Context Navigation

source: vendor/3.6.23/source3/smbd/process.c

Visit:

Last change on this file was 860, checked in by Silvan Scherrer, 11 years ago
Samba 3.6: updated vendor to latest version
File size: 82.8 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	process incoming packets - main loop
4	Copyright (C) Andrew Tridgell 1992-1998
5	Copyright (C) Volker Lendecke 2005-2007
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>.
19	*/
20
21	#include "includes.h"
22	#include "../lib/tsocket/tsocket.h"
23	#include "system/filesys.h"
24	#include "smbd/smbd.h"
25	#include "smbd/globals.h"
26	#include "librpc/gen_ndr/netlogon.h"
27	#include "../lib/async_req/async_sock.h"
28	#include "ctdbd_conn.h"
29	#include "../lib/util/select.h"
30	#include "printing/pcap.h"
31	#include "system/select.h"
32	#include "passdb.h"
33	#include "auth.h"
34	#include "messages.h"
35	#include "smbprofile.h"
36	#include "rpc_server/spoolss/srv_spoolss_nt.h"
37	#include "libsmb/libsmb.h"
38
39	extern bool global_machine_password_needs_changing;
40
41	static void construct_reply_common(struct smb_request req, const char inbuf,
42	char *outbuf);
43	static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid);
44
45	static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
46	{
47	bool ok;
48
49	if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
50	return true;
51	}
52
53	sconn->smb1.echo_handler.ref_count++;
54
55	if (sconn->smb1.echo_handler.ref_count > 1) {
56	return true;
57	}
58
59	DEBUG(10,("pid[%d] wait for socket lock\n", (int)sys_getpid()));
60
61	do {
62	ok = fcntl_lock(
63	sconn->smb1.echo_handler.socket_lock_fd,
64	SMB_F_SETLKW, 0, 0, F_WRLCK);
65	} while (!ok && (errno == EINTR));
66
67	if (!ok) {
68	DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
69	return false;
70	}
71
72	DEBUG(10,("pid[%d] got for socket lock\n", (int)sys_getpid()));
73
74	return true;
75	}
76
77	void smbd_lock_socket(struct smbd_server_connection *sconn)
78	{
79	if (!smbd_lock_socket_internal(sconn)) {
80	exit_server_cleanly("failed to lock socket");
81	}
82	}
83
84	static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
85	{
86	bool ok;
87
88	if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
89	return true;
90	}
91
92	sconn->smb1.echo_handler.ref_count--;
93
94	if (sconn->smb1.echo_handler.ref_count > 0) {
95	return true;
96	}
97
98	do {
99	ok = fcntl_lock(
100	sconn->smb1.echo_handler.socket_lock_fd,
101	SMB_F_SETLKW, 0, 0, F_UNLCK);
102	} while (!ok && (errno == EINTR));
103
104	if (!ok) {
105	DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
106	return false;
107	}
108
109	DEBUG(10,("pid[%d] unlocked socket\n", (int)sys_getpid()));
110
111	return true;
112	}
113
114	void smbd_unlock_socket(struct smbd_server_connection *sconn)
115	{
116	if (!smbd_unlock_socket_internal(sconn)) {
117	exit_server_cleanly("failed to unlock socket");
118	}
119	}
120
121	/* Accessor function for smb_read_error for smbd functions. */
122
123	/****************************************************************************
124	Send an smb to a fd.
125	****************************************************************************/
126
127	bool srv_send_smb(struct smbd_server_connection sconn, char buffer,
128	bool do_signing, uint32_t seqnum,
129	bool do_encrypt,
130	struct smb_perfcount_data *pcd)
131	{
132	size_t len = 0;
133	size_t nwritten=0;
134	ssize_t ret;
135	char *buf_out = buffer;
136
137	smbd_lock_socket(sconn);
138
139	if (do_signing) {
140	/* Sign the outgoing packet if required. */
141	srv_calculate_sign_mac(sconn, buf_out, seqnum);
142	}
143
144	if (do_encrypt) {
145	NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
146	if (!NT_STATUS_IS_OK(status)) {
147	DEBUG(0, ("send_smb: SMB encryption failed "
148	"on outgoing packet! Error %s\n",
149	nt_errstr(status) ));
150	goto out;
151	}
152	}
153
154	len = smb_len_large(buf_out) + 4;
155
156	ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
157	if (ret <= 0) {
158
159	char addr[INET6_ADDRSTRLEN];
160	/*
161	* Try and give an error message saying what
162	* client failed.
163	*/
164	DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
165	(int)sys_getpid(), (int)len,
166	get_peer_addr(sconn->sock, addr, sizeof(addr)),
167	(int)ret, strerror(errno) ));
168
169	srv_free_enc_buffer(buf_out);
170	goto out;
171	}
172
173	SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
174	srv_free_enc_buffer(buf_out);
175	out:
176	SMB_PERFCOUNT_END(pcd);
177
178	smbd_unlock_socket(sconn);
179	return true;
180	}
181
182	/*******************************************************************
183	Setup the word count and byte count for a smb message.
184	********************************************************************/
185
186	int srv_set_message(char *buf,
187	int num_words,
188	int num_bytes,
189	bool zero)
190	{
191	if (zero && (num_words \|\| num_bytes)) {
192	memset(buf + smb_size,'\0',num_words*2 + num_bytes);
193	}
194	SCVAL(buf,smb_wct,num_words);
195	SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
196	smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
197	return (smb_size + num_words*2 + num_bytes);
198	}
199
200	static bool valid_smb_header(const uint8_t *inbuf)
201	{
202	if (is_encrypted_packet(inbuf)) {
203	return true;
204	}
205	/*
206	* This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
207	* but it just looks weird to call strncmp for this one.
208	*/
209	return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
210	}
211
212	/* Socket functions for smbd packet processing. */
213
214	static bool valid_packet_size(size_t len)
215	{
216	/*
217	* A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
218	* of header. Don't print the error if this fits.... JRA.
219	*/
220
221	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
222	DEBUG(0,("Invalid packet length! (%lu bytes).\n",
223	(unsigned long)len));
224	return false;
225	}
226	return true;
227	}
228
229	static NTSTATUS read_packet_remainder(int fd, char *buffer,
230	unsigned int timeout, ssize_t len)
231	{
232	NTSTATUS status;
233
234	if (len <= 0) {
235	return NT_STATUS_OK;
236	}
237
238	status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
239	if (!NT_STATUS_IS_OK(status)) {
240	char addr[INET6_ADDRSTRLEN];
241	DEBUG(0, ("read_fd_with_timeout failed for client %s read "
242	"error = %s.\n",
243	get_peer_addr(fd, addr, sizeof(addr)),
244	nt_errstr(status)));
245	}
246	return status;
247	}
248
249	/****************************************************************************
250	Attempt a zerocopy writeX read. We know here that len > smb_size-4
251	****************************************************************************/
252
253	/*
254	* Unfortunately, earlier versions of smbclient/libsmbclient
255	* don't send this "standard" writeX header. I've fixed this
256	* for 3.2 but we'll use the old method with earlier versions.
257	* Windows and CIFSFS at least use this standard size. Not
258	* sure about MacOSX.
259	*/
260
261	#define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
262	(214) + / word count (including bcc) */ \
263	1 /* pad byte */)
264
265	static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
266	const char lenbuf[4],
267	struct smbd_server_connection *sconn,
268	int sock,
269	char **buffer,
270	unsigned int timeout,
271	size_t *p_unread,
272	size_t *len_ret)
273	{
274	/* Size of a WRITEX call (+4 byte len). */
275	char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
276	ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
277	ssize_t toread;
278	NTSTATUS status;
279
280	memcpy(writeX_header, lenbuf, 4);
281
282	status = read_fd_with_timeout(
283	sock, writeX_header + 4,
284	STANDARD_WRITE_AND_X_HEADER_SIZE,
285	STANDARD_WRITE_AND_X_HEADER_SIZE,
286	timeout, NULL);
287
288	if (!NT_STATUS_IS_OK(status)) {
289	DEBUG(0, ("read_fd_with_timeout failed for client %s read "
290	"error = %s.\n", sconn->client_id.addr,
291	nt_errstr(status)));
292	return status;
293	}
294
295	/*
296	* Ok - now try and see if this is a possible
297	* valid writeX call.
298	*/
299
300	if (is_valid_writeX_buffer(sconn, (uint8_t *)writeX_header)) {
301	/*
302	* If the data offset is beyond what
303	* we've read, drain the extra bytes.
304	*/
305	uint16_t doff = SVAL(writeX_header,smb_vwv11);
306	ssize_t newlen;
307
308	if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
309	size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
310	if (drain_socket(sock, drain) != drain) {
311	smb_panic("receive_smb_raw_talloc_partial_read:"
312	" failed to drain pending bytes");
313	}
314	} else {
315	doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
316	}
317
318	/* Spoof down the length and null out the bcc. */
319	set_message_bcc(writeX_header, 0);
320	newlen = smb_len(writeX_header);
321
322	/* Copy the header we've written. */
323
324	buffer = (char )TALLOC_MEMDUP(mem_ctx,
325	writeX_header,
326	sizeof(writeX_header));
327
328	if (*buffer == NULL) {
329	DEBUG(0, ("Could not allocate inbuf of length %d\n",
330	(int)sizeof(writeX_header)));
331	return NT_STATUS_NO_MEMORY;
332	}
333
334	/* Work out the remaining bytes. */
335	*p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
336	*len_ret = newlen + 4;
337	return NT_STATUS_OK;
338	}
339
340	if (!valid_packet_size(len)) {
341	return NT_STATUS_INVALID_PARAMETER;
342	}
343
344	/*
345	* Not a valid writeX call. Just do the standard
346	* talloc and return.
347	*/
348
349	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
350
351	if (*buffer == NULL) {
352	DEBUG(0, ("Could not allocate inbuf of length %d\n",
353	(int)len+4));
354	return NT_STATUS_NO_MEMORY;
355	}
356
357	/* Copy in what we already read. */
358	memcpy(*buffer,
359	writeX_header,
360	4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
361	toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
362
363	if(toread > 0) {
364	status = read_packet_remainder(
365	sock,
366	(*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
367	timeout, toread);
368
369	if (!NT_STATUS_IS_OK(status)) {
370	DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
371	nt_errstr(status)));
372	return status;
373	}
374	}
375
376	*len_ret = len + 4;
377	return NT_STATUS_OK;
378	}
379
380	static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
381	struct smbd_server_connection *sconn,
382	int sock,
383	char **buffer, unsigned int timeout,
384	size_t p_unread, size_t plen)
385	{
386	char lenbuf[4];
387	size_t len;
388	int min_recv_size = lp_min_receive_file_size();
389	NTSTATUS status;
390
391	*p_unread = 0;
392
393	status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
394	&len);
395	if (!NT_STATUS_IS_OK(status)) {
396	return status;
397	}
398
399	if (CVAL(lenbuf,0) == 0 && min_recv_size &&
400	(smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
401	(min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
402	!srv_is_signing_active(sconn) &&
403	sconn->smb1.echo_handler.trusted_fde == NULL) {
404
405	return receive_smb_raw_talloc_partial_read(
406	mem_ctx, lenbuf, sconn, sock, buffer, timeout,
407	p_unread, plen);
408	}
409
410	if (!valid_packet_size(len)) {
411	return NT_STATUS_INVALID_PARAMETER;
412	}
413
414	/*
415	* The +4 here can't wrap, we've checked the length above already.
416	*/
417
418	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
419
420	if (*buffer == NULL) {
421	DEBUG(0, ("Could not allocate inbuf of length %d\n",
422	(int)len+4));
423	return NT_STATUS_NO_MEMORY;
424	}
425
426	memcpy(*buffer, lenbuf, sizeof(lenbuf));
427
428	status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
429	if (!NT_STATUS_IS_OK(status)) {
430	return status;
431	}
432
433	*plen = len + 4;
434	return NT_STATUS_OK;
435	}
436
437	static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
438	struct smbd_server_connection *sconn,
439	int sock,
440	char **buffer, unsigned int timeout,
441	size_t p_unread, bool p_encrypted,
442	size_t *p_len,
443	uint32_t *seqnum,
444	bool trusted_channel)
445	{
446	size_t len = 0;
447	NTSTATUS status;
448
449	*p_encrypted = false;
450
451	status = receive_smb_raw_talloc(mem_ctx, sconn, sock, buffer, timeout,
452	p_unread, &len);
453	if (!NT_STATUS_IS_OK(status)) {
454	DEBUG(NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)?5:1,
455	("receive_smb_raw_talloc failed for client %s "
456	"read error = %s.\n",
457	sconn->client_id.addr, nt_errstr(status)));
458	return status;
459	}
460
461	if (is_encrypted_packet((uint8_t )buffer)) {
462	status = srv_decrypt_buffer(*buffer);
463	if (!NT_STATUS_IS_OK(status)) {
464	DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
465	"incoming packet! Error %s\n",
466	nt_errstr(status) ));
467	return status;
468	}
469	*p_encrypted = true;
470	}
471
472	/* Check the incoming SMB signature. */
473	if (!srv_check_sign_mac(sconn, *buffer, seqnum, trusted_channel)) {
474	DEBUG(0, ("receive_smb: SMB Signature verification failed on "
475	"incoming packet!\n"));
476	return NT_STATUS_INVALID_NETWORK_RESPONSE;
477	}
478
479	*p_len = len;
480	return NT_STATUS_OK;
481	}
482
483	/*
484	* Initialize a struct smb_request from an inbuf
485	*/
486
487	static bool init_smb_request(struct smb_request *req,
488	struct smbd_server_connection *sconn,
489	const uint8 *inbuf,
490	size_t unread_bytes, bool encrypted,
491	uint32_t seqnum)
492	{
493	size_t req_size = smb_len(inbuf) + 4;
494	/* Ensure we have at least smb_size bytes. */
495	if (req_size < smb_size) {
496	DEBUG(0,("init_smb_request: invalid request size %u\n",
497	(unsigned int)req_size ));
498	return false;
499	}
500	req->cmd = CVAL(inbuf, smb_com);
501	req->flags2 = SVAL(inbuf, smb_flg2);
502	req->smbpid = SVAL(inbuf, smb_pid);
503	req->mid = (uint64_t)SVAL(inbuf, smb_mid);
504	req->seqnum = seqnum;
505	req->vuid = SVAL(inbuf, smb_uid);
506	req->tid = SVAL(inbuf, smb_tid);
507	req->wct = CVAL(inbuf, smb_wct);
508	req->vwv = (uint16_t *)(inbuf+smb_vwv);
509	req->buflen = smb_buflen(inbuf);
510	req->buf = (const uint8_t *)smb_buf(inbuf);
511	req->unread_bytes = unread_bytes;
512	req->encrypted = encrypted;
513	req->sconn = sconn;
514	req->conn = conn_find(sconn,req->tid);
515	req->chain_fsp = NULL;
516	req->chain_outbuf = NULL;
517	req->done = false;
518	req->smb2req = NULL;
519	smb_init_perfcount_data(&req->pcd);
520
521	/* Ensure we have at least wct words and 2 bytes of bcc. */
522	if (smb_size + req->wct*2 > req_size) {
523	DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
524	(unsigned int)req->wct,
525	(unsigned int)req_size));
526	return false;
527	}
528	/* Ensure bcc is correct. */
529	if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
530	DEBUG(0,("init_smb_request: invalid bcc number %u "
531	"(wct = %u, size %u)\n",
532	(unsigned int)req->buflen,
533	(unsigned int)req->wct,
534	(unsigned int)req_size));
535	return false;
536	}
537
538	req->outbuf = NULL;
539	return true;
540	}
541
542	static void process_smb(struct smbd_server_connection *conn,
543	uint8_t *inbuf, size_t nread, size_t unread_bytes,
544	uint32_t seqnum, bool encrypted,
545	struct smb_perfcount_data *deferred_pcd);
546
547	static void smbd_deferred_open_timer(struct event_context *ev,
548	struct timed_event *te,
549	struct timeval _tval,
550	void *private_data)
551	{
552	struct pending_message_list *msg = talloc_get_type(private_data,
553	struct pending_message_list);
554	TALLOC_CTX *mem_ctx = talloc_tos();
555	uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
556	uint8_t *inbuf;
557
558	inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
559	msg->buf.length);
560	if (inbuf == NULL) {
561	exit_server("smbd_deferred_open_timer: talloc failed\n");
562	return;
563	}
564
565	/* We leave this message on the queue so the open code can
566	know this is a retry. */
567	DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
568	(unsigned long long)mid ));
569
570	/* Mark the message as processed so this is not
571	* re-processed in error. */
572	msg->processed = true;
573
574	process_smb(smbd_server_conn, inbuf,
575	msg->buf.length, 0,
576	msg->seqnum, msg->encrypted, &msg->pcd);
577
578	/* If it's still there and was processed, remove it. */
579	msg = get_deferred_open_message_smb(mid);
580	if (msg && msg->processed) {
581	remove_deferred_open_message_smb(mid);
582	}
583	}
584
585	/****************************************************************************
586	Function to push a message onto the tail of a linked list of smb messages ready
587	for processing.
588	****************************************************************************/
589
590	static bool push_queued_message(struct smb_request *req,
591	struct timeval request_time,
592	struct timeval end_time,
593	char *private_data, size_t private_len)
594	{
595	int msg_len = smb_len(req->inbuf) + 4;
596	struct pending_message_list *msg;
597
598	msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
599
600	if(msg == NULL) {
601	DEBUG(0,("push_message: malloc fail (1)\n"));
602	return False;
603	}
604
605	msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
606	if(msg->buf.data == NULL) {
607	DEBUG(0,("push_message: malloc fail (2)\n"));
608	TALLOC_FREE(msg);
609	return False;
610	}
611
612	msg->request_time = request_time;
613	msg->seqnum = req->seqnum;
614	msg->encrypted = req->encrypted;
615	msg->processed = false;
616	SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
617
618	if (private_data) {
619	msg->private_data = data_blob_talloc(msg, private_data,
620	private_len);
621	if (msg->private_data.data == NULL) {
622	DEBUG(0,("push_message: malloc fail (3)\n"));
623	TALLOC_FREE(msg);
624	return False;
625	}
626	}
627
628	msg->te = event_add_timed(smbd_event_context(),
629	msg,
630	end_time,
631	smbd_deferred_open_timer,
632	msg);
633	if (!msg->te) {
634	DEBUG(0,("push_message: event_add_timed failed\n"));
635	TALLOC_FREE(msg);
636	return false;
637	}
638
639	DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
640
641	DEBUG(10,("push_message: pushed message length %u on "
642	"deferred_open_queue\n", (unsigned int)msg_len));
643
644	return True;
645	}
646
647	/****************************************************************************
648	Function to delete a sharing violation open message by mid.
649	****************************************************************************/
650
651	void remove_deferred_open_message_smb(uint64_t mid)
652	{
653	struct pending_message_list *pml;
654
655	if (smbd_server_conn->using_smb2) {
656	remove_deferred_open_message_smb2(smbd_server_conn, mid);
657	return;
658	}
659
660	for (pml = deferred_open_queue; pml; pml = pml->next) {
661	if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
662	DEBUG(10,("remove_deferred_open_message_smb: "
663	"deleting mid %llu len %u\n",
664	(unsigned long long)mid,
665	(unsigned int)pml->buf.length ));
666	DLIST_REMOVE(deferred_open_queue, pml);
667	TALLOC_FREE(pml);
668	return;
669	}
670	}
671	}
672
673	/****************************************************************************
674	Move a sharing violation open retry message to the front of the list and
675	schedule it for immediate processing.
676	****************************************************************************/
677
678	void schedule_deferred_open_message_smb(uint64_t mid)
679	{
680	struct pending_message_list *pml;
681	int i = 0;
682
683	if (smbd_server_conn->using_smb2) {
684	schedule_deferred_open_message_smb2(smbd_server_conn, mid);
685	return;
686	}
687
688	for (pml = deferred_open_queue; pml; pml = pml->next) {
689	uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
690
691	DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
692	"msg_mid = %llu\n",
693	i++,
694	(unsigned long long)msg_mid ));
695
696	if (mid == msg_mid) {
697	struct timed_event *te;
698
699	if (pml->processed) {
700	/* A processed message should not be
701	* rescheduled. */
702	DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
703	"message mid %llu was already processed\n",
704	(unsigned long long)msg_mid ));
705	continue;
706	}
707
708	DEBUG(10,("schedule_deferred_open_message_smb: "
709	"scheduling mid %llu\n",
710	(unsigned long long)mid ));
711
712	te = event_add_timed(smbd_event_context(),
713	pml,
714	timeval_zero(),
715	smbd_deferred_open_timer,
716	pml);
717	if (!te) {
718	DEBUG(10,("schedule_deferred_open_message_smb: "
719	"event_add_timed() failed, "
720	"skipping mid %llu\n",
721	(unsigned long long)msg_mid ));
722	}
723
724	TALLOC_FREE(pml->te);
725	pml->te = te;
726	DLIST_PROMOTE(deferred_open_queue, pml);
727	return;
728	}
729	}
730
731	DEBUG(10,("schedule_deferred_open_message_smb: failed to "
732	"find message mid %llu\n",
733	(unsigned long long)mid ));
734	}
735
736	/****************************************************************************
737	Return true if this mid is on the deferred queue and was not yet processed.
738	****************************************************************************/
739
740	bool open_was_deferred(uint64_t mid)
741	{
742	struct pending_message_list *pml;
743
744	if (smbd_server_conn->using_smb2) {
745	return open_was_deferred_smb2(smbd_server_conn, mid);
746	}
747
748	for (pml = deferred_open_queue; pml; pml = pml->next) {
749	if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
750	return True;
751	}
752	}
753	return False;
754	}
755
756	/****************************************************************************
757	Return the message queued by this mid.
758	****************************************************************************/
759
760	static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid)
761	{
762	struct pending_message_list *pml;
763
764	for (pml = deferred_open_queue; pml; pml = pml->next) {
765	if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
766	return pml;
767	}
768	}
769	return NULL;
770	}
771
772	/****************************************************************************
773	Get the state data queued by this mid.
774	****************************************************************************/
775
776	bool get_deferred_open_message_state(struct smb_request *smbreq,
777	struct timeval *p_request_time,
778	void **pp_state)
779	{
780	struct pending_message_list *pml;
781
782	if (smbd_server_conn->using_smb2) {
783	return get_deferred_open_message_state_smb2(smbreq->smb2req,
784	p_request_time,
785	pp_state);
786	}
787
788	pml = get_deferred_open_message_smb(smbreq->mid);
789	if (!pml) {
790	return false;
791	}
792	if (p_request_time) {
793	*p_request_time = pml->request_time;
794	}
795	if (pp_state) {
796	pp_state = (void )pml->private_data.data;
797	}
798	return true;
799	}
800
801	/****************************************************************************
802	Function to push a deferred open smb message onto a linked list of local smb
803	messages ready for processing.
804	****************************************************************************/
805
806	bool push_deferred_open_message_smb(struct smb_request *req,
807	struct timeval request_time,
808	struct timeval timeout,
809	struct file_id id,
810	char *private_data, size_t priv_len)
811	{
812	struct timeval end_time;
813
814	if (req->smb2req) {
815	return push_deferred_open_message_smb2(req->smb2req,
816	request_time,
817	timeout,
818	id,
819	private_data,
820	priv_len);
821	}
822
823	if (req->unread_bytes) {
824	DEBUG(0,("push_deferred_open_message_smb: logic error ! "
825	"unread_bytes = %u\n",
826	(unsigned int)req->unread_bytes ));
827	smb_panic("push_deferred_open_message_smb: "
828	"logic error unread_bytes != 0" );
829	}
830
831	end_time = timeval_sum(&request_time, &timeout);
832
833	DEBUG(10,("push_deferred_open_message_smb: pushing message "
834	"len %u mid %llu timeout time [%u.%06u]\n",
835	(unsigned int) smb_len(req->inbuf)+4,
836	(unsigned long long)req->mid,
837	(unsigned int)end_time.tv_sec,
838	(unsigned int)end_time.tv_usec));
839
840	return push_queued_message(req, request_time, end_time,
841	private_data, priv_len);
842	}
843
844	struct idle_event {
845	struct timed_event *te;
846	struct timeval interval;
847	char *name;
848	bool (handler)(const struct timeval now, void *private_data);
849	void *private_data;
850	};
851
852	static void smbd_idle_event_handler(struct event_context *ctx,
853	struct timed_event *te,
854	struct timeval now,
855	void *private_data)
856	{
857	struct idle_event *event =
858	talloc_get_type_abort(private_data, struct idle_event);
859
860	TALLOC_FREE(event->te);
861
862	DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
863	event->name, event->te));
864
865	if (!event->handler(&now, event->private_data)) {
866	DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
867	event->name, event->te));
868	/* Don't repeat, delete ourselves */
869	TALLOC_FREE(event);
870	return;
871	}
872
873	DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
874	event->name, event->te));
875
876	event->te = event_add_timed(ctx, event,
877	timeval_sum(&now, &event->interval),
878	smbd_idle_event_handler, event);
879
880	/* We can't do much but fail here. */
881	SMB_ASSERT(event->te != NULL);
882	}
883
884	struct idle_event event_add_idle(struct event_context event_ctx,
885	TALLOC_CTX *mem_ctx,
886	struct timeval interval,
887	const char *name,
888	bool (handler)(const struct timeval now,
889	void *private_data),
890	void *private_data)
891	{
892	struct idle_event *result;
893	struct timeval now = timeval_current();
894
895	result = TALLOC_P(mem_ctx, struct idle_event);
896	if (result == NULL) {
897	DEBUG(0, ("talloc failed\n"));
898	return NULL;
899	}
900
901	result->interval = interval;
902	result->handler = handler;
903	result->private_data = private_data;
904
905	if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
906	DEBUG(0, ("talloc failed\n"));
907	TALLOC_FREE(result);
908	return NULL;
909	}
910
911	result->te = event_add_timed(event_ctx, result,
912	timeval_sum(&now, &interval),
913	smbd_idle_event_handler, result);
914	if (result->te == NULL) {
915	DEBUG(0, ("event_add_timed failed\n"));
916	TALLOC_FREE(result);
917	return NULL;
918	}
919
920	DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
921	return result;
922	}
923
924	static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
925	{
926	int timeout;
927	int num_pfds = 0;
928	int ret;
929	bool retry;
930
931	timeout = SMBD_SELECT_TIMEOUT * 1000;
932
933	/*
934	* Are there any timed events waiting ? If so, ensure we don't
935	* select for longer than it would take to wait for them.
936	*/
937
938	event_add_to_poll_args(smbd_event_context(), conn,
939	&conn->pfds, &num_pfds, &timeout);
940
941	/* Process a signal and timed events now... */
942	if (run_events_poll(smbd_event_context(), 0, NULL, 0)) {
943	return NT_STATUS_RETRY;
944	}
945
946	{
947	int sav;
948	START_PROFILE(smbd_idle);
949
950	ret = sys_poll(conn->pfds, num_pfds, timeout);
951	sav = errno;
952
953	END_PROFILE(smbd_idle);
954	errno = sav;
955	}
956
957	if (ret == -1) {
958	if (errno == EINTR) {
959	return NT_STATUS_RETRY;
960	}
961	return map_nt_error_from_unix(errno);
962	}
963
964	retry = run_events_poll(smbd_event_context(), ret, conn->pfds,
965	num_pfds);
966	if (retry) {
967	return NT_STATUS_RETRY;
968	}
969
970	/* Did we timeout ? */
971	if (ret == 0) {
972	return NT_STATUS_RETRY;
973	}
974
975	/* should not be reached */
976	return NT_STATUS_INTERNAL_ERROR;
977	}
978
979	/*
980	* Only allow 5 outstanding trans requests. We're allocating memory, so
981	* prevent a DoS.
982	*/
983
984	NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
985	{
986	int count = 0;
987	for (; list != NULL; list = list->next) {
988
989	if (list->mid == mid) {
990	return NT_STATUS_INVALID_PARAMETER;
991	}
992
993	count += 1;
994	}
995	if (count > 5) {
996	return NT_STATUS_INSUFFICIENT_RESOURCES;
997	}
998
999	return NT_STATUS_OK;
1000	}
1001
1002	/*
1003	These flags determine some of the permissions required to do an operation
1004
1005	Note that I don't set NEED_WRITE on some write operations because they
1006	are used by some brain-dead clients when printing, and I don't want to
1007	force write permissions on print services.
1008	*/
1009	#define AS_USER (1<<0)
1010	#define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1011	#define TIME_INIT (1<<2)
1012	#define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1013	#define AS_GUEST (1<<5) /* Must NOT be paired with AS_USER */
1014	#define DO_CHDIR (1<<6)
1015
1016	/*
1017	define a list of possible SMB messages and their corresponding
1018	functions. Any message that has a NULL function is unimplemented -
1019	please feel free to contribute implementations!
1020	*/
1021	static const struct smb_message_struct {
1022	const char *name;
1023	void (fn)(struct smb_request req);
1024	int flags;
1025	} smb_messages[256] = {
1026
1027	/* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER \| NEED_WRITE},
1028	/* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER \| NEED_WRITE},
1029	/* 0x02 */ { "SMBopen",reply_open,AS_USER },
1030	/* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1031	/* 0x04 */ { "SMBclose",reply_close,AS_USER \| CAN_IPC },
1032	/* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1033	/* 0x06 */ { "SMBunlink",reply_unlink,AS_USER \| NEED_WRITE },
1034	/* 0x07 */ { "SMBmv",reply_mv,AS_USER \| NEED_WRITE },
1035	/* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1036	/* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER \| NEED_WRITE},
1037	/* 0x0a */ { "SMBread",reply_read,AS_USER},
1038	/* 0x0b */ { "SMBwrite",reply_write,AS_USER \| CAN_IPC },
1039	/* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1040	/* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1041	/* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1042	/* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1043	/* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1044	/* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1045	/* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1046	/* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1047	/* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1048	/* 0x15 */ { NULL, NULL, 0 },
1049	/* 0x16 */ { NULL, NULL, 0 },
1050	/* 0x17 */ { NULL, NULL, 0 },
1051	/* 0x18 */ { NULL, NULL, 0 },
1052	/* 0x19 */ { NULL, NULL, 0 },
1053	/* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1054	/* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1055	/* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1056	/* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1057	/* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1058	/* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1059	/* 0x20 */ { "SMBwritec", NULL,0},
1060	/* 0x21 */ { NULL, NULL, 0 },
1061	/* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER \| NEED_WRITE },
1062	/* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1063	/* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1064	/* 0x25 */ { "SMBtrans",reply_trans,AS_USER \| CAN_IPC },
1065	/* 0x26 */ { "SMBtranss",reply_transs,AS_USER \| CAN_IPC},
1066	/* 0x27 */ { "SMBioctl",reply_ioctl,0},
1067	/* 0x28 */ { "SMBioctls", NULL,AS_USER},
1068	/* 0x29 */ { "SMBcopy",reply_copy,AS_USER \| NEED_WRITE },
1069	/* 0x2a */ { "SMBmove", NULL,AS_USER \| NEED_WRITE },
1070	/* 0x2b */ { "SMBecho",reply_echo,0},
1071	/* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1072	/* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER \| CAN_IPC },
1073	/* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER \| CAN_IPC },
1074	/* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER \| CAN_IPC },
1075	/* 0x30 */ { NULL, NULL, 0 },
1076	/* 0x31 */ { NULL, NULL, 0 },
1077	/* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER \| CAN_IPC },
1078	/* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER \| CAN_IPC },
1079	/* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1080	/* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1081	/* 0x36 */ { NULL, NULL, 0 },
1082	/* 0x37 */ { NULL, NULL, 0 },
1083	/* 0x38 */ { NULL, NULL, 0 },
1084	/* 0x39 */ { NULL, NULL, 0 },
1085	/* 0x3a */ { NULL, NULL, 0 },
1086	/* 0x3b */ { NULL, NULL, 0 },
1087	/* 0x3c */ { NULL, NULL, 0 },
1088	/* 0x3d */ { NULL, NULL, 0 },
1089	/* 0x3e */ { NULL, NULL, 0 },
1090	/* 0x3f */ { NULL, NULL, 0 },
1091	/* 0x40 */ { NULL, NULL, 0 },
1092	/* 0x41 */ { NULL, NULL, 0 },
1093	/* 0x42 */ { NULL, NULL, 0 },
1094	/* 0x43 */ { NULL, NULL, 0 },
1095	/* 0x44 */ { NULL, NULL, 0 },
1096	/* 0x45 */ { NULL, NULL, 0 },
1097	/* 0x46 */ { NULL, NULL, 0 },
1098	/* 0x47 */ { NULL, NULL, 0 },
1099	/* 0x48 */ { NULL, NULL, 0 },
1100	/* 0x49 */ { NULL, NULL, 0 },
1101	/* 0x4a */ { NULL, NULL, 0 },
1102	/* 0x4b */ { NULL, NULL, 0 },
1103	/* 0x4c */ { NULL, NULL, 0 },
1104	/* 0x4d */ { NULL, NULL, 0 },
1105	/* 0x4e */ { NULL, NULL, 0 },
1106	/* 0x4f */ { NULL, NULL, 0 },
1107	/* 0x50 */ { NULL, NULL, 0 },
1108	/* 0x51 */ { NULL, NULL, 0 },
1109	/* 0x52 */ { NULL, NULL, 0 },
1110	/* 0x53 */ { NULL, NULL, 0 },
1111	/* 0x54 */ { NULL, NULL, 0 },
1112	/* 0x55 */ { NULL, NULL, 0 },
1113	/* 0x56 */ { NULL, NULL, 0 },
1114	/* 0x57 */ { NULL, NULL, 0 },
1115	/* 0x58 */ { NULL, NULL, 0 },
1116	/* 0x59 */ { NULL, NULL, 0 },
1117	/* 0x5a */ { NULL, NULL, 0 },
1118	/* 0x5b */ { NULL, NULL, 0 },
1119	/* 0x5c */ { NULL, NULL, 0 },
1120	/* 0x5d */ { NULL, NULL, 0 },
1121	/* 0x5e */ { NULL, NULL, 0 },
1122	/* 0x5f */ { NULL, NULL, 0 },
1123	/* 0x60 */ { NULL, NULL, 0 },
1124	/* 0x61 */ { NULL, NULL, 0 },
1125	/* 0x62 */ { NULL, NULL, 0 },
1126	/* 0x63 */ { NULL, NULL, 0 },
1127	/* 0x64 */ { NULL, NULL, 0 },
1128	/* 0x65 */ { NULL, NULL, 0 },
1129	/* 0x66 */ { NULL, NULL, 0 },
1130	/* 0x67 */ { NULL, NULL, 0 },
1131	/* 0x68 */ { NULL, NULL, 0 },
1132	/* 0x69 */ { NULL, NULL, 0 },
1133	/* 0x6a */ { NULL, NULL, 0 },
1134	/* 0x6b */ { NULL, NULL, 0 },
1135	/* 0x6c */ { NULL, NULL, 0 },
1136	/* 0x6d */ { NULL, NULL, 0 },
1137	/* 0x6e */ { NULL, NULL, 0 },
1138	/* 0x6f */ { NULL, NULL, 0 },
1139	/* 0x70 */ { "SMBtcon",reply_tcon,0},
1140	/* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1141	/* 0x72 */ { "SMBnegprot",reply_negprot,0},
1142	/* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1143	/* 0x74 / { "SMBulogoffX",reply_ulogoffX, 0}, / ulogoff doesn't give a valid TID */
1144	/* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1145	/* 0x76 */ { NULL, NULL, 0 },
1146	/* 0x77 */ { NULL, NULL, 0 },
1147	/* 0x78 */ { NULL, NULL, 0 },
1148	/* 0x79 */ { NULL, NULL, 0 },
1149	/* 0x7a */ { NULL, NULL, 0 },
1150	/* 0x7b */ { NULL, NULL, 0 },
1151	/* 0x7c */ { NULL, NULL, 0 },
1152	/* 0x7d */ { NULL, NULL, 0 },
1153	/* 0x7e */ { NULL, NULL, 0 },
1154	/* 0x7f */ { NULL, NULL, 0 },
1155	/* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1156	/* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1157	/* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1158	/* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1159	/* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1160	/* 0x85 */ { NULL, NULL, 0 },
1161	/* 0x86 */ { NULL, NULL, 0 },
1162	/* 0x87 */ { NULL, NULL, 0 },
1163	/* 0x88 */ { NULL, NULL, 0 },
1164	/* 0x89 */ { NULL, NULL, 0 },
1165	/* 0x8a */ { NULL, NULL, 0 },
1166	/* 0x8b */ { NULL, NULL, 0 },
1167	/* 0x8c */ { NULL, NULL, 0 },
1168	/* 0x8d */ { NULL, NULL, 0 },
1169	/* 0x8e */ { NULL, NULL, 0 },
1170	/* 0x8f */ { NULL, NULL, 0 },
1171	/* 0x90 */ { NULL, NULL, 0 },
1172	/* 0x91 */ { NULL, NULL, 0 },
1173	/* 0x92 */ { NULL, NULL, 0 },
1174	/* 0x93 */ { NULL, NULL, 0 },
1175	/* 0x94 */ { NULL, NULL, 0 },
1176	/* 0x95 */ { NULL, NULL, 0 },
1177	/* 0x96 */ { NULL, NULL, 0 },
1178	/* 0x97 */ { NULL, NULL, 0 },
1179	/* 0x98 */ { NULL, NULL, 0 },
1180	/* 0x99 */ { NULL, NULL, 0 },
1181	/* 0x9a */ { NULL, NULL, 0 },
1182	/* 0x9b */ { NULL, NULL, 0 },
1183	/* 0x9c */ { NULL, NULL, 0 },
1184	/* 0x9d */ { NULL, NULL, 0 },
1185	/* 0x9e */ { NULL, NULL, 0 },
1186	/* 0x9f */ { NULL, NULL, 0 },
1187	/* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER \| CAN_IPC },
1188	/* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER \| CAN_IPC },
1189	/* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER \| CAN_IPC },
1190	/* 0xa3 */ { NULL, NULL, 0 },
1191	/* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1192	/* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER \| NEED_WRITE },
1193	/* 0xa6 */ { NULL, NULL, 0 },
1194	/* 0xa7 */ { NULL, NULL, 0 },
1195	/* 0xa8 */ { NULL, NULL, 0 },
1196	/* 0xa9 */ { NULL, NULL, 0 },
1197	/* 0xaa */ { NULL, NULL, 0 },
1198	/* 0xab */ { NULL, NULL, 0 },
1199	/* 0xac */ { NULL, NULL, 0 },
1200	/* 0xad */ { NULL, NULL, 0 },
1201	/* 0xae */ { NULL, NULL, 0 },
1202	/* 0xaf */ { NULL, NULL, 0 },
1203	/* 0xb0 */ { NULL, NULL, 0 },
1204	/* 0xb1 */ { NULL, NULL, 0 },
1205	/* 0xb2 */ { NULL, NULL, 0 },
1206	/* 0xb3 */ { NULL, NULL, 0 },
1207	/* 0xb4 */ { NULL, NULL, 0 },
1208	/* 0xb5 */ { NULL, NULL, 0 },
1209	/* 0xb6 */ { NULL, NULL, 0 },
1210	/* 0xb7 */ { NULL, NULL, 0 },
1211	/* 0xb8 */ { NULL, NULL, 0 },
1212	/* 0xb9 */ { NULL, NULL, 0 },
1213	/* 0xba */ { NULL, NULL, 0 },
1214	/* 0xbb */ { NULL, NULL, 0 },
1215	/* 0xbc */ { NULL, NULL, 0 },
1216	/* 0xbd */ { NULL, NULL, 0 },
1217	/* 0xbe */ { NULL, NULL, 0 },
1218	/* 0xbf */ { NULL, NULL, 0 },
1219	/* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1220	/* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1221	/* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1222	/* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1223	/* 0xc4 */ { NULL, NULL, 0 },
1224	/* 0xc5 */ { NULL, NULL, 0 },
1225	/* 0xc6 */ { NULL, NULL, 0 },
1226	/* 0xc7 */ { NULL, NULL, 0 },
1227	/* 0xc8 */ { NULL, NULL, 0 },
1228	/* 0xc9 */ { NULL, NULL, 0 },
1229	/* 0xca */ { NULL, NULL, 0 },
1230	/* 0xcb */ { NULL, NULL, 0 },
1231	/* 0xcc */ { NULL, NULL, 0 },
1232	/* 0xcd */ { NULL, NULL, 0 },
1233	/* 0xce */ { NULL, NULL, 0 },
1234	/* 0xcf */ { NULL, NULL, 0 },
1235	/* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1236	/* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1237	/* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1238	/* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1239	/* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1240	/* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1241	/* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1242	/* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1243	/* 0xd8 */ { NULL, NULL, 0 },
1244	/* 0xd9 */ { NULL, NULL, 0 },
1245	/* 0xda */ { NULL, NULL, 0 },
1246	/* 0xdb */ { NULL, NULL, 0 },
1247	/* 0xdc */ { NULL, NULL, 0 },
1248	/* 0xdd */ { NULL, NULL, 0 },
1249	/* 0xde */ { NULL, NULL, 0 },
1250	/* 0xdf */ { NULL, NULL, 0 },
1251	/* 0xe0 */ { NULL, NULL, 0 },
1252	/* 0xe1 */ { NULL, NULL, 0 },
1253	/* 0xe2 */ { NULL, NULL, 0 },
1254	/* 0xe3 */ { NULL, NULL, 0 },
1255	/* 0xe4 */ { NULL, NULL, 0 },
1256	/* 0xe5 */ { NULL, NULL, 0 },
1257	/* 0xe6 */ { NULL, NULL, 0 },
1258	/* 0xe7 */ { NULL, NULL, 0 },
1259	/* 0xe8 */ { NULL, NULL, 0 },
1260	/* 0xe9 */ { NULL, NULL, 0 },
1261	/* 0xea */ { NULL, NULL, 0 },
1262	/* 0xeb */ { NULL, NULL, 0 },
1263	/* 0xec */ { NULL, NULL, 0 },
1264	/* 0xed */ { NULL, NULL, 0 },
1265	/* 0xee */ { NULL, NULL, 0 },
1266	/* 0xef */ { NULL, NULL, 0 },
1267	/* 0xf0 */ { NULL, NULL, 0 },
1268	/* 0xf1 */ { NULL, NULL, 0 },
1269	/* 0xf2 */ { NULL, NULL, 0 },
1270	/* 0xf3 */ { NULL, NULL, 0 },
1271	/* 0xf4 */ { NULL, NULL, 0 },
1272	/* 0xf5 */ { NULL, NULL, 0 },
1273	/* 0xf6 */ { NULL, NULL, 0 },
1274	/* 0xf7 */ { NULL, NULL, 0 },
1275	/* 0xf8 */ { NULL, NULL, 0 },
1276	/* 0xf9 */ { NULL, NULL, 0 },
1277	/* 0xfa */ { NULL, NULL, 0 },
1278	/* 0xfb */ { NULL, NULL, 0 },
1279	/* 0xfc */ { NULL, NULL, 0 },
1280	/* 0xfd */ { NULL, NULL, 0 },
1281	/* 0xfe */ { NULL, NULL, 0 },
1282	/* 0xff */ { NULL, NULL, 0 }
1283
1284	};
1285
1286	/*******************************************************************
1287	allocate and initialize a reply packet
1288	********************************************************************/
1289
1290	static bool create_outbuf(TALLOC_CTX mem_ctx, struct smb_request req,
1291	const char inbuf, char *outbuf, uint8_t num_words,
1292	uint32_t num_bytes)
1293	{
1294	/*
1295	* Protect against integer wrap
1296	*/
1297	if ((num_bytes > 0xffffff)
1298	\|\| ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1299	char *msg;
1300	if (asprintf(&msg, "num_bytes too large: %u",
1301	(unsigned)num_bytes) == -1) {
1302	msg = CONST_DISCARD(char *, "num_bytes too large");
1303	}
1304	smb_panic(msg);
1305	}
1306
1307	*outbuf = TALLOC_ARRAY(mem_ctx, char,
1308	smb_size + num_words*2 + num_bytes);
1309	if (*outbuf == NULL) {
1310	return false;
1311	}
1312
1313	construct_reply_common(req, inbuf, *outbuf);
1314	srv_set_message(*outbuf, num_words, num_bytes, false);
1315	/*
1316	* Zero out the word area, the caller has to take care of the bcc area
1317	* himself
1318	*/
1319	if (num_words != 0) {
1320	memset(outbuf + smb_vwv0, 0, num_words2);
1321	}
1322
1323	return true;
1324	}
1325
1326	void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1327	{
1328	char *outbuf;
1329	if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1330	num_bytes)) {
1331	smb_panic("could not allocate output buffer\n");
1332	}
1333	req->outbuf = (uint8_t *)outbuf;
1334	}
1335
1336
1337	/*******************************************************************
1338	Dump a packet to a file.
1339	********************************************************************/
1340
1341	static void smb_dump(const char name, int type, const char data, ssize_t len)
1342	{
1343	int fd, i;
1344	char *fname = NULL;
1345	if (DEBUGLEVEL < 50) {
1346	return;
1347	}
1348
1349	if (len < 4) len = smb_len(data)+4;
1350	for (i=1;i<100;i++) {
1351	if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1352	type ? "req" : "resp") == -1) {
1353	return;
1354	}
1355	fd = open(fname, O_WRONLY\|O_CREAT\|O_EXCL, 0644);
1356	if (fd != -1 \|\| errno != EEXIST) break;
1357	}
1358	if (fd != -1) {
1359	ssize_t ret = write(fd, data, len);
1360	if (ret != len)
1361	DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1362	close(fd);
1363	DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1364	}
1365	SAFE_FREE(fname);
1366	}
1367
1368	/****************************************************************************
1369	Prepare everything for calling the actual request function, and potentially
1370	call the request function via the "new" interface.
1371
1372	Return False if the "legacy" function needs to be called, everything is
1373	prepared.
1374
1375	Return True if we're done.
1376
1377	I know this API sucks, but it is the one with the least code change I could
1378	find.
1379	****************************************************************************/
1380
1381	static connection_struct switch_message(uint8 type, struct smb_request req, int size)
1382	{
1383	int flags;
1384	uint16 session_tag;
1385	connection_struct *conn = NULL;
1386	struct smbd_server_connection *sconn = req->sconn;
1387
1388	errno = 0;
1389
1390	/* Make sure this is an SMB packet. smb_size contains NetBIOS header
1391	* so subtract 4 from it. */
1392	if ((size < (smb_size - 4)) \|\|
1393	!valid_smb_header(req->inbuf)) {
1394	DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1395	smb_len(req->inbuf)));
1396	exit_server_cleanly("Non-SMB packet");
1397	}
1398
1399	if (smb_messages[type].fn == NULL) {
1400	DEBUG(0,("Unknown message type %d!\n",type));
1401	smb_dump("Unknown", 1, (char *)req->inbuf, size);
1402	reply_unknown_new(req, type);
1403	return NULL;
1404	}
1405
1406	flags = smb_messages[type].flags;
1407
1408	/* In share mode security we must ignore the vuid. */
1409	session_tag = (lp_security() == SEC_SHARE)
1410	? UID_FIELD_INVALID : req->vuid;
1411	conn = req->conn;
1412
1413	DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1414	(int)sys_getpid(), (unsigned long)conn));
1415
1416	smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1417
1418	/* Ensure this value is replaced in the incoming packet. */
1419	SSVAL(req->inbuf,smb_uid,session_tag);
1420
1421	/*
1422	* Ensure the correct username is in current_user_info. This is a
1423	* really ugly bugfix for problems with multiple session_setup_and_X's
1424	* being done and allowing %U and %G substitutions to work correctly.
1425	* There is a reason this code is done here, don't move it unless you
1426	* know what you're doing... :-).
1427	* JRA.
1428	*/
1429
1430	if (session_tag != sconn->smb1.sessions.last_session_tag) {
1431	user_struct *vuser = NULL;
1432
1433	sconn->smb1.sessions.last_session_tag = session_tag;
1434	if(session_tag != UID_FIELD_INVALID) {
1435	vuser = get_valid_user_struct(sconn, session_tag);
1436	if (vuser) {
1437	set_current_user_info(
1438	vuser->session_info->sanitized_username,
1439	vuser->session_info->unix_name,
1440	vuser->session_info->info3->base.domain.string);
1441	}
1442	}
1443	}
1444
1445	/* Does this call need to be run as the connected user? */
1446	if (flags & AS_USER) {
1447
1448	/* Does this call need a valid tree connection? */
1449	if (!conn) {
1450	/*
1451	* Amazingly, the error code depends on the command
1452	* (from Samba4).
1453	*/
1454	if (type == SMBntcreateX) {
1455	reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1456	} else {
1457	reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1458	}
1459	return NULL;
1460	}
1461
1462	if (!change_to_user(conn,session_tag)) {
1463	DEBUG(0, ("Error: Could not change to user. Removing "
1464	"deferred open, mid=%llu.\n",
1465	(unsigned long long)req->mid));
1466	reply_force_doserror(req, ERRSRV, ERRbaduid);
1467	return conn;
1468	}
1469
1470	/* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1471
1472	/* Does it need write permission? */
1473	if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1474	reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1475	return conn;
1476	}
1477
1478	/* IPC services are limited */
1479	if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1480	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1481	return conn;
1482	}
1483	} else {
1484	/* This call needs to be run as root */
1485	change_to_root_user();
1486	}
1487
1488	/* load service specific parameters */
1489	if (conn) {
1490	if (req->encrypted) {
1491	conn->encrypted_tid = true;
1492	/* encrypted required from now on. */
1493	conn->encrypt_level = Required;
1494	} else if (ENCRYPTION_REQUIRED(conn)) {
1495	if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1496	exit_server_cleanly("encryption required "
1497	"on connection");
1498	return conn;
1499	}
1500	}
1501
1502	if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1503	(flags & (AS_USER\|DO_CHDIR)
1504	?True:False))) {
1505	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1506	return conn;
1507	}
1508	conn->num_smb_operations++;
1509	}
1510
1511	/* does this protocol need to be run as guest? */
1512	if ((flags & AS_GUEST)
1513	&& (!change_to_guest() \|\|
1514	!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
1515	sconn->client_id.name,
1516	sconn->client_id.addr))) {
1517	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1518	return conn;
1519	}
1520
1521	smb_messages[type].fn(req);
1522	return req->conn;
1523	}
1524
1525	/****************************************************************************
1526	Construct a reply to the incoming packet.
1527	****************************************************************************/
1528
1529	static void construct_reply(struct smbd_server_connection *sconn,
1530	char *inbuf, int size, size_t unread_bytes,
1531	uint32_t seqnum, bool encrypted,
1532	struct smb_perfcount_data *deferred_pcd)
1533	{
1534	connection_struct *conn;
1535	struct smb_request *req;
1536
1537	if (!(req = talloc(talloc_tos(), struct smb_request))) {
1538	smb_panic("could not allocate smb_request");
1539	}
1540
1541	if (!init_smb_request(req, sconn, (uint8 *)inbuf, unread_bytes,
1542	encrypted, seqnum)) {
1543	exit_server_cleanly("Invalid SMB request");
1544	}
1545
1546	req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1547
1548	/* we popped this message off the queue - keep original perf data */
1549	if (deferred_pcd)
1550	req->pcd = *deferred_pcd;
1551	else {
1552	SMB_PERFCOUNT_START(&req->pcd);
1553	SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1554	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1555	}
1556
1557	conn = switch_message(req->cmd, req, size);
1558
1559	if (req->unread_bytes) {
1560	/* writeX failed. drain socket. */
1561	if (drain_socket(req->sconn->sock, req->unread_bytes) !=
1562	req->unread_bytes) {
1563	smb_panic("failed to drain pending bytes");
1564	}
1565	req->unread_bytes = 0;
1566	}
1567
1568	if (req->done) {
1569	TALLOC_FREE(req);
1570	return;
1571	}
1572
1573	if (req->outbuf == NULL) {
1574	return;
1575	}
1576
1577	if (CVAL(req->outbuf,0) == 0) {
1578	show_msg((char *)req->outbuf);
1579	}
1580
1581	if (!srv_send_smb(req->sconn,
1582	(char *)req->outbuf,
1583	true, req->seqnum+1,
1584	IS_CONN_ENCRYPTED(conn)\|\|req->encrypted,
1585	&req->pcd)) {
1586	exit_server_cleanly("construct_reply: srv_send_smb failed.");
1587	}
1588
1589	TALLOC_FREE(req);
1590
1591	return;
1592	}
1593
1594	/****************************************************************************
1595	Process an smb from the client
1596	****************************************************************************/
1597	static void process_smb(struct smbd_server_connection *sconn,
1598	uint8_t *inbuf, size_t nread, size_t unread_bytes,
1599	uint32_t seqnum, bool encrypted,
1600	struct smb_perfcount_data *deferred_pcd)
1601	{
1602	int msg_type = CVAL(inbuf,0);
1603
1604	DO_PROFILE_INC(smb_count);
1605
1606	DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1607	smb_len(inbuf) ) );
1608	DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1609	sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1610
1611	if (msg_type != 0) {
1612	/*
1613	* NetBIOS session request, keepalive, etc.
1614	*/
1615	reply_special(sconn, (char *)inbuf, nread);
1616	goto done;
1617	}
1618
1619	if (sconn->using_smb2) {
1620	/* At this point we're not really using smb2,
1621	* we make the decision here.. */
1622	if (smbd_is_smb2_header(inbuf, nread)) {
1623	smbd_smb2_first_negprot(sconn, inbuf, nread);
1624	return;
1625	} else if (nread >= smb_size && valid_smb_header(inbuf)
1626	&& CVAL(inbuf, smb_com) != 0x72) {
1627	/* This is a non-negprot SMB1 packet.
1628	Disable SMB2 from now on. */
1629	sconn->using_smb2 = false;
1630	}
1631	}
1632
1633	show_msg((char *)inbuf);
1634
1635	construct_reply(sconn, (char *)inbuf, nread, unread_bytes, seqnum,
1636	encrypted, deferred_pcd);
1637	sconn->trans_num++;
1638
1639	done:
1640	sconn->num_requests++;
1641
1642	/* The timeout_processing function isn't run nearly
1643	often enough to implement 'max log size' without
1644	overrunning the size of the file by many megabytes.
1645	This is especially true if we are running at debug
1646	level 10. Checking every 50 SMBs is a nice
1647	tradeoff of performance vs log file size overrun. */
1648
1649	if ((sconn->num_requests % 50) == 0 &&
1650	need_to_check_log_size()) {
1651	change_to_root_user();
1652	check_log_size();
1653	}
1654	}
1655
1656	/****************************************************************************
1657	Return a string containing the function name of a SMB command.
1658	****************************************************************************/
1659
1660	const char *smb_fn_name(int type)
1661	{
1662	const char *unknown_name = "SMBunknown";
1663
1664	if (smb_messages[type].name == NULL)
1665	return(unknown_name);
1666
1667	return(smb_messages[type].name);
1668	}
1669
1670	/****************************************************************************
1671	Helper functions for contruct_reply.
1672	****************************************************************************/
1673
1674	void add_to_common_flags2(uint32 v)
1675	{
1676	common_flags2 \|= v;
1677	}
1678
1679	void remove_from_common_flags2(uint32 v)
1680	{
1681	common_flags2 &= ~v;
1682	}
1683
1684	static void construct_reply_common(struct smb_request req, const char inbuf,
1685	char *outbuf)
1686	{
1687	srv_set_message(outbuf,0,0,false);
1688
1689	SCVAL(outbuf, smb_com, req->cmd);
1690	SIVAL(outbuf,smb_rcls,0);
1691	SCVAL(outbuf,smb_flg, FLAG_REPLY \| (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1692	SSVAL(outbuf,smb_flg2,
1693	(SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) \|
1694	common_flags2);
1695	memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1696
1697	SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1698	SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1699	SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1700	SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1701	}
1702
1703	void construct_reply_common_req(struct smb_request req, char outbuf)
1704	{
1705	construct_reply_common(req, (char *)req->inbuf, outbuf);
1706	}
1707
1708	/*
1709	* How many bytes have we already accumulated up to the current wct field
1710	* offset?
1711	*/
1712
1713	size_t req_wct_ofs(struct smb_request *req)
1714	{
1715	size_t buf_size;
1716
1717	if (req->chain_outbuf == NULL) {
1718	return smb_wct - 4;
1719	}
1720	buf_size = talloc_get_size(req->chain_outbuf);
1721	if ((buf_size % 4) != 0) {
1722	buf_size += (4 - (buf_size % 4));
1723	}
1724	return buf_size - 4;
1725	}
1726
1727	/*
1728	* Hack around reply_nterror & friends not being aware of chained requests,
1729	* generating illegal (i.e. wct==0) chain replies.
1730	*/
1731
1732	static void fixup_chain_error_packet(struct smb_request *req)
1733	{
1734	uint8_t *outbuf = req->outbuf;
1735	req->outbuf = NULL;
1736	reply_outbuf(req, 2, 0);
1737	memcpy(req->outbuf, outbuf, smb_wct);
1738	TALLOC_FREE(outbuf);
1739	SCVAL(req->outbuf, smb_vwv0, 0xff);
1740	}
1741
1742	/**
1743	* @brief Find the smb_cmd offset of the last command pushed
1744	* @param[in] buf The buffer we're building up
1745	* @retval Where can we put our next andx cmd?
1746	*
1747	* While chaining requests, the "next" request we're looking at needs to put
1748	* its SMB_Command before the data the previous request already built up added
1749	* to the chain. Find the offset to the place where we have to put our cmd.
1750	*/
1751
1752	static bool find_andx_cmd_ofs(uint8_t buf, size_t pofs)
1753	{
1754	uint8_t cmd;
1755	size_t ofs;
1756
1757	cmd = CVAL(buf, smb_com);
1758
1759	SMB_ASSERT(is_andx_req(cmd));
1760
1761	ofs = smb_vwv0;
1762
1763	while (CVAL(buf, ofs) != 0xff) {
1764
1765	if (!is_andx_req(CVAL(buf, ofs))) {
1766	return false;
1767	}
1768
1769	/*
1770	* ofs is from start of smb header, so add the 4 length
1771	* bytes. The next cmd is right after the wct field.
1772	*/
1773	ofs = SVAL(buf, ofs+2) + 4 + 1;
1774
1775	SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1776	}
1777
1778	*pofs = ofs;
1779	return true;
1780	}
1781
1782	/**
1783	* @brief Do the smb chaining at a buffer level
1784	* @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1785	* @param[in] smb_command The command that we want to issue
1786	* @param[in] wct How many words?
1787	* @param[in] vwv The words, already in network order
1788	* @param[in] bytes_alignment How shall we align "bytes"?
1789	* @param[in] num_bytes How many bytes?
1790	* @param[in] bytes The data the request ships
1791	*
1792	* smb_splice_chain() adds the vwv and bytes to the request already present in
1793	* *poutbuf.
1794	*/
1795
1796	static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1797	uint8_t wct, const uint16_t *vwv,
1798	size_t bytes_alignment,
1799	uint32_t num_bytes, const uint8_t *bytes)
1800	{
1801	uint8_t *outbuf;
1802	size_t old_size, new_size;
1803	size_t ofs;
1804	size_t chain_padding = 0;
1805	size_t bytes_padding = 0;
1806	bool first_request;
1807
1808	old_size = talloc_get_size(*poutbuf);
1809
1810	/*
1811	* old_size == smb_wct means we're pushing the first request in for
1812	* libsmb/
1813	*/
1814
1815	first_request = (old_size == smb_wct);
1816
1817	if (!first_request && ((old_size % 4) != 0)) {
1818	/*
1819	* Align the wct field of subsequent requests to a 4-byte
1820	* boundary
1821	*/
1822	chain_padding = 4 - (old_size % 4);
1823	}
1824
1825	/*
1826	* After the old request comes the new wct field (1 byte), the vwv's
1827	* and the num_bytes field. After at we might need to align the bytes
1828	* given to us to "bytes_alignment", increasing the num_bytes value.
1829	*/
1830
1831	new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1832
1833	if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1834	bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1835	}
1836
1837	new_size += bytes_padding + num_bytes;
1838
1839	if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1840	DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1841	(unsigned)new_size));
1842	return false;
1843	}
1844
1845	outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1846	if (outbuf == NULL) {
1847	DEBUG(0, ("talloc failed\n"));
1848	return false;
1849	}
1850	*poutbuf = outbuf;
1851
1852	if (first_request) {
1853	SCVAL(outbuf, smb_com, smb_command);
1854	} else {
1855	size_t andx_cmd_ofs;
1856
1857	if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1858	DEBUG(1, ("invalid command chain\n"));
1859	*poutbuf = TALLOC_REALLOC_ARRAY(
1860	NULL, *poutbuf, uint8_t, old_size);
1861	return false;
1862	}
1863
1864	if (chain_padding != 0) {
1865	memset(outbuf + old_size, 0, chain_padding);
1866	old_size += chain_padding;
1867	}
1868
1869	SCVAL(outbuf, andx_cmd_ofs, smb_command);
1870	SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1871	}
1872
1873	ofs = old_size;
1874
1875	/*
1876	* Push the chained request:
1877	*
1878	* wct field
1879	*/
1880
1881	SCVAL(outbuf, ofs, wct);
1882	ofs += 1;
1883
1884	/*
1885	* vwv array
1886	*/
1887
1888	memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1889	ofs += sizeof(uint16_t) * wct;
1890
1891	/*
1892	* bcc (byte count)
1893	*/
1894
1895	SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1896	ofs += sizeof(uint16_t);
1897
1898	/*
1899	* padding
1900	*/
1901
1902	if (bytes_padding != 0) {
1903	memset(outbuf + ofs, 0, bytes_padding);
1904	ofs += bytes_padding;
1905	}
1906
1907	/*
1908	* The bytes field
1909	*/
1910
1911	memcpy(outbuf + ofs, bytes, num_bytes);
1912
1913	return true;
1914	}
1915
1916	/****************************************************************************
1917	Construct a chained reply and add it to the already made reply
1918	****************************************************************************/
1919
1920	void chain_reply(struct smb_request *req)
1921	{
1922	size_t smblen = smb_len(req->inbuf);
1923	size_t already_used, length_needed;
1924	uint8_t chain_cmd;
1925	uint32_t chain_offset; /* uint32_t to avoid overflow */
1926
1927	uint8_t wct;
1928	uint16_t *vwv;
1929	uint16_t buflen;
1930	uint8_t *buf;
1931
1932	if (IVAL(req->outbuf, smb_rcls) != 0) {
1933	fixup_chain_error_packet(req);
1934	}
1935
1936	/*
1937	* Any of the AndX requests and replies have at least a wct of
1938	* 2. vwv[0] is the next command, vwv[1] is the offset from the
1939	* beginning of the SMB header to the next wct field.
1940	*
1941	* None of the AndX requests put anything valuable in vwv[0] and [1],
1942	* so we can overwrite it here to form the chain.
1943	*/
1944
1945	if ((req->wct < 2) \|\| (CVAL(req->outbuf, smb_wct) < 2)) {
1946	if (req->chain_outbuf == NULL) {
1947	req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1948	req, req->outbuf, uint8_t,
1949	smb_len(req->outbuf) + 4);
1950	if (req->chain_outbuf == NULL) {
1951	smb_panic("talloc failed");
1952	}
1953	}
1954	req->outbuf = NULL;
1955	goto error;
1956	}
1957
1958	/*
1959	* Here we assume that this is the end of the chain. For that we need
1960	* to set "next command" to 0xff and the offset to 0. If we later find
1961	* more commands in the chain, this will be overwritten again.
1962	*/
1963
1964	SCVAL(req->outbuf, smb_vwv0, 0xff);
1965	SCVAL(req->outbuf, smb_vwv0+1, 0);
1966	SSVAL(req->outbuf, smb_vwv1, 0);
1967
1968	if (req->chain_outbuf == NULL) {
1969	/*
1970	* In req->chain_outbuf we collect all the replies. Start the
1971	* chain by copying in the first reply.
1972	*
1973	* We do the realloc because later on we depend on
1974	* talloc_get_size to determine the length of
1975	* chain_outbuf. The reply_xxx routines might have
1976	* over-allocated (reply_pipe_read_and_X used to be such an
1977	* example).
1978	*/
1979	req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1980	req, req->outbuf, uint8_t,
1981	smb_len_large(req->outbuf) + 4);
1982	if (req->chain_outbuf == NULL) {
1983	smb_panic("talloc failed");
1984	}
1985	req->outbuf = NULL;
1986	} else {
1987	/*
1988	* Update smb headers where subsequent chained commands
1989	* may have updated them.
1990	*/
1991	SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
1992	SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
1993
1994	if (!smb_splice_chain(&req->chain_outbuf,
1995	CVAL(req->outbuf, smb_com),
1996	CVAL(req->outbuf, smb_wct),
1997	(uint16_t *)(req->outbuf + smb_vwv),
1998	0, smb_buflen(req->outbuf),
1999	(uint8_t *)smb_buf(req->outbuf))) {
2000	goto error;
2001	}
2002	TALLOC_FREE(req->outbuf);
2003	}
2004
2005	/*
2006	* We use the old request's vwv field to grab the next chained command
2007	* and offset into the chained fields.
2008	*/
2009
2010	chain_cmd = CVAL(req->vwv+0, 0);
2011	chain_offset = SVAL(req->vwv+1, 0);
2012
2013	if (chain_cmd == 0xff) {
2014	/*
2015	* End of chain, no more requests from the client. So ship the
2016	* replies.
2017	*/
2018	smb_setlen((char *)(req->chain_outbuf),
2019	talloc_get_size(req->chain_outbuf) - 4);
2020
2021	if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2022	true, req->seqnum+1,
2023	IS_CONN_ENCRYPTED(req->conn)
2024	\|\|req->encrypted,
2025	&req->pcd)) {
2026	exit_server_cleanly("chain_reply: srv_send_smb "
2027	"failed.");
2028	}
2029	TALLOC_FREE(req->chain_outbuf);
2030	req->done = true;
2031	return;
2032	}
2033
2034	/* add a new perfcounter for this element of chain */
2035	SMB_PERFCOUNT_ADD(&req->pcd);
2036	SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
2037	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
2038
2039	/*
2040	* Check if the client tries to fool us. The chain offset
2041	* needs to point beyond the current request in the chain, it
2042	* needs to strictly grow. Otherwise we might be tricked into
2043	* an endless loop always processing the same request over and
2044	* over again. We used to assume that vwv and the byte buffer
2045	* array in a chain are always attached, but OS/2 the
2046	* Write&X/Read&X chain puts the Read&X vwv array right behind
2047	* the Write&X vwv chain. The Write&X bcc array is put behind
2048	* the Read&X vwv array. So now we check whether the chain
2049	* offset points strictly behind the previous vwv
2050	* array. req->buf points right after the vwv array of the
2051	* previous request. See
2052	* https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
2053	* information.
2054	*/
2055
2056	already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
2057	if (chain_offset <= already_used) {
2058	goto error;
2059	}
2060
2061	/*
2062	* Next check: Make sure the chain offset does not point beyond the
2063	* overall smb request length.
2064	*/
2065
2066	length_needed = chain_offset+1; /* wct */
2067	if (length_needed > smblen) {
2068	goto error;
2069	}
2070
2071	/*
2072	* Now comes the pointer magic. Goal here is to set up req->vwv and
2073	* req->buf correctly again to be able to call the subsequent
2074	* switch_message(). The chain offset (the former vwv[1]) points at
2075	* the new wct field.
2076	*/
2077
2078	wct = CVAL(smb_base(req->inbuf), chain_offset);
2079
2080	/*
2081	* Next consistency check: Make the new vwv array fits in the overall
2082	* smb request.
2083	*/
2084
2085	length_needed += (wct+1)sizeof(uint16_t); / vwv+buflen */
2086	if (length_needed > smblen) {
2087	goto error;
2088	}
2089	vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
2090
2091	/*
2092	* Now grab the new byte buffer....
2093	*/
2094
2095	buflen = SVAL(vwv+wct, 0);
2096
2097	/*
2098	* .. and check that it fits.
2099	*/
2100
2101	length_needed += buflen;
2102	if (length_needed > smblen) {
2103	goto error;
2104	}
2105	buf = (uint8_t *)(vwv+wct+1);
2106
2107	req->cmd = chain_cmd;
2108	req->wct = wct;
2109	req->vwv = vwv;
2110	req->buflen = buflen;
2111	req->buf = buf;
2112
2113	switch_message(chain_cmd, req, smblen);
2114
2115	if (req->outbuf == NULL) {
2116	/*
2117	* This happens if the chained command has suspended itself or
2118	* if it has called srv_send_smb() itself.
2119	*/
2120	return;
2121	}
2122
2123	/*
2124	* We end up here if the chained command was not itself chained or
2125	* suspended, but for example a close() command. We now need to splice
2126	* the chained commands' outbuf into the already built up chain_outbuf
2127	* and ship the result.
2128	*/
2129	goto done;
2130
2131	error:
2132	/*
2133	* We end up here if there's any error in the chain syntax. Report a
2134	* DOS error, just like Windows does.
2135	*/
2136	reply_force_doserror(req, ERRSRV, ERRerror);
2137	fixup_chain_error_packet(req);
2138
2139	done:
2140	/*
2141	* This scary statement intends to set the
2142	* FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2143	* to the value req->outbuf carries
2144	*/
2145	SSVAL(req->chain_outbuf, smb_flg2,
2146	(SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2147	\| (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2148
2149	/*
2150	* Transfer the error codes from the subrequest to the main one
2151	*/
2152	SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2153	SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2154
2155	if (!smb_splice_chain(&req->chain_outbuf,
2156	CVAL(req->outbuf, smb_com),
2157	CVAL(req->outbuf, smb_wct),
2158	(uint16_t *)(req->outbuf + smb_vwv),
2159	0, smb_buflen(req->outbuf),
2160	(uint8_t *)smb_buf(req->outbuf))) {
2161	exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2162	}
2163	TALLOC_FREE(req->outbuf);
2164
2165	smb_setlen((char *)(req->chain_outbuf),
2166	talloc_get_size(req->chain_outbuf) - 4);
2167
2168	show_msg((char *)(req->chain_outbuf));
2169
2170	if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2171	true, req->seqnum+1,
2172	IS_CONN_ENCRYPTED(req->conn)\|\|req->encrypted,
2173	&req->pcd)) {
2174	exit_server_cleanly("chain_reply: srv_send_smb failed.");
2175	}
2176	TALLOC_FREE(req->chain_outbuf);
2177	req->done = true;
2178	}
2179
2180	/****************************************************************************
2181	Check if services need reloading.
2182	****************************************************************************/
2183
2184	static void check_reload(struct smbd_server_connection *sconn, time_t t)
2185	{
2186
2187	if (last_smb_conf_reload_time == 0) {
2188	last_smb_conf_reload_time = t;
2189	}
2190
2191	if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2192	reload_services(sconn->msg_ctx, sconn->sock, True);
2193	last_smb_conf_reload_time = t;
2194	}
2195	}
2196
2197	static bool fd_is_readable(int fd)
2198	{
2199	int ret, revents;
2200
2201	ret = poll_one_fd(fd, POLLIN\|POLLHUP, 0, &revents);
2202
2203	return ((ret > 0) && ((revents & (POLLIN\|POLLHUP\|POLLERR)) != 0));
2204
2205	}
2206
2207	static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2208	{
2209	/* TODO: make write nonblocking */
2210	}
2211
2212	static void smbd_server_connection_read_handler(
2213	struct smbd_server_connection *conn, int fd)
2214	{
2215	uint8_t *inbuf = NULL;
2216	size_t inbuf_len = 0;
2217	size_t unread_bytes = 0;
2218	bool encrypted = false;
2219	TALLOC_CTX *mem_ctx = talloc_tos();
2220	NTSTATUS status;
2221	uint32_t seqnum;
2222
2223	bool from_client = (conn->sock == fd);
2224
2225	if (from_client) {
2226	smbd_lock_socket(conn);
2227
2228	if (lp_async_smb_echo_handler() && !fd_is_readable(fd)) {
2229	DEBUG(10,("the echo listener was faster\n"));
2230	smbd_unlock_socket(conn);
2231	return;
2232	}
2233
2234	/* TODO: make this completely nonblocking */
2235	status = receive_smb_talloc(mem_ctx, conn, fd,
2236	(char *)(void )&inbuf,
2237	0, /* timeout */
2238	&unread_bytes,
2239	&encrypted,
2240	&inbuf_len, &seqnum,
2241	false /* trusted channel */);
2242	smbd_unlock_socket(conn);
2243	} else {
2244	/* TODO: make this completely nonblocking */
2245	status = receive_smb_talloc(mem_ctx, conn, fd,
2246	(char *)(void )&inbuf,
2247	0, /* timeout */
2248	&unread_bytes,
2249	&encrypted,
2250	&inbuf_len, &seqnum,
2251	true /* trusted channel */);
2252	}
2253
2254	if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2255	goto process;
2256	}
2257	if (NT_STATUS_IS_ERR(status)) {
2258	exit_server_cleanly("failed to receive smb request");
2259	}
2260	if (!NT_STATUS_IS_OK(status)) {
2261	return;
2262	}
2263
2264	process:
2265	process_smb(conn, inbuf, inbuf_len, unread_bytes,
2266	seqnum, encrypted, NULL);
2267	}
2268
2269	static void smbd_server_connection_handler(struct event_context *ev,
2270	struct fd_event *fde,
2271	uint16_t flags,
2272	void *private_data)
2273	{
2274	struct smbd_server_connection *conn = talloc_get_type(private_data,
2275	struct smbd_server_connection);
2276
2277	if (flags & EVENT_FD_WRITE) {
2278	smbd_server_connection_write_handler(conn);
2279	return;
2280	}
2281	if (flags & EVENT_FD_READ) {
2282	smbd_server_connection_read_handler(conn, conn->sock);
2283	return;
2284	}
2285	}
2286
2287	static void smbd_server_echo_handler(struct event_context *ev,
2288	struct fd_event *fde,
2289	uint16_t flags,
2290	void *private_data)
2291	{
2292	struct smbd_server_connection *conn = talloc_get_type(private_data,
2293	struct smbd_server_connection);
2294
2295	if (flags & EVENT_FD_WRITE) {
2296	smbd_server_connection_write_handler(conn);
2297	return;
2298	}
2299	if (flags & EVENT_FD_READ) {
2300	smbd_server_connection_read_handler(
2301	conn, conn->smb1.echo_handler.trusted_fd);
2302	return;
2303	}
2304	}
2305
2306	/****************************************************************************
2307	received when we should release a specific IP
2308	****************************************************************************/
2309	static void release_ip(const char ip, void priv)
2310	{
2311	const char addr = (const char )priv;
2312	const char *p = addr;
2313
2314	if (strncmp("::ffff:", addr, 7) == 0) {
2315	p = addr + 7;
2316	}
2317
2318	DEBUG(10, ("Got release IP message for %s, "
2319	"our address is %s\n", ip, p));
2320
2321	if ((strcmp(p, ip) == 0) \|\| ((p != addr) && strcmp(addr, ip) == 0)) {
2322	/* we can't afford to do a clean exit - that involves
2323	database writes, which would potentially mean we
2324	are still running after the failover has finished -
2325	we have to get rid of this process ID straight
2326	away */
2327	DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2328	ip));
2329	/* note we must exit with non-zero status so the unclean handler gets
2330	called in the parent, so that the brl database is tickled */
2331	_exit(1);
2332	}
2333	}
2334
2335	static void msg_release_ip(struct messaging_context msg_ctx, void private_data,
2336	uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2337	{
2338	struct smbd_server_connection *sconn = talloc_get_type_abort(
2339	private_data, struct smbd_server_connection);
2340
2341	release_ip((char *)data->data, sconn->client_id.addr);
2342	}
2343
2344	#ifdef CLUSTER_SUPPORT
2345	static int client_get_tcp_info(int sock, struct sockaddr_storage *server,
2346	struct sockaddr_storage *client)
2347	{
2348	socklen_t length;
2349	length = sizeof(*server);
2350	if (getsockname(sock, (struct sockaddr *)server, &length) != 0) {
2351	return -1;
2352	}
2353	length = sizeof(*client);
2354	if (getpeername(sock, (struct sockaddr *)client, &length) != 0) {
2355	return -1;
2356	}
2357	return 0;
2358	}
2359	#endif
2360
2361	/*
2362	* Send keepalive packets to our client
2363	*/
2364	static bool keepalive_fn(const struct timeval now, void private_data)
2365	{
2366	struct smbd_server_connection *sconn = smbd_server_conn;
2367	bool ret;
2368
2369	if (sconn->using_smb2) {
2370	/* Don't do keepalives on an SMB2 connection. */
2371	return false;
2372	}
2373
2374	smbd_lock_socket(smbd_server_conn);
2375	ret = send_keepalive(sconn->sock);
2376	smbd_unlock_socket(smbd_server_conn);
2377
2378	if (!ret) {
2379	char addr[INET6_ADDRSTRLEN];
2380	/*
2381	* Try and give an error message saying what
2382	* client failed.
2383	*/
2384	DEBUG(0, ("send_keepalive failed for client %s. "
2385	"Error %s - exiting\n",
2386	get_peer_addr(sconn->sock, addr, sizeof(addr)),
2387	strerror(errno)));
2388	return False;
2389	}
2390	return True;
2391	}
2392
2393	/*
2394	* Do the recurring check if we're idle
2395	*/
2396	static bool deadtime_fn(const struct timeval now, void private_data)
2397	{
2398	struct smbd_server_connection *sconn =
2399	(struct smbd_server_connection *)private_data;
2400
2401	if ((conn_num_open(sconn) == 0)
2402	\|\| (conn_idle_all(sconn, now->tv_sec))) {
2403	DEBUG( 2, ( "Closing idle connection\n" ) );
2404	messaging_send(sconn->msg_ctx,
2405	messaging_server_id(sconn->msg_ctx),
2406	MSG_SHUTDOWN, &data_blob_null);
2407	return False;
2408	}
2409
2410	return True;
2411	}
2412
2413	/*
2414	* Do the recurring log file and smb.conf reload checks.
2415	*/
2416
2417	static bool housekeeping_fn(const struct timeval now, void private_data)
2418	{
2419	struct smbd_server_connection *sconn = talloc_get_type_abort(
2420	private_data, struct smbd_server_connection);
2421
2422	DEBUG(5, ("housekeeping\n"));
2423
2424	change_to_root_user();
2425
2426	/* update printer queue caches if necessary */
2427	update_monitored_printq_cache(sconn->msg_ctx);
2428
2429	/* check if we need to reload services */
2430	check_reload(sconn, time_mono(NULL));
2431
2432	/* Change machine password if neccessary. */
2433	attempt_machine_password_change();
2434
2435	/*
2436	* Force a log file check.
2437	*/
2438	force_check_log_size();
2439	check_log_size();
2440	return true;
2441	}
2442
2443	static int create_unlink_tmp(const char *dir)
2444	{
2445	char *fname;
2446	int fd;
2447
2448	fname = talloc_asprintf(talloc_tos(), "%s/listenerlock_XXXXXX", dir);
2449	if (fname == NULL) {
2450	errno = ENOMEM;
2451	return -1;
2452	}
2453	fd = mkstemp(fname);
2454	if (fd == -1) {
2455	TALLOC_FREE(fname);
2456	return -1;
2457	}
2458	if (unlink(fname) == -1) {
2459	int sys_errno = errno;
2460	close(fd);
2461	TALLOC_FREE(fname);
2462	errno = sys_errno;
2463	return -1;
2464	}
2465	TALLOC_FREE(fname);
2466	return fd;
2467	}
2468
2469	struct smbd_echo_state {
2470	struct tevent_context *ev;
2471	struct iovec *pending;
2472	struct smbd_server_connection *sconn;
2473	int parent_pipe;
2474
2475	struct tevent_fd *parent_fde;
2476
2477	struct tevent_fd *read_fde;
2478	struct tevent_req *write_req;
2479	};
2480
2481	static void smbd_echo_writer_done(struct tevent_req *req);
2482
2483	static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2484	{
2485	int num_pending;
2486
2487	if (state->write_req != NULL) {
2488	return;
2489	}
2490
2491	num_pending = talloc_array_length(state->pending);
2492	if (num_pending == 0) {
2493	return;
2494	}
2495
2496	state->write_req = writev_send(state, state->ev, NULL,
2497	state->parent_pipe, false,
2498	state->pending, num_pending);
2499	if (state->write_req == NULL) {
2500	DEBUG(1, ("writev_send failed\n"));
2501	exit(1);
2502	}
2503
2504	talloc_steal(state->write_req, state->pending);
2505	state->pending = NULL;
2506
2507	tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2508	state);
2509	}
2510
2511	static void smbd_echo_writer_done(struct tevent_req *req)
2512	{
2513	struct smbd_echo_state *state = tevent_req_callback_data(
2514	req, struct smbd_echo_state);
2515	ssize_t written;
2516	int err;
2517
2518	written = writev_recv(req, &err);
2519	TALLOC_FREE(req);
2520	state->write_req = NULL;
2521	if (written == -1) {
2522	DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2523	exit(1);
2524	}
2525	DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)sys_getpid()));
2526	smbd_echo_activate_writer(state);
2527	}
2528
2529	static bool smbd_echo_reply(uint8_t *inbuf, size_t inbuf_len,
2530	uint32_t seqnum)
2531	{
2532	struct smb_request req;
2533	uint16_t num_replies;
2534	size_t out_len;
2535	char *outbuf;
2536	bool ok;
2537
2538	if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
2539	DEBUG(10, ("Got netbios keepalive\n"));
2540	/*
2541	* Just swallow it
2542	*/
2543	return true;
2544	}
2545
2546	if (inbuf_len < smb_size) {
2547	DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2548	return false;
2549	}
2550	if (!valid_smb_header(inbuf)) {
2551	DEBUG(10, ("Got invalid SMB header\n"));
2552	return false;
2553	}
2554
2555	if (!init_smb_request(&req, smbd_server_conn, inbuf, 0, false,
2556	seqnum)) {
2557	return false;
2558	}
2559	req.inbuf = inbuf;
2560
2561	DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2562	smb_messages[req.cmd].name
2563	? smb_messages[req.cmd].name : "unknown"));
2564
2565	if (req.cmd != SMBecho) {
2566	return false;
2567	}
2568	if (req.wct < 1) {
2569	return false;
2570	}
2571
2572	num_replies = SVAL(req.vwv+0, 0);
2573	if (num_replies != 1) {
2574	/* Not a Windows "Hey, you're still there?" request */
2575	return false;
2576	}
2577
2578	if (!create_outbuf(talloc_tos(), &req, (char *)req.inbuf, &outbuf,
2579	1, req.buflen)) {
2580	DEBUG(10, ("create_outbuf failed\n"));
2581	return false;
2582	}
2583	req.outbuf = (uint8_t *)outbuf;
2584
2585	SSVAL(req.outbuf, smb_vwv0, num_replies);
2586
2587	if (req.buflen > 0) {
2588	memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2589	}
2590
2591	out_len = smb_len(req.outbuf) + 4;
2592
2593	ok = srv_send_smb(req.sconn,
2594	(char *)outbuf,
2595	true, seqnum+1,
2596	false, &req.pcd);
2597	TALLOC_FREE(outbuf);
2598	if (!ok) {
2599	exit(1);
2600	}
2601
2602	return true;
2603	}
2604
2605	static void smbd_echo_exit(struct tevent_context *ev,
2606	struct tevent_fd *fde, uint16_t flags,
2607	void *private_data)
2608	{
2609	DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2610	exit(0);
2611	}
2612
2613	static void smbd_echo_reader(struct tevent_context *ev,
2614	struct tevent_fd *fde, uint16_t flags,
2615	void *private_data)
2616	{
2617	struct smbd_echo_state *state = talloc_get_type_abort(
2618	private_data, struct smbd_echo_state);
2619	struct smbd_server_connection *sconn = state->sconn;
2620	size_t unread, num_pending;
2621	NTSTATUS status;
2622	struct iovec *tmp;
2623	size_t iov_len;
2624	uint32_t seqnum = 0;
2625	bool reply;
2626	bool ok;
2627	bool encrypted = false;
2628
2629	smb_msleep(1000);
2630
2631	ok = smbd_lock_socket_internal(sconn);
2632	if (!ok) {
2633	DEBUG(0, ("%s: failed to lock socket\n",
2634	__location__));
2635	exit(1);
2636	}
2637
2638	if (!fd_is_readable(sconn->sock)) {
2639	DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2640	(int)sys_getpid()));
2641	ok = smbd_unlock_socket_internal(sconn);
2642	if (!ok) {
2643	DEBUG(1, ("%s: failed to unlock socket in\n",
2644	__location__));
2645	exit(1);
2646	}
2647	return;
2648	}
2649
2650	num_pending = talloc_array_length(state->pending);
2651	tmp = talloc_realloc(state, state->pending, struct iovec,
2652	num_pending+1);
2653	if (tmp == NULL) {
2654	DEBUG(1, ("talloc_realloc failed\n"));
2655	exit(1);
2656	}
2657	state->pending = tmp;
2658
2659	DEBUG(10,("echo_handler[%d]: reading pdu\n", (int)sys_getpid()));
2660
2661	status = receive_smb_talloc(state->pending, sconn, sconn->sock,
2662	(char *)(void )&state->pending[num_pending].iov_base,
2663	0 /* timeout */,
2664	&unread,
2665	&encrypted,
2666	&iov_len,
2667	&seqnum,
2668	false /* trusted_channel*/);
2669	if (!NT_STATUS_IS_OK(status)) {
2670	DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2671	(int)sys_getpid(), nt_errstr(status)));
2672	exit(1);
2673	}
2674	state->pending[num_pending].iov_len = iov_len;
2675
2676	ok = smbd_unlock_socket_internal(sconn);
2677	if (!ok) {
2678	DEBUG(1, ("%s: failed to unlock socket in\n",
2679	__location__));
2680	exit(1);
2681	}
2682
2683	reply = smbd_echo_reply((uint8_t *)state->pending[num_pending].iov_base,
2684	state->pending[num_pending].iov_len,
2685	seqnum);
2686	if (reply) {
2687	DEBUG(10,("echo_handler[%d]: replied to client\n", (int)sys_getpid()));
2688	/* no check, shrinking by some bytes does not fail */
2689	state->pending = talloc_realloc(state, state->pending,
2690	struct iovec,
2691	num_pending);
2692	return;
2693	}
2694
2695	if (state->pending[num_pending].iov_len >= smb_size) {
2696	/*
2697	* place the seqnum in the packet so that the main process
2698	* can reply with signing
2699	*/
2700	SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2701	smb_ss_field, seqnum);
2702	SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2703	smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2704	}
2705
2706	DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
2707	smbd_echo_activate_writer(state);
2708	}
2709
2710	static void smbd_echo_loop(struct smbd_server_connection *sconn,
2711	int parent_pipe)
2712	{
2713	struct smbd_echo_state *state;
2714
2715	state = talloc_zero(sconn, struct smbd_echo_state);
2716	if (state == NULL) {
2717	DEBUG(1, ("talloc failed\n"));
2718	return;
2719	}
2720	state->sconn = sconn;
2721	state->parent_pipe = parent_pipe;
2722	state->ev = s3_tevent_context_init(state);
2723	if (state->ev == NULL) {
2724	DEBUG(1, ("tevent_context_init failed\n"));
2725	TALLOC_FREE(state);
2726	return;
2727	}
2728	state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2729	TEVENT_FD_READ, smbd_echo_exit,
2730	state);
2731	if (state->parent_fde == NULL) {
2732	DEBUG(1, ("tevent_add_fd failed\n"));
2733	TALLOC_FREE(state);
2734	return;
2735	}
2736	state->read_fde = tevent_add_fd(state->ev, state, sconn->sock,
2737	TEVENT_FD_READ, smbd_echo_reader,
2738	state);
2739	if (state->read_fde == NULL) {
2740	DEBUG(1, ("tevent_add_fd failed\n"));
2741	TALLOC_FREE(state);
2742	return;
2743	}
2744
2745	while (true) {
2746	if (tevent_loop_once(state->ev) == -1) {
2747	DEBUG(1, ("tevent_loop_once failed: %s\n",
2748	strerror(errno)));
2749	break;
2750	}
2751	}
2752	TALLOC_FREE(state);
2753	}
2754
2755	/*
2756	* Handle SMBecho requests in a forked child process
2757	*/
2758	bool fork_echo_handler(struct smbd_server_connection *sconn)
2759	{
2760	int listener_pipe[2];
2761	int res;
2762	pid_t child;
2763
2764	res = pipe(listener_pipe);
2765	if (res == -1) {
2766	DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2767	return false;
2768	}
2769	sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2770	if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2771	DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2772	goto fail;
2773	}
2774
2775	child = sys_fork();
2776	if (child == 0) {
2777	NTSTATUS status;
2778
2779	close(listener_pipe[0]);
2780	set_blocking(listener_pipe[1], false);
2781
2782	status = reinit_after_fork(sconn->msg_ctx,
2783	smbd_event_context(),
2784	procid_self(), false);
2785	if (!NT_STATUS_IS_OK(status)) {
2786	DEBUG(1, ("reinit_after_fork failed: %s\n",
2787	nt_errstr(status)));
2788	exit(1);
2789	}
2790	smbd_echo_loop(sconn, listener_pipe[1]);
2791	exit(0);
2792	}
2793	close(listener_pipe[1]);
2794	listener_pipe[1] = -1;
2795	sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
2796
2797	DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)sys_getpid(), child));
2798
2799	/*
2800	* Without smb signing this is the same as the normal smbd
2801	* listener. This needs to change once signing comes in.
2802	*/
2803	sconn->smb1.echo_handler.trusted_fde = event_add_fd(smbd_event_context(),
2804	sconn,
2805	sconn->smb1.echo_handler.trusted_fd,
2806	EVENT_FD_READ,
2807	smbd_server_echo_handler,
2808	sconn);
2809	if (sconn->smb1.echo_handler.trusted_fde == NULL) {
2810	DEBUG(1, ("event_add_fd failed\n"));
2811	goto fail;
2812	}
2813
2814	return true;
2815
2816	fail:
2817	if (listener_pipe[0] != -1) {
2818	close(listener_pipe[0]);
2819	}
2820	if (listener_pipe[1] != -1) {
2821	close(listener_pipe[1]);
2822	}
2823	sconn->smb1.echo_handler.trusted_fd = -1;
2824	if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
2825	close(sconn->smb1.echo_handler.socket_lock_fd);
2826	}
2827	sconn->smb1.echo_handler.trusted_fd = -1;
2828	sconn->smb1.echo_handler.socket_lock_fd = -1;
2829	return false;
2830	}
2831
2832	#if CLUSTER_SUPPORT
2833
2834	static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
2835	struct sockaddr_storage *srv,
2836	struct sockaddr_storage *clnt)
2837	{
2838	struct ctdbd_connection *cconn;
2839	char tmp_addr[INET6_ADDRSTRLEN];
2840	char *addr;
2841
2842	cconn = messaging_ctdbd_connection();
2843	if (cconn == NULL) {
2844	return NT_STATUS_NO_MEMORY;
2845	}
2846
2847	client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
2848	addr = talloc_strdup(cconn, tmp_addr);
2849	if (addr == NULL) {
2850	return NT_STATUS_NO_MEMORY;
2851	}
2852	return ctdbd_register_ips(cconn, srv, clnt, release_ip, addr);
2853	}
2854
2855	#endif
2856
2857	/****************************************************************************
2858	Process commands from the client
2859	****************************************************************************/
2860
2861	void smbd_process(struct smbd_server_connection *sconn)
2862	{
2863	TALLOC_CTX *frame = talloc_stackframe();
2864	struct sockaddr_storage ss;
2865	struct sockaddr *sa = NULL;
2866	socklen_t sa_socklen;
2867	struct tsocket_address *local_address = NULL;
2868	struct tsocket_address *remote_address = NULL;
2869	const char *remaddr = NULL;
2870	int ret;
2871
2872	if (lp_maxprotocol() == PROTOCOL_SMB2) {
2873	/*
2874	* We're not making the decision here,
2875	* we're just allowing the client
2876	* to decide between SMB1 and SMB2
2877	* with the first negprot
2878	* packet.
2879	*/
2880	sconn->using_smb2 = true;
2881	}
2882
2883	/* Ensure child is set to blocking mode */
2884	set_blocking(sconn->sock,True);
2885
2886	set_socket_options(sconn->sock, "SO_KEEPALIVE");
2887	set_socket_options(sconn->sock, lp_socket_options());
2888
2889	sa = (struct sockaddr )(void )&ss;
2890	sa_socklen = sizeof(ss);
2891	ret = getpeername(sconn->sock, sa, &sa_socklen);
2892	if (ret != 0) {
2893	int level = (errno == ENOTCONN)?2:0;
2894	DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
2895	exit_server_cleanly("getpeername() failed.\n");
2896	}
2897	ret = tsocket_address_bsd_from_sockaddr(sconn,
2898	sa, sa_socklen,
2899	&remote_address);
2900	if (ret != 0) {
2901	DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2902	__location__, strerror(errno)));
2903	exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2904	}
2905
2906	sa = (struct sockaddr )(void )&ss;
2907	sa_socklen = sizeof(ss);
2908	ret = getsockname(sconn->sock, sa, &sa_socklen);
2909	if (ret != 0) {
2910	int level = (errno == ENOTCONN)?2:0;
2911	DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
2912	exit_server_cleanly("getsockname() failed.\n");
2913	}
2914	ret = tsocket_address_bsd_from_sockaddr(sconn,
2915	sa, sa_socklen,
2916	&local_address);
2917	if (ret != 0) {
2918	DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2919	__location__, strerror(errno)));
2920	exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2921	}
2922
2923	sconn->local_address = local_address;
2924	sconn->remote_address = remote_address;
2925
2926	if (tsocket_address_is_inet(remote_address, "ip")) {
2927	remaddr = tsocket_address_inet_addr_string(
2928	sconn->remote_address,
2929	talloc_tos());
2930	if (remaddr == NULL) {
2931
2932	}
2933	} else {
2934	remaddr = "0.0.0.0";
2935	}
2936
2937	/* this is needed so that we get decent entries
2938	in smbstatus for port 445 connects */
2939	set_remote_machine_name(remaddr, false);
2940	reload_services(sconn->msg_ctx, sconn->sock, true);
2941
2942	/*
2943	* Before the first packet, check the global hosts allow/ hosts deny
2944	* parameters before doing any parsing of packets passed to us by the
2945	* client. This prevents attacks on our parsing code from hosts not in
2946	* the hosts allow list.
2947	*/
2948
2949	if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
2950	sconn->client_id.name,
2951	sconn->client_id.addr)) {
2952	/*
2953	* send a negative session response "not listening on calling
2954	* name"
2955	*/
2956	unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2957	DEBUG( 1, ("Connection denied from %s to %s\n",
2958	tsocket_address_string(remote_address, talloc_tos()),
2959	tsocket_address_string(local_address, talloc_tos())));
2960	(void)srv_send_smb(sconn,(char *)buf, false,
2961	0, false, NULL);
2962	exit_server_cleanly("connection denied");
2963	}
2964
2965	DEBUG(10, ("Connection allowed from %s to %s\n",
2966	tsocket_address_string(remote_address, talloc_tos()),
2967	tsocket_address_string(local_address, talloc_tos())));
2968
2969	init_modules();
2970
2971	smb_perfcount_init();
2972
2973	if (!init_account_policy()) {
2974	exit_server("Could not open account policy tdb.\n");
2975	}
2976
2977	if (*lp_rootdir()) {
2978	if (chroot(lp_rootdir()) != 0) {
2979	DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2980	exit_server("Failed to chroot()");
2981	}
2982	if (chdir("/") == -1) {
2983	DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2984	exit_server("Failed to chroot()");
2985	}
2986	DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2987	}
2988
2989	if (!srv_init_signing(sconn)) {
2990	exit_server("Failed to init smb_signing");
2991	}
2992
2993	/* Setup oplocks */
2994	if (!init_oplocks(sconn->msg_ctx))
2995	exit_server("Failed to init oplocks");
2996
2997	/* register our message handlers */
2998	messaging_register(sconn->msg_ctx, NULL,
2999	MSG_SMB_FORCE_TDIS, msg_force_tdis);
3000	messaging_register(sconn->msg_ctx, sconn,
3001	MSG_SMB_RELEASE_IP, msg_release_ip);
3002	messaging_register(sconn->msg_ctx, NULL,
3003	MSG_SMB_CLOSE_FILE, msg_close_file);
3004
3005	/*
3006	* Use the default MSG_DEBUG handler to avoid rebroadcasting
3007	* MSGs to all child processes
3008	*/
3009	messaging_deregister(sconn->msg_ctx,
3010	MSG_DEBUG, NULL);
3011	messaging_register(sconn->msg_ctx, NULL,
3012	MSG_DEBUG, debug_message);
3013
3014	if ((lp_keepalive() != 0)
3015	&& !(event_add_idle(smbd_event_context(), NULL,
3016	timeval_set(lp_keepalive(), 0),
3017	"keepalive", keepalive_fn,
3018	NULL))) {
3019	DEBUG(0, ("Could not add keepalive event\n"));
3020	exit(1);
3021	}
3022
3023	if (!(event_add_idle(smbd_event_context(), NULL,
3024	timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3025	"deadtime", deadtime_fn, sconn))) {
3026	DEBUG(0, ("Could not add deadtime event\n"));
3027	exit(1);
3028	}
3029
3030	if (!(event_add_idle(smbd_event_context(), NULL,
3031	timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
3032	"housekeeping", housekeeping_fn, sconn))) {
3033	DEBUG(0, ("Could not add housekeeping event\n"));
3034	exit(1);
3035	}
3036
3037	#ifdef CLUSTER_SUPPORT
3038
3039	if (lp_clustering()) {
3040	/*
3041	* We need to tell ctdb about our client's TCP
3042	* connection, so that for failover ctdbd can send
3043	* tickle acks, triggering a reconnection by the
3044	* client.
3045	*/
3046
3047	struct sockaddr_storage srv, clnt;
3048
3049	if (client_get_tcp_info(sconn->sock, &srv, &clnt) == 0) {
3050	NTSTATUS status;
3051	status = smbd_register_ips(sconn, &srv, &clnt);
3052	if (!NT_STATUS_IS_OK(status)) {
3053	DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3054	nt_errstr(status)));
3055	}
3056	} else
3057	{
3058	DEBUG(0,("Unable to get tcp info for "
3059	"CTDB_CONTROL_TCP_CLIENT: %s\n",
3060	strerror(errno)));
3061	}
3062	}
3063
3064	#endif
3065
3066	sconn->nbt.got_session = false;
3067
3068	sconn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
3069
3070	sconn->smb1.sessions.done_sesssetup = false;
3071	sconn->smb1.sessions.max_send = BUFFER_SIZE;
3072	sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3073	/* users from session setup */
3074	sconn->smb1.sessions.session_userlist = NULL;
3075	/* workgroup from session setup. */
3076	sconn->smb1.sessions.session_workgroup = NULL;
3077	/* this holds info on user ids that are already validated for this VC */
3078	sconn->smb1.sessions.validated_users = NULL;
3079	sconn->smb1.sessions.next_vuid = VUID_OFFSET;
3080	sconn->smb1.sessions.num_validated_vuids = 0;
3081
3082	conn_init(sconn);
3083	if (!init_dptrs(sconn)) {
3084	exit_server("init_dptrs() failed");
3085	}
3086
3087	sconn->smb1.fde = event_add_fd(smbd_event_context(),
3088	sconn,
3089	sconn->sock,
3090	EVENT_FD_READ,
3091	smbd_server_connection_handler,
3092	sconn);
3093	if (!sconn->smb1.fde) {
3094	exit_server("failed to create smbd_server_connection fde");
3095	}
3096
3097	TALLOC_FREE(frame);
3098
3099	while (True) {
3100	NTSTATUS status;
3101
3102	frame = talloc_stackframe_pool(8192);
3103
3104	errno = 0;
3105
3106	status = smbd_server_connection_loop_once(sconn);
3107	if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
3108	!NT_STATUS_IS_OK(status)) {
3109	DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
3110	" exiting\n", nt_errstr(status)));
3111	break;
3112	}
3113
3114	TALLOC_FREE(frame);
3115	}
3116
3117	exit_server_cleanly(NULL);
3118	}
3119
3120	bool req_is_in_chain(struct smb_request *req)
3121	{
3122	if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
3123	/*
3124	* We're right now handling a subsequent request, so we must
3125	* be in a chain
3126	*/
3127	return true;
3128	}
3129
3130	if (!is_andx_req(req->cmd)) {
3131	return false;
3132	}
3133
3134	if (req->wct < 2) {
3135	/*
3136	* Okay, an illegal request, but definitely not chained :-)
3137	*/
3138	return false;
3139	}
3140
3141	return (CVAL(req->vwv+0, 0) != 0xFF);
3142	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: