search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
WHATSNEW: Update release notes.
[Samba.git] / source3 / libsmb / async_smb.c
blob62a8c81c2279c93233b2678201b6d383714e2669
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 static void cli_state_handler(struct event_context *event_ctx,
23 struct fd_event *event, uint16 flags, void *p);
24
25 /*
26 * Read an smb packet asynchronously, discard keepalives
27 */
28
29 struct read_smb_state {
30 struct tevent_context *ev;
31 int fd;
32 uint8_t *buf;
33 };
34
35 static ssize_t read_smb_more(uint8_t *buf, size_t buflen, void *private_data);
36 static void read_smb_done(struct tevent_req *subreq);
37
38 static struct tevent_req *read_smb_send(TALLOC_CTX *mem_ctx,
39 struct tevent_context *ev,
40 int fd)
41 {
42 struct tevent_req *result, *subreq;
43 struct read_smb_state *state;
44
45 result = tevent_req_create(mem_ctx, &state, struct read_smb_state);
46 if (result == NULL) {
47 return NULL;
48 }
49 state->ev = ev;
50 state->fd = fd;
51
52 subreq = read_packet_send(state, ev, fd, 4, read_smb_more, NULL);
53 if (subreq == NULL) {
54 goto fail;
55 }
56 tevent_req_set_callback(subreq, read_smb_done, result);
57 return result;
58 fail:
59 TALLOC_FREE(result);
60 return NULL;
61 }
62
63 static ssize_t read_smb_more(uint8_t *buf, size_t buflen, void *private_data)
64 {
65 if (buflen > 4) {
66 return 0; /* We've been here, we're done */
67 }
68 return smb_len_large(buf);
69 }
70
71 static void read_smb_done(struct tevent_req *subreq)
72 {
73 struct tevent_req *req = tevent_req_callback_data(
74 subreq, struct tevent_req);
75 struct read_smb_state *state = tevent_req_data(
76 req, struct read_smb_state);
77 ssize_t len;
78 int err;
79
80 len = read_packet_recv(subreq, state, &state->buf, &err);
81 TALLOC_FREE(subreq);
82 if (len == -1) {
83 tevent_req_error(req, err);
84 return;
85 }
86
87 if (CVAL(state->buf, 0) == SMBkeepalive) {
88 subreq = read_packet_send(state, state->ev, state->fd, 4,
89 read_smb_more, NULL);
90 if (tevent_req_nomem(subreq, req)) {
91 return;
92 }
93 tevent_req_set_callback(subreq, read_smb_done, req);
94 return;
95 }
96 tevent_req_done(req);
97 }
98
99 static ssize_t read_smb_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
100 uint8_t **pbuf, int *perrno)
101 {
102 struct read_smb_state *state = tevent_req_data(
103 req, struct read_smb_state);
104
105 if (tevent_req_is_unix_error(req, perrno)) {
106 return -1;
107 }
108 *pbuf = talloc_move(mem_ctx, &state->buf);
109 return talloc_get_size(*pbuf);
110 }
111
112 /**
113 * Fetch an error out of a NBT packet
114 * @param[in] buf The SMB packet
115 * @retval The error, converted to NTSTATUS
116 */
117
118 NTSTATUS cli_pull_error(char *buf)
119 {
120 uint32_t flags2 = SVAL(buf, smb_flg2);
121
122 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
123 return NT_STATUS(IVAL(buf, smb_rcls));
124 }
125
126 /* if the client uses dos errors, but there is no error,
127 we should return no error here, otherwise it looks
128 like an unknown bad NT_STATUS. jmcd */
129 if (CVAL(buf, smb_rcls) == 0)
130 return NT_STATUS_OK;
131
132 return NT_STATUS_DOS(CVAL(buf, smb_rcls), SVAL(buf,smb_err));
133 }
134
135 /**
136 * Compatibility helper for the sync APIs: Fake NTSTATUS in cli->inbuf
137 * @param[in] cli The client connection that just received an error
138 * @param[in] status The error to set on "cli"
139 */
140
141 void cli_set_error(struct cli_state *cli, NTSTATUS status)
142 {
143 uint32_t flags2 = SVAL(cli->inbuf, smb_flg2);
144
145 if (NT_STATUS_IS_DOS(status)) {
146 SSVAL(cli->inbuf, smb_flg2,
147 flags2 & ~FLAGS2_32_BIT_ERROR_CODES);
148 SCVAL(cli->inbuf, smb_rcls, NT_STATUS_DOS_CLASS(status));
149 SSVAL(cli->inbuf, smb_err, NT_STATUS_DOS_CODE(status));
150 return;
151 }
152
153 SSVAL(cli->inbuf, smb_flg2, flags2 | FLAGS2_32_BIT_ERROR_CODES);
154 SIVAL(cli->inbuf, smb_rcls, NT_STATUS_V(status));
155 return;
156 }
157
158 /**
159 * Allocate a new mid
160 * @param[in] cli The client connection
161 * @retval The new, unused mid
162 */
163
164 static uint16_t cli_new_mid(struct cli_state *cli)
165 {
166 uint16_t result;
167 struct cli_request *req;
168
169 while (true) {
170 result = cli->mid++;
171 if (result == 0) {
172 continue;
173 }
174
175 for (req = cli->outstanding_requests; req; req = req->next) {
176 if (result == req->mid) {
177 break;
178 }
179 }
180
181 if (req == NULL) {
182 return result;
183 }
184 }
185 }
186
187 /**
188 * Print an async req that happens to be a cli_request
189 * @param[in] mem_ctx The TALLOC_CTX to put the result on
190 * @param[in] req The request to print
191 * @retval The string representation of "req"
192 */
193
194 static char *cli_request_print(TALLOC_CTX *mem_ctx, struct async_req *req)
195 {
196 char *result = async_req_print(mem_ctx, req);
197 struct cli_request *cli_req = talloc_get_type_abort(
198 req->private_data, struct cli_request);
199
200 if (result == NULL) {
201 return NULL;
202 }
203
204 return talloc_asprintf_append_buffer(
205 result, "mid=%d\n", cli_req->mid);
206 }
207
208 /**
209 * Destroy a cli_request
210 * @param[in] req The cli_request to kill
211 * @retval Can't fail
212 */
213
214 static int cli_request_destructor(struct cli_request *req)
215 {
216 if (req->enc_state != NULL) {
217 common_free_enc_buffer(req->enc_state, (char *)req->outbuf);
218 }
219 DLIST_REMOVE(req->cli->outstanding_requests, req);
220 if (req->cli->outstanding_requests == NULL) {
221 TALLOC_FREE(req->cli->fd_event);
222 }
223 return 0;
224 }
225
226 /**
227 * Are there already requests waiting in the chain_accumulator?
228 * @param[in] cli The cli_state we want to check
229 * @retval reply :-)
230 */
231
232 bool cli_in_chain(struct cli_state *cli)
233 {
234 if (cli->chain_accumulator == NULL) {
235 return false;
236 }
237
238 return (cli->chain_accumulator->num_async != 0);
239 }
240
241 /**
242 * @brief Find the smb_cmd offset of the last command pushed
243 * @param[in] buf The buffer we're building up
244 * @retval Where can we put our next andx cmd?
245 *
246 * While chaining requests, the "next" request we're looking at needs to put
247 * its SMB_Command before the data the previous request already built up added
248 * to the chain. Find the offset to the place where we have to put our cmd.
249 */
250
251 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
252 {
253 uint8_t cmd;
254 size_t ofs;
255
256 cmd = CVAL(buf, smb_com);
257
258 SMB_ASSERT(is_andx_req(cmd));
259
260 ofs = smb_vwv0;
261
262 while (CVAL(buf, ofs) != 0xff) {
263
264 if (!is_andx_req(CVAL(buf, ofs))) {
265 return false;
266 }
267
268 /*
269 * ofs is from start of smb header, so add the 4 length
270 * bytes. The next cmd is right after the wct field.
271 */
272 ofs = SVAL(buf, ofs+2) + 4 + 1;
273
274 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
275 }
276
277 *pofs = ofs;
278 return true;
279 }
280
281 /**
282 * @brief Do the smb chaining at a buffer level
283 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
284 * @param[in] smb_command The command that we want to issue
285 * @param[in] wct How many words?
286 * @param[in] vwv The words, already in network order
287 * @param[in] bytes_alignment How shall we align "bytes"?
288 * @param[in] num_bytes How many bytes?
289 * @param[in] bytes The data the request ships
290 *
291 * smb_splice_chain() adds the vwv and bytes to the request already present in
292 * *poutbuf.
293 */
294
295 bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
296 uint8_t wct, const uint16_t *vwv,
297 size_t bytes_alignment,
298 uint32_t num_bytes, const uint8_t *bytes)
299 {
300 uint8_t *outbuf;
301 size_t old_size, new_size;
302 size_t ofs;
303 size_t chain_padding = 0;
304 size_t bytes_padding = 0;
305 bool first_request;
306
307 old_size = talloc_get_size(*poutbuf);
308
309 /*
310 * old_size == smb_wct means we're pushing the first request in for
311 * libsmb/
312 */
313
314 first_request = (old_size == smb_wct);
315
316 if (!first_request && ((old_size % 4) != 0)) {
317 /*
318 * Align the wct field of subsequent requests to a 4-byte
319 * boundary
320 */
321 chain_padding = 4 - (old_size % 4);
322 }
323
324 /*
325 * After the old request comes the new wct field (1 byte), the vwv's
326 * and the num_bytes field. After at we might need to align the bytes
327 * given to us to "bytes_alignment", increasing the num_bytes value.
328 */
329
330 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
331
332 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
333 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
334 }
335
336 new_size += bytes_padding + num_bytes;
337
338 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
339 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
340 (unsigned)new_size));
341 return false;
342 }
343
344 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
345 if (outbuf == NULL) {
346 DEBUG(0, ("talloc failed\n"));
347 return false;
348 }
349 *poutbuf = outbuf;
350
351 if (first_request) {
352 SCVAL(outbuf, smb_com, smb_command);
353 } else {
354 size_t andx_cmd_ofs;
355
356 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
357 DEBUG(1, ("invalid command chain\n"));
358 *poutbuf = TALLOC_REALLOC_ARRAY(
359 NULL, *poutbuf, uint8_t, old_size);
360 return false;
361 }
362
363 if (chain_padding != 0) {
364 memset(outbuf + old_size, 0, chain_padding);
365 old_size += chain_padding;
366 }
367
368 SCVAL(outbuf, andx_cmd_ofs, smb_command);
369 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
370 }
371
372 ofs = old_size;
373
374 /*
375 * Push the chained request:
376 *
377 * wct field
378 */
379
380 SCVAL(outbuf, ofs, wct);
381 ofs += 1;
382
383 /*
384 * vwv array
385 */
386
387 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
388 ofs += sizeof(uint16_t) * wct;
389
390 /*
391 * bcc (byte count)
392 */
393
394 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
395 ofs += sizeof(uint16_t);
396
397 /*
398 * padding
399 */
400
401 if (bytes_padding != 0) {
402 memset(outbuf + ofs, 0, bytes_padding);
403 ofs += bytes_padding;
404 }
405
406 /*
407 * The bytes field
408 */
409
410 memcpy(outbuf + ofs, bytes, num_bytes);
411
412 return true;
413 }
414
415 /**
416 * @brief Destroy an async_req that is the visible part of a cli_request
417 * @param[in] req The request to kill
418 * @retval Return 0 to make talloc happy
419 *
420 * This destructor is a bit tricky: Because a cli_request can host more than
421 * one async_req for chained requests, we need to make sure that the
422 * "cli_request" that we were part of is correctly destroyed at the right
423 * time. This is done by NULLing out ourself from the "async" member of our
424 * "cli_request". If there is none left, then also TALLOC_FREE() the
425 * cli_request, which was a talloc child of the client connection cli_state.
426 */
427
428 static int cli_async_req_destructor(struct async_req *req)
429 {
430 struct cli_request *cli_req = talloc_get_type_abort(
431 req->private_data, struct cli_request);
432 int i, pending;
433 bool found = false;
434
435 pending = 0;
436
437 for (i=0; i<cli_req->num_async; i++) {
438 if (cli_req->async[i] == req) {
439 cli_req->async[i] = NULL;
440 found = true;
441 }
442 if (cli_req->async[i] != NULL) {
443 pending += 1;
444 }
445 }
446
447 SMB_ASSERT(found);
448
449 if (pending == 0) {
450 TALLOC_FREE(cli_req);
451 }
452
453 return 0;
454 }
455
456 /**
457 * @brief Chain up a request
458 * @param[in] mem_ctx The TALLOC_CTX for the result
459 * @param[in] ev The event context that will call us back
460 * @param[in] cli The cli_state we queue the request up for
461 * @param[in] smb_command The command that we want to issue
462 * @param[in] additional_flags open_and_x wants to add oplock header flags
463 * @param[in] wct How many words?
464 * @param[in] vwv The words, already in network order
465 * @param[in] bytes_alignment How shall we align "bytes"?
466 * @param[in] num_bytes How many bytes?
467 * @param[in] bytes The data the request ships
468 *
469 * cli_request_chain() is the core of the SMB request marshalling routine. It
470 * will create a new async_req structure in the cli->chain_accumulator->async
471 * array and marshall the smb_cmd, the vwv array and the bytes into
472 * cli->chain_accumulator->outbuf.
473 */
474
475 static struct async_req *cli_request_chain(TALLOC_CTX *mem_ctx,
476 struct event_context *ev,
477 struct cli_state *cli,
478 uint8_t smb_command,
479 uint8_t additional_flags,
480 uint8_t wct, const uint16_t *vwv,
481 size_t bytes_alignment,
482 uint32_t num_bytes,
483 const uint8_t *bytes)
484 {
485 struct async_req **tmp_reqs;
486 struct cli_request *req;
487
488 req = cli->chain_accumulator;
489
490 tmp_reqs = TALLOC_REALLOC_ARRAY(req, req->async, struct async_req *,
491 req->num_async + 1);
492 if (tmp_reqs == NULL) {
493 DEBUG(0, ("talloc failed\n"));
494 return NULL;
495 }
496 req->async = tmp_reqs;
497 req->num_async += 1;
498
499 req->async[req->num_async-1] = async_req_new(mem_ctx);
500 if (req->async[req->num_async-1] == NULL) {
501 DEBUG(0, ("async_req_new failed\n"));
502 req->num_async -= 1;
503 return NULL;
504 }
505 req->async[req->num_async-1]->private_data = req;
506 req->async[req->num_async-1]->print = cli_request_print;
507 talloc_set_destructor(req->async[req->num_async-1],
508 cli_async_req_destructor);
509
510 if (!smb_splice_chain(&req->outbuf, smb_command, wct, vwv,
511 bytes_alignment, num_bytes, bytes)) {
512 goto fail;
513 }
514
515 return req->async[req->num_async-1];
516
517 fail:
518 TALLOC_FREE(req->async[req->num_async-1]);
519 req->num_async -= 1;
520 return NULL;
521 }
522
523 /**
524 * @brief prepare a cli_state to accept a chain of requests
525 * @param[in] cli The cli_state we want to queue up in
526 * @param[in] ev The event_context that will call us back for the socket
527 * @param[in] size_hint How many bytes are expected, just an optimization
528 * @retval Did we have enough memory?
529 *
530 * cli_chain_cork() sets up a new cli_request in cli->chain_accumulator. If
531 * cli is used in an async fashion, i.e. if we have outstanding requests, then
532 * we do not have to create a fd event. If cli is used only with the sync
533 * helpers, we need to create the fd_event here.
534 *
535 * If you want to issue a chained request to the server, do a
536 * cli_chain_cork(), then do you cli_open_send(), cli_read_and_x_send(),
537 * cli_close_send() and so on. The async requests that come out of
538 * cli_xxx_send() are normal async requests with the difference that they
539 * won't be shipped individually. But the event_context will still trigger the
540 * req->async.fn to be called on every single request.
541 *
542 * You have to take care yourself that you only issue chainable requests in
543 * the middle of the chain.
544 */
545
546 bool cli_chain_cork(struct cli_state *cli, struct event_context *ev,
547 size_t size_hint)
548 {
549 struct cli_request *req = NULL;
550
551 SMB_ASSERT(cli->chain_accumulator == NULL);
552
553 if (cli->fd == -1) {
554 DEBUG(10, ("cli->fd closed\n"));
555 return false;
556 }
557
558 if (cli->fd_event == NULL) {
559 SMB_ASSERT(cli->outstanding_requests == NULL);
560 cli->fd_event = event_add_fd(ev, cli, cli->fd,
561 EVENT_FD_READ,
562 cli_state_handler, cli);
563 if (cli->fd_event == NULL) {
564 return false;
565 }
566 }
567
568 req = talloc(cli, struct cli_request);
569 if (req == NULL) {
570 goto fail;
571 }
572 req->cli = cli;
573
574 if (size_hint == 0) {
575 size_hint = 100;
576 }
577 req->outbuf = talloc_array(req, uint8_t, smb_wct + size_hint);
578 if (req->outbuf == NULL) {
579 goto fail;
580 }
581 req->outbuf = TALLOC_REALLOC_ARRAY(NULL, req->outbuf, uint8_t,
582 smb_wct);
583
584 req->num_async = 0;
585 req->async = NULL;
586
587 req->enc_state = NULL;
588 req->recv_helper.fn = NULL;
589
590 SSVAL(req->outbuf, smb_tid, cli->cnum);
591 cli_setup_packet_buf(cli, (char *)req->outbuf);
592
593 req->mid = cli_new_mid(cli);
594
595 cli->chain_accumulator = req;
596
597 DEBUG(10, ("cli_chain_cork: mid=%d\n", req->mid));
598
599 return true;
600 fail:
601 TALLOC_FREE(req);
602 if (cli->outstanding_requests == NULL) {
603 TALLOC_FREE(cli->fd_event);
604 }
605 return false;
606 }
607
608 /**
609 * Ship a request queued up via cli_request_chain()
610 * @param[in] cl The connection
611 */
612
613 void cli_chain_uncork(struct cli_state *cli)
614 {
615 struct cli_request *req = cli->chain_accumulator;
616 size_t smblen;
617
618 SMB_ASSERT(req != NULL);
619
620 DLIST_ADD_END(cli->outstanding_requests, req, struct cli_request *);
621 talloc_set_destructor(req, cli_request_destructor);
622
623 cli->chain_accumulator = NULL;
624
625 SSVAL(req->outbuf, smb_mid, req->mid);
626
627 smblen = talloc_get_size(req->outbuf) - 4;
628
629 smb_setlen((char *)req->outbuf, smblen);
630
631 if (smblen > 0x1ffff) {
632 /*
633 * This is a POSIX 14 word large write. Overwrite just the
634 * size field, the '0xFFSMB' has been set by smb_setlen which
635 * _smb_setlen_large does not do.
636 */
637 _smb_setlen_large(((char *)req->outbuf), smblen);
638 }
639
640 cli_calculate_sign_mac(cli, (char *)req->outbuf);
641
642 if (cli_encryption_on(cli)) {
643 NTSTATUS status;
644 char *enc_buf;
645
646 status = cli_encrypt_message(cli, (char *)req->outbuf,
647 &enc_buf);
648 if (!NT_STATUS_IS_OK(status)) {
649 DEBUG(0, ("Error in encrypting client message. "
650 "Error %s\n", nt_errstr(status)));
651 TALLOC_FREE(req);
652 return;
653 }
654 req->outbuf = (uint8_t *)enc_buf;
655 req->enc_state = cli->trans_enc_state;
656 }
657
658 req->sent = 0;
659
660 event_fd_set_writeable(cli->fd_event);
661 }
662
663 /**
664 * @brief Send a request to the server
665 * @param[in] mem_ctx The TALLOC_CTX for the result
666 * @param[in] ev The event context that will call us back
667 * @param[in] cli The cli_state we queue the request up for
668 * @param[in] smb_command The command that we want to issue
669 * @param[in] additional_flags open_and_x wants to add oplock header flags
670 * @param[in] wct How many words?
671 * @param[in] vwv The words, already in network order
672 * @param[in] bytes_alignment How shall we align "bytes"?
673 * @param[in] num_bytes How many bytes?
674 * @param[in] bytes The data the request ships
675 *
676 * This is the generic routine to be used by the cli_xxx_send routines.
677 */
678
679 struct async_req *cli_request_send(TALLOC_CTX *mem_ctx,
680 struct event_context *ev,
681 struct cli_state *cli,
682 uint8_t smb_command,
683 uint8_t additional_flags,
684 uint8_t wct, const uint16_t *vwv,
685 size_t bytes_alignment,
686 uint32_t num_bytes, const uint8_t *bytes)
687 {
688 struct async_req *result;
689 bool uncork = false;
690
691 if (cli->chain_accumulator == NULL) {
692 if (!cli_chain_cork(cli, ev,
693 wct * sizeof(uint16_t) + num_bytes + 3)) {
694 DEBUG(1, ("cli_chain_cork failed\n"));
695 return NULL;
696 }
697 uncork = true;
698 }
699
700 result = cli_request_chain(mem_ctx, ev, cli, smb_command,
701 additional_flags, wct, vwv, bytes_alignment,
702 num_bytes, bytes);
703
704 if (result == NULL) {
705 DEBUG(1, ("cli_request_chain failed\n"));
706 }
707
708 if (uncork) {
709 cli_chain_uncork(cli);
710 }
711
712 return result;
713 }
714
715 /**
716 * Calculate the current ofs to wct for requests like write&x
717 * @param[in] req The smb request we're currently building
718 * @retval how many bytes offset have we accumulated?
719 */
720
721 uint16_t cli_wct_ofs(const struct cli_state *cli)
722 {
723 size_t buf_size;
724
725 if (cli->chain_accumulator == NULL) {
726 return smb_wct - 4;
727 }
728
729 buf_size = talloc_get_size(cli->chain_accumulator->outbuf);
730
731 if (buf_size == smb_wct) {
732 return smb_wct - 4;
733 }
734
735 /*
736 * Add alignment for subsequent requests
737 */
738
739 if ((buf_size % 4) != 0) {
740 buf_size += (4 - (buf_size % 4));
741 }
742
743 return buf_size - 4;
744 }
745
746 /**
747 * Figure out if there is an andx command behind the current one
748 * @param[in] buf The smb buffer to look at
749 * @param[in] ofs The offset to the wct field that is followed by the cmd
750 * @retval Is there a command following?
751 */
752
753 static bool have_andx_command(const char *buf, uint16_t ofs)
754 {
755 uint8_t wct;
756 size_t buflen = talloc_get_size(buf);
757
758 if ((ofs == buflen-1) || (ofs == buflen)) {
759 return false;
760 }
761
762 wct = CVAL(buf, ofs);
763 if (wct < 2) {
764 /*
765 * Not enough space for the command and a following pointer
766 */
767 return false;
768 }
769 return (CVAL(buf, ofs+1) != 0xff);
770 }
771
772 /**
773 * @brief Pull reply data out of a request
774 * @param[in] req The request that we just received a reply for
775 * @param[out] pwct How many words did the server send?
776 * @param[out] pvwv The words themselves
777 * @param[out] pnum_bytes How many bytes did the server send?
778 * @param[out] pbytes The bytes themselves
779 * @retval Was the reply formally correct?
780 */
781
782 NTSTATUS cli_pull_reply(struct async_req *req,
783 uint8_t *pwct, uint16_t **pvwv,
784 uint16_t *pnum_bytes, uint8_t **pbytes)
785 {
786 struct cli_request *cli_req = talloc_get_type_abort(
787 req->private_data, struct cli_request);
788 uint8_t wct, cmd;
789 uint16_t num_bytes;
790 size_t wct_ofs, bytes_offset;
791 int i, j;
792 NTSTATUS status;
793
794 for (i = 0; i < cli_req->num_async; i++) {
795 if (req == cli_req->async[i]) {
796 break;
797 }
798 }
799
800 if (i == cli_req->num_async) {
801 cli_set_error(cli_req->cli, NT_STATUS_INVALID_PARAMETER);
802 return NT_STATUS_INVALID_PARAMETER;
803 }
804
805 /**
806 * The status we pull here is only relevant for the last reply in the
807 * chain.
808 */
809
810 status = cli_pull_error(cli_req->inbuf);
811
812 if (i == 0) {
813 if (NT_STATUS_IS_ERR(status)
814 && !have_andx_command(cli_req->inbuf, smb_wct)) {
815 cli_set_error(cli_req->cli, status);
816 return status;
817 }
818 wct_ofs = smb_wct;
819 goto done;
820 }
821
822 cmd = CVAL(cli_req->inbuf, smb_com);
823 wct_ofs = smb_wct;
824
825 for (j = 0; j < i; j++) {
826 if (j < i-1) {
827 if (cmd == 0xff) {
828 return NT_STATUS_REQUEST_ABORTED;
829 }
830 if (!is_andx_req(cmd)) {
831 return NT_STATUS_INVALID_NETWORK_RESPONSE;
832 }
833 }
834
835 if (!have_andx_command(cli_req->inbuf, wct_ofs)) {
836 /*
837 * This request was not completed because a previous
838 * request in the chain had received an error.
839 */
840 return NT_STATUS_REQUEST_ABORTED;
841 }
842
843 wct_ofs = SVAL(cli_req->inbuf, wct_ofs + 3);
844
845 /*
846 * Skip the all-present length field. No overflow, we've just
847 * put a 16-bit value into a size_t.
848 */
849 wct_ofs += 4;
850
851 if (wct_ofs+2 > talloc_get_size(cli_req->inbuf)) {
852 return NT_STATUS_INVALID_NETWORK_RESPONSE;
853 }
854
855 cmd = CVAL(cli_req->inbuf, wct_ofs + 1);
856 }
857
858 if (!have_andx_command(cli_req->inbuf, wct_ofs)
859 && NT_STATUS_IS_ERR(status)) {
860 /*
861 * The last command takes the error code. All further commands
862 * down the requested chain will get a
863 * NT_STATUS_REQUEST_ABORTED.
864 */
865 return status;
866 }
867
868 done:
869 wct = CVAL(cli_req->inbuf, wct_ofs);
870
871 bytes_offset = wct_ofs + 1 + wct * sizeof(uint16_t);
872 num_bytes = SVAL(cli_req->inbuf, bytes_offset);
873
874 /*
875 * wct_ofs is a 16-bit value plus 4, wct is a 8-bit value, num_bytes
876 * is a 16-bit value. So bytes_offset being size_t should be far from
877 * wrapping.
878 */
879
880 if ((bytes_offset + 2 > talloc_get_size(cli_req->inbuf))
881 || (bytes_offset > 0xffff)) {
882 return NT_STATUS_INVALID_NETWORK_RESPONSE;
883 }
884
885 *pwct = wct;
886 *pvwv = (uint16_t *)(cli_req->inbuf + wct_ofs + 1);
887 *pnum_bytes = num_bytes;
888 *pbytes = (uint8_t *)cli_req->inbuf + bytes_offset + 2;
889
890 return NT_STATUS_OK;
891 }
892
893 /**
894 * Decrypt a PDU, check the signature
895 * @param[in] cli The cli_state that received something
896 * @param[in] pdu The incoming bytes
897 * @retval error code
898 */
899
900
901 static NTSTATUS validate_smb_crypto(struct cli_state *cli, char *pdu)
902 {
903 NTSTATUS status;
904
905 if ((IVAL(pdu, 4) != 0x424d53ff) /* 0xFF"SMB" */
906 && (SVAL(pdu, 4) != 0x45ff)) /* 0xFF"E" */ {
907 DEBUG(10, ("Got non-SMB PDU\n"));
908 return NT_STATUS_INVALID_NETWORK_RESPONSE;
909 }
910
911 if (cli_encryption_on(cli) && CVAL(pdu, 0) == 0) {
912 uint16_t enc_ctx_num;
913
914 status = get_enc_ctx_num((uint8_t *)pdu, &enc_ctx_num);
915 if (!NT_STATUS_IS_OK(status)) {
916 DEBUG(10, ("get_enc_ctx_num returned %s\n",
917 nt_errstr(status)));
918 return status;
919 }
920
921 if (enc_ctx_num != cli->trans_enc_state->enc_ctx_num) {
922 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
923 enc_ctx_num,
924 cli->trans_enc_state->enc_ctx_num));
925 return NT_STATUS_INVALID_HANDLE;
926 }
927
928 status = common_decrypt_buffer(cli->trans_enc_state, pdu);
929 if (!NT_STATUS_IS_OK(status)) {
930 DEBUG(10, ("common_decrypt_buffer returned %s\n",
931 nt_errstr(status)));
932 return status;
933 }
934 }
935
936 if (!cli_check_sign_mac(cli, pdu)) {
937 DEBUG(10, ("cli_check_sign_mac failed\n"));
938 close(cli->fd);
939 cli->fd = -1;
940 return NT_STATUS_ACCESS_DENIED;
941 }
942
943 return NT_STATUS_OK;
944 }
945
946 /**
947 * A PDU has arrived on cli->evt_inbuf
948 * @param[in] cli The cli_state that received something
949 */
950
951 static void handle_incoming_pdu(struct cli_state *cli)
952 {
953 struct cli_request *req, *next;
954 uint16_t mid;
955 size_t raw_pdu_len, buf_len, pdu_len, rest_len;
956 char *pdu;
957 int i;
958 NTSTATUS status;
959
960 int num_async;
961
962 /*
963 * The encrypted PDU len might differ from the unencrypted one
964 */
965 raw_pdu_len = smb_len(cli->evt_inbuf) + 4;
966 buf_len = talloc_get_size(cli->evt_inbuf);
967 rest_len = buf_len - raw_pdu_len;
968
969 if (buf_len == raw_pdu_len) {
970 /*
971 * Optimal case: Exactly one PDU was in the socket buffer
972 */
973 pdu = cli->evt_inbuf;
974 cli->evt_inbuf = NULL;
975 }
976 else {
977 DEBUG(11, ("buf_len = %d, raw_pdu_len = %d, splitting "
978 "buffer\n", (int)buf_len, (int)raw_pdu_len));
979
980 if (raw_pdu_len < rest_len) {
981 /*
982 * The PDU is shorter, talloc_memdup that one.
983 */
984 pdu = (char *)talloc_memdup(
985 cli, cli->evt_inbuf, raw_pdu_len);
986
987 memmove(cli->evt_inbuf, cli->evt_inbuf + raw_pdu_len,
988 buf_len - raw_pdu_len);
989
990 cli->evt_inbuf = TALLOC_REALLOC_ARRAY(
991 NULL, cli->evt_inbuf, char, rest_len);
992
993 if (pdu == NULL) {
994 status = NT_STATUS_NO_MEMORY;
995 goto invalidate_requests;
996 }
997 }
998 else {
999 /*
1000 * The PDU is larger than the rest, talloc_memdup the
1001 * rest
1002 */
1003 pdu = cli->evt_inbuf;
1004
1005 cli->evt_inbuf = (char *)talloc_memdup(
1006 cli, pdu + raw_pdu_len, rest_len);
1007
1008 if (cli->evt_inbuf == NULL) {
1009 status = NT_STATUS_NO_MEMORY;
1010 goto invalidate_requests;
1011 }
1012 }
1013 }
1014
1015 if ((raw_pdu_len == 4) && (CVAL(pdu, 0) == SMBkeepalive)) {
1016 DEBUG(10, ("Got keepalive\n"));
1017 TALLOC_FREE(pdu);
1018 return;
1019 }
1020
1021 status = validate_smb_crypto(cli, pdu);
1022 if (!NT_STATUS_IS_OK(status)) {
1023 goto invalidate_requests;
1024 }
1025
1026 mid = SVAL(pdu, smb_mid);
1027
1028 DEBUG(10, ("handle_incoming_pdu: got mid %d\n", mid));
1029
1030 for (req = cli->outstanding_requests; req; req = req->next) {
1031 if (req->mid == mid) {
1032 break;
1033 }
1034 }
1035
1036 pdu_len = smb_len(pdu) + 4;
1037
1038 if (req == NULL) {
1039 DEBUG(3, ("Request for mid %d not found, dumping PDU\n", mid));
1040
1041 TALLOC_FREE(pdu);
1042 return;
1043 }
1044
1045 req->inbuf = talloc_move(req, &pdu);
1046
1047 /*
1048 * Freeing the last async_req will free the req (see
1049 * cli_async_req_destructor). So make a copy of req->num_async, we
1050 * can't reference it in the last round.
1051 */
1052
1053 num_async = req->num_async;
1054
1055 for (i=0; i<num_async; i++) {
1056 /**
1057 * A request might have been talloc_free()'ed before we arrive
1058 * here. It will have removed itself from req->async via its
1059 * destructor cli_async_req_destructor().
1060 */
1061 if (req->async[i] != NULL) {
1062 if (req->recv_helper.fn != NULL) {
1063 req->recv_helper.fn(req->async[i]);
1064 } else {
1065 async_req_done(req->async[i]);
1066 }
1067 }
1068 }
1069 return;
1070
1071 invalidate_requests:
1072
1073 DEBUG(10, ("handle_incoming_pdu: Aborting with %s\n",
1074 nt_errstr(status)));
1075
1076 for (req = cli->outstanding_requests; req; req = next) {
1077 next = req->next;
1078 if (req->num_async) {
1079 async_req_nterror(req->async[0], status);
1080 }
1081 }
1082 return;
1083 }
1084
1085 /**
1086 * fd event callback. This is the basic connection to the socket
1087 * @param[in] event_ctx The event context that called us
1088 * @param[in] event The event that fired
1089 * @param[in] flags EVENT_FD_READ | EVENT_FD_WRITE
1090 * @param[in] p private_data, in this case the cli_state
1091 */
1092
1093 static void cli_state_handler(struct event_context *event_ctx,
1094 struct fd_event *event, uint16 flags, void *p)
1095 {
1096 struct cli_state *cli = (struct cli_state *)p;
1097 struct cli_request *req, *next;
1098 NTSTATUS status;
1099
1100 DEBUG(11, ("cli_state_handler called with flags %d\n", flags));
1101
1102 if (cli->fd == -1) {
1103 status = NT_STATUS_CONNECTION_INVALID;
1104 goto sock_error;
1105 }
1106
1107 if (flags & EVENT_FD_WRITE) {
1108 size_t to_send;
1109 ssize_t sent;
1110
1111 for (req = cli->outstanding_requests; req; req = req->next) {
1112 to_send = smb_len(req->outbuf)+4;
1113 if (to_send > req->sent) {
1114 break;
1115 }
1116 }
1117
1118 if (req == NULL) {
1119 if (cli->fd_event != NULL) {
1120 event_fd_set_not_writeable(cli->fd_event);
1121 }
1122 return;
1123 }
1124
1125 sent = sys_send(cli->fd, req->outbuf + req->sent,
1126 to_send - req->sent, 0);
1127
1128 if (sent < 0) {
1129 status = map_nt_error_from_unix(errno);
1130 goto sock_error;
1131 }
1132
1133 req->sent += sent;
1134
1135 if (req->sent == to_send) {
1136 return;
1137 }
1138 }
1139
1140 if (flags & EVENT_FD_READ) {
1141 int res, available;
1142 size_t old_size, new_size;
1143 char *tmp;
1144
1145 res = ioctl(cli->fd, FIONREAD, &available);
1146 if (res == -1) {
1147 DEBUG(10, ("ioctl(FIONREAD) failed: %s\n",
1148 strerror(errno)));
1149 status = map_nt_error_from_unix(errno);
1150 goto sock_error;
1151 }
1152
1153 if (available == 0) {
1154 /* EOF */
1155 status = NT_STATUS_END_OF_FILE;
1156 goto sock_error;
1157 }
1158
1159 old_size = talloc_get_size(cli->evt_inbuf);
1160 new_size = old_size + available;
1161
1162 if (new_size < old_size) {
1163 /* wrap */
1164 status = NT_STATUS_UNEXPECTED_IO_ERROR;
1165 goto sock_error;
1166 }
1167
1168 tmp = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf, char,
1169 new_size);
1170 if (tmp == NULL) {
1171 /* nomem */
1172 status = NT_STATUS_NO_MEMORY;
1173 goto sock_error;
1174 }
1175 cli->evt_inbuf = tmp;
1176
1177 res = sys_recv(cli->fd, cli->evt_inbuf + old_size, available, 0);
1178 if (res == -1) {
1179 DEBUG(10, ("recv failed: %s\n", strerror(errno)));
1180 status = map_nt_error_from_unix(errno);
1181 goto sock_error;
1182 }
1183
1184 DEBUG(11, ("cli_state_handler: received %d bytes, "
1185 "smb_len(evt_inbuf) = %d\n", (int)res,
1186 smb_len(cli->evt_inbuf)));
1187
1188 /* recv *might* have returned less than announced */
1189 new_size = old_size + res;
1190
1191 /* shrink, so I don't expect errors here */
1192 cli->evt_inbuf = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf,
1193 char, new_size);
1194
1195 while ((cli->evt_inbuf != NULL)
1196 && ((smb_len(cli->evt_inbuf) + 4) <= new_size)) {
1197 /*
1198 * we've got a complete NBT level PDU in evt_inbuf
1199 */
1200 handle_incoming_pdu(cli);
1201 new_size = talloc_get_size(cli->evt_inbuf);
1202 }
1203 }
1204
1205 return;
1206
1207 sock_error:
1208
1209 for (req = cli->outstanding_requests; req; req = next) {
1210 int i, num_async;
1211
1212 next = req->next;
1213 num_async = req->num_async;
1214
1215 for (i=0; i<num_async; i++) {
1216 async_req_nterror(req->async[i], status);
1217 }
1218 }
1219 TALLOC_FREE(cli->fd_event);
1220 if (cli->fd != -1) {
1221 close(cli->fd);
1222 cli->fd = -1;
1223 }
1224 }
1225
1226
1227 struct cli_session_request_state {
1228 struct tevent_context *ev;
1229 int sock;
1230 uint32 len_hdr;
1231 struct iovec iov[3];
1232 uint8_t nb_session_response;
1233 };
1234
1235 static void cli_session_request_sent(struct tevent_req *subreq);
1236 static void cli_session_request_recvd(struct tevent_req *subreq);
1237
1238 struct tevent_req *cli_session_request_send(TALLOC_CTX *mem_ctx,
1239 struct tevent_context *ev,
1240 int sock,
1241 const struct nmb_name *called,
1242 const struct nmb_name *calling)
1243 {
1244 struct tevent_req *req, *subreq;
1245 struct cli_session_request_state *state;
1246
1247 req = tevent_req_create(mem_ctx, &state,
1248 struct cli_session_request_state);
1249 if (req == NULL) {
1250 return NULL;
1251 }
1252 state->ev = ev;
1253 state->sock = sock;
1254
1255 state->iov[1].iov_base = name_mangle(
1256 state, called->name, called->name_type);
1257 if (tevent_req_nomem(state->iov[1].iov_base, req)) {
1258 return tevent_req_post(req, ev);
1259 }
1260 state->iov[1].iov_len = name_len(
1261 (char *)state->iov[1].iov_base);
1262
1263 state->iov[2].iov_base = name_mangle(
1264 state, calling->name, calling->name_type);
1265 if (tevent_req_nomem(state->iov[2].iov_base, req)) {
1266 return tevent_req_post(req, ev);
1267 }
1268 state->iov[2].iov_len = name_len(
1269 (char *)state->iov[2].iov_base);
1270
1271 _smb_setlen(((char *)&state->len_hdr),
1272 state->iov[1].iov_len + state->iov[2].iov_len);
1273 SCVAL((char *)&state->len_hdr, 0, 0x81);
1274
1275 state->iov[0].iov_base = &state->len_hdr;
1276 state->iov[0].iov_len = sizeof(state->len_hdr);
1277
1278 subreq = writev_send(state, ev, NULL, sock, state->iov, 3);
1279 if (tevent_req_nomem(subreq, req)) {
1280 return tevent_req_post(req, ev);
1281 }
1282 tevent_req_set_callback(subreq, cli_session_request_sent, req);
1283 return req;
1284 }
1285
1286 static void cli_session_request_sent(struct tevent_req *subreq)
1287 {
1288 struct tevent_req *req = tevent_req_callback_data(
1289 subreq, struct tevent_req);
1290 struct cli_session_request_state *state = tevent_req_data(
1291 req, struct cli_session_request_state);
1292 ssize_t ret;
1293 int err;
1294
1295 ret = writev_recv(subreq, &err);
1296 TALLOC_FREE(subreq);
1297 if (ret == -1) {
1298 tevent_req_error(req, err);
1299 return;
1300 }
1301 subreq = read_smb_send(state, state->ev, state->sock);
1302 if (tevent_req_nomem(subreq, req)) {
1303 return;
1304 }
1305 tevent_req_set_callback(subreq, cli_session_request_recvd, req);
1306 }
1307
1308 static void cli_session_request_recvd(struct tevent_req *subreq)
1309 {
1310 struct tevent_req *req = tevent_req_callback_data(
1311 subreq, struct tevent_req);
1312 struct cli_session_request_state *state = tevent_req_data(
1313 req, struct cli_session_request_state);
1314 uint8_t *buf;
1315 ssize_t ret;
1316 int err;
1317
1318 ret = read_smb_recv(subreq, talloc_tos(), &buf, &err);
1319 TALLOC_FREE(subreq);
1320
1321 if (ret < 4) {
1322 ret = -1;
1323 err = EIO;
1324 }
1325 if (ret == -1) {
1326 tevent_req_error(req, err);
1327 return;
1328 }
1329 /*
1330 * In case of an error there is more information in the data
1331 * portion according to RFC1002. We're not subtle enough to
1332 * respond to the different error conditions, so drop the
1333 * error info here.
1334 */
1335 state->nb_session_response = CVAL(buf, 0);
1336 tevent_req_done(req);
1337 }
1338
1339 bool cli_session_request_recv(struct tevent_req *req, int *err, uint8_t *resp)
1340 {
1341 struct cli_session_request_state *state = tevent_req_data(
1342 req, struct cli_session_request_state);
1343
1344 if (tevent_req_is_unix_error(req, err)) {
1345 return false;
1346 }
1347 *resp = state->nb_session_response;
1348 return true;
1349 }
Samba GIT mirror