Context Navigation

source: vendor/current/source3/smbd/process.c@ 597

Visit:

Last change on this file since 597 was 597, checked in by Herwig Bauernfeind, 14 years ago
Samba 3.5: Update vendor to version 3.5.9
File size: 69.6 KB

Line
1	/*
2	Unix SMB/CIFS implementation.
3	process incoming packets - main loop
4	Copyright (C) Andrew Tridgell 1992-1998
5	Copyright (C) Volker Lendecke 2005-2007
6
7	This program is free software; you can redistribute it and/or modify
8	it under the terms of the GNU General Public License as published by
9	the Free Software Foundation; either version 3 of the License, or
10	(at your option) any later version.
11
12	This program is distributed in the hope that it will be useful,
13	but WITHOUT ANY WARRANTY; without even the implied warranty of
14	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15	GNU General Public License for more details.
16
17	You should have received a copy of the GNU General Public License
18	along with this program. If not, see <http://www.gnu.org/licenses/>.
19	*/
20
21	#include "includes.h"
22	#include "smbd/globals.h"
23	#include "../librpc/gen_ndr/srv_dfs.h"
24	#include "../librpc/gen_ndr/srv_dssetup.h"
25	#include "../librpc/gen_ndr/srv_echo.h"
26	#include "../librpc/gen_ndr/srv_eventlog.h"
27	#include "../librpc/gen_ndr/srv_initshutdown.h"
28	#include "../librpc/gen_ndr/srv_lsa.h"
29	#include "../librpc/gen_ndr/srv_netlogon.h"
30	#include "../librpc/gen_ndr/srv_ntsvcs.h"
31	#include "../librpc/gen_ndr/srv_samr.h"
32	#include "../librpc/gen_ndr/srv_spoolss.h"
33	#include "../librpc/gen_ndr/srv_srvsvc.h"
34	#include "../librpc/gen_ndr/srv_svcctl.h"
35	#include "../librpc/gen_ndr/srv_winreg.h"
36	#include "../librpc/gen_ndr/srv_wkssvc.h"
37
38	extern bool global_machine_password_needs_changing;
39
40	static void construct_reply_common(struct smb_request req, const char inbuf,
41	char *outbuf);
42
43	/* Accessor function for smb_read_error for smbd functions. */
44
45	/****************************************************************************
46	Send an smb to a fd.
47	****************************************************************************/
48
49	bool srv_send_smb(int fd, char *buffer,
50	bool do_signing, uint32_t seqnum,
51	bool do_encrypt,
52	struct smb_perfcount_data *pcd)
53	{
54	size_t len = 0;
55	size_t nwritten=0;
56	ssize_t ret;
57	char *buf_out = buffer;
58
59	if (do_signing) {
60	/* Sign the outgoing packet if required. */
61	srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
62	}
63
64	if (do_encrypt) {
65	NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
66	if (!NT_STATUS_IS_OK(status)) {
67	DEBUG(0, ("send_smb: SMB encryption failed "
68	"on outgoing packet! Error %s\n",
69	nt_errstr(status) ));
70	goto out;
71	}
72	}
73
74	len = smb_len(buf_out) + 4;
75
76	ret = write_data(fd,buf_out+nwritten,len - nwritten);
77	if (ret <= 0) {
78	DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
79	(int)len,(int)ret, strerror(errno) ));
80	srv_free_enc_buffer(buf_out);
81	goto out;
82	}
83
84	SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
85	srv_free_enc_buffer(buf_out);
86	out:
87	SMB_PERFCOUNT_END(pcd);
88	return true;
89	}
90
91	/*******************************************************************
92	Setup the word count and byte count for a smb message.
93	********************************************************************/
94
95	int srv_set_message(char *buf,
96	int num_words,
97	int num_bytes,
98	bool zero)
99	{
100	if (zero && (num_words \|\| num_bytes)) {
101	memset(buf + smb_size,'\0',num_words*2 + num_bytes);
102	}
103	SCVAL(buf,smb_wct,num_words);
104	SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
105	smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
106	return (smb_size + num_words*2 + num_bytes);
107	}
108
109	static bool valid_smb_header(const uint8_t *inbuf)
110	{
111	if (is_encrypted_packet(inbuf)) {
112	return true;
113	}
114	/*
115	* This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
116	* but it just looks weird to call strncmp for this one.
117	*/
118	return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
119	}
120
121	/* Socket functions for smbd packet processing. */
122
123	static bool valid_packet_size(size_t len)
124	{
125	/*
126	* A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
127	* of header. Don't print the error if this fits.... JRA.
128	*/
129
130	if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
131	DEBUG(0,("Invalid packet length! (%lu bytes).\n",
132	(unsigned long)len));
133	return false;
134	}
135	return true;
136	}
137
138	static NTSTATUS read_packet_remainder(int fd, char *buffer,
139	unsigned int timeout, ssize_t len)
140	{
141	if (len <= 0) {
142	return NT_STATUS_OK;
143	}
144
145	return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
146	}
147
148	/****************************************************************************
149	Attempt a zerocopy writeX read. We know here that len > smb_size-4
150	****************************************************************************/
151
152	/*
153	* Unfortunately, earlier versions of smbclient/libsmbclient
154	* don't send this "standard" writeX header. I've fixed this
155	* for 3.2 but we'll use the old method with earlier versions.
156	* Windows and CIFSFS at least use this standard size. Not
157	* sure about MacOSX.
158	*/
159
160	#define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
161	(214) + / word count (including bcc) */ \
162	1 /* pad byte */)
163
164	static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
165	const char lenbuf[4],
166	int fd, char **buffer,
167	unsigned int timeout,
168	size_t *p_unread,
169	size_t *len_ret)
170	{
171	/* Size of a WRITEX call (+4 byte len). */
172	char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
173	ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
174	ssize_t toread;
175	NTSTATUS status;
176
177	memcpy(writeX_header, lenbuf, 4);
178
179	status = read_fd_with_timeout(
180	fd, writeX_header + 4,
181	STANDARD_WRITE_AND_X_HEADER_SIZE,
182	STANDARD_WRITE_AND_X_HEADER_SIZE,
183	timeout, NULL);
184
185	if (!NT_STATUS_IS_OK(status)) {
186	return status;
187	}
188
189	/*
190	* Ok - now try and see if this is a possible
191	* valid writeX call.
192	*/
193
194	if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
195	/*
196	* If the data offset is beyond what
197	* we've read, drain the extra bytes.
198	*/
199	uint16_t doff = SVAL(writeX_header,smb_vwv11);
200	ssize_t newlen;
201
202	if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
203	size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
204	if (drain_socket(smbd_server_fd(), drain) != drain) {
205	smb_panic("receive_smb_raw_talloc_partial_read:"
206	" failed to drain pending bytes");
207	}
208	} else {
209	doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
210	}
211
212	/* Spoof down the length and null out the bcc. */
213	set_message_bcc(writeX_header, 0);
214	newlen = smb_len(writeX_header);
215
216	/* Copy the header we've written. */
217
218	buffer = (char )TALLOC_MEMDUP(mem_ctx,
219	writeX_header,
220	sizeof(writeX_header));
221
222	if (*buffer == NULL) {
223	DEBUG(0, ("Could not allocate inbuf of length %d\n",
224	(int)sizeof(writeX_header)));
225	return NT_STATUS_NO_MEMORY;
226	}
227
228	/* Work out the remaining bytes. */
229	*p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
230	*len_ret = newlen + 4;
231	return NT_STATUS_OK;
232	}
233
234	if (!valid_packet_size(len)) {
235	return NT_STATUS_INVALID_PARAMETER;
236	}
237
238	/*
239	* Not a valid writeX call. Just do the standard
240	* talloc and return.
241	*/
242
243	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
244
245	if (*buffer == NULL) {
246	DEBUG(0, ("Could not allocate inbuf of length %d\n",
247	(int)len+4));
248	return NT_STATUS_NO_MEMORY;
249	}
250
251	/* Copy in what we already read. */
252	memcpy(*buffer,
253	writeX_header,
254	4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
255	toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
256
257	if(toread > 0) {
258	status = read_packet_remainder(
259	fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
260	timeout, toread);
261
262	if (!NT_STATUS_IS_OK(status)) {
263	DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
264	nt_errstr(status)));
265	return status;
266	}
267	}
268
269	*len_ret = len + 4;
270	return NT_STATUS_OK;
271	}
272
273	static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
274	char **buffer, unsigned int timeout,
275	size_t p_unread, size_t plen)
276	{
277	char lenbuf[4];
278	size_t len;
279	int min_recv_size = lp_min_receive_file_size();
280	NTSTATUS status;
281
282	*p_unread = 0;
283
284	status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
285	if (!NT_STATUS_IS_OK(status)) {
286	DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
287	return status;
288	}
289
290	if (CVAL(lenbuf,0) == 0 && min_recv_size &&
291	(smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
292	(min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
293	!srv_is_signing_active(smbd_server_conn)) {
294
295	return receive_smb_raw_talloc_partial_read(
296	mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
297	}
298
299	if (!valid_packet_size(len)) {
300	return NT_STATUS_INVALID_PARAMETER;
301	}
302
303	/*
304	* The +4 here can't wrap, we've checked the length above already.
305	*/
306
307	*buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
308
309	if (*buffer == NULL) {
310	DEBUG(0, ("Could not allocate inbuf of length %d\n",
311	(int)len+4));
312	return NT_STATUS_NO_MEMORY;
313	}
314
315	memcpy(*buffer, lenbuf, sizeof(lenbuf));
316
317	status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
318	if (!NT_STATUS_IS_OK(status)) {
319	return status;
320	}
321
322	*plen = len + 4;
323	return NT_STATUS_OK;
324	}
325
326	static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
327	char **buffer, unsigned int timeout,
328	size_t p_unread, bool p_encrypted,
329	size_t *p_len,
330	uint32_t *seqnum)
331	{
332	size_t len = 0;
333	NTSTATUS status;
334
335	*p_encrypted = false;
336
337	status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
338	p_unread, &len);
339	if (!NT_STATUS_IS_OK(status)) {
340	return status;
341	}
342
343	if (is_encrypted_packet((uint8_t )buffer)) {
344	status = srv_decrypt_buffer(*buffer);
345	if (!NT_STATUS_IS_OK(status)) {
346	DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
347	"incoming packet! Error %s\n",
348	nt_errstr(status) ));
349	return status;
350	}
351	*p_encrypted = true;
352	}
353
354	/* Check the incoming SMB signature. */
355	if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
356	DEBUG(0, ("receive_smb: SMB Signature verification failed on "
357	"incoming packet!\n"));
358	return NT_STATUS_INVALID_NETWORK_RESPONSE;
359	}
360
361	*p_len = len;
362	return NT_STATUS_OK;
363	}
364
365	/*
366	* Initialize a struct smb_request from an inbuf
367	*/
368
369	void init_smb_request(struct smb_request *req,
370	const uint8 *inbuf,
371	size_t unread_bytes,
372	bool encrypted)
373	{
374	struct smbd_server_connection *sconn = smbd_server_conn;
375	size_t req_size = smb_len(inbuf) + 4;
376	/* Ensure we have at least smb_size bytes. */
377	if (req_size < smb_size) {
378	DEBUG(0,("init_smb_request: invalid request size %u\n",
379	(unsigned int)req_size ));
380	exit_server_cleanly("Invalid SMB request");
381	}
382	req->cmd = CVAL(inbuf, smb_com);
383	req->flags2 = SVAL(inbuf, smb_flg2);
384	req->smbpid = SVAL(inbuf, smb_pid);
385	req->mid = SVAL(inbuf, smb_mid);
386	req->seqnum = 0;
387	req->vuid = SVAL(inbuf, smb_uid);
388	req->tid = SVAL(inbuf, smb_tid);
389	req->wct = CVAL(inbuf, smb_wct);
390	req->vwv = (uint16_t *)(inbuf+smb_vwv);
391	req->buflen = smb_buflen(inbuf);
392	req->buf = (const uint8_t *)smb_buf(inbuf);
393	req->unread_bytes = unread_bytes;
394	req->encrypted = encrypted;
395	req->conn = conn_find(sconn,req->tid);
396	req->chain_fsp = NULL;
397	req->chain_outbuf = NULL;
398	req->done = false;
399	smb_init_perfcount_data(&req->pcd);
400
401	/* Ensure we have at least wct words and 2 bytes of bcc. */
402	if (smb_size + req->wct*2 > req_size) {
403	DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
404	(unsigned int)req->wct,
405	(unsigned int)req_size));
406	exit_server_cleanly("Invalid SMB request");
407	}
408	/* Ensure bcc is correct. */
409	if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
410	DEBUG(0,("init_smb_request: invalid bcc number %u "
411	"(wct = %u, size %u)\n",
412	(unsigned int)req->buflen,
413	(unsigned int)req->wct,
414	(unsigned int)req_size));
415	exit_server_cleanly("Invalid SMB request");
416	}
417
418	req->outbuf = NULL;
419	}
420
421	static void process_smb(struct smbd_server_connection *conn,
422	uint8_t *inbuf, size_t nread, size_t unread_bytes,
423	uint32_t seqnum, bool encrypted,
424	struct smb_perfcount_data *deferred_pcd);
425
426	static void smbd_deferred_open_timer(struct event_context *ev,
427	struct timed_event *te,
428	struct timeval _tval,
429	void *private_data)
430	{
431	struct pending_message_list *msg = talloc_get_type(private_data,
432	struct pending_message_list);
433	TALLOC_CTX *mem_ctx = talloc_tos();
434	uint16_t mid = SVAL(msg->buf.data,smb_mid);
435	uint8_t *inbuf;
436
437	inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
438	msg->buf.length);
439	if (inbuf == NULL) {
440	exit_server("smbd_deferred_open_timer: talloc failed\n");
441	return;
442	}
443
444	/* We leave this message on the queue so the open code can
445	know this is a retry. */
446	DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
447	(unsigned int)mid ));
448
449	/* Mark the message as processed so this is not
450	* re-processed in error. */
451	msg->processed = true;
452
453	process_smb(smbd_server_conn, inbuf,
454	msg->buf.length, 0,
455	msg->seqnum, msg->encrypted, &msg->pcd);
456
457	/* If it's still there and was processed, remove it. */
458	msg = get_open_deferred_message(mid);
459	if (msg && msg->processed) {
460	remove_deferred_open_smb_message(mid);
461	}
462	}
463
464	/****************************************************************************
465	Function to push a message onto the tail of a linked list of smb messages ready
466	for processing.
467	****************************************************************************/
468
469	static bool push_queued_message(struct smb_request *req,
470	struct timeval request_time,
471	struct timeval end_time,
472	char *private_data, size_t private_len)
473	{
474	int msg_len = smb_len(req->inbuf) + 4;
475	struct pending_message_list *msg;
476
477	msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
478
479	if(msg == NULL) {
480	DEBUG(0,("push_message: malloc fail (1)\n"));
481	return False;
482	}
483
484	msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
485	if(msg->buf.data == NULL) {
486	DEBUG(0,("push_message: malloc fail (2)\n"));
487	TALLOC_FREE(msg);
488	return False;
489	}
490
491	msg->request_time = request_time;
492	msg->seqnum = req->seqnum;
493	msg->encrypted = req->encrypted;
494	msg->processed = false;
495	SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
496
497	if (private_data) {
498	msg->private_data = data_blob_talloc(msg, private_data,
499	private_len);
500	if (msg->private_data.data == NULL) {
501	DEBUG(0,("push_message: malloc fail (3)\n"));
502	TALLOC_FREE(msg);
503	return False;
504	}
505	}
506
507	msg->te = event_add_timed(smbd_event_context(),
508	msg,
509	end_time,
510	smbd_deferred_open_timer,
511	msg);
512	if (!msg->te) {
513	DEBUG(0,("push_message: event_add_timed failed\n"));
514	TALLOC_FREE(msg);
515	return false;
516	}
517
518	DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
519
520	DEBUG(10,("push_message: pushed message length %u on "
521	"deferred_open_queue\n", (unsigned int)msg_len));
522
523	return True;
524	}
525
526	/****************************************************************************
527	Function to delete a sharing violation open message by mid.
528	****************************************************************************/
529
530	void remove_deferred_open_smb_message(uint16 mid)
531	{
532	struct pending_message_list *pml;
533
534	for (pml = deferred_open_queue; pml; pml = pml->next) {
535	if (mid == SVAL(pml->buf.data,smb_mid)) {
536	DEBUG(10,("remove_deferred_open_smb_message: "
537	"deleting mid %u len %u\n",
538	(unsigned int)mid,
539	(unsigned int)pml->buf.length ));
540	DLIST_REMOVE(deferred_open_queue, pml);
541	TALLOC_FREE(pml);
542	return;
543	}
544	}
545	}
546
547	/****************************************************************************
548	Move a sharing violation open retry message to the front of the list and
549	schedule it for immediate processing.
550	****************************************************************************/
551
552	void schedule_deferred_open_smb_message(uint16 mid)
553	{
554	struct pending_message_list *pml;
555	int i = 0;
556
557	for (pml = deferred_open_queue; pml; pml = pml->next) {
558	uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
559
560	DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
561	(unsigned int)msg_mid ));
562
563	if (mid == msg_mid) {
564	struct timed_event *te;
565
566	if (pml->processed) {
567	/* A processed message should not be
568	* rescheduled. */
569	DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
570	"message mid %u was already processed\n",
571	msg_mid ));
572	continue;
573	}
574
575	DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
576	mid ));
577
578	te = event_add_timed(smbd_event_context(),
579	pml,
580	timeval_zero(),
581	smbd_deferred_open_timer,
582	pml);
583	if (!te) {
584	DEBUG(10,("schedule_deferred_open_smb_message: "
585	"event_add_timed() failed, skipping mid %u\n",
586	mid ));
587	}
588
589	TALLOC_FREE(pml->te);
590	pml->te = te;
591	DLIST_PROMOTE(deferred_open_queue, pml);
592	return;
593	}
594	}
595
596	DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
597	mid ));
598	}
599
600	/****************************************************************************
601	Return true if this mid is on the deferred queue and was not yet processed.
602	****************************************************************************/
603
604	bool open_was_deferred(uint16 mid)
605	{
606	struct pending_message_list *pml;
607
608	for (pml = deferred_open_queue; pml; pml = pml->next) {
609	if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
610	return True;
611	}
612	}
613	return False;
614	}
615
616	/****************************************************************************
617	Return the message queued by this mid.
618	****************************************************************************/
619
620	struct pending_message_list *get_open_deferred_message(uint16 mid)
621	{
622	struct pending_message_list *pml;
623
624	for (pml = deferred_open_queue; pml; pml = pml->next) {
625	if (SVAL(pml->buf.data,smb_mid) == mid) {
626	return pml;
627	}
628	}
629	return NULL;
630	}
631
632	/****************************************************************************
633	Function to push a deferred open smb message onto a linked list of local smb
634	messages ready for processing.
635	****************************************************************************/
636
637	bool push_deferred_smb_message(struct smb_request *req,
638	struct timeval request_time,
639	struct timeval timeout,
640	char *private_data, size_t priv_len)
641	{
642	struct timeval end_time;
643
644	if (req->unread_bytes) {
645	DEBUG(0,("push_deferred_smb_message: logic error ! "
646	"unread_bytes = %u\n",
647	(unsigned int)req->unread_bytes ));
648	smb_panic("push_deferred_smb_message: "
649	"logic error unread_bytes != 0" );
650	}
651
652	end_time = timeval_sum(&request_time, &timeout);
653
654	DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
655	"timeout time [%u.%06u]\n",
656	(unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
657	(unsigned int)end_time.tv_sec,
658	(unsigned int)end_time.tv_usec));
659
660	return push_queued_message(req, request_time, end_time,
661	private_data, priv_len);
662	}
663
664	struct idle_event {
665	struct timed_event *te;
666	struct timeval interval;
667	char *name;
668	bool (handler)(const struct timeval now, void *private_data);
669	void *private_data;
670	};
671
672	static void smbd_idle_event_handler(struct event_context *ctx,
673	struct timed_event *te,
674	struct timeval now,
675	void *private_data)
676	{
677	struct idle_event *event =
678	talloc_get_type_abort(private_data, struct idle_event);
679
680	TALLOC_FREE(event->te);
681
682	DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
683	event->name, event->te));
684
685	if (!event->handler(&now, event->private_data)) {
686	DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
687	event->name, event->te));
688	/* Don't repeat, delete ourselves */
689	TALLOC_FREE(event);
690	return;
691	}
692
693	DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
694	event->name, event->te));
695
696	event->te = event_add_timed(ctx, event,
697	timeval_sum(&now, &event->interval),
698	smbd_idle_event_handler, event);
699
700	/* We can't do much but fail here. */
701	SMB_ASSERT(event->te != NULL);
702	}
703
704	struct idle_event event_add_idle(struct event_context event_ctx,
705	TALLOC_CTX *mem_ctx,
706	struct timeval interval,
707	const char *name,
708	bool (handler)(const struct timeval now,
709	void *private_data),
710	void *private_data)
711	{
712	struct idle_event *result;
713	struct timeval now = timeval_current();
714
715	result = TALLOC_P(mem_ctx, struct idle_event);
716	if (result == NULL) {
717	DEBUG(0, ("talloc failed\n"));
718	return NULL;
719	}
720
721	result->interval = interval;
722	result->handler = handler;
723	result->private_data = private_data;
724
725	if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
726	DEBUG(0, ("talloc failed\n"));
727	TALLOC_FREE(result);
728	return NULL;
729	}
730
731	result->te = event_add_timed(event_ctx, result,
732	timeval_sum(&now, &interval),
733	smbd_idle_event_handler, result);
734	if (result->te == NULL) {
735	DEBUG(0, ("event_add_timed failed\n"));
736	TALLOC_FREE(result);
737	return NULL;
738	}
739
740	DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
741	return result;
742	}
743
744	static void smbd_sig_term_handler(struct tevent_context *ev,
745	struct tevent_signal *se,
746	int signum,
747	int count,
748	void *siginfo,
749	void *private_data)
750	{
751	exit_server_cleanly("termination signal");
752	}
753
754	void smbd_setup_sig_term_handler(void)
755	{
756	struct tevent_signal *se;
757
758	se = tevent_add_signal(smbd_event_context(),
759	smbd_event_context(),
760	SIGTERM, 0,
761	smbd_sig_term_handler,
762	NULL);
763	if (!se) {
764	exit_server("failed to setup SIGTERM handler");
765	}
766	}
767
768	static void smbd_sig_hup_handler(struct tevent_context *ev,
769	struct tevent_signal *se,
770	int signum,
771	int count,
772	void *siginfo,
773	void *private_data)
774	{
775	change_to_root_user();
776	DEBUG(1,("Reloading services after SIGHUP\n"));
777	reload_services(False);
778	}
779
780	void smbd_setup_sig_hup_handler(void)
781	{
782	struct tevent_signal *se;
783
784	se = tevent_add_signal(smbd_event_context(),
785	smbd_event_context(),
786	SIGHUP, 0,
787	smbd_sig_hup_handler,
788	NULL);
789	if (!se) {
790	exit_server("failed to setup SIGHUP handler");
791	}
792	}
793
794	static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
795	{
796	fd_set r_fds, w_fds;
797	int selrtn;
798	struct timeval to;
799	int maxfd = 0;
800
801	to.tv_sec = SMBD_SELECT_TIMEOUT;
802	to.tv_usec = 0;
803
804	/*
805	* Setup the select fd sets.
806	*/
807
808	FD_ZERO(&r_fds);
809	FD_ZERO(&w_fds);
810
811	/*
812	* Are there any timed events waiting ? If so, ensure we don't
813	* select for longer than it would take to wait for them.
814	*/
815
816	{
817	struct timeval now;
818	GetTimeOfDay(&now);
819
820	event_add_to_select_args(smbd_event_context(), &now,
821	&r_fds, &w_fds, &to, &maxfd);
822	}
823
824	/* Process a signal and timed events now... */
825	if (run_events(smbd_event_context(), 0, NULL, NULL)) {
826	return NT_STATUS_RETRY;
827	}
828
829	{
830	int sav;
831	START_PROFILE(smbd_idle);
832
833	selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
834	sav = errno;
835
836	END_PROFILE(smbd_idle);
837	errno = sav;
838	}
839
840	if (selrtn == -1 && errno != EINTR) {
841	return map_nt_error_from_unix(errno);
842	}
843
844	if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
845	return NT_STATUS_RETRY;
846	}
847
848	/* Check if error */
849	if (selrtn == -1) {
850	/* something is wrong. Maybe the socket is dead? */
851	return map_nt_error_from_unix(errno);
852	}
853
854	/* Did we timeout ? */
855	if (selrtn == 0) {
856	return NT_STATUS_RETRY;
857	}
858
859	/* should not be reached */
860	return NT_STATUS_INTERNAL_ERROR;
861	}
862
863	/*
864	* Only allow 5 outstanding trans requests. We're allocating memory, so
865	* prevent a DoS.
866	*/
867
868	NTSTATUS allow_new_trans(struct trans_state *list, int mid)
869	{
870	int count = 0;
871	for (; list != NULL; list = list->next) {
872
873	if (list->mid == mid) {
874	return NT_STATUS_INVALID_PARAMETER;
875	}
876
877	count += 1;
878	}
879	if (count > 5) {
880	return NT_STATUS_INSUFFICIENT_RESOURCES;
881	}
882
883	return NT_STATUS_OK;
884	}
885
886	/*
887	These flags determine some of the permissions required to do an operation
888
889	Note that I don't set NEED_WRITE on some write operations because they
890	are used by some brain-dead clients when printing, and I don't want to
891	force write permissions on print services.
892	*/
893	#define AS_USER (1<<0)
894	#define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
895	#define TIME_INIT (1<<2)
896	#define CAN_IPC (1<<3) /* Must be paired with AS_USER */
897	#define AS_GUEST (1<<5) /* Must NOT be paired with AS_USER */
898	#define DO_CHDIR (1<<6)
899
900	/*
901	define a list of possible SMB messages and their corresponding
902	functions. Any message that has a NULL function is unimplemented -
903	please feel free to contribute implementations!
904	*/
905	static const struct smb_message_struct {
906	const char *name;
907	void (fn)(struct smb_request req);
908	int flags;
909	} smb_messages[256] = {
910
911	/* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER \| NEED_WRITE},
912	/* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER \| NEED_WRITE},
913	/* 0x02 */ { "SMBopen",reply_open,AS_USER },
914	/* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
915	/* 0x04 */ { "SMBclose",reply_close,AS_USER \| CAN_IPC },
916	/* 0x05 */ { "SMBflush",reply_flush,AS_USER},
917	/* 0x06 */ { "SMBunlink",reply_unlink,AS_USER \| NEED_WRITE },
918	/* 0x07 */ { "SMBmv",reply_mv,AS_USER \| NEED_WRITE },
919	/* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
920	/* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER \| NEED_WRITE},
921	/* 0x0a */ { "SMBread",reply_read,AS_USER},
922	/* 0x0b */ { "SMBwrite",reply_write,AS_USER \| CAN_IPC },
923	/* 0x0c */ { "SMBlock",reply_lock,AS_USER},
924	/* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
925	/* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
926	/* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
927	/* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
928	/* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
929	/* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
930	/* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
931	/* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
932	/* 0x15 */ { NULL, NULL, 0 },
933	/* 0x16 */ { NULL, NULL, 0 },
934	/* 0x17 */ { NULL, NULL, 0 },
935	/* 0x18 */ { NULL, NULL, 0 },
936	/* 0x19 */ { NULL, NULL, 0 },
937	/* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
938	/* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
939	/* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
940	/* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
941	/* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
942	/* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
943	/* 0x20 */ { "SMBwritec", NULL,0},
944	/* 0x21 */ { NULL, NULL, 0 },
945	/* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER \| NEED_WRITE },
946	/* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
947	/* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
948	/* 0x25 */ { "SMBtrans",reply_trans,AS_USER \| CAN_IPC },
949	/* 0x26 */ { "SMBtranss",reply_transs,AS_USER \| CAN_IPC},
950	/* 0x27 */ { "SMBioctl",reply_ioctl,0},
951	/* 0x28 */ { "SMBioctls", NULL,AS_USER},
952	/* 0x29 */ { "SMBcopy",reply_copy,AS_USER \| NEED_WRITE },
953	/* 0x2a */ { "SMBmove", NULL,AS_USER \| NEED_WRITE },
954	/* 0x2b */ { "SMBecho",reply_echo,0},
955	/* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
956	/* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER \| CAN_IPC },
957	/* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER \| CAN_IPC },
958	/* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER \| CAN_IPC },
959	/* 0x30 */ { NULL, NULL, 0 },
960	/* 0x31 */ { NULL, NULL, 0 },
961	/* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER \| CAN_IPC },
962	/* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER \| CAN_IPC },
963	/* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
964	/* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
965	/* 0x36 */ { NULL, NULL, 0 },
966	/* 0x37 */ { NULL, NULL, 0 },
967	/* 0x38 */ { NULL, NULL, 0 },
968	/* 0x39 */ { NULL, NULL, 0 },
969	/* 0x3a */ { NULL, NULL, 0 },
970	/* 0x3b */ { NULL, NULL, 0 },
971	/* 0x3c */ { NULL, NULL, 0 },
972	/* 0x3d */ { NULL, NULL, 0 },
973	/* 0x3e */ { NULL, NULL, 0 },
974	/* 0x3f */ { NULL, NULL, 0 },
975	/* 0x40 */ { NULL, NULL, 0 },
976	/* 0x41 */ { NULL, NULL, 0 },
977	/* 0x42 */ { NULL, NULL, 0 },
978	/* 0x43 */ { NULL, NULL, 0 },
979	/* 0x44 */ { NULL, NULL, 0 },
980	/* 0x45 */ { NULL, NULL, 0 },
981	/* 0x46 */ { NULL, NULL, 0 },
982	/* 0x47 */ { NULL, NULL, 0 },
983	/* 0x48 */ { NULL, NULL, 0 },
984	/* 0x49 */ { NULL, NULL, 0 },
985	/* 0x4a */ { NULL, NULL, 0 },
986	/* 0x4b */ { NULL, NULL, 0 },
987	/* 0x4c */ { NULL, NULL, 0 },
988	/* 0x4d */ { NULL, NULL, 0 },
989	/* 0x4e */ { NULL, NULL, 0 },
990	/* 0x4f */ { NULL, NULL, 0 },
991	/* 0x50 */ { NULL, NULL, 0 },
992	/* 0x51 */ { NULL, NULL, 0 },
993	/* 0x52 */ { NULL, NULL, 0 },
994	/* 0x53 */ { NULL, NULL, 0 },
995	/* 0x54 */ { NULL, NULL, 0 },
996	/* 0x55 */ { NULL, NULL, 0 },
997	/* 0x56 */ { NULL, NULL, 0 },
998	/* 0x57 */ { NULL, NULL, 0 },
999	/* 0x58 */ { NULL, NULL, 0 },
1000	/* 0x59 */ { NULL, NULL, 0 },
1001	/* 0x5a */ { NULL, NULL, 0 },
1002	/* 0x5b */ { NULL, NULL, 0 },
1003	/* 0x5c */ { NULL, NULL, 0 },
1004	/* 0x5d */ { NULL, NULL, 0 },
1005	/* 0x5e */ { NULL, NULL, 0 },
1006	/* 0x5f */ { NULL, NULL, 0 },
1007	/* 0x60 */ { NULL, NULL, 0 },
1008	/* 0x61 */ { NULL, NULL, 0 },
1009	/* 0x62 */ { NULL, NULL, 0 },
1010	/* 0x63 */ { NULL, NULL, 0 },
1011	/* 0x64 */ { NULL, NULL, 0 },
1012	/* 0x65 */ { NULL, NULL, 0 },
1013	/* 0x66 */ { NULL, NULL, 0 },
1014	/* 0x67 */ { NULL, NULL, 0 },
1015	/* 0x68 */ { NULL, NULL, 0 },
1016	/* 0x69 */ { NULL, NULL, 0 },
1017	/* 0x6a */ { NULL, NULL, 0 },
1018	/* 0x6b */ { NULL, NULL, 0 },
1019	/* 0x6c */ { NULL, NULL, 0 },
1020	/* 0x6d */ { NULL, NULL, 0 },
1021	/* 0x6e */ { NULL, NULL, 0 },
1022	/* 0x6f */ { NULL, NULL, 0 },
1023	/* 0x70 */ { "SMBtcon",reply_tcon,0},
1024	/* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1025	/* 0x72 */ { "SMBnegprot",reply_negprot,0},
1026	/* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1027	/* 0x74 / { "SMBulogoffX",reply_ulogoffX, 0}, / ulogoff doesn't give a valid TID */
1028	/* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1029	/* 0x76 */ { NULL, NULL, 0 },
1030	/* 0x77 */ { NULL, NULL, 0 },
1031	/* 0x78 */ { NULL, NULL, 0 },
1032	/* 0x79 */ { NULL, NULL, 0 },
1033	/* 0x7a */ { NULL, NULL, 0 },
1034	/* 0x7b */ { NULL, NULL, 0 },
1035	/* 0x7c */ { NULL, NULL, 0 },
1036	/* 0x7d */ { NULL, NULL, 0 },
1037	/* 0x7e */ { NULL, NULL, 0 },
1038	/* 0x7f */ { NULL, NULL, 0 },
1039	/* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1040	/* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1041	/* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1042	/* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1043	/* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1044	/* 0x85 */ { NULL, NULL, 0 },
1045	/* 0x86 */ { NULL, NULL, 0 },
1046	/* 0x87 */ { NULL, NULL, 0 },
1047	/* 0x88 */ { NULL, NULL, 0 },
1048	/* 0x89 */ { NULL, NULL, 0 },
1049	/* 0x8a */ { NULL, NULL, 0 },
1050	/* 0x8b */ { NULL, NULL, 0 },
1051	/* 0x8c */ { NULL, NULL, 0 },
1052	/* 0x8d */ { NULL, NULL, 0 },
1053	/* 0x8e */ { NULL, NULL, 0 },
1054	/* 0x8f */ { NULL, NULL, 0 },
1055	/* 0x90 */ { NULL, NULL, 0 },
1056	/* 0x91 */ { NULL, NULL, 0 },
1057	/* 0x92 */ { NULL, NULL, 0 },
1058	/* 0x93 */ { NULL, NULL, 0 },
1059	/* 0x94 */ { NULL, NULL, 0 },
1060	/* 0x95 */ { NULL, NULL, 0 },
1061	/* 0x96 */ { NULL, NULL, 0 },
1062	/* 0x97 */ { NULL, NULL, 0 },
1063	/* 0x98 */ { NULL, NULL, 0 },
1064	/* 0x99 */ { NULL, NULL, 0 },
1065	/* 0x9a */ { NULL, NULL, 0 },
1066	/* 0x9b */ { NULL, NULL, 0 },
1067	/* 0x9c */ { NULL, NULL, 0 },
1068	/* 0x9d */ { NULL, NULL, 0 },
1069	/* 0x9e */ { NULL, NULL, 0 },
1070	/* 0x9f */ { NULL, NULL, 0 },
1071	/* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER \| CAN_IPC },
1072	/* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER \| CAN_IPC },
1073	/* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER \| CAN_IPC },
1074	/* 0xa3 */ { NULL, NULL, 0 },
1075	/* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1076	/* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER \| NEED_WRITE },
1077	/* 0xa6 */ { NULL, NULL, 0 },
1078	/* 0xa7 */ { NULL, NULL, 0 },
1079	/* 0xa8 */ { NULL, NULL, 0 },
1080	/* 0xa9 */ { NULL, NULL, 0 },
1081	/* 0xaa */ { NULL, NULL, 0 },
1082	/* 0xab */ { NULL, NULL, 0 },
1083	/* 0xac */ { NULL, NULL, 0 },
1084	/* 0xad */ { NULL, NULL, 0 },
1085	/* 0xae */ { NULL, NULL, 0 },
1086	/* 0xaf */ { NULL, NULL, 0 },
1087	/* 0xb0 */ { NULL, NULL, 0 },
1088	/* 0xb1 */ { NULL, NULL, 0 },
1089	/* 0xb2 */ { NULL, NULL, 0 },
1090	/* 0xb3 */ { NULL, NULL, 0 },
1091	/* 0xb4 */ { NULL, NULL, 0 },
1092	/* 0xb5 */ { NULL, NULL, 0 },
1093	/* 0xb6 */ { NULL, NULL, 0 },
1094	/* 0xb7 */ { NULL, NULL, 0 },
1095	/* 0xb8 */ { NULL, NULL, 0 },
1096	/* 0xb9 */ { NULL, NULL, 0 },
1097	/* 0xba */ { NULL, NULL, 0 },
1098	/* 0xbb */ { NULL, NULL, 0 },
1099	/* 0xbc */ { NULL, NULL, 0 },
1100	/* 0xbd */ { NULL, NULL, 0 },
1101	/* 0xbe */ { NULL, NULL, 0 },
1102	/* 0xbf */ { NULL, NULL, 0 },
1103	/* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1104	/* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1105	/* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1106	/* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1107	/* 0xc4 */ { NULL, NULL, 0 },
1108	/* 0xc5 */ { NULL, NULL, 0 },
1109	/* 0xc6 */ { NULL, NULL, 0 },
1110	/* 0xc7 */ { NULL, NULL, 0 },
1111	/* 0xc8 */ { NULL, NULL, 0 },
1112	/* 0xc9 */ { NULL, NULL, 0 },
1113	/* 0xca */ { NULL, NULL, 0 },
1114	/* 0xcb */ { NULL, NULL, 0 },
1115	/* 0xcc */ { NULL, NULL, 0 },
1116	/* 0xcd */ { NULL, NULL, 0 },
1117	/* 0xce */ { NULL, NULL, 0 },
1118	/* 0xcf */ { NULL, NULL, 0 },
1119	/* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1120	/* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1121	/* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1122	/* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1123	/* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1124	/* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1125	/* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1126	/* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1127	/* 0xd8 */ { NULL, NULL, 0 },
1128	/* 0xd9 */ { NULL, NULL, 0 },
1129	/* 0xda */ { NULL, NULL, 0 },
1130	/* 0xdb */ { NULL, NULL, 0 },
1131	/* 0xdc */ { NULL, NULL, 0 },
1132	/* 0xdd */ { NULL, NULL, 0 },
1133	/* 0xde */ { NULL, NULL, 0 },
1134	/* 0xdf */ { NULL, NULL, 0 },
1135	/* 0xe0 */ { NULL, NULL, 0 },
1136	/* 0xe1 */ { NULL, NULL, 0 },
1137	/* 0xe2 */ { NULL, NULL, 0 },
1138	/* 0xe3 */ { NULL, NULL, 0 },
1139	/* 0xe4 */ { NULL, NULL, 0 },
1140	/* 0xe5 */ { NULL, NULL, 0 },
1141	/* 0xe6 */ { NULL, NULL, 0 },
1142	/* 0xe7 */ { NULL, NULL, 0 },
1143	/* 0xe8 */ { NULL, NULL, 0 },
1144	/* 0xe9 */ { NULL, NULL, 0 },
1145	/* 0xea */ { NULL, NULL, 0 },
1146	/* 0xeb */ { NULL, NULL, 0 },
1147	/* 0xec */ { NULL, NULL, 0 },
1148	/* 0xed */ { NULL, NULL, 0 },
1149	/* 0xee */ { NULL, NULL, 0 },
1150	/* 0xef */ { NULL, NULL, 0 },
1151	/* 0xf0 */ { NULL, NULL, 0 },
1152	/* 0xf1 */ { NULL, NULL, 0 },
1153	/* 0xf2 */ { NULL, NULL, 0 },
1154	/* 0xf3 */ { NULL, NULL, 0 },
1155	/* 0xf4 */ { NULL, NULL, 0 },
1156	/* 0xf5 */ { NULL, NULL, 0 },
1157	/* 0xf6 */ { NULL, NULL, 0 },
1158	/* 0xf7 */ { NULL, NULL, 0 },
1159	/* 0xf8 */ { NULL, NULL, 0 },
1160	/* 0xf9 */ { NULL, NULL, 0 },
1161	/* 0xfa */ { NULL, NULL, 0 },
1162	/* 0xfb */ { NULL, NULL, 0 },
1163	/* 0xfc */ { NULL, NULL, 0 },
1164	/* 0xfd */ { NULL, NULL, 0 },
1165	/* 0xfe */ { NULL, NULL, 0 },
1166	/* 0xff */ { NULL, NULL, 0 }
1167
1168	};
1169
1170	/*******************************************************************
1171	allocate and initialize a reply packet
1172	********************************************************************/
1173
1174	static bool create_outbuf(TALLOC_CTX mem_ctx, struct smb_request req,
1175	const char inbuf, char *outbuf, uint8_t num_words,
1176	uint32_t num_bytes)
1177	{
1178	/*
1179	* Protect against integer wrap
1180	*/
1181	if ((num_bytes > 0xffffff)
1182	\|\| ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1183	char *msg;
1184	if (asprintf(&msg, "num_bytes too large: %u",
1185	(unsigned)num_bytes) == -1) {
1186	msg = CONST_DISCARD(char *, "num_bytes too large");
1187	}
1188	smb_panic(msg);
1189	}
1190
1191	*outbuf = TALLOC_ARRAY(mem_ctx, char,
1192	smb_size + num_words*2 + num_bytes);
1193	if (*outbuf == NULL) {
1194	return false;
1195	}
1196
1197	construct_reply_common(req, inbuf, *outbuf);
1198	srv_set_message(*outbuf, num_words, num_bytes, false);
1199	/*
1200	* Zero out the word area, the caller has to take care of the bcc area
1201	* himself
1202	*/
1203	if (num_words != 0) {
1204	memset(outbuf + smb_vwv0, 0, num_words2);
1205	}
1206
1207	return true;
1208	}
1209
1210	void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1211	{
1212	char *outbuf;
1213	if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1214	num_bytes)) {
1215	smb_panic("could not allocate output buffer\n");
1216	}
1217	req->outbuf = (uint8_t *)outbuf;
1218	}
1219
1220
1221	/*******************************************************************
1222	Dump a packet to a file.
1223	********************************************************************/
1224
1225	static void smb_dump(const char name, int type, const char data, ssize_t len)
1226	{
1227	int fd, i;
1228	char *fname = NULL;
1229	if (DEBUGLEVEL < 50) {
1230	return;
1231	}
1232
1233	if (len < 4) len = smb_len(data)+4;
1234	for (i=1;i<100;i++) {
1235	if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1236	type ? "req" : "resp") == -1) {
1237	return;
1238	}
1239	fd = open(fname, O_WRONLY\|O_CREAT\|O_EXCL, 0644);
1240	if (fd != -1 \|\| errno != EEXIST) break;
1241	}
1242	if (fd != -1) {
1243	ssize_t ret = write(fd, data, len);
1244	if (ret != len)
1245	DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1246	close(fd);
1247	DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1248	}
1249	SAFE_FREE(fname);
1250	}
1251
1252	/****************************************************************************
1253	Prepare everything for calling the actual request function, and potentially
1254	call the request function via the "new" interface.
1255
1256	Return False if the "legacy" function needs to be called, everything is
1257	prepared.
1258
1259	Return True if we're done.
1260
1261	I know this API sucks, but it is the one with the least code change I could
1262	find.
1263	****************************************************************************/
1264
1265	static connection_struct switch_message(uint8 type, struct smb_request req, int size)
1266	{
1267	int flags;
1268	uint16 session_tag;
1269	connection_struct *conn = NULL;
1270	struct smbd_server_connection *sconn = smbd_server_conn;
1271
1272	errno = 0;
1273
1274	/* Make sure this is an SMB packet. smb_size contains NetBIOS header
1275	* so subtract 4 from it. */
1276	if (!valid_smb_header(req->inbuf)
1277	\|\| (size < (smb_size - 4))) {
1278	DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1279	smb_len(req->inbuf)));
1280	exit_server_cleanly("Non-SMB packet");
1281	}
1282
1283	if (smb_messages[type].fn == NULL) {
1284	DEBUG(0,("Unknown message type %d!\n",type));
1285	smb_dump("Unknown", 1, (char *)req->inbuf, size);
1286	reply_unknown_new(req, type);
1287	return NULL;
1288	}
1289
1290	flags = smb_messages[type].flags;
1291
1292	/* In share mode security we must ignore the vuid. */
1293	session_tag = (lp_security() == SEC_SHARE)
1294	? UID_FIELD_INVALID : req->vuid;
1295	conn = req->conn;
1296
1297	DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1298	(int)sys_getpid(), (unsigned long)conn));
1299
1300	smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1301
1302	/* Ensure this value is replaced in the incoming packet. */
1303	SSVAL(req->inbuf,smb_uid,session_tag);
1304
1305	/*
1306	* Ensure the correct username is in current_user_info. This is a
1307	* really ugly bugfix for problems with multiple session_setup_and_X's
1308	* being done and allowing %U and %G substitutions to work correctly.
1309	* There is a reason this code is done here, don't move it unless you
1310	* know what you're doing... :-).
1311	* JRA.
1312	*/
1313
1314	if (session_tag != sconn->smb1.sessions.last_session_tag) {
1315	user_struct *vuser = NULL;
1316
1317	sconn->smb1.sessions.last_session_tag = session_tag;
1318	if(session_tag != UID_FIELD_INVALID) {
1319	vuser = get_valid_user_struct(sconn, session_tag);
1320	if (vuser) {
1321	set_current_user_info(
1322	vuser->server_info->sanitized_username,
1323	vuser->server_info->unix_name,
1324	pdb_get_domain(vuser->server_info
1325	->sam_account));
1326	}
1327	}
1328	}
1329
1330	/* Does this call need to be run as the connected user? */
1331	if (flags & AS_USER) {
1332
1333	/* Does this call need a valid tree connection? */
1334	if (!conn) {
1335	/*
1336	* Amazingly, the error code depends on the command
1337	* (from Samba4).
1338	*/
1339	if (type == SMBntcreateX) {
1340	reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1341	} else {
1342	reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1343	}
1344	return NULL;
1345	}
1346
1347	if (!change_to_user(conn,session_tag)) {
1348	DEBUG(0, ("Error: Could not change to user. Removing "
1349	"deferred open, mid=%d.\n", req->mid));
1350	reply_force_doserror(req, ERRSRV, ERRbaduid);
1351	return conn;
1352	}
1353
1354	/* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1355
1356	/* Does it need write permission? */
1357	if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1358	reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1359	return conn;
1360	}
1361
1362	/* IPC services are limited */
1363	if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1364	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1365	return conn;
1366	}
1367	} else {
1368	/* This call needs to be run as root */
1369	change_to_root_user();
1370	}
1371
1372	/* load service specific parameters */
1373	if (conn) {
1374	if (req->encrypted) {
1375	conn->encrypted_tid = true;
1376	/* encrypted required from now on. */
1377	conn->encrypt_level = Required;
1378	} else if (ENCRYPTION_REQUIRED(conn)) {
1379	if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1380	exit_server_cleanly("encryption required "
1381	"on connection");
1382	return conn;
1383	}
1384	}
1385
1386	if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1387	(flags & (AS_USER\|DO_CHDIR)
1388	?True:False))) {
1389	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1390	return conn;
1391	}
1392	conn->num_smb_operations++;
1393	}
1394
1395	/* does this protocol need to be run as guest? */
1396	if ((flags & AS_GUEST)
1397	&& (!change_to_guest() \|\|
1398	!check_access(smbd_server_fd(), lp_hostsallow(-1),
1399	lp_hostsdeny(-1)))) {
1400	reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1401	return conn;
1402	}
1403
1404	smb_messages[type].fn(req);
1405	return req->conn;
1406	}
1407
1408	/****************************************************************************
1409	Construct a reply to the incoming packet.
1410	****************************************************************************/
1411
1412	static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1413	uint32_t seqnum, bool encrypted,
1414	struct smb_perfcount_data *deferred_pcd)
1415	{
1416	connection_struct *conn;
1417	struct smb_request *req;
1418
1419	if (!(req = talloc(talloc_tos(), struct smb_request))) {
1420	smb_panic("could not allocate smb_request");
1421	}
1422
1423	init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted);
1424	req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1425	req->seqnum = seqnum;
1426
1427	/* we popped this message off the queue - keep original perf data */
1428	if (deferred_pcd)
1429	req->pcd = *deferred_pcd;
1430	else {
1431	SMB_PERFCOUNT_START(&req->pcd);
1432	SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1433	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1434	}
1435
1436	conn = switch_message(req->cmd, req, size);
1437
1438	if (req->unread_bytes) {
1439	/* writeX failed. drain socket. */
1440	if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1441	req->unread_bytes) {
1442	smb_panic("failed to drain pending bytes");
1443	}
1444	req->unread_bytes = 0;
1445	}
1446
1447	if (req->done) {
1448	TALLOC_FREE(req);
1449	return;
1450	}
1451
1452	if (req->outbuf == NULL) {
1453	return;
1454	}
1455
1456	if (CVAL(req->outbuf,0) == 0) {
1457	show_msg((char *)req->outbuf);
1458	}
1459
1460	if (!srv_send_smb(smbd_server_fd(),
1461	(char *)req->outbuf,
1462	true, req->seqnum+1,
1463	IS_CONN_ENCRYPTED(conn)\|\|req->encrypted,
1464	&req->pcd)) {
1465	exit_server_cleanly("construct_reply: srv_send_smb failed.");
1466	}
1467
1468	TALLOC_FREE(req);
1469
1470	return;
1471	}
1472
1473	/****************************************************************************
1474	Process an smb from the client
1475	****************************************************************************/
1476	static void process_smb(struct smbd_server_connection *conn,
1477	uint8_t *inbuf, size_t nread, size_t unread_bytes,
1478	uint32_t seqnum, bool encrypted,
1479	struct smb_perfcount_data *deferred_pcd)
1480	{
1481	int msg_type = CVAL(inbuf,0);
1482
1483	DO_PROFILE_INC(smb_count);
1484
1485	DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1486	smb_len(inbuf) ) );
1487	DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1488	(int)nread,
1489	(unsigned int)unread_bytes ));
1490
1491	if (msg_type != 0) {
1492	/*
1493	* NetBIOS session request, keepalive, etc.
1494	*/
1495	reply_special((char *)inbuf, nread);
1496	goto done;
1497	}
1498
1499	if (smbd_server_conn->allow_smb2) {
1500	if (smbd_is_smb2_header(inbuf, nread)) {
1501	smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1502	return;
1503	}
1504	smbd_server_conn->allow_smb2 = false;
1505	}
1506
1507	show_msg((char *)inbuf);
1508
1509	construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1510	trans_num++;
1511
1512	done:
1513	conn->smb1.num_requests++;
1514
1515	/* The timeout_processing function isn't run nearly
1516	often enough to implement 'max log size' without
1517	overrunning the size of the file by many megabytes.
1518	This is especially true if we are running at debug
1519	level 10. Checking every 50 SMBs is a nice
1520	tradeoff of performance vs log file size overrun. */
1521
1522	if ((conn->smb1.num_requests % 50) == 0 &&
1523	need_to_check_log_size()) {
1524	change_to_root_user();
1525	check_log_size();
1526	}
1527	}
1528
1529	/****************************************************************************
1530	Return a string containing the function name of a SMB command.
1531	****************************************************************************/
1532
1533	const char *smb_fn_name(int type)
1534	{
1535	const char *unknown_name = "SMBunknown";
1536
1537	if (smb_messages[type].name == NULL)
1538	return(unknown_name);
1539
1540	return(smb_messages[type].name);
1541	}
1542
1543	/****************************************************************************
1544	Helper functions for contruct_reply.
1545	****************************************************************************/
1546
1547	void add_to_common_flags2(uint32 v)
1548	{
1549	common_flags2 \|= v;
1550	}
1551
1552	void remove_from_common_flags2(uint32 v)
1553	{
1554	common_flags2 &= ~v;
1555	}
1556
1557	static void construct_reply_common(struct smb_request req, const char inbuf,
1558	char *outbuf)
1559	{
1560	srv_set_message(outbuf,0,0,false);
1561
1562	SCVAL(outbuf, smb_com, req->cmd);
1563	SIVAL(outbuf,smb_rcls,0);
1564	SCVAL(outbuf,smb_flg, FLAG_REPLY \| (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1565	SSVAL(outbuf,smb_flg2,
1566	(SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) \|
1567	common_flags2);
1568	memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1569
1570	SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1571	SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1572	SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1573	SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1574	}
1575
1576	void construct_reply_common_req(struct smb_request req, char outbuf)
1577	{
1578	construct_reply_common(req, (char *)req->inbuf, outbuf);
1579	}
1580
1581	/*
1582	* How many bytes have we already accumulated up to the current wct field
1583	* offset?
1584	*/
1585
1586	size_t req_wct_ofs(struct smb_request *req)
1587	{
1588	size_t buf_size;
1589
1590	if (req->chain_outbuf == NULL) {
1591	return smb_wct - 4;
1592	}
1593	buf_size = talloc_get_size(req->chain_outbuf);
1594	if ((buf_size % 4) != 0) {
1595	buf_size += (4 - (buf_size % 4));
1596	}
1597	return buf_size - 4;
1598	}
1599
1600	/*
1601	* Hack around reply_nterror & friends not being aware of chained requests,
1602	* generating illegal (i.e. wct==0) chain replies.
1603	*/
1604
1605	static void fixup_chain_error_packet(struct smb_request *req)
1606	{
1607	uint8_t *outbuf = req->outbuf;
1608	req->outbuf = NULL;
1609	reply_outbuf(req, 2, 0);
1610	memcpy(req->outbuf, outbuf, smb_wct);
1611	TALLOC_FREE(outbuf);
1612	SCVAL(req->outbuf, smb_vwv0, 0xff);
1613	}
1614
1615	/**
1616	* @brief Find the smb_cmd offset of the last command pushed
1617	* @param[in] buf The buffer we're building up
1618	* @retval Where can we put our next andx cmd?
1619	*
1620	* While chaining requests, the "next" request we're looking at needs to put
1621	* its SMB_Command before the data the previous request already built up added
1622	* to the chain. Find the offset to the place where we have to put our cmd.
1623	*/
1624
1625	static bool find_andx_cmd_ofs(uint8_t buf, size_t pofs)
1626	{
1627	uint8_t cmd;
1628	size_t ofs;
1629
1630	cmd = CVAL(buf, smb_com);
1631
1632	SMB_ASSERT(is_andx_req(cmd));
1633
1634	ofs = smb_vwv0;
1635
1636	while (CVAL(buf, ofs) != 0xff) {
1637
1638	if (!is_andx_req(CVAL(buf, ofs))) {
1639	return false;
1640	}
1641
1642	/*
1643	* ofs is from start of smb header, so add the 4 length
1644	* bytes. The next cmd is right after the wct field.
1645	*/
1646	ofs = SVAL(buf, ofs+2) + 4 + 1;
1647
1648	SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1649	}
1650
1651	*pofs = ofs;
1652	return true;
1653	}
1654
1655	/**
1656	* @brief Do the smb chaining at a buffer level
1657	* @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1658	* @param[in] smb_command The command that we want to issue
1659	* @param[in] wct How many words?
1660	* @param[in] vwv The words, already in network order
1661	* @param[in] bytes_alignment How shall we align "bytes"?
1662	* @param[in] num_bytes How many bytes?
1663	* @param[in] bytes The data the request ships
1664	*
1665	* smb_splice_chain() adds the vwv and bytes to the request already present in
1666	* *poutbuf.
1667	*/
1668
1669	static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1670	uint8_t wct, const uint16_t *vwv,
1671	size_t bytes_alignment,
1672	uint32_t num_bytes, const uint8_t *bytes)
1673	{
1674	uint8_t *outbuf;
1675	size_t old_size, new_size;
1676	size_t ofs;
1677	size_t chain_padding = 0;
1678	size_t bytes_padding = 0;
1679	bool first_request;
1680
1681	old_size = talloc_get_size(*poutbuf);
1682
1683	/*
1684	* old_size == smb_wct means we're pushing the first request in for
1685	* libsmb/
1686	*/
1687
1688	first_request = (old_size == smb_wct);
1689
1690	if (!first_request && ((old_size % 4) != 0)) {
1691	/*
1692	* Align the wct field of subsequent requests to a 4-byte
1693	* boundary
1694	*/
1695	chain_padding = 4 - (old_size % 4);
1696	}
1697
1698	/*
1699	* After the old request comes the new wct field (1 byte), the vwv's
1700	* and the num_bytes field. After at we might need to align the bytes
1701	* given to us to "bytes_alignment", increasing the num_bytes value.
1702	*/
1703
1704	new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1705
1706	if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1707	bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1708	}
1709
1710	new_size += bytes_padding + num_bytes;
1711
1712	if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1713	DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1714	(unsigned)new_size));
1715	return false;
1716	}
1717
1718	outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1719	if (outbuf == NULL) {
1720	DEBUG(0, ("talloc failed\n"));
1721	return false;
1722	}
1723	*poutbuf = outbuf;
1724
1725	if (first_request) {
1726	SCVAL(outbuf, smb_com, smb_command);
1727	} else {
1728	size_t andx_cmd_ofs;
1729
1730	if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1731	DEBUG(1, ("invalid command chain\n"));
1732	*poutbuf = TALLOC_REALLOC_ARRAY(
1733	NULL, *poutbuf, uint8_t, old_size);
1734	return false;
1735	}
1736
1737	if (chain_padding != 0) {
1738	memset(outbuf + old_size, 0, chain_padding);
1739	old_size += chain_padding;
1740	}
1741
1742	SCVAL(outbuf, andx_cmd_ofs, smb_command);
1743	SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1744	}
1745
1746	ofs = old_size;
1747
1748	/*
1749	* Push the chained request:
1750	*
1751	* wct field
1752	*/
1753
1754	SCVAL(outbuf, ofs, wct);
1755	ofs += 1;
1756
1757	/*
1758	* vwv array
1759	*/
1760
1761	memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1762	ofs += sizeof(uint16_t) * wct;
1763
1764	/*
1765	* bcc (byte count)
1766	*/
1767
1768	SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1769	ofs += sizeof(uint16_t);
1770
1771	/*
1772	* padding
1773	*/
1774
1775	if (bytes_padding != 0) {
1776	memset(outbuf + ofs, 0, bytes_padding);
1777	ofs += bytes_padding;
1778	}
1779
1780	/*
1781	* The bytes field
1782	*/
1783
1784	memcpy(outbuf + ofs, bytes, num_bytes);
1785
1786	return true;
1787	}
1788
1789	/****************************************************************************
1790	Construct a chained reply and add it to the already made reply
1791	****************************************************************************/
1792
1793	void chain_reply(struct smb_request *req)
1794	{
1795	size_t smblen = smb_len(req->inbuf);
1796	size_t already_used, length_needed;
1797	uint8_t chain_cmd;
1798	uint32_t chain_offset; /* uint32_t to avoid overflow */
1799
1800	uint8_t wct;
1801	uint16_t *vwv;
1802	uint16_t buflen;
1803	uint8_t *buf;
1804
1805	if (IVAL(req->outbuf, smb_rcls) != 0) {
1806	fixup_chain_error_packet(req);
1807	}
1808
1809	/*
1810	* Any of the AndX requests and replies have at least a wct of
1811	* 2. vwv[0] is the next command, vwv[1] is the offset from the
1812	* beginning of the SMB header to the next wct field.
1813	*
1814	* None of the AndX requests put anything valuable in vwv[0] and [1],
1815	* so we can overwrite it here to form the chain.
1816	*/
1817
1818	if ((req->wct < 2) \|\| (CVAL(req->outbuf, smb_wct) < 2)) {
1819	if (req->chain_outbuf == NULL) {
1820	req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1821	req, req->outbuf, uint8_t,
1822	smb_len(req->outbuf) + 4);
1823	if (req->chain_outbuf == NULL) {
1824	smb_panic("talloc failed");
1825	}
1826	}
1827	req->outbuf = NULL;
1828	goto error;
1829	}
1830
1831	/*
1832	* Here we assume that this is the end of the chain. For that we need
1833	* to set "next command" to 0xff and the offset to 0. If we later find
1834	* more commands in the chain, this will be overwritten again.
1835	*/
1836
1837	SCVAL(req->outbuf, smb_vwv0, 0xff);
1838	SCVAL(req->outbuf, smb_vwv0+1, 0);
1839	SSVAL(req->outbuf, smb_vwv1, 0);
1840
1841	if (req->chain_outbuf == NULL) {
1842	/*
1843	* In req->chain_outbuf we collect all the replies. Start the
1844	* chain by copying in the first reply.
1845	*
1846	* We do the realloc because later on we depend on
1847	* talloc_get_size to determine the length of
1848	* chain_outbuf. The reply_xxx routines might have
1849	* over-allocated (reply_pipe_read_and_X used to be such an
1850	* example).
1851	*/
1852	req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1853	req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1854	if (req->chain_outbuf == NULL) {
1855	smb_panic("talloc failed");
1856	}
1857	req->outbuf = NULL;
1858	} else {
1859	/*
1860	* Update smb headers where subsequent chained commands
1861	* may have updated them.
1862	*/
1863	SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
1864	SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
1865
1866	if (!smb_splice_chain(&req->chain_outbuf,
1867	CVAL(req->outbuf, smb_com),
1868	CVAL(req->outbuf, smb_wct),
1869	(uint16_t *)(req->outbuf + smb_vwv),
1870	0, smb_buflen(req->outbuf),
1871	(uint8_t *)smb_buf(req->outbuf))) {
1872	goto error;
1873	}
1874	TALLOC_FREE(req->outbuf);
1875	}
1876
1877	/*
1878	* We use the old request's vwv field to grab the next chained command
1879	* and offset into the chained fields.
1880	*/
1881
1882	chain_cmd = CVAL(req->vwv+0, 0);
1883	chain_offset = SVAL(req->vwv+1, 0);
1884
1885	if (chain_cmd == 0xff) {
1886	/*
1887	* End of chain, no more requests from the client. So ship the
1888	* replies.
1889	*/
1890	smb_setlen((char *)(req->chain_outbuf),
1891	talloc_get_size(req->chain_outbuf) - 4);
1892
1893	if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1894	true, req->seqnum+1,
1895	IS_CONN_ENCRYPTED(req->conn)
1896	\|\|req->encrypted,
1897	&req->pcd)) {
1898	exit_server_cleanly("chain_reply: srv_send_smb "
1899	"failed.");
1900	}
1901	TALLOC_FREE(req->chain_outbuf);
1902	req->done = true;
1903	return;
1904	}
1905
1906	/* add a new perfcounter for this element of chain */
1907	SMB_PERFCOUNT_ADD(&req->pcd);
1908	SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1909	SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1910
1911	/*
1912	* Check if the client tries to fool us. The request so far uses the
1913	* space to the end of the byte buffer in the request just
1914	* processed. The chain_offset can't point into that area. If that was
1915	* the case, we could end up with an endless processing of the chain,
1916	* we would always handle the same request.
1917	*/
1918
1919	already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
1920	if (chain_offset < already_used) {
1921	goto error;
1922	}
1923
1924	/*
1925	* Next check: Make sure the chain offset does not point beyond the
1926	* overall smb request length.
1927	*/
1928
1929	length_needed = chain_offset+1; /* wct */
1930	if (length_needed > smblen) {
1931	goto error;
1932	}
1933
1934	/*
1935	* Now comes the pointer magic. Goal here is to set up req->vwv and
1936	* req->buf correctly again to be able to call the subsequent
1937	* switch_message(). The chain offset (the former vwv[1]) points at
1938	* the new wct field.
1939	*/
1940
1941	wct = CVAL(smb_base(req->inbuf), chain_offset);
1942
1943	/*
1944	* Next consistency check: Make the new vwv array fits in the overall
1945	* smb request.
1946	*/
1947
1948	length_needed += (wct+1)sizeof(uint16_t); / vwv+buflen */
1949	if (length_needed > smblen) {
1950	goto error;
1951	}
1952	vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1953
1954	/*
1955	* Now grab the new byte buffer....
1956	*/
1957
1958	buflen = SVAL(vwv+wct, 0);
1959
1960	/*
1961	* .. and check that it fits.
1962	*/
1963
1964	length_needed += buflen;
1965	if (length_needed > smblen) {
1966	goto error;
1967	}
1968	buf = (uint8_t *)(vwv+wct+1);
1969
1970	req->cmd = chain_cmd;
1971	req->wct = wct;
1972	req->vwv = vwv;
1973	req->buflen = buflen;
1974	req->buf = buf;
1975
1976	switch_message(chain_cmd, req, smblen);
1977
1978	if (req->outbuf == NULL) {
1979	/*
1980	* This happens if the chained command has suspended itself or
1981	* if it has called srv_send_smb() itself.
1982	*/
1983	return;
1984	}
1985
1986	/*
1987	* We end up here if the chained command was not itself chained or
1988	* suspended, but for example a close() command. We now need to splice
1989	* the chained commands' outbuf into the already built up chain_outbuf
1990	* and ship the result.
1991	*/
1992	goto done;
1993
1994	error:
1995	/*
1996	* We end up here if there's any error in the chain syntax. Report a
1997	* DOS error, just like Windows does.
1998	*/
1999	reply_force_doserror(req, ERRSRV, ERRerror);
2000	fixup_chain_error_packet(req);
2001
2002	done:
2003	/*
2004	* This scary statement intends to set the
2005	* FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2006	* to the value req->outbuf carries
2007	*/
2008	SSVAL(req->chain_outbuf, smb_flg2,
2009	(SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2010	\| (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2011
2012	/*
2013	* Transfer the error codes from the subrequest to the main one
2014	*/
2015	SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2016	SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2017
2018	if (!smb_splice_chain(&req->chain_outbuf,
2019	CVAL(req->outbuf, smb_com),
2020	CVAL(req->outbuf, smb_wct),
2021	(uint16_t *)(req->outbuf + smb_vwv),
2022	0, smb_buflen(req->outbuf),
2023	(uint8_t *)smb_buf(req->outbuf))) {
2024	exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2025	}
2026	TALLOC_FREE(req->outbuf);
2027
2028	smb_setlen((char *)(req->chain_outbuf),
2029	talloc_get_size(req->chain_outbuf) - 4);
2030
2031	show_msg((char *)(req->chain_outbuf));
2032
2033	if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2034	true, req->seqnum+1,
2035	IS_CONN_ENCRYPTED(req->conn)\|\|req->encrypted,
2036	&req->pcd)) {
2037	exit_server_cleanly("construct_reply: srv_send_smb failed.");
2038	}
2039	TALLOC_FREE(req->chain_outbuf);
2040	req->done = true;
2041	}
2042
2043	/****************************************************************************
2044	Check if services need reloading.
2045	****************************************************************************/
2046
2047	void check_reload(time_t t)
2048	{
2049	time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2050
2051	if(last_smb_conf_reload_time == 0) {
2052	last_smb_conf_reload_time = t;
2053	/* Our printing subsystem might not be ready at smbd start up.
2054	Then no printer is available till the first printers check
2055	is performed. A lower initial interval circumvents this. */
2056	if ( printcap_cache_time > 60 )
2057	last_printer_reload_time = t - printcap_cache_time + 60;
2058	else
2059	last_printer_reload_time = t;
2060	}
2061
2062	if (mypid != getpid()) { /* First time or fork happened meanwhile */
2063	/* randomize over 60 second the printcap reload to avoid all
2064	* process hitting cupsd at the same time */
2065	int time_range = 60;
2066
2067	last_printer_reload_time += random() % time_range;
2068	mypid = getpid();
2069	}
2070
2071	if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2072	reload_services(True);
2073	last_smb_conf_reload_time = t;
2074	}
2075
2076	/* 'printcap cache time = 0' disable the feature */
2077
2078	if ( printcap_cache_time != 0 )
2079	{
2080	/* see if it's time to reload or if the clock has been set back */
2081
2082	if ( (t >= last_printer_reload_time+printcap_cache_time)
2083	\|\| (t-last_printer_reload_time < 0) )
2084	{
2085	DEBUG( 3,( "Printcap cache time expired.\n"));
2086	pcap_cache_reload(&reload_printers);
2087	last_printer_reload_time = t;
2088	}
2089	}
2090	}
2091
2092	static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2093	{
2094	/* TODO: make write nonblocking */
2095	}
2096
2097	static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
2098	{
2099	uint8_t *inbuf = NULL;
2100	size_t inbuf_len = 0;
2101	size_t unread_bytes = 0;
2102	bool encrypted = false;
2103	TALLOC_CTX *mem_ctx = talloc_tos();
2104	NTSTATUS status;
2105	uint32_t seqnum;
2106
2107	/* TODO: make this completely nonblocking */
2108
2109	status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
2110	(char *)(void )&inbuf,
2111	0, /* timeout */
2112	&unread_bytes,
2113	&encrypted,
2114	&inbuf_len, &seqnum);
2115	if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2116	goto process;
2117	}
2118	if (NT_STATUS_IS_ERR(status)) {
2119	exit_server_cleanly("failed to receive smb request");
2120	}
2121	if (!NT_STATUS_IS_OK(status)) {
2122	return;
2123	}
2124
2125	process:
2126	process_smb(conn, inbuf, inbuf_len, unread_bytes,
2127	seqnum, encrypted, NULL);
2128	}
2129
2130	static void smbd_server_connection_handler(struct event_context *ev,
2131	struct fd_event *fde,
2132	uint16_t flags,
2133	void *private_data)
2134	{
2135	struct smbd_server_connection *conn = talloc_get_type(private_data,
2136	struct smbd_server_connection);
2137
2138	if (flags & EVENT_FD_WRITE) {
2139	smbd_server_connection_write_handler(conn);
2140	} else if (flags & EVENT_FD_READ) {
2141	smbd_server_connection_read_handler(conn);
2142	}
2143	}
2144
2145
2146	/****************************************************************************
2147	received when we should release a specific IP
2148	****************************************************************************/
2149	static void release_ip(const char ip, void priv)
2150	{
2151	char addr[INET6_ADDRSTRLEN];
2152	char *p = addr;
2153
2154	client_socket_addr(get_client_fd(),addr,sizeof(addr));
2155
2156	if (strncmp("::ffff:", addr, 7) == 0) {
2157	p = addr + 7;
2158	}
2159
2160	if ((strcmp(p, ip) == 0) \|\| ((p != addr) && strcmp(addr, ip) == 0)) {
2161	/* we can't afford to do a clean exit - that involves
2162	database writes, which would potentially mean we
2163	are still running after the failover has finished -
2164	we have to get rid of this process ID straight
2165	away */
2166	DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2167	ip));
2168	/* note we must exit with non-zero status so the unclean handler gets
2169	called in the parent, so that the brl database is tickled */
2170	_exit(1);
2171	}
2172	}
2173
2174	static void msg_release_ip(struct messaging_context msg_ctx, void private_data,
2175	uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2176	{
2177	release_ip((char *)data->data, NULL);
2178	}
2179
2180	#ifdef CLUSTER_SUPPORT
2181	static int client_get_tcp_info(struct sockaddr_storage *server,
2182	struct sockaddr_storage *client)
2183	{
2184	socklen_t length;
2185	if (server_fd == -1) {
2186	return -1;
2187	}
2188	length = sizeof(*server);
2189	if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2190	return -1;
2191	}
2192	length = sizeof(*client);
2193	if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2194	return -1;
2195	}
2196	return 0;
2197	}
2198	#endif
2199
2200	/*
2201	* Send keepalive packets to our client
2202	*/
2203	static bool keepalive_fn(const struct timeval now, void private_data)
2204	{
2205	if (!send_keepalive(smbd_server_fd())) {
2206	DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2207	return False;
2208	}
2209	return True;
2210	}
2211
2212	/*
2213	* Do the recurring check if we're idle
2214	*/
2215	static bool deadtime_fn(const struct timeval now, void private_data)
2216	{
2217	struct smbd_server_connection *sconn = smbd_server_conn;
2218	if ((conn_num_open(sconn) == 0)
2219	\|\| (conn_idle_all(sconn, now->tv_sec))) {
2220	DEBUG( 2, ( "Closing idle connection\n" ) );
2221	messaging_send(smbd_messaging_context(), procid_self(),
2222	MSG_SHUTDOWN, &data_blob_null);
2223	return False;
2224	}
2225
2226	return True;
2227	}
2228
2229	/*
2230	* Do the recurring log file and smb.conf reload checks.
2231	*/
2232
2233	static bool housekeeping_fn(const struct timeval now, void private_data)
2234	{
2235	change_to_root_user();
2236
2237	/* update printer queue caches if necessary */
2238	update_monitored_printq_cache();
2239
2240	/* check if we need to reload services */
2241	check_reload(time(NULL));
2242
2243	/* Change machine password if neccessary. */
2244	attempt_machine_password_change();
2245
2246	/*
2247	* Force a log file check.
2248	*/
2249	force_check_log_size();
2250	check_log_size();
2251	return true;
2252	}
2253
2254	/****************************************************************************
2255	Process commands from the client
2256	****************************************************************************/
2257
2258	void smbd_process(void)
2259	{
2260	TALLOC_CTX *frame = talloc_stackframe();
2261	char remaddr[INET6_ADDRSTRLEN];
2262
2263	if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2264	lp_security() != SEC_SHARE) {
2265	smbd_server_conn->allow_smb2 = true;
2266	}
2267
2268	/* Ensure child is set to blocking mode */
2269	set_blocking(smbd_server_fd(),True);
2270
2271	set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2272	set_socket_options(smbd_server_fd(), lp_socket_options());
2273
2274	/* this is needed so that we get decent entries
2275	in smbstatus for port 445 connects */
2276	set_remote_machine_name(get_peer_addr(smbd_server_fd(),
2277	remaddr,
2278	sizeof(remaddr)),
2279	false);
2280	reload_services(true);
2281
2282	/*
2283	* Before the first packet, check the global hosts allow/ hosts deny
2284	* parameters before doing any parsing of packets passed to us by the
2285	* client. This prevents attacks on our parsing code from hosts not in
2286	* the hosts allow list.
2287	*/
2288
2289	if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2290	lp_hostsdeny(-1))) {
2291	char addr[INET6_ADDRSTRLEN];
2292
2293	/*
2294	* send a negative session response "not listening on calling
2295	* name"
2296	*/
2297	unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2298	DEBUG( 1, ("Connection denied from %s\n",
2299	client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2300	(void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2301	0, false, NULL);
2302	exit_server_cleanly("connection denied");
2303	}
2304
2305	static_init_rpc;
2306
2307	init_modules();
2308
2309	smb_perfcount_init();
2310
2311	if (!init_account_policy()) {
2312	exit_server("Could not open account policy tdb.\n");
2313	}
2314
2315	if (*lp_rootdir()) {
2316	if (chroot(lp_rootdir()) != 0) {
2317	DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2318	exit_server("Failed to chroot()");
2319	}
2320	if (chdir("/") == -1) {
2321	DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2322	exit_server("Failed to chroot()");
2323	}
2324	DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2325	}
2326
2327	if (!srv_init_signing(smbd_server_conn)) {
2328	exit_server("Failed to init smb_signing");
2329	}
2330
2331	/* Setup oplocks */
2332	if (!init_oplocks(smbd_messaging_context()))
2333	exit_server("Failed to init oplocks");
2334
2335	/* Setup aio signal handler. */
2336	initialize_async_io_handler();
2337
2338	/* register our message handlers */
2339	messaging_register(smbd_messaging_context(), NULL,
2340	MSG_SMB_FORCE_TDIS, msg_force_tdis);
2341	messaging_register(smbd_messaging_context(), NULL,
2342	MSG_SMB_RELEASE_IP, msg_release_ip);
2343	messaging_register(smbd_messaging_context(), NULL,
2344	MSG_SMB_CLOSE_FILE, msg_close_file);
2345
2346	/*
2347	* Use the default MSG_DEBUG handler to avoid rebroadcasting
2348	* MSGs to all child processes
2349	*/
2350	messaging_deregister(smbd_messaging_context(),
2351	MSG_DEBUG, NULL);
2352	messaging_register(smbd_messaging_context(), NULL,
2353	MSG_DEBUG, debug_message);
2354
2355	if ((lp_keepalive() != 0)
2356	&& !(event_add_idle(smbd_event_context(), NULL,
2357	timeval_set(lp_keepalive(), 0),
2358	"keepalive", keepalive_fn,
2359	NULL))) {
2360	DEBUG(0, ("Could not add keepalive event\n"));
2361	exit(1);
2362	}
2363
2364	if (!(event_add_idle(smbd_event_context(), NULL,
2365	timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2366	"deadtime", deadtime_fn, NULL))) {
2367	DEBUG(0, ("Could not add deadtime event\n"));
2368	exit(1);
2369	}
2370
2371	if (!(event_add_idle(smbd_event_context(), NULL,
2372	timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
2373	"housekeeping", housekeeping_fn, NULL))) {
2374	DEBUG(0, ("Could not add housekeeping event\n"));
2375	exit(1);
2376	}
2377
2378	#ifdef CLUSTER_SUPPORT
2379
2380	if (lp_clustering()) {
2381	/*
2382	* We need to tell ctdb about our client's TCP
2383	* connection, so that for failover ctdbd can send
2384	* tickle acks, triggering a reconnection by the
2385	* client.
2386	*/
2387
2388	struct sockaddr_storage srv, clnt;
2389
2390	if (client_get_tcp_info(&srv, &clnt) == 0) {
2391
2392	NTSTATUS status;
2393
2394	status = ctdbd_register_ips(
2395	messaging_ctdbd_connection(),
2396	&srv, &clnt, release_ip, NULL);
2397
2398	if (!NT_STATUS_IS_OK(status)) {
2399	DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2400	nt_errstr(status)));
2401	}
2402	} else
2403	{
2404	DEBUG(0,("Unable to get tcp info for "
2405	"CTDB_CONTROL_TCP_CLIENT: %s\n",
2406	strerror(errno)));
2407	}
2408	}
2409
2410	#endif
2411
2412	smbd_server_conn->nbt.got_session = false;
2413
2414	smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2415
2416	smbd_server_conn->smb1.sessions.done_sesssetup = false;
2417	smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
2418	smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
2419	/* users from session setup */
2420	smbd_server_conn->smb1.sessions.session_userlist = NULL;
2421	/* workgroup from session setup. */
2422	smbd_server_conn->smb1.sessions.session_workgroup = NULL;
2423	/* this holds info on user ids that are already validated for this VC */
2424	smbd_server_conn->smb1.sessions.validated_users = NULL;
2425	smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
2426	smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
2427	#ifdef HAVE_NETGROUP
2428	smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
2429	#endif
2430
2431	conn_init(smbd_server_conn);
2432	if (!init_dptrs(smbd_server_conn)) {
2433	exit_server("init_dptrs() failed");
2434	}
2435
2436	smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
2437	smbd_server_conn,
2438	smbd_server_fd(),
2439	EVENT_FD_READ,
2440	smbd_server_connection_handler,
2441	smbd_server_conn);
2442	if (!smbd_server_conn->smb1.fde) {
2443	exit_server("failed to create smbd_server_connection fde");
2444	}
2445
2446	TALLOC_FREE(frame);
2447
2448	while (True) {
2449	NTSTATUS status;
2450
2451	frame = talloc_stackframe_pool(8192);
2452
2453	errno = 0;
2454
2455	status = smbd_server_connection_loop_once(smbd_server_conn);
2456	if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2457	!NT_STATUS_IS_OK(status)) {
2458	DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2459	" exiting\n", nt_errstr(status)));
2460	break;
2461	}
2462
2463	TALLOC_FREE(frame);
2464	}
2465
2466	exit_server_cleanly(NULL);
2467	}
2468
2469	bool req_is_in_chain(struct smb_request *req)
2470	{
2471	if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2472	/*
2473	* We're right now handling a subsequent request, so we must
2474	* be in a chain
2475	*/
2476	return true;
2477	}
2478
2479	if (!is_andx_req(req->cmd)) {
2480	return false;
2481	}
2482
2483	if (req->wct < 2) {
2484	/*
2485	* Okay, an illegal request, but definitely not chained :-)
2486	*/
2487	return false;
2488	}
2489
2490	return (CVAL(req->vwv+0, 0) != 0xFF);
2491	}

Note: See TracBrowser for help on using the repository browser.

Download in other formats: