chain offset
1913	* needs to point beyond the current request in the chain, it
1914	* needs to strictly grow. Otherwise we might be tricked into
1915	* an endless loop always processing the same request over and
1916	* over again. We used to assume that vwv and the byte buffer
1917	* array in a chain are always attached, but OS/2 the
1918	* Write&X/Read&X chain puts the Read&X vwv array right behind
1919	* the Write&X vwv chain. The Write&X bcc array is put behind
1920	* the Read&X vwv array. So now we check whether the chain
1921	* offset points strictly behind the previous vwv
1922	* array. req->buf points right after the vwv array of the
1923	* previous request. See
1924	* https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
1925	* information.
1926	*/
1927
1928	already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
1929	if (chain_offset <= already_used) {
1930	goto error;
1931	}
1932
1933	/*
1934	* Next check: Make sure the chain offset does not point beyond the
1935	* overall smb request length.
1936	*/
1937
1938	length_needed = chain_offset+1; /* wct */
1939	if (length_needed > smblen) {
1940	goto error;
1941	}
1942
1943	/*
1944	* Now comes the pointer magic. Goal here is to set up req->vwv and
1945	* req->buf correctly again to be able to call the subsequent
1946	* switch_message(). The chain offset (the former vwv[1]) points at
1947	* the new wct field.
1948	*/
1949
1950	wct = CVAL(smb_base(req->inbuf), chain_offset);
1951
1952	/*
1953	* Next consistency check: Make the new vwv array fits in the overall
1954	* smb request.
1955	*/
1956
1957	length_needed += (wct+1)sizeof(uint16_t); / vwv+buflen */
1958	if (length_needed > smblen) {
1959	goto error;
1960	}
1961	vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1962
1963	/*
1964	* Now grab the new byte buffer....
1965	*/
1966
1967	buflen = SVAL(vwv+wct, 0);
1968
1969	/*
1970	* .. and check that it fits.
1971	*/
1972
1973	length_needed += buflen;
1974	if (length_needed > smblen) {
1975	goto error;
1976	}
1977	buf = (uint8_t *)(vwv+wct+1);
1978
1979	req->cmd = chain_cmd;
1980	req->wct = wct;
1981	req->vwv = vwv;
1982	req->buflen = buflen;
1983	req->buf = buf;
1984
1985	switch_message(chain_cmd, req, smblen);
1986
1987	if (req->outbuf == NULL) {
1988	/*
1989	* This happens if the chained command has suspended itself or
1990	* if it has called srv_send_smb() itself.
1991	*/
1992	return;
1993	}
1994
1995	/*
1996	* We end up here if the chained command was not itself chained or
1997	* suspended, but for example a close() command. We now need to splice
1998	* the chained commands' outbuf into the already built up chain_outbuf
1999	* and ship the result.
2000	*/
2001	goto done;
2002
2003	error:
2004	/*
2005	* We end up here if there's any error in the chain syntax. Report a
2006	* DOS error, just like Windows does.
2007	*/
2008	reply_force_doserror(req, ERRSRV, ERRerror);
2009	fixup_chain_error_packet(req);
2010
2011	done:
2012	/*
2013	* This scary statement intends to set the
2014	* FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2015	* to the value req->outbuf carries
2016	*/
2017	SSVAL(req->chain_outbuf, smb_flg2,
2018	(SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2019	\| (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2020
2021	/*
2022	* Transfer the error codes from the subrequest to the main one
2023	*/
2024	SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2025	SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2026
2027	if (!smb_splice_chain(&req->chain_outbuf,
2028	CVAL(req->outbuf, smb_com),
2029	CVAL(req->outbuf, smb_wct),
2030	(uint16_t *)(req->outbuf + smb_vwv),
2031	0, smb_buflen(req->outbuf),
2032	(uint8_t *)smb_buf(req->outbuf))) {
2033	exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2034	}
2035	TALLOC_FREE(req->outbuf);
2036
2037	smb_setlen((char *)(req->chain_outbuf),
2038	talloc_get_size(req->chain_outbuf) - 4);
2039
2040	show_msg((char *)(req->chain_outbuf));
2041
2042	if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2043	true, req->seqnum+1,
2044	IS_CONN_ENCRYPTED(req->conn)\|\|req->encrypted,
2045	&req->pcd)) {
2046	exit_server_cleanly("construct_reply: srv_send_smb failed.");
2047	}
2048	TALLOC_FREE(req->chain_outbuf);
2049	req->done = true;
2050	}
2051
2052	/****************************************************************************
2053	Check if services need reloading.
2054	****************************************************************************/
2055
2056	void check_reload(time_t t)
2057	{
2058	time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2059
2060	if(last_smb_conf_reload_time == 0) {
2061	last_smb_conf_reload_time = t;
2062	/* Our printing subsystem might not be ready at smbd start up.
2063	Then no printer is available till the first printers check
2064	is performed. A lower initial interval circumvents this. */
2065	if ( printcap_cache_time > 60 )
2066	last_printer_reload_time = t - printcap_cache_time + 60;
2067	else
2068	last_printer_reload_time = t;
2069	}
2070
2071	if (mypid != getpid()) { /* First time or fork happened meanwhile */
2072	/* randomize over 60 second the printcap reload to avoid all
2073	* process hitting cupsd at the same time */
2074	int time_range = 60;
2075
2076	last_printer_reload_time += random() % time_range;
2077	mypid = getpid();
2078	}
2079
2080	if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2081	reload_services(True);
2082	last_smb_conf_reload_time = t;
2083	}
2084
2085	/* 'printcap cache time = 0' disable the feature */
2086
2087	if ( printcap_cache_time != 0 )
2088	{
2089	/* see if it's time to reload or if the clock has been set back */
2090
2091	if ( (t >= last_printer_reload_time+printcap_cache_time)
2092	\|\| (t-last_printer_reload_time < 0) )
2093	{
2094	DEBUG( 3,( "Printcap cache time expired.\n"));
2095	pcap_cache_reload(&reload_printers);
2096	last_printer_reload_time = t;
2097	}
2098	}
2099	}
2100
2101	static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2102	{
2103	/* TODO: make write nonblocking */
2104	}
2105
2106	static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
2107	{
2108	uint8_t *inbuf = NULL;
2109	size_t inbuf_len = 0;
2110	size_t unread_bytes = 0;
2111	bool encrypted = false;
2112	TALLOC_CTX *mem_ctx = talloc_tos();
2113	NTSTATUS status;
2114	uint32_t seqnum;
2115
2116	/* TODO: make this completely nonblocking */
2117
2118	status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
2119	(char *)(void )&inbuf,
2120	0, /* timeout */
2121	&unread_bytes,
2122	&encrypted,
2123	&inbuf_len, &seqnum);
2124	if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2125	goto process;
2126	}
2127	if (NT_STATUS_IS_ERR(status)) {
2128	exit_server_cleanly("failed to receive smb request");
2129	}
2130	if (!NT_STATUS_IS_OK(status)) {
2131	return;
2132	}
2133
2134	process:
2135	process_smb(conn, inbuf, inbuf_len, unread_bytes,
2136	seqnum, encrypted, NULL);
2137	}
2138
2139	static void smbd_server_connection_handler(struct event_context *ev,
2140	struct fd_event *fde,
2141	uint16_t flags,
2142	void *private_data)
2143	{
2144	struct smbd_server_connection *conn = talloc_get_type(private_data,
2145	struct smbd_server_connection);
2146
2147	if (flags & EVENT_FD_WRITE) {
2148	smbd_server_connection_write_handler(conn);
2149	} else if (flags & EVENT_FD_READ) {
2150	smbd_server_connection_read_handler(conn);
2151	}
2152	}
2153
2154
2155	/****************************************************************************
2156	received when we should release a specific IP
2157	****************************************************************************/
2158	static void release_ip(const char ip, void priv)
2159	{
2160	char addr[INET6_ADDRSTRLEN];
2161	char *p = addr;
2162
2163	client_socket_addr(get_client_fd(),addr,sizeof(addr));
2164
2165	if (strncmp("::ffff:", addr, 7) == 0) {
2166	p = addr + 7;
2167	}
2168
2169	if ((strcmp(p, ip) == 0) \|\| ((p != addr) && strcmp(addr, ip) == 0)) {
2170	/* we can't afford to do a clean exit - that involves
2171	database writes, which would potentially mean we
2172	are still running after the failover has finished -
2173	we have to get rid of this process ID straight
2174	away */
2175	DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2176	ip));
2177	/* note we must exit with non-zero status so the unclean handler gets
2178	called in the parent, so that the brl database is tickled */
2179	_exit(1);
2180	}
2181	}
2182
2183	static void msg_release_ip(struct messaging_context msg_ctx, void private_data,
2184	uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2185	{
2186	release_ip((char *)data->data, NULL);
2187	}
2188
2189	#ifdef CLUSTER_SUPPORT
2190	static int client_get_tcp_info(struct sockaddr_storage *server,
2191	struct sockaddr_storage *client)
2192	{
2193	socklen_t length;
2194	if (server_fd == -1) {
2195	return -1;
2196	}
2197	length = sizeof(*server);
2198	if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2199	return -1;
2200	}
2201	length = sizeof(*client);
2202	if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2203	return -1;
2204	}
2205	return 0;
2206	}
2207	#endif
2208
2209	/*
2210	* Send keepalive packets to our client
2211	*/
2212	static bool keepalive_fn(const struct timeval now, void private_data)
2213	{
2214	if (!send_keepalive(smbd_server_fd())) {
2215	DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2216	return False;
2217	}
2218	return True;
2219	}
2220
2221	/*
2222	* Do the recurring check if we're idle
2223	*/
2224	static bool deadtime_fn(const struct timeval now, void private_data)
2225	{
2226	struct smbd_server_connection *sconn = smbd_server_conn;
2227	if ((conn_num_open(sconn) == 0)
2228	\|\| (conn_idle_all(sconn, now->tv_sec))) {
2229	DEBUG( 2, ( "Closing idle connection\n" ) );
2230	messaging_send(smbd_messaging_context(), procid_self(),
2231	MSG_SHUTDOWN, &data_blob_null);
2232	return False;
2233	}
2234
2235	return True;
2236	}
2237
2238	/*
2239	* Do the recurring log file and smb.conf reload checks.
2240	*/
2241
2242	static bool housekeeping_fn(const struct timeval now, void private_data)
2243	{
2244	change_to_root_user();
2245
2246	/* update printer queue caches if necessary */
2247	update_monitored_printq_cache();
2248
2249	/* check if we need to reload services */
2250	check_reload(time(NULL));
2251
2252	/* Change machine password if neccessary. */
2253	attempt_machine_password_change();
2254
2255	/*
2256	* Force a log file check.
2257	*/
2258	force_check_log_size();
2259	check_log_size();
2260	return true;
2261	}
2262
2263	/****************************************************************************
2264	Process commands from the client
2265	****************************************************************************/
2266
2267	void smbd_process(void)
2268	{
2269	TALLOC_CTX *frame = talloc_stackframe();
2270	char remaddr[INET6_ADDRSTRLEN];
2271
2272	if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2273	lp_security() != SEC_SHARE) {
2274	smbd_server_conn->allow_smb2 = true;
2275	}
2276
2277	/* Ensure child is set to blocking mode */
2278	set_blocking(smbd_server_fd(),True);
2279
2280	set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2281	set_socket_options(smbd_server_fd(), lp_socket_options());
2282
2283	/* this is needed so that we get decent entries
2284	in smbstatus for port 445 connects */
2285	set_remote_machine_name(get_peer_addr(smbd_server_fd(),
2286	remaddr,
2287	sizeof(remaddr)),
2288	false);
2289	reload_services(true);
2290
2291	/*
2292	* Before the first packet, check the global hosts allow/ hosts deny
2293	* parameters before doing any parsing of packets passed to us by the
2294	* client. This prevents attacks on our parsing code from hosts not in
2295	* the hosts allow list.
2296	*/
2297
2298	if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2299	lp_hostsdeny(-1))) {
2300	char addr[INET6_ADDRSTRLEN];
2301
2302	/*
2303	* send a negative session response "not listening on calling
2304	* name"
2305	*/
2306	unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2307	DEBUG( 1, ("Connection denied from %s\n",
2308	client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2309	(void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2310	0, false, NULL);
2311	exit_server_cleanly("connection denied");
2312	}
2313
2314	static_init_rpc;
2315
2316	init_modules();
2317
2318	smb_perfcount_init();
2319
2320	if (!init_account_policy()) {
2321	exit_server("Could not open account policy tdb.\n");
2322	}
2323
2324	if (*lp_rootdir()) {
2325	if (chroot(lp_rootdir()) != 0) {
2326	DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2327	exit_server("Failed to chroot()");
2328	}
2329	if (chdir("/") == -1) {
2330	DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2331	exit_server("Failed to chroot()");
2332	}
2333	DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2334	}
2335
2336	if (!srv_init_signing(smbd_server_conn)) {
2337	exit_server("Failed to init smb_signing");
2338	}
2339
2340	/* Setup oplocks */
2341	if (!init_oplocks(smbd_messaging_context()))
2342	exit_server("Failed to init oplocks");
2343
2344	/* Setup aio signal handler. */
2345	initialize_async_io_handler();
2346
2347	/* register our message handlers */
2348	messaging_register(smbd_messaging_context(), NULL,
2349	MSG_SMB_FORCE_TDIS, msg_force_tdis);
2350	messaging_register(smbd_messaging_context(), NULL,
2351	MSG_SMB_RELEASE_IP, msg_release_ip);
2352	messaging_register(smbd_messaging_context(), NULL,
2353	MSG_SMB_CLOSE_FILE, msg_close_file);
2354
2355	/*
2356	* Use the default MSG_DEBUG handler to avoid rebroadcasting
2357	* MSGs to all child processes
2358	*/
2359	messaging_deregister(smbd_messaging_context(),
2360	MSG_DEBUG, NULL);
2361	messaging_register(smbd_messaging_context(), NULL,
2362	MSG_DEBUG, debug_message);
2363
2364	if ((lp_keepalive() != 0)
2365	&& !(event_add_idle(smbd_event_context(), NULL,
2366	timeval_set(lp_keepalive(), 0),
2367	"keepalive", keepalive_fn,
2368	NULL))) {
2369	DEBUG(0, ("Could not add keepalive event\n"));
2370	exit(1);
2371	}
2372
2373	if (!(event_add_idle(smbd_event_context(), NULL,
2374	timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2375	"deadtime", deadtime_fn, NULL))) {
2376	DEBUG(0, ("Could not add deadtime event\n"));
2377	exit(1);
2378	}
2379
2380	if (!(event_add_idle(smbd_event_context(), NULL,
2381	timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
2382	"housekeeping", housekeeping_fn, NULL))) {
2383	DEBUG(0, ("Could not add housekeeping event\n"));
2384	exit(1);
2385	}
2386
2387	#ifdef CLUSTER_SUPPORT
2388
2389	if (lp_clustering()) {
2390	/*
2391	* We need to tell ctdb about our client's TCP
2392	* connection, so that for failover ctdbd can send
2393	* tickle acks, triggering a reconnection by the
2394	* client.
2395	*/
2396
2397	struct sockaddr_storage srv, clnt;
2398
2399	if (client_get_tcp_info(&srv, &clnt) == 0) {
2400
2401	NTSTATUS status;
2402
2403	status = ctdbd_register_ips(
2404	messaging_ctdbd_connection(),
2405	&srv, &clnt, release_ip, NULL);
2406
2407	if (!NT_STATUS_IS_OK(status)) {
2408	DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2409	nt_errstr(status)));
2410	}
2411	} else
2412	{
2413	DEBUG(0,("Unable to get tcp info for "
2414	"CTDB_CONTROL_TCP_CLIENT: %s\n",
2415	strerror(errno)));
2416	}
2417	}
2418
2419	#endif
2420
2421	smbd_server_conn->nbt.got_session = false;
2422
2423	smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2424
2425	smbd_server_conn->smb1.sessions.done_sesssetup = false;
2426	smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
2427	smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
2428	/* users from session setup */
2429	smbd_server_conn->smb1.sessions.session_userlist = NULL;
2430	/* workgroup from session setup. */
2431	smbd_server_conn->smb1.sessions.session_workgroup = NULL;
2432	/* this holds info on user ids that are already validated for this VC */
2433	smbd_server_conn->smb1.sessions.validated_users = NULL;
2434	smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
2435	smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
2436	#ifdef HAVE_NETGROUP
2437	smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
2438	#endif
2439
2440	conn_init(smbd_server_conn);
2441	if (!init_dptrs(smbd_server_conn)) {
2442	exit_server("init_dptrs() failed");
2443	}
2444
2445	smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
2446	smbd_server_conn,
2447	smbd_server_fd(),
2448	EVENT_FD_READ,
2449	smbd_server_connection_handler,
2450	smbd_server_conn);
2451	if (!smbd_server_conn->smb1.fde) {
2452	exit_server("failed to create smbd_server_connection fde");
2453	}
2454
2455	TALLOC_FREE(frame);
2456
2457	while (True) {
2458	NTSTATUS status;
2459
2460	frame = talloc_stackframe_pool(8192);
2461
2462	errno = 0;
2463
2464	status = smbd_server_connection_loop_once(smbd_server_conn);
2465	if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2466	!NT_STATUS_IS_OK(status)) {
2467	DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2468	" exiting\n", nt_errstr(status)));
2469	break;
2470	}
2471
2472	TALLOC_FREE(frame);
2473	}
2474
2475	exit_server_cleanly(NULL);
2476	}
2477
2478	bool req_is_in_chain(struct smb_request *req)
2479	{
2480	if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2481	/*
2482	* We're right now handling a subsequent request, so we must
2483	* be in a chain
2484	*/
2485	return true;
2486	}
2487
2488	if (!is_andx_req(req->cmd)) {
2489	return false;
2490	}
2491
2492	if (req->wct < 2) {
2493	/*
2494	* Okay, an illegal request, but definitely not chained :-)
2495	*/
2496	return false;
2497	}
2498
2499	return (CVAL(req->vwv+0, 0) != 0xFF);
2500	}

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: branches/samba-3.5.x/source3/smbd/process.c@ 733

Download in other formats: