Context Navigation

← Previous Revision
Latest Revision
Next Revision →
Blame
Revision Log

source: trunk/server/source3/smbd/process.c@ 421

Visit:

Last change on this file since 421 was 414, checked in by Herwig Bauernfeind, 15 years ago
Samba 3.5.0: Initial import
File size: 66.8 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	process incoming packets - main loop
4	Copyright (C) Andrew Tridgell 1992-1998
5	Copyright (C) Volker Lendecke 2005-2007
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>.
19	*/
20
21	#include "includes.h"
22	#include "smbd/globals.h"
23	#include "../librpc/gen_ndr/srv_dfs.h"
24	#include "../librpc/gen_ndr/srv_dssetup.h"
25	#include "../librpc/gen_ndr/srv_echo.h"
26	#include "../librpc/gen_ndr/srv_eventlog.h"
27	#include "../librpc/gen_ndr/srv_initshutdown.h"
28	#include "../librpc/gen_ndr/srv_lsa.h"
29	#include "../librpc/gen_ndr/srv_netlogon.h"
30	#include "../librpc/gen_ndr/srv_ntsvcs.h"
31	#include "../librpc/gen_ndr/srv_samr.h"
32	#include "../librpc/gen_ndr/srv_spoolss.h"
33	#include "../librpc/gen_ndr/srv_srvsvc.h"
34	#include "../librpc/gen_ndr/srv_svcctl.h"
35	#include "../librpc/gen_ndr/srv_winreg.h"
36	#include "../librpc/gen_ndr/srv_wkssvc.h"
37
38	extern bool global_machine_password_needs_changing;
39
40	static void construct_reply_common(struct smb_request req, const char inbuf,
41	char *outbuf);
42
43	/* Accessor function for smb_read_error for smbd functions. */
44
45	/****************************************************************************
46	Send an smb to a fd.
47	****************************************************************************/
48
49	bool srv_send_smb(int fd, char *buffer,
50	bool do_signing, uint32_t seqnum,
51	bool do_encrypt,
52	struct smb_perfcount_data *pcd)
53	{
54	size_t len = 0;
55	size_t nwritten=0;
56	ssize_t ret;
57	char *buf_out = buffer;
58
59	if (do_signing) {
60	/* Sign the outgoing packet if required. */
61	srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
62	}
63
64	if (do_encrypt) {
65	NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
66	if (!NT_STATUS_IS_OK(status)) {
67	DEBUG(0, ("send_smb: SMB encryption failed "
68	"on outgoing packet! Error %s\n",
69	nt_errstr(status) ));
70	goto out;
71	}
72	}
73
74	len = smb_len(buf_out) + 4;
75
76	ret = write_data(fd,buf_out+nwritten,len - nwritten);
77	if (ret <= 0) {
78	DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
79	(int)len,(int)ret, strerror(errno) ));
80	srv_free_enc_buffer(buf_out);
81	goto out;
82	}
83
84	SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
85	srv_free_enc_buffer(buf_out);
86	out:
87	SMB_PERFCOUNT_END(pcd);
88	return true;
89	}
90
91	/*******************************************************************
92	Setup the word count and byte count for a smb message.
93	********************************************************************/
94
95	int srv_set_message(char *buf,
96	int num_words,
97	int num_bytes,
98	bool zero)
99	{
100	if (zero && (num_words \|\| num_bytes)) {
101	memset(buf + smb_size,'\0',num_words*2 + num_bytes);
102	}
103	SCVAL(buf,smb_wct,num_words);
104	SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
105	smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
106	return (smb_size + num_words*2 + num_bytes);
107	}
108
109	static bool valid_smb_header(const uint8_t *inbuf)
110	{
111	if (is_encrypted_packet(inbuf)) {
112	return true;
113	}
114	/*
115	* This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
116	* but it just looks weird to call strncmp for this one.
117	*/
118	return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
119	}
120
121	/* Socket functions for smbd packet processing. */
122
123	static bool valid_packet_size(size_t len)
124	{
125	/*
126	* A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
127	* of header. Don't print the error if this fits.... JRA.
128	*/
129
130	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
131	DEBUG(0,("Invalid packet length! (%lu bytes).\n",
132	(unsigned long)len));
133	return false;
134	}
135	return true;
136	}
137
138	static NTSTATUS read_packet_remainder(int fd, char *buffer,
139	unsigned int timeout, ssize_t len)
140	{
141	if (len <= 0) {
142	return NT_STATUS_OK;
143	}
144
145	return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
146	}
147
148	/****************************************************************************
149	Attempt a zerocopy writeX read. We know here that len > smb_size-4
150	****************************************************************************/
151
152	/*
153	* Unfortunately, earlier versions of smbclient/libsmbclient
154	* don't send this "standard" writeX header. I've fixed this
155	* for 3.2 but we'll use the old method with earlier versions.
156	* Windows and CIFSFS at least use this standard size. Not
157	* sure about MacOSX.
158	*/
159
160	#define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
161	(214) + / word count (including bcc) */ \
162	1 /* pad byte */)
163
164	static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
165	const char lenbuf[4],
166	int fd, char **buffer,
167	unsigned int timeout,
168	size_t *p_unread,
169	size_t *len_ret)
170	{
171	/* Size of a WRITEX call (+4 byte len). */
172	char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
173	ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
174	ssize_t toread;
175	NTSTATUS status;
176
177	memcpy(writeX_header, lenbuf, 4);
178
179	status = read_fd_with_timeout(
180	fd, writeX_header + 4,
181	STANDARD_WRITE_AND_X_HEADER_SIZE,
182	STANDARD_WRITE_AND_X_HEADER_SIZE,
183	timeout, NULL);
184
185	if (!NT_STATUS_IS_OK(status)) {
186	return status;
187	}
188
189	/*
190	* Ok - now try and see if this is a possible
191	* valid writeX call.
192	*/
193
194	if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
195	/*
196	* If the data offset is beyond what
197	* we've read, drain the extra bytes.
198	*/
199	uint16_t doff = SVAL(writeX_header,smb_vwv11);
200	ssize_t newlen;
201
202	if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
203	size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
204	if (drain_socket(smbd_server_fd(), drain) != drain) {
205	smb_panic("receive_smb_raw_talloc_partial_read:"
206	" failed to drain pending bytes");
207	}
208	} else {
209	doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
210	}
211
212	/* Spoof down the length and null out the bcc. */
213	set_message_bcc(writeX_header, 0);
214	newlen = smb_len(writeX_header);
215
216	/* Copy the header we've written. */
217
218	buffer = (char )TALLOC_MEMDUP(mem_ctx,
219	writeX_header,
220	sizeof(writeX_header));
221
222	if (*buffer == NULL) {
223	DEBUG(0, ("Could not allocate inbuf of length %d\n",
224	(int)sizeof(writeX_header)));
225	return NT_STATUS_NO_MEMORY;
226	}
227
228	/* Work out the remaining bytes. */
229	*p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
230	*len_ret = newlen + 4;
231	return NT_STATUS_OK;
232	}
233
234	if (!valid_packet_size(len)) {
235	return NT_STATUS_INVALID_PARAMETER;
236	}
237
238	/*
239	* Not a valid writeX call. Just do the standard
240	* talloc and return.
241	*/
242
243	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
244
245	if (*buffer == NULL) {
246	DEBUG(0, ("Could not allocate inbuf of length %d\n",
247	(int)len+4));
248	return NT_STATUS_NO_MEMORY;
249	}
250
251	/* Copy in what we already read. */
252	memcpy(*buffer,
253	writeX_header,
254	4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
255	toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
256
257	if(toread > 0) {
258	status = read_packet_remainder(
259	fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
260	timeout, toread);
261
262	if (!NT_STATUS_IS_OK(status)) {
263	DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
264	nt_errstr(status)));
265	return status;
266	}
267	}
268
269	*len_ret = len + 4;
270	return NT_STATUS_OK;
271	}
272
273	static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
274	char **buffer, unsigned int timeout,
275	size_t p_unread, size_t plen)
276	{
277	char lenbuf[4];
278	size_t len;
279	int min_recv_size = lp_min_receive_file_size();
280	NTSTATUS status;
281
282	*p_unread = 0;
283
284	status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
285	if (!NT_STATUS_IS_OK(status)) {
286	DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
287	return status;
288	}
289
290	if (CVAL(lenbuf,0) == 0 && min_recv_size &&
291	(smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
292	(min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
293	!srv_is_signing_active(smbd_server_conn)) {
294
295	return receive_smb_raw_talloc_partial_read(
296	mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
297	}
298
299	if (!valid_packet_size(len)) {
300	return NT_STATUS_INVALID_PARAMETER;
301	}
302
303	/*
304	* The +4 here can't wrap, we've checked the length above already.
305	*/
306
307	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
308
309	if (*buffer == NULL) {
310	DEBUG(0, ("Could not allocate inbuf of length %d\n",
311	(int)len+4));
312	return NT_STATUS_NO_MEMORY;
313	}
314
315	memcpy(*buffer, lenbuf, sizeof(lenbuf));
316
317	status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
318	if (!NT_STATUS_IS_OK(status)) {
319	return status;
320	}
321
322	*plen = len + 4;
323	return NT_STATUS_OK;
324	}
325
326	static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
327	char **buffer, unsigned int timeout,
328	size_t p_unread, bool p_encrypted,
329	size_t *p_len,
330	uint32_t *seqnum)
331	{
332	size_t len = 0;
333	NTSTATUS status;
334
335	*p_encrypted = false;
336
337	status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
338	p_unread, &len);
339	if (!NT_STATUS_IS_OK(status)) {
340	return status;
341	}
342
343	if (is_encrypted_packet((uint8_t )buffer)) {
344	status = srv_decrypt_buffer(*buffer);
345	if (!NT_STATUS_IS_OK(status)) {
346	DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
347	"incoming packet! Error %s\n",
348	nt_errstr(status) ));
349	return status;
350	}
351	*p_encrypted = true;
352	}
353
354	/* Check the incoming SMB signature. */
355	if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
356	DEBUG(0, ("receive_smb: SMB Signature verification failed on "
357	"incoming packet!\n"));
358	return NT_STATUS_INVALID_NETWORK_RESPONSE;
359	}
360
361	*p_len = len;
362	return NT_STATUS_OK;
363	}
364
365	/*
366	* Initialize a struct smb_request from an inbuf
367	*/
368
369	void init_smb_request(struct smb_request *req,
370	const uint8 *inbuf,
371	size_t unread_bytes,
372	bool encrypted)
373	{
374	struct smbd_server_connection *sconn = smbd_server_conn;
375	size_t req_size = smb_len(inbuf) + 4;
376	/* Ensure we have at least smb_size bytes. */
377	if (req_size < smb_size) {
378	DEBUG(0,("init_smb_request: invalid request size %u\n",
379	(unsigned int)req_size ));
380	exit_server_cleanly("Invalid SMB request");
381	}
382	req->cmd = CVAL(inbuf, smb_com);
383	req->flags2 = SVAL(inbuf, smb_flg2);
384	req->smbpid = SVAL(inbuf, smb_pid);
385	req->mid = SVAL(inbuf, smb_mid);
386	req->seqnum = 0;
387	req->vuid = SVAL(inbuf, smb_uid);
388	req->tid = SVAL(inbuf, smb_tid);
389	req->wct = CVAL(inbuf, smb_wct);
390	req->vwv = (uint16_t *)(inbuf+smb_vwv);
391	req->buflen = smb_buflen(inbuf);
392	req->buf = (const uint8_t *)smb_buf(inbuf);
393	req->unread_bytes = unread_bytes;
394	req->encrypted = encrypted;
395	req->conn = conn_find(sconn,req->tid);
396	req->chain_fsp = NULL;
397	req->chain_outbuf = NULL;
398	req->done = false;
399	smb_init_perfcount_data(&req->pcd);
400
401	/* Ensure we have at least wct words and 2 bytes of bcc. */
402	if (smb_size + req->wct*2 > req_size) {
403	DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
404	(unsigned int)req->wct,
405	(unsigned int)req_size));
406	exit_server_cleanly("Invalid SMB request");
407	}
408	/* Ensure bcc is correct. */
409	if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
410	DEBUG(0,("init_smb_request: invalid bcc number %u "
411	"(wct = %u, size %u)\n",
412	(unsigned int)req->buflen,
413	(unsigned int)req->wct,
414	(unsigned int)req_size));
415	exit_server_cleanly("Invalid SMB request");
416	}
417
418	req->outbuf = NULL;
419	}
420
421	static void process_smb(struct smbd_server_connection *conn,
422	uint8_t *inbuf, size_t nread, size_t unread_bytes,
423	uint32_t seqnum, bool encrypted,
424	struct smb_perfcount_data *deferred_pcd);
425
426	static void smbd_deferred_open_timer(struct event_context *ev,
427	struct timed_event *te,
428	struct timeval _tval,
429	void *private_data)
430	{
431	struct pending_message_list *msg = talloc_get_type(private_data,
432	struct pending_message_list);
433	TALLOC_CTX *mem_ctx = talloc_tos();
434	uint16_t mid = SVAL(msg->buf.data,smb_mid);
435	uint8_t *inbuf;
436
437	inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
438	msg->buf.length);
439	if (inbuf == NULL) {
440	exit_server("smbd_deferred_open_timer: talloc failed\n");
441	return;
442	}
443
444	/* We leave this message on the queue so the open code can
445	know this is a retry. */
446	DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
447	(unsigned int)mid ));
448
449	/* Mark the message as processed so this is not
450	* re-processed in error. */
451	msg->processed = true;
452
453	process_smb(smbd_server_conn, inbuf,
454	msg->buf.length, 0,
455	msg->seqnum, msg->encrypted, &msg->pcd);
456
457	/* If it's still there and was processed, remove it. */
458	msg = get_open_deferred_message(mid);
459	if (msg && msg->processed) {
460	remove_deferred_open_smb_message(mid);
461	}
462	}
463
464	/****************************************************************************
465	Function to push a message onto the tail of a linked list of smb messages ready
466	for processing.
467	****************************************************************************/
468
469	static bool push_queued_message(struct smb_request *req,
470	struct timeval request_time,
471	struct timeval end_time,
472	char *private_data, size_t private_len)
473	{
474	int msg_len = smb_len(req->inbuf) + 4;
475	struct pending_message_list *msg;
476
477	msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
478
479	if(msg == NULL) {
480	DEBUG(0,("push_message: malloc fail (1)\n"));
481	return False;
482	}
483
484	msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
485	if(msg->buf.data == NULL) {
486	DEBUG(0,("push_message: malloc fail (2)\n"));
487	TALLOC_FREE(msg);
488	return False;
489	}
490
491	msg->request_time = request_time;
492	msg->seqnum = req->seqnum;
493	msg->encrypted = req->encrypted;
494	msg->processed = false;
495	SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
496
497	if (private_data) {
498	msg->private_data = data_blob_talloc(msg, private_data,
499	private_len);
500	if (msg->private_data.data == NULL) {
501	DEBUG(0,("push_message: malloc fail (3)\n"));
502	TALLOC_FREE(msg);
503	return False;
504	}
505	}
506
507	msg->te = event_add_timed(smbd_event_context(),
508	msg,
509	end_time,
510	smbd_deferred_open_timer,
511	msg);
512	if (!msg->te) {
513	DEBUG(0,("push_message: event_add_timed failed\n"));
514	TALLOC_FREE(msg);
515	return false;
516	}
517
518	DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
519
520	DEBUG(10,("push_message: pushed message length %u on "
521	"deferred_open_queue\n", (unsigned int)msg_len));
522
523	return True;
524	}
525
526	/****************************************************************************
527	Function to delete a sharing violation open message by mid.
528	****************************************************************************/
529
530	void remove_deferred_open_smb_message(uint16 mid)
531	{
532	struct pending_message_list *pml;
533
534	for (pml = deferred_open_queue; pml; pml = pml->next) {
535	if (mid == SVAL(pml->buf.data,smb_mid)) {
536	DEBUG(10,("remove_deferred_open_smb_message: "
537	"deleting mid %u len %u\n",
538	(unsigned int)mid,
539	(unsigned int)pml->buf.length ));
540	DLIST_REMOVE(deferred_open_queue, pml);
541	TALLOC_FREE(pml);
542	return;
543	}
544	}
545	}
546
547	/****************************************************************************
548	Move a sharing violation open retry message to the front of the list and
549	schedule it for immediate processing.
550	****************************************************************************/
551
552	void schedule_deferred_open_smb_message(uint16 mid)
553	{
554	struct pending_message_list *pml;
555	int i = 0;
556
557	for (pml = deferred_open_queue; pml; pml = pml->next) {
558	uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
559
560	DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
561	(unsigned int)msg_mid ));
562
563	if (mid == msg_mid) {
564	struct timed_event *te;
565
566	if (pml->processed) {
567	/* A processed message should not be
568	* rescheduled. */
569	DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
570	"message mid %u was already processed\n",
571	msg_mid ));
572	continue;
573	}
574
575	DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
576	mid ));
577
578	te = event_add_timed(smbd_event_context(),
579	pml,
580	timeval_zero(),
581	smbd_deferred_open_timer,
582	pml);
583	if (!te) {
584	DEBUG(10,("schedule_deferred_open_smb_message: "
585	"event_add_timed() failed, skipping mid %u\n",
586	mid ));
587	}
588
589	TALLOC_FREE(pml->te);
590	pml->te = te;
591	DLIST_PROMOTE(deferred_open_queue, pml);
592	return;
593	}
594	}
595
596	DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
597	mid ));
598	}
599
600	/****************************************************************************
601	Return true if this mid is on the deferred queue and was not yet processed.
602	****************************************************************************/
603
604	bool open_was_deferred(uint16 mid)
605	{
606	struct pending_message_list *pml;
607
608	for (pml = deferred_open_queue; pml; pml = pml->next) {
609	if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
610	return True;
611	}
612	}
613	return False;
614	}
615
616	/****************************************************************************
617	Return the message queued by this mid.
618	****************************************************************************/
619
620	struct pending_message_list *get_open_deferred_message(uint16 mid)
621	{
622	struct pending_message_list *pml;
623
624	for (pml = deferred_open_queue; pml; pml = pml->next) {
625	if (SVAL(pml->buf.data,smb_mid) == mid) {
626	return pml;
627	}
628	}
629	return NULL;
630	}
631
632	/****************************************************************************
633	Function to push a deferred open smb message onto a linked list of local smb
634	messages ready for processing.
635	****************************************************************************/
636
637	bool push_deferred_smb_message(struct smb_request *req,
638	struct timeval request_time,
639	struct timeval timeout,
640	char *private_data, size_t priv_len)
641	{
642	struct timeval end_time;
643
644	if (req->unread_bytes) {
645	DEBUG(0,("push_deferred_smb_message: logic error ! "
646	"unread_bytes = %u\n",
647	(unsigned int)req->unread_bytes ));
648	smb_panic("push_deferred_smb_message: "
649	"logic error unread_bytes != 0" );
650	}
651
652	end_time = timeval_sum(&request_time, &timeout);
653
654	DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
655	"timeout time [%u.%06u]\n",
656	(unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
657	(unsigned int)end_time.tv_sec,
658	(unsigned int)end_time.tv_usec));
659
660	return push_queued_message(req, request_time, end_time,
661	private_data, priv_len);
662	}
663
664	struct idle_event {
665	struct timed_event *te;
666	struct timeval interval;
667	char *name;
668	bool (handler)(const struct timeval now, void *private_data);
669	void *private_data;
670	};
671
672	static void smbd_idle_event_handler(struct event_context *ctx,
673	struct timed_event *te,
674	struct timeval now,
675	void *private_data)
676	{
677	struct idle_event *event =
678	talloc_get_type_abort(private_data, struct idle_event);
679
680	TALLOC_FREE(event->te);
681
682	DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
683	event->name, event->te));
684
685	if (!event->handler(&now, event->private_data)) {
686	DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
687	event->name, event->te));
688	/* Don't repeat, delete ourselves */
689	TALLOC_FREE(event);
690	return;
691	}
692
693	DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
694	event->name, event->te));
695
696	event->te = event_add_timed(ctx, event,
697	timeval_sum(&now, &event->interval),
698	smbd_idle_event_handler, event);
699
700	/* We can't do much but fail here. */
701	SMB_ASSERT(event->te != NULL);
702	}
703
704	struct idle_event event_add_idle(struct event_context event_ctx,
705	TALLOC_CTX *mem_ctx,
706	struct timeval interval,
707	const char *name,
708	bool (handler)(const struct timeval now,
709	void *private_data),
710	void *private_data)
711	{
712	struct idle_event *result;
713	struct timeval now = timeval_current();
714
715	result = TALLOC_P(mem_ctx, struct idle_event);
716	if (result == NULL) {
717	DEBUG(0, ("talloc failed\n"));
718	return NULL;
719	}
720
721	result->interval = interval;
722	result->handler = handler;
723	result->private_data = private_data;
724
725	if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
726	DEBUG(0, ("talloc failed\n"));
727	TALLOC_FREE(result);
728	return NULL;
729	}
730
731	result->te = event_add_timed(event_ctx, result,
732	timeval_sum(&now, &interval),
733	smbd_idle_event_handler, result);
734	if (result->te == NULL) {
735	DEBUG(0, ("event_add_timed failed\n"));
736	TALLOC_FREE(result);
737	return NULL;
738	}
739
740	DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
741	return result;
742	}
743
744	static void smbd_sig_term_handler(struct tevent_context *ev,
745	struct tevent_signal *se,
746	int signum,
747	int count,
748	void *siginfo,
749	void *private_data)
750	{
751	exit_server_cleanly("termination signal");
752	}
753
754	void smbd_setup_sig_term_handler(void)
755	{
756	struct tevent_signal *se;
757
758	se = tevent_add_signal(smbd_event_context(),
759	smbd_event_context(),
760	SIGTERM, 0,
761	smbd_sig_term_handler,
762	NULL);
763	if (!se) {
764	exit_server("failed to setup SIGTERM handler");
765	}
766	}
767
768	static void smbd_sig_hup_handler(struct tevent_context *ev,
769	struct tevent_signal *se,
770	int signum,
771	int count,
772	void *siginfo,
773	void *private_data)
774	{
775	change_to_root_user();
776	DEBUG(1,("Reloading services after SIGHUP\n"));
777	reload_services(False);
778	}
779
780	void smbd_setup_sig_hup_handler(void)
781	{
782	struct tevent_signal *se;
783
784	se = tevent_add_signal(smbd_event_context(),
785	smbd_event_context(),
786	SIGHUP, 0,
787	smbd_sig_hup_handler,
788	NULL);
789	if (!se) {
790	exit_server("failed to setup SIGHUP handler");
791	}
792	}
793
794	static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
795	{
796	fd_set r_fds, w_fds;
797	int selrtn;
798	struct timeval to;
799	int maxfd = 0;
800
801	to.tv_sec = SMBD_SELECT_TIMEOUT;
802	to.tv_usec = 0;
803
804	/*
805	* Setup the select fd sets.
806	*/
807
808	FD_ZERO(&r_fds);
809	FD_ZERO(&w_fds);
810
811	/*
812	* Are there any timed events waiting ? If so, ensure we don't
813	* select for longer than it would take to wait for them.
814	*/
815
816	{
817	struct timeval now;
818	GetTimeOfDay(&now);
819
820	event_add_to_select_args(smbd_event_context(), &now,
821	&r_fds, &w_fds, &to, &maxfd);
822	}
823
824	/* Process a signal and timed events now... */
825	if (run_events(smbd_event_context(), 0, NULL, NULL)) {
826	return NT_STATUS_RETRY;
827	}
828
829	{
830	int sav;
831	START_PROFILE(smbd_idle);
832
833	selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
834	sav = errno;
835
836	END_PROFILE(smbd_idle);
837	errno = sav;
838	}
839
840	if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
841	return NT_STATUS_RETRY;
842	}
843
844	/* Check if error */
845	if (selrtn == -1) {
846	/* something is wrong. Maybe the socket is dead? */
847	return map_nt_error_from_unix(errno);
848	}
849
850	/* Did we timeout ? */
851	if (selrtn == 0) {
852	return NT_STATUS_RETRY;
853	}
854
855	/* should not be reached */
856	return NT_STATUS_INTERNAL_ERROR;
857	}
858
859	/*
860	* Only allow 5 outstanding trans requests. We're allocating memory, so
861	* prevent a DoS.
862	*/
863
864	NTSTATUS allow_new_trans(struct trans_state *list, int mid)
865	{
866	int count = 0;
867	for (; list != NULL; list = list->next) {
868
869	if (list->mid == mid) {
870	return NT_STATUS_INVALID_PARAMETER;
871	}
872
873	count += 1;
874	}
875	if (count > 5) {
876	return NT_STATUS_INSUFFICIENT_RESOURCES;
877	}
878
879	return NT_STATUS_OK;
880	}
881
882	/*
883	These flags determine some of the permissions required to do an operation
884
885	Note that I don't set NEED_WRITE on some write operations because they
886	are used by some brain-dead clients when printing, and I don't want to
887	force write permissions on print services.
888	*/
889	#define AS_USER (1<<0)
890	#define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
891	#define TIME_INIT (1<<2)
892	#define CAN_IPC (1<<3) /* Must be paired with AS_USER */
893	#define AS_GUEST (1<<5) /* Must NOT be paired with AS_USER */
894	#define DO_CHDIR (1<<6)
895
896	/*
897	define a list of possible SMB messages and their corresponding
898	functions. Any message that has a NULL function is unimplemented -
899	please feel free to contribute implementations!
900	*/
901	static const struct smb_message_struct {
902	const char *name;
903	void (fn)(struct smb_request req);
904	int flags;
905	} smb_messages[256] = {
906
907	/* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER \| NEED_WRITE},
908	/* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER \| NEED_WRITE},
909	/* 0x02 */ { "SMBopen",reply_open,AS_USER },
910	/* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
911	/* 0x04 */ { "SMBclose",reply_close,AS_USER \| CAN_IPC },
912	/* 0x05 */ { "SMBflush",reply_flush,AS_USER},
913	/* 0x06 */ { "SMBunlink",reply_unlink,AS_USER \| NEED_WRITE },
914	/* 0x07 */ { "SMBmv",reply_mv,AS_USER \| NEED_WRITE },
915	/* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
916	/* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER \| NEED_WRITE},
917	/* 0x0a */ { "SMBread",reply_read,AS_USER},
918	/* 0x0b */ { "SMBwrite",reply_write,AS_USER \| CAN_IPC },
919	/* 0x0c */ { "SMBlock",reply_lock,AS_USER},
920	/* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
921	/* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
922	/* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
923	/* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
924	/* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
925	/* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
926	/* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
927	/* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
928	/* 0x15 */ { NULL, NULL, 0 },
929	/* 0x16 */ { NULL, NULL, 0 },
930	/* 0x17 */ { NULL, NULL, 0 },
931	/* 0x18 */ { NULL, NULL, 0 },
932	/* 0x19 */ { NULL, NULL, 0 },
933	/* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
934	/* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
935	/* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
936	/* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
937	/* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
938	/* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
939	/* 0x20 */ { "SMBwritec", NULL,0},
940	/* 0x21 */ { NULL, NULL, 0 },
941	/* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER \| NEED_WRITE },
942	/* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
943	/* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
944	/* 0x25 */ { "SMBtrans",reply_trans,AS_USER \| CAN_IPC },
945	/* 0x26 */ { "SMBtranss",reply_transs,AS_USER \| CAN_IPC},
946	/* 0x27 */ { "SMBioctl",reply_ioctl,0},
947	/* 0x28 */ { "SMBioctls", NULL,AS_USER},
948	/* 0x29 */ { "SMBcopy",reply_copy,AS_USER \| NEED_WRITE },
949	/* 0x2a */ { "SMBmove", NULL,AS_USER \| NEED_WRITE },
950	/* 0x2b */ { "SMBecho",reply_echo,0},
951	/* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
952	/* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER \| CAN_IPC },
953	/* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER \| CAN_IPC },
954	/* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER \| CAN_IPC },
955	/* 0x30 */ { NULL, NULL, 0 },
956	/* 0x31 */ { NULL, NULL, 0 },
957	/* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER \| CAN_IPC },
958	/* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER \| CAN_IPC },
959	/* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
960	/* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
961	/* 0x36 */ { NULL, NULL, 0 },
962	/* 0x37 */ { NULL, NULL, 0 },
963	/* 0x38 */ { NULL, NULL, 0 },
964	/* 0x39 */ { NULL, NULL, 0 },
965	/* 0x3a */ { NULL, NULL, 0 },
966	/* 0x3b */ { NULL, NULL, 0 },
967	/* 0x3c */ { NULL, NULL, 0 },
968	/* 0x3d */ { NULL, NULL, 0 },
969	/* 0x3e */ { NULL, NULL, 0 },
970	/* 0x3f */ { NULL, NULL, 0 },
971	/* 0x40 */ { NULL, NULL, 0 },
972	/* 0x41 */ { NULL, NULL, 0 },
973	/* 0x42 */ { NULL, NULL, 0 },
974	/* 0x43 */ { NULL, NULL, 0 },
975	/* 0x44 */ { NULL, NULL, 0 },
976	/* 0x45 */ { NULL, NULL, 0 },
977	/* 0x46 */ { NULL, NULL, 0 },
978	/* 0x47 */ { NULL, NULL, 0 },
979	/* 0x48 */ { NULL, NULL, 0 },
980	/* 0x49 */ { NULL, NULL, 0 },
981	/* 0x4a */ { NULL, NULL, 0 },
982	/* 0x4b */ { NULL, NULL, 0 },
983	/* 0x4c */ { NULL, NULL, 0 },
984	/* 0x4d */ { NULL, NULL, 0 },
985	/* 0x4e */ { NULL, NULL, 0 },
986	/* 0x4f */ { NULL, NULL, 0 },
987	/* 0x50 */ { NULL, NULL, 0 },
988	/* 0x51 */ { NULL, NULL, 0 },
989	/* 0x52 */ { NULL, NULL, 0 },
990	/* 0x53 */ { NULL, NULL, 0 },
991	/* 0x54 */ { NULL, NULL, 0 },
992	/* 0x55 */ { NULL, NULL, 0 },
993	/* 0x56 */ { NULL, NULL, 0 },
994	/* 0x57 */ { NULL, NULL, 0 },
995	/* 0x58 */ { NULL, NULL, 0 },
996	/* 0x59 */ { NULL, NULL, 0 },
997	/* 0x5a */ { NULL, NULL, 0 },
998	/* 0x5b */ { NULL, NULL, 0 },
999	/* 0x5c */ { NULL, NULL, 0 },
1000	/* 0x5d */ { NULL, NULL, 0 },
1001	/* 0x5e */ { NULL, NULL, 0 },
1002	/* 0x5f */ { NULL, NULL, 0 },
1003	/* 0x60 */ { NULL, NULL, 0 },
1004	/* 0x61 */ { NULL, NULL, 0 },
1005	/* 0x62 */ { NULL, NULL, 0 },
1006	/* 0x63 */ { NULL, NULL, 0 },
1007	/* 0x64 */ { NULL, NULL, 0 },
1008	/* 0x65 */ { NULL, NULL, 0 },
1009	/* 0x66 */ { NULL, NULL, 0 },
1010	/* 0x67 */ { NULL, NULL, 0 },
1011	/* 0x68 */ { NULL, NULL, 0 },
1012	/* 0x69 */ { NULL, NULL, 0 },
1013	/* 0x6a */ { NULL, NULL, 0 },
1014	/* 0x6b */ { NULL, NULL, 0 },
1015	/* 0x6c */ { NULL, NULL, 0 },
1016	/* 0x6d */ { NULL, NULL, 0 },
1017	/* 0x6e */ { NULL, NULL, 0 },
1018	/* 0x6f */ { NULL, NULL, 0 },
1019	/* 0x70 */ { "SMBtcon",reply_tcon,0},
1020	/* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1021	/* 0x72 */ { "SMBnegprot",reply_negprot,0},
1022	/* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1023	/* 0x74 / { "SMBulogoffX",reply_ulogoffX, 0}, / ulogoff doesn't give a valid TID */
1024	/* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1025	/* 0x76 */ { NULL, NULL, 0 },
1026	/* 0x77 */ { NULL, NULL, 0 },
1027	/* 0x78 */ { NULL, NULL, 0 },
1028	/* 0x79 */ { NULL, NULL, 0 },
1029	/* 0x7a */ { NULL, NULL, 0 },
1030	/* 0x7b */ { NULL, NULL, 0 },
1031	/* 0x7c */ { NULL, NULL, 0 },
1032	/* 0x7d */ { NULL, NULL, 0 },
1033	/* 0x7e */ { NULL, NULL, 0 },
1034	/* 0x7f */ { NULL, NULL, 0 },
1035	/* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1036	/* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1037	/* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1038	/* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1039	/* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1040	/* 0x85 */ { NULL, NULL, 0 },
1041	/* 0x86 */ { NULL, NULL, 0 },
1042	/* 0x87 */ { NULL, NULL, 0 },
1043	/* 0x88 */ { NULL, NULL, 0 },
1044	/* 0x89 */ { NULL, NULL, 0 },
1045	/* 0x8a */ { NULL, NULL, 0 },
1046	/* 0x8b */ { NULL, NULL, 0 },
1047	/* 0x8c */ { NULL, NULL, 0 },
1048	/* 0x8d */ { NULL, NULL, 0 },
1049	/* 0x8e */ { NULL, NULL, 0 },
1050	/* 0x8f */ { NULL, NULL, 0 },
1051	/* 0x90 */ { NULL, NULL, 0 },
1052	/* 0x91 */ { NULL, NULL, 0 },
1053	/* 0x92 */ { NULL, NULL, 0 },
1054	/* 0x93 */ { NULL, NULL, 0 },
1055	/* 0x94 */ { NULL, NULL, 0 },
1056	/* 0x95 */ { NULL, NULL, 0 },
1057	/* 0x96 */ { NULL, NULL, 0 },
1058	/* 0x97 */ { NULL, NULL, 0 },
1059	/* 0x98 */ { NULL, NULL, 0 },
1060	/* 0x99 */ { NULL, NULL, 0 },
1061	/* 0x9a */ { NULL, NULL, 0 },
1062	/* 0x9b */ { NULL, NULL, 0 },
1063	/* 0x9c */ { NULL, NULL, 0 },
1064	/* 0x9d */ { NULL, NULL, 0 },
1065	/* 0x9e */ { NULL, NULL, 0 },
1066	/* 0x9f */ { NULL, NULL, 0 },
1067	/* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER \| CAN_IPC },
1068	/* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER \| CAN_IPC },
1069	/* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER \| CAN_IPC },
1070	/* 0xa3 */ { NULL, NULL, 0 },
1071	/* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1072	/* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER \| NEED_WRITE },
1073	/* 0xa6 */ { NULL, NULL, 0 },
1074	/* 0xa7 */ { NULL, NULL, 0 },
1075	/* 0xa8 */ { NULL, NULL, 0 },
1076	/* 0xa9 */ { NULL, NULL, 0 },
1077	/* 0xaa */ { NULL, NULL, 0 },
1078	/* 0xab */ { NULL, NULL, 0 },
1079	/* 0xac */ { NULL, NULL, 0 },
1080	/* 0xad */ { NULL, NULL, 0 },
1081	/* 0xae */ { NULL, NULL, 0 },
1082	/* 0xaf */ { NULL, NULL, 0 },
1083	/* 0xb0 */ { NULL, NULL, 0 },
1084	/* 0xb1 */ { NULL, NULL, 0 },
1085	/* 0xb2 */ { NULL, NULL, 0 },
1086	/* 0xb3 */ { NULL, NULL, 0 },
1087	/* 0xb4 */ { NULL, NULL, 0 },
1088	/* 0xb5 */ { NULL, NULL, 0 },
1089	/* 0xb6 */ { NULL, NULL, 0 },
1090	/* 0xb7 */ { NULL, NULL, 0 },
1091	/* 0xb8 */ { NULL, NULL, 0 },
1092	/* 0xb9 */ { NULL, NULL, 0 },
1093	/* 0xba */ { NULL, NULL, 0 },
1094	/* 0xbb */ { NULL, NULL, 0 },
1095	/* 0xbc */ { NULL, NULL, 0 },
1096	/* 0xbd */ { NULL, NULL, 0 },
1097	/* 0xbe */ { NULL, NULL, 0 },
1098	/* 0xbf */ { NULL, NULL, 0 },
1099	/* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1100	/* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1101	/* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1102	/* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1103	/* 0xc4 */ { NULL, NULL, 0 },
1104	/* 0xc5 */ { NULL, NULL, 0 },
1105	/* 0xc6 */ { NULL, NULL, 0 },
1106	/* 0xc7 */ { NULL, NULL, 0 },
1107	/* 0xc8 */ { NULL, NULL, 0 },
1108	/* 0xc9 */ { NULL, NULL, 0 },
1109	/* 0xca */ { NULL, NULL, 0 },
1110	/* 0xcb */ { NULL, NULL, 0 },
1111	/* 0xcc */ { NULL, NULL, 0 },
1112	/* 0xcd */ { NULL, NULL, 0 },
1113	/* 0xce */ { NULL, NULL, 0 },
1114	/* 0xcf */ { NULL, NULL, 0 },
1115	/* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1116	/* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1117	/* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1118	/* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1119	/* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1120	/* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1121	/* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1122	/* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1123	/* 0xd8 */ { NULL, NULL, 0 },
1124	/* 0xd9 */ { NULL, NULL, 0 },
1125	/* 0xda */ { NULL, NULL, 0 },
1126	/* 0xdb */ { NULL, NULL, 0 },
1127	/* 0xdc */ { NULL, NULL, 0 },
1128	/* 0xdd */ { NULL, NULL, 0 },
1129	/* 0xde */ { NULL, NULL, 0 },
1130	/* 0xdf */ { NULL, NULL, 0 },
1131	/* 0xe0 */ { NULL, NULL, 0 },
1132	/* 0xe1 */ { NULL, NULL, 0 },
1133	/* 0xe2 */ { NULL, NULL, 0 },
1134	/* 0xe3 */ { NULL, NULL, 0 },
1135	/* 0xe4 */ { NULL, NULL, 0 },
1136	/* 0xe5 */ { NULL, NULL, 0 },
1137	/* 0xe6 */ { NULL, NULL, 0 },
1138	/* 0xe7 */ { NULL, NULL, 0 },
1139	/* 0xe8 */ { NULL, NULL, 0 },
1140	/* 0xe9 */ { NULL, NULL, 0 },
1141	/* 0xea */ { NULL, NULL, 0 },
1142	/* 0xeb */ { NULL, NULL, 0 },
1143	/* 0xec */ { NULL, NULL, 0 },
1144	/* 0xed */ { NULL, NULL, 0 },
1145	/* 0xee */ { NULL, NULL, 0 },
1146	/* 0xef */ { NULL, NULL, 0 },
1147	/* 0xf0 */ { NULL, NULL, 0 },
1148	/* 0xf1 */ { NULL, NULL, 0 },
1149	/* 0xf2 */ { NULL, NULL, 0 },
1150	/* 0xf3 */ { NULL, NULL, 0 },
1151	/* 0xf4 */ { NULL, NULL, 0 },
1152	/* 0xf5 */ { NULL, NULL, 0 },
1153	/* 0xf6 */ { NULL, NULL, 0 },
1154	/* 0xf7 */ { NULL, NULL, 0 },
1155	/* 0xf8 */ { NULL, NULL, 0 },
1156	/* 0xf9 */ { NULL, NULL, 0 },
1157	/* 0xfa */ { NULL, NULL, 0 },
1158	/* 0xfb */ { NULL, NULL, 0 },
1159	/* 0xfc */ { NULL, NULL, 0 },
1160	/* 0xfd */ { NULL, NULL, 0 },
1161	/* 0xfe */ { NULL, NULL, 0 },
1162	/* 0xff */ { NULL, NULL, 0 }
1163
1164	};
1165
1166	/*******************************************************************
1167	allocate and initialize a reply packet
1168	********************************************************************/
1169
1170	static bool create_outbuf(TALLOC_CTX mem_ctx, struct smb_request req,
1171	const char inbuf, char *outbuf, uint8_t num_words,
1172	uint32_t num_bytes)
1173	{
1174	/*
1175	* Protect against integer wrap
1176	*/
1177	if ((num_bytes > 0xffffff)
1178	\|\| ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1179	char *msg;
1180	if (asprintf(&msg, "num_bytes too large: %u",
1181	(unsigned)num_bytes) == -1) {
1182	msg = CONST_DISCARD(char *, "num_bytes too large");
1183	}
1184	smb_panic(msg);
1185	}
1186
1187	*outbuf = TALLOC_ARRAY(mem_ctx, char,
1188	smb_size + num_words*2 + num_bytes);
1189	if (*outbuf == NULL) {
1190	return false;
1191	}
1192
1193	construct_reply_common(req, inbuf, *outbuf);
1194	srv_set_message(*outbuf, num_words, num_bytes, false);
1195	/*
1196	* Zero out the word area, the caller has to take care of the bcc area
1197	* himself
1198	*/
1199	if (num_words != 0) {
1200	memset(outbuf + smb_vwv0, 0, num_words2);
1201	}
1202
1203	return true;
1204	}
1205
1206	void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1207	{
1208	char *outbuf;
1209	if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1210	num_bytes)) {
1211	smb_panic("could not allocate output buffer\n");
1212	}
1213	req->outbuf = (uint8_t *)outbuf;
1214	}
1215
1216
1217	/*******************************************************************
1218	Dump a packet to a file.
1219	********************************************************************/
1220
1221	static void smb_dump(const char name, int type, const char data, ssize_t len)
1222	{
1223	int fd, i;
1224	char *fname = NULL;
1225	if (DEBUGLEVEL < 50) {
1226	return;
1227	}
1228
1229	if (len < 4) len = smb_len(data)+4;
1230	for (i=1;i<100;i++) {
1231	if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1232	type ? "req" : "resp") == -1) {
1233	return;
1234	}
1235	fd = open(fname, O_WRONLY\|O_CREAT\|O_EXCL, 0644);
1236	if (fd != -1 \|\| errno != EEXIST) break;
1237	}
1238	if (fd != -1) {
1239	ssize_t ret = write(fd, data, len);
1240	if (ret != len)
1241	DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1242	close(fd);
1243	DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1244	}
1245	SAFE_FREE(fname);
1246	}
1247
1248	/****************************************************************************
1249	Prepare everything for calling the actual request function, and potentially
1250	call the request function via the "new" interface.
1251
1252	Return False if the "legacy" function needs to be called, everything is
1253	prepared.
1254
1255	Return True if we're done.
1256
1257	I know this API sucks, but it is the one with the least code change I could
1258	find.
1259	****************************************************************************/
1260
1261	static connection_struct switch_message(uint8 type, struct smb_request req, int size)
1262	{
1263	int flags;
1264	uint16 session_tag;
1265	connection_struct *conn = NULL;
1266	struct smbd_server_connection *sconn = smbd_server_conn;
1267
1268	errno = 0;
1269
1270	/* Make sure this is an SMB packet. smb_size contains NetBIOS header
1271	* so subtract 4 from it. */
1272	if (!valid_smb_header(req->inbuf)
1273	\|\| (size < (smb_size - 4))) {
1274	DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1275	smb_len(req->inbuf)));
1276	exit_server_cleanly("Non-SMB packet");
1277	}
1278
1279	if (smb_messages[type].fn == NULL) {
1280	DEBUG(0,("Unknown message type %d!\n",type));
1281	smb_dump("Unknown", 1, (char *)req->inbuf, size);
1282	reply_unknown_new(req, type);
1283	return NULL;
1284	}
1285
1286	flags = smb_messages[type].flags;
1287
1288	/* In share mode security we must ignore the vuid. */
1289	session_tag = (lp_security() == SEC_SHARE)
1290	? UID_FIELD_INVALID : req->vuid;
1291	conn = req->conn;
1292
1293	DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1294	(int)sys_getpid(), (unsigned long)conn));
1295
1296	smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1297
1298	/* Ensure this value is replaced in the incoming packet. */
1299	SSVAL(req->inbuf,smb_uid,session_tag);
1300
1301	/*
1302	* Ensure the correct username is in current_user_info. This is a
1303	* really ugly bugfix for problems with multiple session_setup_and_X's
1304	* being done and allowing %U and %G substitutions to work correctly.
1305	* There is a reason this code is done here, don't move it unless you
1306	* know what you're doing... :-).
1307	* JRA.
1308	*/
1309
1310	if (session_tag != sconn->smb1.sessions.last_session_tag) {
1311	user_struct *vuser = NULL;
1312
1313	sconn->smb1.sessions.last_session_tag = session_tag;
1314	if(session_tag != UID_FIELD_INVALID) {
1315	vuser = get_valid_user_struct(sconn, session_tag);
1316	if (vuser) {
1317	set_current_user_info(
1318	vuser->server_info->sanitized_username,
1319	vuser->server_info->unix_name,
1320	pdb_get_domain(vuser->server_info
1321	->sam_account));
1322	}
1323	}
1324	}
1325
1326	/* Does this call need to be run as the connected user? */
1327	if (flags & AS_USER) {
1328
1329	/* Does this call need a valid tree connection? */
1330	if (!conn) {
1331	/*
1332	* Amazingly, the error code depends on the command
1333	* (from Samba4).
1334	*/
1335	if (type == SMBntcreateX) {
1336	reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1337	} else {
1338	reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1339	}
1340	return NULL;
1341	}
1342
1343	if (!change_to_user(conn,session_tag)) {
1344	DEBUG(0, ("Error: Could not change to user. Removing "
1345	"deferred open, mid=%d.\n", req->mid));
1346	reply_force_doserror(req, ERRSRV, ERRbaduid);
1347	return conn;
1348	}
1349
1350	/* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1351
1352	/* Does it need write permission? */
1353	if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1354	reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1355	return conn;
1356	}
1357
1358	/* IPC services are limited */
1359	if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1360	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1361	return conn;
1362	}
1363	} else {
1364	/* This call needs to be run as root */
1365	change_to_root_user();
1366	}
1367
1368	/* load service specific parameters */
1369	if (conn) {
1370	if (req->encrypted) {
1371	conn->encrypted_tid = true;
1372	/* encrypted required from now on. */
1373	conn->encrypt_level = Required;
1374	} else if (ENCRYPTION_REQUIRED(conn)) {
1375	if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1376	exit_server_cleanly("encryption required "
1377	"on connection");
1378	return conn;
1379	}
1380	}
1381
1382	if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1383	(flags & (AS_USER\|DO_CHDIR)
1384	?True:False))) {
1385	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1386	return conn;
1387	}
1388	conn->num_smb_operations++;
1389	}
1390
1391	/* does this protocol need to be run as guest? */
1392	if ((flags & AS_GUEST)
1393	&& (!change_to_guest() \|\|
1394	!check_access(smbd_server_fd(), lp_hostsallow(-1),
1395	lp_hostsdeny(-1)))) {
1396	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1397	return conn;
1398	}
1399
1400	smb_messages[type].fn(req);
1401	return req->conn;
1402	}
1403
1404	/****************************************************************************
1405	Construct a reply to the incoming packet.
1406	****************************************************************************/
1407
1408	static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1409	uint32_t seqnum, bool encrypted,
1410	struct smb_perfcount_data *deferred_pcd)
1411	{
1412	connection_struct *conn;
1413	struct smb_request *req;
1414
1415	if (!(req = talloc(talloc_tos(), struct smb_request))) {
1416	smb_panic("could not allocate smb_request");
1417	}
1418
1419	init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted);
1420	req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1421	req->seqnum = seqnum;
1422
1423	/* we popped this message off the queue - keep original perf data */
1424	if (deferred_pcd)
1425	req->pcd = *deferred_pcd;
1426	else {
1427	SMB_PERFCOUNT_START(&req->pcd);
1428	SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1429	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1430	}
1431
1432	conn = switch_message(req->cmd, req, size);
1433
1434	if (req->unread_bytes) {
1435	/* writeX failed. drain socket. */
1436	if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1437	req->unread_bytes) {
1438	smb_panic("failed to drain pending bytes");
1439	}
1440	req->unread_bytes = 0;
1441	}
1442
1443	if (req->done) {
1444	TALLOC_FREE(req);
1445	return;
1446	}
1447
1448	if (req->outbuf == NULL) {
1449	return;
1450	}
1451
1452	if (CVAL(req->outbuf,0) == 0) {
1453	show_msg((char *)req->outbuf);
1454	}
1455
1456	if (!srv_send_smb(smbd_server_fd(),
1457	(char *)req->outbuf,
1458	true, req->seqnum+1,
1459	IS_CONN_ENCRYPTED(conn)\|\|req->encrypted,
1460	&req->pcd)) {
1461	exit_server_cleanly("construct_reply: srv_send_smb failed.");
1462	}
1463
1464	TALLOC_FREE(req);
1465
1466	return;
1467	}
1468
1469	/****************************************************************************
1470	Process an smb from the client
1471	****************************************************************************/
1472	static void process_smb(struct smbd_server_connection *conn,
1473	uint8_t *inbuf, size_t nread, size_t unread_bytes,
1474	uint32_t seqnum, bool encrypted,
1475	struct smb_perfcount_data *deferred_pcd)
1476	{
1477	int msg_type = CVAL(inbuf,0);
1478
1479	DO_PROFILE_INC(smb_count);
1480
1481	DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1482	smb_len(inbuf) ) );
1483	DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1484	(int)nread,
1485	(unsigned int)unread_bytes ));
1486
1487	if (msg_type != 0) {
1488	/*
1489	* NetBIOS session request, keepalive, etc.
1490	*/
1491	reply_special((char *)inbuf);
1492	goto done;
1493	}
1494
1495	if (smbd_server_conn->allow_smb2) {
1496	if (smbd_is_smb2_header(inbuf, nread)) {
1497	smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1498	return;
1499	}
1500	smbd_server_conn->allow_smb2 = false;
1501	}
1502
1503	show_msg((char *)inbuf);
1504
1505	construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1506	trans_num++;
1507
1508	done:
1509	conn->smb1.num_requests++;
1510
1511	/* The timeout_processing function isn't run nearly
1512	often enough to implement 'max log size' without
1513	overrunning the size of the file by many megabytes.
1514	This is especially true if we are running at debug
1515	level 10. Checking every 50 SMBs is a nice
1516	tradeoff of performance vs log file size overrun. */
1517
1518	if ((conn->smb1.num_requests % 50) == 0 &&
1519	need_to_check_log_size()) {
1520	change_to_root_user();
1521	check_log_size();
1522	}
1523	}
1524
1525	/****************************************************************************
1526	Return a string containing the function name of a SMB command.
1527	****************************************************************************/
1528
1529	const char *smb_fn_name(int type)
1530	{
1531	const char *unknown_name = "SMBunknown";
1532
1533	if (smb_messages[type].name == NULL)
1534	return(unknown_name);
1535
1536	return(smb_messages[type].name);
1537	}
1538
1539	/****************************************************************************
1540	Helper functions for contruct_reply.
1541	****************************************************************************/
1542
1543	void add_to_common_flags2(uint32 v)
1544	{
1545	common_flags2 \|= v;
1546	}
1547
1548	void remove_from_common_flags2(uint32 v)
1549	{
1550	common_flags2 &= ~v;
1551	}
1552
1553	static void construct_reply_common(struct smb_request req, const char inbuf,
1554	char *outbuf)
1555	{
1556	srv_set_message(outbuf,0,0,false);
1557
1558	SCVAL(outbuf, smb_com, req->cmd);
1559	SIVAL(outbuf,smb_rcls,0);
1560	SCVAL(outbuf,smb_flg, FLAG_REPLY \| (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1561	SSVAL(outbuf,smb_flg2,
1562	(SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) \|
1563	common_flags2);
1564	memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1565
1566	SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1567	SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1568	SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1569	SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1570	}
1571
1572	void construct_reply_common_req(struct smb_request req, char outbuf)
1573	{
1574	construct_reply_common(req, (char *)req->inbuf, outbuf);
1575	}
1576
1577	/*
1578	* How many bytes have we already accumulated up to the current wct field
1579	* offset?
1580	*/
1581
1582	size_t req_wct_ofs(struct smb_request *req)
1583	{
1584	size_t buf_size;
1585
1586	if (req->chain_outbuf == NULL) {
1587	return smb_wct - 4;
1588	}
1589	buf_size = talloc_get_size(req->chain_outbuf);
1590	if ((buf_size % 4) != 0) {
1591	buf_size += (4 - (buf_size % 4));
1592	}
1593	return buf_size - 4;
1594	}
1595
1596	/*
1597	* Hack around reply_nterror & friends not being aware of chained requests,
1598	* generating illegal (i.e. wct==0) chain replies.
1599	*/
1600
1601	static void fixup_chain_error_packet(struct smb_request *req)
1602	{
1603	uint8_t *outbuf = req->outbuf;
1604	req->outbuf = NULL;
1605	reply_outbuf(req, 2, 0);
1606	memcpy(req->outbuf, outbuf, smb_wct);
1607	TALLOC_FREE(outbuf);
1608	SCVAL(req->outbuf, smb_vwv0, 0xff);
1609	}
1610
1611	/**
1612	* @brief Find the smb_cmd offset of the last command pushed
1613	* @param[in] buf The buffer we're building up
1614	* @retval Where can we put our next andx cmd?
1615	*
1616	* While chaining requests, the "next" request we're looking at needs to put
1617	* its SMB_Command before the data the previous request already built up added
1618	* to the chain. Find the offset to the place where we have to put our cmd.
1619	*/
1620
1621	static bool find_andx_cmd_ofs(uint8_t buf, size_t pofs)
1622	{
1623	uint8_t cmd;
1624	size_t ofs;
1625
1626	cmd = CVAL(buf, smb_com);
1627
1628	SMB_ASSERT(is_andx_req(cmd));
1629
1630	ofs = smb_vwv0;
1631
1632	while (CVAL(buf, ofs) != 0xff) {
1633
1634	if (!is_andx_req(CVAL(buf, ofs))) {
1635	return false;
1636	}
1637
1638	/*
1639	* ofs is from start of smb header, so add the 4 length
1640	* bytes. The next cmd is right after the wct field.
1641	*/
1642	ofs = SVAL(buf, ofs+2) + 4 + 1;
1643
1644	SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1645	}
1646
1647	*pofs = ofs;
1648	return true;
1649	}
1650
1651	/**
1652	* @brief Do the smb chaining at a buffer level
1653	* @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1654	* @param[in] smb_command The command that we want to issue
1655	* @param[in] wct How many words?
1656	* @param[in] vwv The words, already in network order
1657	* @param[in] bytes_alignment How shall we align "bytes"?
1658	* @param[in] num_bytes How many bytes?
1659	* @param[in] bytes The data the request ships
1660	*
1661	* smb_splice_chain() adds the vwv and bytes to the request already present in
1662	* *poutbuf.
1663	*/
1664
1665	static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1666	uint8_t wct, const uint16_t *vwv,
1667	size_t bytes_alignment,
1668	uint32_t num_bytes, const uint8_t *bytes)
1669	{
1670	uint8_t *outbuf;
1671	size_t old_size, new_size;
1672	size_t ofs;
1673	size_t chain_padding = 0;
1674	size_t bytes_padding = 0;
1675	bool first_request;
1676
1677	old_size = talloc_get_size(*poutbuf);
1678
1679	/*
1680	* old_size == smb_wct means we're pushing the first request in for
1681	* libsmb/
1682	*/
1683
1684	first_request = (old_size == smb_wct);
1685
1686	if (!first_request && ((old_size % 4) != 0)) {
1687	/*
1688	* Align the wct field of subsequent requests to a 4-byte
1689	* boundary
1690	*/
1691	chain_padding = 4 - (old_size % 4);
1692	}
1693
1694	/*
1695	* After the old request comes the new wct field (1 byte), the vwv's
1696	* and the num_bytes field. After at we might need to align the bytes
1697	* given to us to "bytes_alignment", increasing the num_bytes value.
1698	*/
1699
1700	new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1701
1702	if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1703	bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1704	}
1705
1706	new_size += bytes_padding + num_bytes;
1707
1708	if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1709	DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1710	(unsigned)new_size));
1711	return false;
1712	}
1713
1714	outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1715	if (outbuf == NULL) {
1716	DEBUG(0, ("talloc failed\n"));
1717	return false;
1718	}
1719	*poutbuf = outbuf;
1720
1721	if (first_request) {
1722	SCVAL(outbuf, smb_com, smb_command);
1723	} else {
1724	size_t andx_cmd_ofs;
1725
1726	if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1727	DEBUG(1, ("invalid command chain\n"));
1728	*poutbuf = TALLOC_REALLOC_ARRAY(
1729	NULL, *poutbuf, uint8_t, old_size);
1730	return false;
1731	}
1732
1733	if (chain_padding != 0) {
1734	memset(outbuf + old_size, 0, chain_padding);
1735	old_size += chain_padding;
1736	}
1737
1738	SCVAL(outbuf, andx_cmd_ofs, smb_command);
1739	SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1740	}
1741
1742	ofs = old_size;
1743
1744	/*
1745	* Push the chained request:
1746	*
1747	* wct field
1748	*/
1749
1750	SCVAL(outbuf, ofs, wct);
1751	ofs += 1;
1752
1753	/*
1754	* vwv array
1755	*/
1756
1757	memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1758	ofs += sizeof(uint16_t) * wct;
1759
1760	/*
1761	* bcc (byte count)
1762	*/
1763
1764	SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1765	ofs += sizeof(uint16_t);
1766
1767	/*
1768	* padding
1769	*/
1770
1771	if (bytes_padding != 0) {
1772	memset(outbuf + ofs, 0, bytes_padding);
1773	ofs += bytes_padding;
1774	}
1775
1776	/*
1777	* The bytes field
1778	*/
1779
1780	memcpy(outbuf + ofs, bytes, num_bytes);
1781
1782	return true;
1783	}
1784
1785	/****************************************************************************
1786	Construct a chained reply and add it to the already made reply
1787	****************************************************************************/
1788
1789	void chain_reply(struct smb_request *req)
1790	{
1791	size_t smblen = smb_len(req->inbuf);
1792	size_t already_used, length_needed;
1793	uint8_t chain_cmd;
1794	uint32_t chain_offset; /* uint32_t to avoid overflow */
1795
1796	uint8_t wct;
1797	uint16_t *vwv;
1798	uint16_t buflen;
1799	uint8_t *buf;
1800
1801	if (IVAL(req->outbuf, smb_rcls) != 0) {
1802	fixup_chain_error_packet(req);
1803	}
1804
1805	/*
1806	* Any of the AndX requests and replies have at least a wct of
1807	* 2. vwv[0] is the next command, vwv[1] is the offset from the
1808	* beginning of the SMB header to the next wct field.
1809	*
1810	* None of the AndX requests put anything valuable in vwv[0] and [1],
1811	* so we can overwrite it here to form the chain.
1812	*/
1813
1814	if ((req->wct < 2) \|\| (CVAL(req->outbuf, smb_wct) < 2)) {
1815	goto error;
1816	}
1817
1818	/*
1819	* Here we assume that this is the end of the chain. For that we need
1820	* to set "next command" to 0xff and the offset to 0. If we later find
1821	* more commands in the chain, this will be overwritten again.
1822	*/
1823
1824	SCVAL(req->outbuf, smb_vwv0, 0xff);
1825	SCVAL(req->outbuf, smb_vwv0+1, 0);
1826	SSVAL(req->outbuf, smb_vwv1, 0);
1827
1828	if (req->chain_outbuf == NULL) {
1829	/*
1830	* In req->chain_outbuf we collect all the replies. Start the
1831	* chain by copying in the first reply.
1832	*
1833	* We do the realloc because later on we depend on
1834	* talloc_get_size to determine the length of
1835	* chain_outbuf. The reply_xxx routines might have
1836	* over-allocated (reply_pipe_read_and_X used to be such an
1837	* example).
1838	*/
1839	req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1840	req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1841	if (req->chain_outbuf == NULL) {
1842	goto error;
1843	}
1844	req->outbuf = NULL;
1845	} else {
1846	/*
1847	* Update smb headers where subsequent chained commands
1848	* may have updated them.
1849	*/
1850	SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
1851	SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
1852
1853	if (!smb_splice_chain(&req->chain_outbuf,
1854	CVAL(req->outbuf, smb_com),
1855	CVAL(req->outbuf, smb_wct),
1856	(uint16_t *)(req->outbuf + smb_vwv),
1857	0, smb_buflen(req->outbuf),
1858	(uint8_t *)smb_buf(req->outbuf))) {
1859	goto error;
1860	}
1861	TALLOC_FREE(req->outbuf);
1862	}
1863
1864	/*
1865	* We use the old request's vwv field to grab the next chained command
1866	* and offset into the chained fields.
1867	*/
1868
1869	chain_cmd = CVAL(req->vwv+0, 0);
1870	chain_offset = SVAL(req->vwv+1, 0);
1871
1872	if (chain_cmd == 0xff) {
1873	/*
1874	* End of chain, no more requests from the client. So ship the
1875	* replies.
1876	*/
1877	smb_setlen((char *)(req->chain_outbuf),
1878	talloc_get_size(req->chain_outbuf) - 4);
1879
1880	if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1881	true, req->seqnum+1,
1882	IS_CONN_ENCRYPTED(req->conn)
1883	\|\|req->encrypted,
1884	&req->pcd)) {
1885	exit_server_cleanly("chain_reply: srv_send_smb "
1886	"failed.");
1887	}
1888	TALLOC_FREE(req->chain_outbuf);
1889	req->done = true;
1890	return;
1891	}
1892
1893	/* add a new perfcounter for this element of chain */
1894	SMB_PERFCOUNT_ADD(&req->pcd);
1895	SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1896	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1897
1898	/*
1899	* Check if the client tries to fool us. The request so far uses the
1900	* space to the end of the byte buffer in the request just
1901	* processed. The chain_offset can't point into that area. If that was
1902	* the case, we could end up with an endless processing of the chain,
1903	* we would always handle the same request.
1904	*/
1905
1906	already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
1907	if (chain_offset < already_used) {
1908	goto error;
1909	}
1910
1911	/*
1912	* Next check: Make sure the chain offset does not point beyond the
1913	* overall smb request length.
1914	*/
1915
1916	length_needed = chain_offset+1; /* wct */
1917	if (length_needed > smblen) {
1918	goto error;
1919	}
1920
1921	/*
1922	* Now comes the pointer magic. Goal here is to set up req->vwv and
1923	* req->buf correctly again to be able to call the subsequent
1924	* switch_message(). The chain offset (the former vwv[1]) points at
1925	* the new wct field.
1926	*/
1927
1928	wct = CVAL(smb_base(req->inbuf), chain_offset);
1929
1930	/*
1931	* Next consistency check: Make the new vwv array fits in the overall
1932	* smb request.
1933	*/
1934
1935	length_needed += (wct+1)sizeof(uint16_t); / vwv+buflen */
1936	if (length_needed > smblen) {
1937	goto error;
1938	}
1939	vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1940
1941	/*
1942	* Now grab the new byte buffer....
1943	*/
1944
1945	buflen = SVAL(vwv+wct, 0);
1946
1947	/*
1948	* .. and check that it fits.
1949	*/
1950
1951	length_needed += buflen;
1952	if (length_needed > smblen) {
1953	goto error;
1954	}
1955	buf = (uint8_t *)(vwv+wct+1);
1956
1957	req->cmd = chain_cmd;
1958	req->wct = wct;
1959	req->vwv = vwv;
1960	req->buflen = buflen;
1961	req->buf = buf;
1962
1963	switch_message(chain_cmd, req, smblen);
1964
1965	if (req->outbuf == NULL) {
1966	/*
1967	* This happens if the chained command has suspended itself or
1968	* if it has called srv_send_smb() itself.
1969	*/
1970	return;
1971	}
1972
1973	/*
1974	* We end up here if the chained command was not itself chained or
1975	* suspended, but for example a close() command. We now need to splice
1976	* the chained commands' outbuf into the already built up chain_outbuf
1977	* and ship the result.
1978	*/
1979	goto done;
1980
1981	error:
1982	/*
1983	* We end up here if there's any error in the chain syntax. Report a
1984	* DOS error, just like Windows does.
1985	*/
1986	reply_force_doserror(req, ERRSRV, ERRerror);
1987	fixup_chain_error_packet(req);
1988
1989	done:
1990	/*
1991	* This scary statement intends to set the
1992	* FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
1993	* to the value req->outbuf carries
1994	*/
1995	SSVAL(req->chain_outbuf, smb_flg2,
1996	(SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1997	\| (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1998
1999	/*
2000	* Transfer the error codes from the subrequest to the main one
2001	*/
2002	SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2003	SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2004
2005	if (!smb_splice_chain(&req->chain_outbuf,
2006	CVAL(req->outbuf, smb_com),
2007	CVAL(req->outbuf, smb_wct),
2008	(uint16_t *)(req->outbuf + smb_vwv),
2009	0, smb_buflen(req->outbuf),
2010	(uint8_t *)smb_buf(req->outbuf))) {
2011	exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2012	}
2013	TALLOC_FREE(req->outbuf);
2014
2015	smb_setlen((char *)(req->chain_outbuf),
2016	talloc_get_size(req->chain_outbuf) - 4);
2017
2018	show_msg((char *)(req->chain_outbuf));
2019
2020	if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2021	true, req->seqnum+1,
2022	IS_CONN_ENCRYPTED(req->conn)\|\|req->encrypted,
2023	&req->pcd)) {
2024	exit_server_cleanly("construct_reply: srv_send_smb failed.");
2025	}
2026	TALLOC_FREE(req->chain_outbuf);
2027	req->done = true;
2028	}
2029
2030	/****************************************************************************
2031	Check if services need reloading.
2032	****************************************************************************/
2033
2034	void check_reload(time_t t)
2035	{
2036	time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2037
2038	if(last_smb_conf_reload_time == 0) {
2039	last_smb_conf_reload_time = t;
2040	/* Our printing subsystem might not be ready at smbd start up.
2041	Then no printer is available till the first printers check
2042	is performed. A lower initial interval circumvents this. */
2043	if ( printcap_cache_time > 60 )
2044	last_printer_reload_time = t - printcap_cache_time + 60;
2045	else
2046	last_printer_reload_time = t;
2047	}
2048
2049	if (mypid != getpid()) { /* First time or fork happened meanwhile */
2050	/* randomize over 60 second the printcap reload to avoid all
2051	* process hitting cupsd at the same time */
2052	int time_range = 60;
2053
2054	last_printer_reload_time += random() % time_range;
2055	mypid = getpid();
2056	}
2057
2058	if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2059	reload_services(True);
2060	last_smb_conf_reload_time = t;
2061	}
2062
2063	/* 'printcap cache time = 0' disable the feature */
2064
2065	if ( printcap_cache_time != 0 )
2066	{
2067	/* see if it's time to reload or if the clock has been set back */
2068
2069	if ( (t >= last_printer_reload_time+printcap_cache_time)
2070	\|\| (t-last_printer_reload_time < 0) )
2071	{
2072	DEBUG( 3,( "Printcap cache time expired.\n"));
2073	reload_printers();
2074	last_printer_reload_time = t;
2075	}
2076	}
2077	}
2078
2079	static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2080	{
2081	/* TODO: make write nonblocking */
2082	}
2083
2084	static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
2085	{
2086	uint8_t *inbuf = NULL;
2087	size_t inbuf_len = 0;
2088	size_t unread_bytes = 0;
2089	bool encrypted = false;
2090	TALLOC_CTX *mem_ctx = talloc_tos();
2091	NTSTATUS status;
2092	uint32_t seqnum;
2093
2094	/* TODO: make this completely nonblocking */
2095
2096	status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
2097	(char *)(void )&inbuf,
2098	0, /* timeout */
2099	&unread_bytes,
2100	&encrypted,
2101	&inbuf_len, &seqnum);
2102	if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2103	goto process;
2104	}
2105	if (NT_STATUS_IS_ERR(status)) {
2106	exit_server_cleanly("failed to receive smb request");
2107	}
2108	if (!NT_STATUS_IS_OK(status)) {
2109	return;
2110	}
2111
2112	process:
2113	process_smb(conn, inbuf, inbuf_len, unread_bytes,
2114	seqnum, encrypted, NULL);
2115	}
2116
2117	static void smbd_server_connection_handler(struct event_context *ev,
2118	struct fd_event *fde,
2119	uint16_t flags,
2120	void *private_data)
2121	{
2122	struct smbd_server_connection *conn = talloc_get_type(private_data,
2123	struct smbd_server_connection);
2124
2125	if (flags & EVENT_FD_WRITE) {
2126	smbd_server_connection_write_handler(conn);
2127	} else if (flags & EVENT_FD_READ) {
2128	smbd_server_connection_read_handler(conn);
2129	}
2130	}
2131
2132
2133	/****************************************************************************
2134	received when we should release a specific IP
2135	****************************************************************************/
2136	static void release_ip(const char ip, void priv)
2137	{
2138	char addr[INET6_ADDRSTRLEN];
2139	char *p = addr;
2140
2141	client_socket_addr(get_client_fd(),addr,sizeof(addr));
2142
2143	if (strncmp("::ffff:", addr, 7) == 0) {
2144	p = addr + 7;
2145	}
2146
2147	if ((strcmp(p, ip) == 0) \|\| ((p != addr) && strcmp(addr, ip) == 0)) {
2148	/* we can't afford to do a clean exit - that involves
2149	database writes, which would potentially mean we
2150	are still running after the failover has finished -
2151	we have to get rid of this process ID straight
2152	away */
2153	DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2154	ip));
2155	/* note we must exit with non-zero status so the unclean handler gets
2156	called in the parent, so that the brl database is tickled */
2157	_exit(1);
2158	}
2159	}
2160
2161	static void msg_release_ip(struct messaging_context msg_ctx, void private_data,
2162	uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2163	{
2164	release_ip((char *)data->data, NULL);
2165	}
2166
2167	#ifdef CLUSTER_SUPPORT
2168	static int client_get_tcp_info(struct sockaddr_storage *server,
2169	struct sockaddr_storage *client)
2170	{
2171	socklen_t length;
2172	if (server_fd == -1) {
2173	return -1;
2174	}
2175	length = sizeof(*server);
2176	if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2177	return -1;
2178	}
2179	length = sizeof(*client);
2180	if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2181	return -1;
2182	}
2183	return 0;
2184	}
2185	#endif
2186
2187	/*
2188	* Send keepalive packets to our client
2189	*/
2190	static bool keepalive_fn(const struct timeval now, void private_data)
2191	{
2192	if (!send_keepalive(smbd_server_fd())) {
2193	DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2194	return False;
2195	}
2196	return True;
2197	}
2198
2199	/*
2200	* Do the recurring check if we're idle
2201	*/
2202	static bool deadtime_fn(const struct timeval now, void private_data)
2203	{
2204	struct smbd_server_connection *sconn = smbd_server_conn;
2205	if ((conn_num_open(sconn) == 0)
2206	\|\| (conn_idle_all(sconn, now->tv_sec))) {
2207	DEBUG( 2, ( "Closing idle connection\n" ) );
2208	messaging_send(smbd_messaging_context(), procid_self(),
2209	MSG_SHUTDOWN, &data_blob_null);
2210	return False;
2211	}
2212
2213	return True;
2214	}
2215
2216	/*
2217	* Do the recurring log file and smb.conf reload checks.
2218	*/
2219
2220	static bool housekeeping_fn(const struct timeval now, void private_data)
2221	{
2222	change_to_root_user();
2223
2224	/* update printer queue caches if necessary */
2225	update_monitored_printq_cache();
2226
2227	/* check if we need to reload services */
2228	check_reload(time(NULL));
2229
2230	/* Change machine password if neccessary. */
2231	attempt_machine_password_change();
2232
2233	/*
2234	* Force a log file check.
2235	*/
2236	force_check_log_size();
2237	check_log_size();
2238	return true;
2239	}
2240
2241	/****************************************************************************
2242	Process commands from the client
2243	****************************************************************************/
2244
2245	void smbd_process(void)
2246	{
2247	TALLOC_CTX *frame = talloc_stackframe();
2248	char remaddr[INET6_ADDRSTRLEN];
2249
2250	if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2251	lp_security() != SEC_SHARE) {
2252	smbd_server_conn->allow_smb2 = true;
2253	}
2254
2255	/* Ensure child is set to blocking mode */
2256	set_blocking(smbd_server_fd(),True);
2257
2258	set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2259	set_socket_options(smbd_server_fd(), lp_socket_options());
2260
2261	/* this is needed so that we get decent entries
2262	in smbstatus for port 445 connects */
2263	set_remote_machine_name(get_peer_addr(smbd_server_fd(),
2264	remaddr,
2265	sizeof(remaddr)),
2266	false);
2267	reload_services(true);
2268
2269	/*
2270	* Before the first packet, check the global hosts allow/ hosts deny
2271	* parameters before doing any parsing of packets passed to us by the
2272	* client. This prevents attacks on our parsing code from hosts not in
2273	* the hosts allow list.
2274	*/
2275
2276	if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2277	lp_hostsdeny(-1))) {
2278	char addr[INET6_ADDRSTRLEN];
2279
2280	/*
2281	* send a negative session response "not listening on calling
2282	* name"
2283	*/
2284	unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2285	DEBUG( 1, ("Connection denied from %s\n",
2286	client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2287	(void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2288	0, false, NULL);
2289	exit_server_cleanly("connection denied");
2290	}
2291
2292	static_init_rpc;
2293
2294	init_modules();
2295
2296	smb_perfcount_init();
2297
2298	if (!init_account_policy()) {
2299	exit_server("Could not open account policy tdb.\n");
2300	}
2301
2302	if (*lp_rootdir()) {
2303	if (chroot(lp_rootdir()) != 0) {
2304	DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2305	exit_server("Failed to chroot()");
2306	}
2307	if (chdir("/") == -1) {
2308	DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2309	exit_server("Failed to chroot()");
2310	}
2311	DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2312	}
2313
2314	if (!srv_init_signing(smbd_server_conn)) {
2315	exit_server("Failed to init smb_signing");
2316	}
2317
2318	/* Setup oplocks */
2319	if (!init_oplocks(smbd_messaging_context()))
2320	exit_server("Failed to init oplocks");
2321
2322	/* Setup aio signal handler. */
2323	initialize_async_io_handler();
2324
2325	/* register our message handlers */
2326	messaging_register(smbd_messaging_context(), NULL,
2327	MSG_SMB_FORCE_TDIS, msg_force_tdis);
2328	messaging_register(smbd_messaging_context(), NULL,
2329	MSG_SMB_RELEASE_IP, msg_release_ip);
2330	messaging_register(smbd_messaging_context(), NULL,
2331	MSG_SMB_CLOSE_FILE, msg_close_file);
2332
2333	/*
2334	* Use the default MSG_DEBUG handler to avoid rebroadcasting
2335	* MSGs to all child processes
2336	*/
2337	messaging_deregister(smbd_messaging_context(),
2338	MSG_DEBUG, NULL);
2339	messaging_register(smbd_messaging_context(), NULL,
2340	MSG_DEBUG, debug_message);
2341
2342	if ((lp_keepalive() != 0)
2343	&& !(event_add_idle(smbd_event_context(), NULL,
2344	timeval_set(lp_keepalive(), 0),
2345	"keepalive", keepalive_fn,
2346	NULL))) {
2347	DEBUG(0, ("Could not add keepalive event\n"));
2348	exit(1);
2349	}
2350
2351	if (!(event_add_idle(smbd_event_context(), NULL,
2352	timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2353	"deadtime", deadtime_fn, NULL))) {
2354	DEBUG(0, ("Could not add deadtime event\n"));
2355	exit(1);
2356	}
2357
2358	if (!(event_add_idle(smbd_event_context(), NULL,
2359	timeval_set(SMBD_SELECT_TIMEOUT, 0),
2360	"housekeeping", housekeeping_fn, NULL))) {
2361	DEBUG(0, ("Could not add housekeeping event\n"));
2362	exit(1);
2363	}
2364
2365	#ifdef CLUSTER_SUPPORT
2366
2367	if (lp_clustering()) {
2368	/*
2369	* We need to tell ctdb about our client's TCP
2370	* connection, so that for failover ctdbd can send
2371	* tickle acks, triggering a reconnection by the
2372	* client.
2373	*/
2374
2375	struct sockaddr_storage srv, clnt;
2376
2377	if (client_get_tcp_info(&srv, &clnt) == 0) {
2378
2379	NTSTATUS status;
2380
2381	status = ctdbd_register_ips(
2382	messaging_ctdbd_connection(),
2383	&srv, &clnt, release_ip, NULL);
2384
2385	if (!NT_STATUS_IS_OK(status)) {
2386	DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2387	nt_errstr(status)));
2388	}
2389	} else
2390	{
2391	DEBUG(0,("Unable to get tcp info for "
2392	"CTDB_CONTROL_TCP_CLIENT: %s\n",
2393	strerror(errno)));
2394	}
2395	}
2396
2397	#endif
2398
2399	smbd_server_conn->nbt.got_session = false;
2400
2401	smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2402
2403	smbd_server_conn->smb1.sessions.done_sesssetup = false;
2404	smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
2405	smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
2406	/* users from session setup */
2407	smbd_server_conn->smb1.sessions.session_userlist = NULL;
2408	/* workgroup from session setup. */
2409	smbd_server_conn->smb1.sessions.session_workgroup = NULL;
2410	/* this holds info on user ids that are already validated for this VC */
2411	smbd_server_conn->smb1.sessions.validated_users = NULL;
2412	smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
2413	smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
2414	#ifdef HAVE_NETGROUP
2415	smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
2416	#endif
2417
2418	conn_init(smbd_server_conn);
2419	if (!init_dptrs(smbd_server_conn)) {
2420	exit_server("init_dptrs() failed");
2421	}
2422
2423	smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
2424	smbd_server_conn,
2425	smbd_server_fd(),
2426	EVENT_FD_READ,
2427	smbd_server_connection_handler,
2428	smbd_server_conn);
2429	if (!smbd_server_conn->smb1.fde) {
2430	exit_server("failed to create smbd_server_connection fde");
2431	}
2432
2433	TALLOC_FREE(frame);
2434
2435	while (True) {
2436	NTSTATUS status;
2437
2438	frame = talloc_stackframe_pool(8192);
2439
2440	errno = 0;
2441
2442	status = smbd_server_connection_loop_once(smbd_server_conn);
2443	if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2444	!NT_STATUS_IS_OK(status)) {
2445	DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2446	" exiting\n", nt_errstr(status)));
2447	break;
2448	}
2449
2450	TALLOC_FREE(frame);
2451	}
2452
2453	exit_server_cleanly(NULL);
2454	}
2455
2456	bool req_is_in_chain(struct smb_request *req)
2457	{
2458	if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2459	/*
2460	* We're right now handling a subsequent request, so we must
2461	* be in a chain
2462	*/
2463	return true;
2464	}
2465
2466	if (!is_andx_req(req->cmd)) {
2467	return false;
2468	}
2469
2470	if (req->wct < 2) {
2471	/*
2472	* Okay, an illegal request, but definitely not chained :-)
2473	*/
2474	return false;
2475	}
2476
2477	return (CVAL(req->vwv+0, 0) != 0xFF);
2478	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: