search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Ensure we do pathname processing before SD and EA processing in NTTRANS_CREATE.
[Samba.git] / source3 / smbd / nttrans.c
blobee0deb8cbeb08ffce250ab4cd30a96747d1b2fcd
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT transaction handling
4 Copyright (C) Jeremy Allison 1994-2007
5 Copyright (C) Stefan (metze) Metzmacher 2003
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/filesys.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "fake_file.h"
26 #include "../libcli/security/security.h"
27 #include "../librpc/gen_ndr/ndr_security.h"
28 #include "passdb/lookup_sid.h"
29 #include "auth.h"
30 #include "smbprofile.h"
31 #include "libsmb/libsmb.h"
32
33 extern const struct generic_mapping file_generic_mapping;
34
35 static char *nttrans_realloc(char **ptr, size_t size)
36 {
37 if (ptr==NULL) {
38 smb_panic("nttrans_realloc() called with NULL ptr");
39 }
40
41 *ptr = (char *)SMB_REALLOC(*ptr, size);
42 if(*ptr == NULL) {
43 return NULL;
44 }
45 memset(*ptr,'\0',size);
46 return *ptr;
47 }
48
49 /****************************************************************************
50 Send the required number of replies back.
51 We assume all fields other than the data fields are
52 set correctly for the type of call.
53 HACK ! Always assumes smb_setup field is zero.
54 ****************************************************************************/
55
56 static void send_nt_replies(connection_struct *conn,
57 struct smb_request *req, NTSTATUS nt_error,
58 char *params, int paramsize,
59 char *pdata, int datasize)
60 {
61 int data_to_send = datasize;
62 int params_to_send = paramsize;
63 int useable_space;
64 char *pp = params;
65 char *pd = pdata;
66 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
67 int alignment_offset = 1;
68 int data_alignment_offset = 0;
69 struct smbd_server_connection *sconn = req->sconn;
70 int max_send = sconn->smb1.sessions.max_send;
71
72 /*
73 * If there genuinely are no parameters or data to send just send
74 * the empty packet.
75 */
76
77 if(params_to_send == 0 && data_to_send == 0) {
78 reply_outbuf(req, 18, 0);
79 if (NT_STATUS_V(nt_error)) {
80 error_packet_set((char *)req->outbuf,
81 0, 0, nt_error,
82 __LINE__,__FILE__);
83 }
84 show_msg((char *)req->outbuf);
85 if (!srv_send_smb(sconn,
86 (char *)req->outbuf,
87 true, req->seqnum+1,
88 IS_CONN_ENCRYPTED(conn),
89 &req->pcd)) {
90 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
91 }
92 TALLOC_FREE(req->outbuf);
93 return;
94 }
95
96 /*
97 * When sending params and data ensure that both are nicely aligned.
98 * Only do this alignment when there is also data to send - else
99 * can cause NT redirector problems.
100 */
101
102 if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
103 data_alignment_offset = 4 - (params_to_send % 4);
104 }
105
106 /*
107 * Space is bufsize minus Netbios over TCP header minus SMB header.
108 * The alignment_offset is to align the param bytes on a four byte
109 * boundary (2 bytes for data len, one byte pad).
110 * NT needs this to work correctly.
111 */
112
113 useable_space = max_send - (smb_size
114 + 2 * 18 /* wct */
115 + alignment_offset
116 + data_alignment_offset);
117
118 if (useable_space < 0) {
119 char *msg = talloc_asprintf(
120 talloc_tos(),
121 "send_nt_replies failed sanity useable_space = %d!!!",
122 useable_space);
123 DEBUG(0, ("%s\n", msg));
124 exit_server_cleanly(msg);
125 }
126
127 while (params_to_send || data_to_send) {
128
129 /*
130 * Calculate whether we will totally or partially fill this packet.
131 */
132
133 total_sent_thistime = params_to_send + data_to_send;
134
135 /*
136 * We can never send more than useable_space.
137 */
138
139 total_sent_thistime = MIN(total_sent_thistime, useable_space);
140
141 reply_outbuf(req, 18,
142 total_sent_thistime + alignment_offset
143 + data_alignment_offset);
144
145 /*
146 * Set total params and data to be sent.
147 */
148
149 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
150 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
151
152 /*
153 * Calculate how many parameters and data we can fit into
154 * this packet. Parameters get precedence.
155 */
156
157 params_sent_thistime = MIN(params_to_send,useable_space);
158 data_sent_thistime = useable_space - params_sent_thistime;
159 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
160
161 SIVAL(req->outbuf, smb_ntr_ParameterCount,
162 params_sent_thistime);
163
164 if(params_sent_thistime == 0) {
165 SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
166 SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
167 } else {
168 /*
169 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
170 * parameter bytes, however the first 4 bytes of outbuf are
171 * the Netbios over TCP header. Thus use smb_base() to subtract
172 * them from the calculation.
173 */
174
175 SIVAL(req->outbuf,smb_ntr_ParameterOffset,
176 ((smb_buf(req->outbuf)+alignment_offset)
177 - smb_base(req->outbuf)));
178 /*
179 * Absolute displacement of param bytes sent in this packet.
180 */
181
182 SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
183 pp - params);
184 }
185
186 /*
187 * Deal with the data portion.
188 */
189
190 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
191
192 if(data_sent_thistime == 0) {
193 SIVAL(req->outbuf,smb_ntr_DataOffset,0);
194 SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
195 } else {
196 /*
197 * The offset of the data bytes is the offset of the
198 * parameter bytes plus the number of parameters being sent this time.
199 */
200
201 SIVAL(req->outbuf, smb_ntr_DataOffset,
202 ((smb_buf(req->outbuf)+alignment_offset) -
203 smb_base(req->outbuf))
204 + params_sent_thistime + data_alignment_offset);
205 SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
206 }
207
208 /*
209 * Copy the param bytes into the packet.
210 */
211
212 if(params_sent_thistime) {
213 if (alignment_offset != 0) {
214 memset(smb_buf(req->outbuf), 0,
215 alignment_offset);
216 }
217 memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
218 params_sent_thistime);
219 }
220
221 /*
222 * Copy in the data bytes
223 */
224
225 if(data_sent_thistime) {
226 if (data_alignment_offset != 0) {
227 memset((smb_buf(req->outbuf)+alignment_offset+
228 params_sent_thistime), 0,
229 data_alignment_offset);
230 }
231 memcpy(smb_buf(req->outbuf)+alignment_offset
232 +params_sent_thistime+data_alignment_offset,
233 pd,data_sent_thistime);
234 }
235
236 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
237 params_sent_thistime, data_sent_thistime, useable_space));
238 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
239 params_to_send, data_to_send, paramsize, datasize));
240
241 if (NT_STATUS_V(nt_error)) {
242 error_packet_set((char *)req->outbuf,
243 0, 0, nt_error,
244 __LINE__,__FILE__);
245 }
246
247 /* Send the packet */
248 show_msg((char *)req->outbuf);
249 if (!srv_send_smb(sconn,
250 (char *)req->outbuf,
251 true, req->seqnum+1,
252 IS_CONN_ENCRYPTED(conn),
253 &req->pcd)) {
254 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
255 }
256
257 TALLOC_FREE(req->outbuf);
258
259 pp += params_sent_thistime;
260 pd += data_sent_thistime;
261
262 params_to_send -= params_sent_thistime;
263 data_to_send -= data_sent_thistime;
264
265 /*
266 * Sanity check
267 */
268
269 if(params_to_send < 0 || data_to_send < 0) {
270 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
271 params_to_send, data_to_send));
272 exit_server_cleanly("send_nt_replies: internal error");
273 }
274 }
275 }
276
277 /****************************************************************************
278 Reply to an NT create and X call on a pipe
279 ****************************************************************************/
280
281 static void nt_open_pipe(char *fname, connection_struct *conn,
282 struct smb_request *req, uint16_t *ppnum)
283 {
284 files_struct *fsp;
285 NTSTATUS status;
286
287 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
288
289 /* Strip \\ off the name if present. */
290 while (fname[0] == '\\') {
291 fname++;
292 }
293
294 status = open_np_file(req, fname, &fsp);
295 if (!NT_STATUS_IS_OK(status)) {
296 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
297 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
298 ERRDOS, ERRbadpipe);
299 return;
300 }
301 reply_nterror(req, status);
302 return;
303 }
304
305 *ppnum = fsp->fnum;
306 return;
307 }
308
309 /****************************************************************************
310 Reply to an NT create and X call for pipes.
311 ****************************************************************************/
312
313 static void do_ntcreate_pipe_open(connection_struct *conn,
314 struct smb_request *req)
315 {
316 char *fname = NULL;
317 uint16_t pnum = FNUM_FIELD_INVALID;
318 char *p = NULL;
319 uint32 flags = IVAL(req->vwv+3, 1);
320 TALLOC_CTX *ctx = talloc_tos();
321
322 srvstr_pull_req_talloc(ctx, req, &fname, req->buf, STR_TERMINATE);
323
324 if (!fname) {
325 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
326 ERRDOS, ERRbadpipe);
327 return;
328 }
329 nt_open_pipe(fname, conn, req, &pnum);
330
331 if (req->outbuf) {
332 /* error reply */
333 return;
334 }
335
336 /*
337 * Deal with pipe return.
338 */
339
340 if (flags & EXTENDED_RESPONSE_REQUIRED) {
341 /* This is very strange. We
342 * return 50 words, but only set
343 * the wcnt to 42 ? It's definitely
344 * what happens on the wire....
345 */
346 reply_outbuf(req, 50, 0);
347 SCVAL(req->outbuf,smb_wct,42);
348 } else {
349 reply_outbuf(req, 34, 0);
350 }
351
352 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
353 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
354
355 p = (char *)req->outbuf + smb_vwv2;
356 p++;
357 SSVAL(p,0,pnum);
358 p += 2;
359 SIVAL(p,0,FILE_WAS_OPENED);
360 p += 4;
361 p += 32;
362 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
363 p += 20;
364 /* File type. */
365 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
366 /* Device state. */
367 SSVAL(p,2, 0x5FF); /* ? */
368 p += 4;
369
370 if (flags & EXTENDED_RESPONSE_REQUIRED) {
371 p += 25;
372 SIVAL(p,0,FILE_GENERIC_ALL);
373 /*
374 * For pipes W2K3 seems to return
375 * 0x12019B next.
376 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
377 */
378 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
379 }
380
381 DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
382 }
383
384 struct case_semantics_state {
385 connection_struct *conn;
386 bool case_sensitive;
387 bool case_preserve;
388 bool short_case_preserve;
389 };
390
391 /****************************************************************************
392 Restore case semantics.
393 ****************************************************************************/
394
395 static int restore_case_semantics(struct case_semantics_state *state)
396 {
397 state->conn->case_sensitive = state->case_sensitive;
398 state->conn->case_preserve = state->case_preserve;
399 state->conn->short_case_preserve = state->short_case_preserve;
400 return 0;
401 }
402
403 /****************************************************************************
404 Save case semantics.
405 ****************************************************************************/
406
407 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
408 connection_struct *conn)
409 {
410 struct case_semantics_state *result;
411
412 if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
413 return NULL;
414 }
415
416 result->conn = conn;
417 result->case_sensitive = conn->case_sensitive;
418 result->case_preserve = conn->case_preserve;
419 result->short_case_preserve = conn->short_case_preserve;
420
421 /* Set to POSIX. */
422 conn->case_sensitive = True;
423 conn->case_preserve = True;
424 conn->short_case_preserve = True;
425
426 talloc_set_destructor(result, restore_case_semantics);
427
428 return result;
429 }
430
431 /****************************************************************************
432 Reply to an NT create and X call.
433 ****************************************************************************/
434
435 void reply_ntcreate_and_X(struct smb_request *req)
436 {
437 connection_struct *conn = req->conn;
438 struct smb_filename *smb_fname = NULL;
439 char *fname = NULL;
440 uint32 flags;
441 uint32 access_mask;
442 uint32 file_attributes;
443 uint32 share_access;
444 uint32 create_disposition;
445 uint32 create_options;
446 uint16 root_dir_fid;
447 uint64_t allocation_size;
448 /* Breakout the oplock request bits so we can set the
449 reply bits separately. */
450 uint32 fattr=0;
451 off_t file_len = 0;
452 int info = 0;
453 files_struct *fsp = NULL;
454 char *p = NULL;
455 struct timespec create_timespec;
456 struct timespec c_timespec;
457 struct timespec a_timespec;
458 struct timespec m_timespec;
459 struct timespec write_time_ts;
460 NTSTATUS status;
461 int oplock_request;
462 uint8_t oplock_granted = NO_OPLOCK_RETURN;
463 struct case_semantics_state *case_state = NULL;
464 TALLOC_CTX *ctx = talloc_tos();
465
466 START_PROFILE(SMBntcreateX);
467
468 if (req->wct < 24) {
469 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
470 goto out;
471 }
472
473 flags = IVAL(req->vwv+3, 1);
474 access_mask = IVAL(req->vwv+7, 1);
475 file_attributes = IVAL(req->vwv+13, 1);
476 share_access = IVAL(req->vwv+15, 1);
477 create_disposition = IVAL(req->vwv+17, 1);
478 create_options = IVAL(req->vwv+19, 1);
479 root_dir_fid = (uint16)IVAL(req->vwv+5, 1);
480
481 allocation_size = BVAL(req->vwv+9, 1);
482
483 srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf,
484 STR_TERMINATE, &status);
485
486 if (!NT_STATUS_IS_OK(status)) {
487 reply_nterror(req, status);
488 goto out;
489 }
490
491 DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
492 "file_attributes = 0x%x, share_access = 0x%x, "
493 "create_disposition = 0x%x create_options = 0x%x "
494 "root_dir_fid = 0x%x, fname = %s\n",
495 (unsigned int)flags,
496 (unsigned int)access_mask,
497 (unsigned int)file_attributes,
498 (unsigned int)share_access,
499 (unsigned int)create_disposition,
500 (unsigned int)create_options,
501 (unsigned int)root_dir_fid,
502 fname));
503
504 /*
505 * we need to remove ignored bits when they come directly from the client
506 * because we reuse some of them for internal stuff
507 */
508 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
509
510 /*
511 * If it's an IPC, use the pipe handler.
512 */
513
514 if (IS_IPC(conn)) {
515 if (lp_nt_pipe_support()) {
516 do_ntcreate_pipe_open(conn, req);
517 goto out;
518 }
519 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
520 goto out;
521 }
522
523 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
524 if (oplock_request) {
525 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
526 ? BATCH_OPLOCK : 0;
527 }
528
529 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
530 case_state = set_posix_case_semantics(ctx, conn);
531 if (!case_state) {
532 reply_nterror(req, NT_STATUS_NO_MEMORY);
533 goto out;
534 }
535 }
536
537 status = filename_convert(ctx,
538 conn,
539 req->flags2 & FLAGS2_DFS_PATHNAMES,
540 fname,
541 0,
542 NULL,
543 &smb_fname);
544
545 TALLOC_FREE(case_state);
546
547 if (!NT_STATUS_IS_OK(status)) {
548 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
549 reply_botherror(req,
550 NT_STATUS_PATH_NOT_COVERED,
551 ERRSRV, ERRbadpath);
552 goto out;
553 }
554 reply_nterror(req, status);
555 goto out;
556 }
557
558 /*
559 * Bug #6898 - clients using Windows opens should
560 * never be able to set this attribute into the
561 * VFS.
562 */
563 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
564
565 status = SMB_VFS_CREATE_FILE(
566 conn, /* conn */
567 req, /* req */
568 root_dir_fid, /* root_dir_fid */
569 smb_fname, /* fname */
570 access_mask, /* access_mask */
571 share_access, /* share_access */
572 create_disposition, /* create_disposition*/
573 create_options, /* create_options */
574 file_attributes, /* file_attributes */
575 oplock_request, /* oplock_request */
576 allocation_size, /* allocation_size */
577 0, /* private_flags */
578 NULL, /* sd */
579 NULL, /* ea_list */
580 &fsp, /* result */
581 &info); /* pinfo */
582
583 if (!NT_STATUS_IS_OK(status)) {
584 if (open_was_deferred(req->sconn, req->mid)) {
585 /* We have re-scheduled this call, no error. */
586 goto out;
587 }
588 reply_openerror(req, status);
589 goto out;
590 }
591
592 /* Ensure we're pointing at the correct stat struct. */
593 TALLOC_FREE(smb_fname);
594 smb_fname = fsp->fsp_name;
595
596 /*
597 * If the caller set the extended oplock request bit
598 * and we granted one (by whatever means) - set the
599 * correct bit for extended oplock reply.
600 */
601
602 if (oplock_request &&
603 (lp_fake_oplocks(SNUM(conn))
604 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
605
606 /*
607 * Exclusive oplock granted
608 */
609
610 if (flags & REQUEST_BATCH_OPLOCK) {
611 oplock_granted = BATCH_OPLOCK_RETURN;
612 } else {
613 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
614 }
615 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
616 oplock_granted = LEVEL_II_OPLOCK_RETURN;
617 } else {
618 oplock_granted = NO_OPLOCK_RETURN;
619 }
620
621 file_len = smb_fname->st.st_ex_size;
622
623 if (flags & EXTENDED_RESPONSE_REQUIRED) {
624 /* This is very strange. We
625 * return 50 words, but only set
626 * the wcnt to 42 ? It's definitely
627 * what happens on the wire....
628 */
629 reply_outbuf(req, 50, 0);
630 SCVAL(req->outbuf,smb_wct,42);
631 } else {
632 reply_outbuf(req, 34, 0);
633 }
634
635 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
636 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
637
638 p = (char *)req->outbuf + smb_vwv2;
639
640 SCVAL(p, 0, oplock_granted);
641
642 p++;
643 SSVAL(p,0,fsp->fnum);
644 p += 2;
645 if ((create_disposition == FILE_SUPERSEDE)
646 && (info == FILE_WAS_OVERWRITTEN)) {
647 SIVAL(p,0,FILE_WAS_SUPERSEDED);
648 } else {
649 SIVAL(p,0,info);
650 }
651 p += 4;
652
653 fattr = dos_mode(conn, smb_fname);
654 if (fattr == 0) {
655 fattr = FILE_ATTRIBUTE_NORMAL;
656 }
657
658 /* Deal with other possible opens having a modified
659 write time. JRA. */
660 ZERO_STRUCT(write_time_ts);
661 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
662 if (!null_timespec(write_time_ts)) {
663 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
664 }
665
666 /* Create time. */
667 create_timespec = get_create_timespec(conn, fsp, smb_fname);
668 a_timespec = smb_fname->st.st_ex_atime;
669 m_timespec = smb_fname->st.st_ex_mtime;
670 c_timespec = get_change_timespec(conn, fsp, smb_fname);
671
672 if (lp_dos_filetime_resolution(SNUM(conn))) {
673 dos_filetime_timespec(&create_timespec);
674 dos_filetime_timespec(&a_timespec);
675 dos_filetime_timespec(&m_timespec);
676 dos_filetime_timespec(&c_timespec);
677 }
678
679 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
680 p += 8;
681 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
682 p += 8;
683 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
684 p += 8;
685 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
686 p += 8;
687 SIVAL(p,0,fattr); /* File Attributes. */
688 p += 4;
689 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn,fsp,&smb_fname->st));
690 p += 8;
691 SOFF_T(p,0,file_len);
692 p += 8;
693 if (flags & EXTENDED_RESPONSE_REQUIRED) {
694 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
695 size_t num_names = 0;
696 unsigned int num_streams = 0;
697 struct stream_struct *streams = NULL;
698
699 /* Do we have any EA's ? */
700 status = get_ea_names_from_file(ctx, conn, fsp,
701 smb_fname->base_name, NULL, &num_names);
702 if (NT_STATUS_IS_OK(status) && num_names) {
703 file_status &= ~NO_EAS;
704 }
705 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
706 &num_streams, &streams);
707 /* There is always one stream, ::$DATA. */
708 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
709 file_status &= ~NO_SUBSTREAMS;
710 }
711 TALLOC_FREE(streams);
712 SSVAL(p,2,file_status);
713 }
714 p += 4;
715 SCVAL(p,0,fsp->is_directory ? 1 : 0);
716
717 if (flags & EXTENDED_RESPONSE_REQUIRED) {
718 uint32 perms = 0;
719 p += 25;
720 if (fsp->is_directory ||
721 can_write_to_file(conn, smb_fname)) {
722 perms = FILE_GENERIC_ALL;
723 } else {
724 perms = FILE_GENERIC_READ|FILE_EXECUTE;
725 }
726 SIVAL(p,0,perms);
727 }
728
729 DEBUG(5,("reply_ntcreate_and_X: %s, open name = %s\n",
730 fsp_fnum_dbg(fsp), smb_fname_str_dbg(smb_fname)));
731
732 out:
733 END_PROFILE(SMBntcreateX);
734 return;
735 }
736
737 /****************************************************************************
738 Reply to a NT_TRANSACT_CREATE call to open a pipe.
739 ****************************************************************************/
740
741 static void do_nt_transact_create_pipe(connection_struct *conn,
742 struct smb_request *req,
743 uint16 **ppsetup, uint32 setup_count,
744 char **ppparams, uint32 parameter_count,
745 char **ppdata, uint32 data_count)
746 {
747 char *fname = NULL;
748 char *params = *ppparams;
749 uint16_t pnum = FNUM_FIELD_INVALID;
750 char *p = NULL;
751 NTSTATUS status;
752 size_t param_len;
753 uint32 flags;
754 TALLOC_CTX *ctx = talloc_tos();
755
756 /*
757 * Ensure minimum number of parameters sent.
758 */
759
760 if(parameter_count < 54) {
761 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
762 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
763 return;
764 }
765
766 flags = IVAL(params,0);
767
768 srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
769 parameter_count-53, STR_TERMINATE,
770 &status);
771 if (!NT_STATUS_IS_OK(status)) {
772 reply_nterror(req, status);
773 return;
774 }
775
776 nt_open_pipe(fname, conn, req, &pnum);
777
778 if (req->outbuf) {
779 /* Error return */
780 return;
781 }
782
783 /* Realloc the size of parameters and data we will return */
784 if (flags & EXTENDED_RESPONSE_REQUIRED) {
785 /* Extended response is 32 more byyes. */
786 param_len = 101;
787 } else {
788 param_len = 69;
789 }
790 params = nttrans_realloc(ppparams, param_len);
791 if(params == NULL) {
792 reply_nterror(req, NT_STATUS_NO_MEMORY);
793 return;
794 }
795
796 p = params;
797 SCVAL(p,0,NO_OPLOCK_RETURN);
798
799 p += 2;
800 SSVAL(p,0,pnum);
801 p += 2;
802 SIVAL(p,0,FILE_WAS_OPENED);
803 p += 8;
804
805 p += 32;
806 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
807 p += 20;
808 /* File type. */
809 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
810 /* Device state. */
811 SSVAL(p,2, 0x5FF); /* ? */
812 p += 4;
813
814 if (flags & EXTENDED_RESPONSE_REQUIRED) {
815 p += 25;
816 SIVAL(p,0,FILE_GENERIC_ALL);
817 /*
818 * For pipes W2K3 seems to return
819 * 0x12019B next.
820 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
821 */
822 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
823 }
824
825 DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
826
827 /* Send the required number of replies */
828 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
829
830 return;
831 }
832
833 /*********************************************************************
834 Windows seems to do canonicalization of inheritance bits. Do the
835 same.
836 *********************************************************************/
837
838 static void canonicalize_inheritance_bits(struct security_descriptor *psd)
839 {
840 bool set_auto_inherited = false;
841
842 /*
843 * We need to filter out the
844 * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
845 * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
846 * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
847 * when an ACE is inherited. Otherwise we zero these bits out.
848 * See:
849 *
850 * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
851 *
852 * for details.
853 */
854
855 if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
856 == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
857 set_auto_inherited = true;
858 }
859
860 psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
861 if (set_auto_inherited) {
862 psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
863 }
864 }
865
866 /****************************************************************************
867 Internal fn to set security descriptors.
868 ****************************************************************************/
869
870 NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
871 uint32_t security_info_sent)
872 {
873 NTSTATUS status;
874
875 if (!CAN_WRITE(fsp->conn)) {
876 return NT_STATUS_ACCESS_DENIED;
877 }
878
879 if (!lp_nt_acl_support(SNUM(fsp->conn))) {
880 return NT_STATUS_OK;
881 }
882
883 if (psd->owner_sid == NULL) {
884 security_info_sent &= ~SECINFO_OWNER;
885 }
886 if (psd->group_sid == NULL) {
887 security_info_sent &= ~SECINFO_GROUP;
888 }
889
890 /* Ensure we have at least one thing set. */
891 if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
892 /* Just like W2K3 */
893 return NT_STATUS_OK;
894 }
895
896 /* Ensure we have the rights to do this. */
897 if (security_info_sent & SECINFO_OWNER) {
898 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
899 return NT_STATUS_ACCESS_DENIED;
900 }
901 }
902
903 if (security_info_sent & SECINFO_GROUP) {
904 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
905 return NT_STATUS_ACCESS_DENIED;
906 }
907 }
908
909 if (security_info_sent & SECINFO_DACL) {
910 if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
911 return NT_STATUS_ACCESS_DENIED;
912 }
913 /* Convert all the generic bits. */
914 if (psd->dacl) {
915 security_acl_map_generic(psd->dacl, &file_generic_mapping);
916 }
917 }
918
919 if (security_info_sent & SECINFO_SACL) {
920 if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
921 return NT_STATUS_ACCESS_DENIED;
922 }
923 /* Convert all the generic bits. */
924 if (psd->sacl) {
925 security_acl_map_generic(psd->sacl, &file_generic_mapping);
926 }
927 }
928
929 canonicalize_inheritance_bits(psd);
930
931 if (DEBUGLEVEL >= 10) {
932 DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
933 NDR_PRINT_DEBUG(security_descriptor, psd);
934 }
935
936 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
937
938 TALLOC_FREE(psd);
939
940 return status;
941 }
942
943 /****************************************************************************
944 Internal fn to set security descriptors from a data blob.
945 ****************************************************************************/
946
947 NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
948 uint32_t security_info_sent)
949 {
950 struct security_descriptor *psd = NULL;
951 NTSTATUS status;
952
953 if (sd_len == 0) {
954 return NT_STATUS_INVALID_PARAMETER;
955 }
956
957 status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
958
959 if (!NT_STATUS_IS_OK(status)) {
960 return status;
961 }
962
963 return set_sd(fsp, psd, security_info_sent);
964 }
965
966 /****************************************************************************
967 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
968 ****************************************************************************/
969
970 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
971 {
972 struct ea_list *ea_list_head = NULL;
973 size_t offset = 0;
974
975 if (data_size < 4) {
976 return NULL;
977 }
978
979 while (offset + 4 <= data_size) {
980 size_t next_offset = IVAL(pdata,offset);
981 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
982
983 if (!eal) {
984 return NULL;
985 }
986
987 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
988 if (next_offset == 0) {
989 break;
990 }
991
992 /* Integer wrap protection for the increment. */
993 if (offset + next_offset < offset) {
994 break;
995 }
996
997 offset += next_offset;
998
999 /* Integer wrap protection for while loop. */
1000 if (offset + 4 < offset) {
1001 break;
1002 }
1003
1004 }
1005
1006 return ea_list_head;
1007 }
1008
1009 /****************************************************************************
1010 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1011 ****************************************************************************/
1012
1013 static void call_nt_transact_create(connection_struct *conn,
1014 struct smb_request *req,
1015 uint16 **ppsetup, uint32 setup_count,
1016 char **ppparams, uint32 parameter_count,
1017 char **ppdata, uint32 data_count,
1018 uint32 max_data_count)
1019 {
1020 struct smb_filename *smb_fname = NULL;
1021 char *fname = NULL;
1022 char *params = *ppparams;
1023 char *data = *ppdata;
1024 /* Breakout the oplock request bits so we can set the reply bits separately. */
1025 uint32 fattr=0;
1026 off_t file_len = 0;
1027 int info = 0;
1028 files_struct *fsp = NULL;
1029 char *p = NULL;
1030 uint32 flags;
1031 uint32 access_mask;
1032 uint32 file_attributes;
1033 uint32 share_access;
1034 uint32 create_disposition;
1035 uint32 create_options;
1036 uint32 sd_len;
1037 struct security_descriptor *sd = NULL;
1038 uint32 ea_len;
1039 uint16 root_dir_fid;
1040 struct timespec create_timespec;
1041 struct timespec c_timespec;
1042 struct timespec a_timespec;
1043 struct timespec m_timespec;
1044 struct timespec write_time_ts;
1045 struct ea_list *ea_list = NULL;
1046 NTSTATUS status;
1047 size_t param_len;
1048 uint64_t allocation_size;
1049 int oplock_request;
1050 uint8_t oplock_granted;
1051 struct case_semantics_state *case_state = NULL;
1052 TALLOC_CTX *ctx = talloc_tos();
1053
1054 DEBUG(5,("call_nt_transact_create\n"));
1055
1056 /*
1057 * If it's an IPC, use the pipe handler.
1058 */
1059
1060 if (IS_IPC(conn)) {
1061 if (lp_nt_pipe_support()) {
1062 do_nt_transact_create_pipe(
1063 conn, req,
1064 ppsetup, setup_count,
1065 ppparams, parameter_count,
1066 ppdata, data_count);
1067 goto out;
1068 }
1069 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1070 goto out;
1071 }
1072
1073 /*
1074 * Ensure minimum number of parameters sent.
1075 */
1076
1077 if(parameter_count < 54) {
1078 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1079 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1080 goto out;
1081 }
1082
1083 flags = IVAL(params,0);
1084 access_mask = IVAL(params,8);
1085 file_attributes = IVAL(params,20);
1086 share_access = IVAL(params,24);
1087 create_disposition = IVAL(params,28);
1088 create_options = IVAL(params,32);
1089 sd_len = IVAL(params,36);
1090 ea_len = IVAL(params,40);
1091 root_dir_fid = (uint16)IVAL(params,4);
1092 allocation_size = BVAL(params,12);
1093
1094 /*
1095 * we need to remove ignored bits when they come directly from the client
1096 * because we reuse some of them for internal stuff
1097 */
1098 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
1099
1100 srvstr_get_path(ctx, params, req->flags2, &fname,
1101 params+53, parameter_count-53,
1102 STR_TERMINATE, &status);
1103 if (!NT_STATUS_IS_OK(status)) {
1104 reply_nterror(req, status);
1105 goto out;
1106 }
1107
1108 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1109 case_state = set_posix_case_semantics(ctx, conn);
1110 if (!case_state) {
1111 reply_nterror(req, NT_STATUS_NO_MEMORY);
1112 goto out;
1113 }
1114 }
1115
1116 status = filename_convert(ctx,
1117 conn,
1118 req->flags2 & FLAGS2_DFS_PATHNAMES,
1119 fname,
1120 0,
1121 NULL,
1122 &smb_fname);
1123
1124 TALLOC_FREE(case_state);
1125
1126 if (!NT_STATUS_IS_OK(status)) {
1127 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1128 reply_botherror(req,
1129 NT_STATUS_PATH_NOT_COVERED,
1130 ERRSRV, ERRbadpath);
1131 goto out;
1132 }
1133 reply_nterror(req, status);
1134 goto out;
1135 }
1136
1137 /* Ensure the data_len is correct for the sd and ea values given. */
1138 if ((ea_len + sd_len > data_count)
1139 || (ea_len > data_count) || (sd_len > data_count)
1140 || (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1141 DEBUG(10, ("call_nt_transact_create - ea_len = %u, sd_len = "
1142 "%u, data_count = %u\n", (unsigned int)ea_len,
1143 (unsigned int)sd_len, (unsigned int)data_count));
1144 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1145 goto out;
1146 }
1147
1148 if (sd_len) {
1149 DEBUG(10, ("call_nt_transact_create - sd_len = %d\n",
1150 sd_len));
1151
1152 status = unmarshall_sec_desc(ctx, (uint8_t *)data, sd_len,
1153 &sd);
1154 if (!NT_STATUS_IS_OK(status)) {
1155 DEBUG(10, ("call_nt_transact_create: "
1156 "unmarshall_sec_desc failed: %s\n",
1157 nt_errstr(status)));
1158 reply_nterror(req, status);
1159 goto out;
1160 }
1161 }
1162
1163 if (ea_len) {
1164 if (!lp_ea_support(SNUM(conn))) {
1165 DEBUG(10, ("call_nt_transact_create - ea_len = %u but "
1166 "EA's not supported.\n",
1167 (unsigned int)ea_len));
1168 reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1169 goto out;
1170 }
1171
1172 if (ea_len < 10) {
1173 DEBUG(10,("call_nt_transact_create - ea_len = %u - "
1174 "too small (should be more than 10)\n",
1175 (unsigned int)ea_len ));
1176 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1177 goto out;
1178 }
1179
1180 /* We have already checked that ea_len <= data_count here. */
1181 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1182 ea_len);
1183 if (ea_list == NULL) {
1184 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1185 goto out;
1186 }
1187
1188 if (ea_list_has_invalid_name(ea_list)) {
1189 /* Realloc the size of parameters and data we will return */
1190 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1191 /* Extended response is 32 more byyes. */
1192 param_len = 101;
1193 } else {
1194 param_len = 69;
1195 }
1196 params = nttrans_realloc(ppparams, param_len);
1197 if(params == NULL) {
1198 reply_nterror(req, NT_STATUS_NO_MEMORY);
1199 goto out;
1200 }
1201
1202 memset(params, '\0', param_len);
1203 send_nt_replies(conn, req, STATUS_INVALID_EA_NAME,
1204 params, param_len, NULL, 0);
1205 goto out;
1206 }
1207 }
1208
1209 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1210 if (oplock_request) {
1211 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
1212 ? BATCH_OPLOCK : 0;
1213 }
1214
1215 /*
1216 * Bug #6898 - clients using Windows opens should
1217 * never be able to set this attribute into the
1218 * VFS.
1219 */
1220 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1221
1222 status = SMB_VFS_CREATE_FILE(
1223 conn, /* conn */
1224 req, /* req */
1225 root_dir_fid, /* root_dir_fid */
1226 smb_fname, /* fname */
1227 access_mask, /* access_mask */
1228 share_access, /* share_access */
1229 create_disposition, /* create_disposition*/
1230 create_options, /* create_options */
1231 file_attributes, /* file_attributes */
1232 oplock_request, /* oplock_request */
1233 allocation_size, /* allocation_size */
1234 0, /* private_flags */
1235 sd, /* sd */
1236 ea_list, /* ea_list */
1237 &fsp, /* result */
1238 &info); /* pinfo */
1239
1240 if(!NT_STATUS_IS_OK(status)) {
1241 if (open_was_deferred(req->sconn, req->mid)) {
1242 /* We have re-scheduled this call, no error. */
1243 return;
1244 }
1245 reply_openerror(req, status);
1246 goto out;
1247 }
1248
1249 /* Ensure we're pointing at the correct stat struct. */
1250 TALLOC_FREE(smb_fname);
1251 smb_fname = fsp->fsp_name;
1252
1253 /*
1254 * If the caller set the extended oplock request bit
1255 * and we granted one (by whatever means) - set the
1256 * correct bit for extended oplock reply.
1257 */
1258
1259 if (oplock_request &&
1260 (lp_fake_oplocks(SNUM(conn))
1261 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
1262
1263 /*
1264 * Exclusive oplock granted
1265 */
1266
1267 if (flags & REQUEST_BATCH_OPLOCK) {
1268 oplock_granted = BATCH_OPLOCK_RETURN;
1269 } else {
1270 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
1271 }
1272 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1273 oplock_granted = LEVEL_II_OPLOCK_RETURN;
1274 } else {
1275 oplock_granted = NO_OPLOCK_RETURN;
1276 }
1277
1278 file_len = smb_fname->st.st_ex_size;
1279
1280 /* Realloc the size of parameters and data we will return */
1281 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1282 /* Extended response is 32 more byyes. */
1283 param_len = 101;
1284 } else {
1285 param_len = 69;
1286 }
1287 params = nttrans_realloc(ppparams, param_len);
1288 if(params == NULL) {
1289 reply_nterror(req, NT_STATUS_NO_MEMORY);
1290 goto out;
1291 }
1292
1293 p = params;
1294 SCVAL(p, 0, oplock_granted);
1295
1296 p += 2;
1297 SSVAL(p,0,fsp->fnum);
1298 p += 2;
1299 if ((create_disposition == FILE_SUPERSEDE)
1300 && (info == FILE_WAS_OVERWRITTEN)) {
1301 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1302 } else {
1303 SIVAL(p,0,info);
1304 }
1305 p += 8;
1306
1307 fattr = dos_mode(conn, smb_fname);
1308 if (fattr == 0) {
1309 fattr = FILE_ATTRIBUTE_NORMAL;
1310 }
1311
1312 /* Deal with other possible opens having a modified
1313 write time. JRA. */
1314 ZERO_STRUCT(write_time_ts);
1315 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
1316 if (!null_timespec(write_time_ts)) {
1317 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
1318 }
1319
1320 /* Create time. */
1321 create_timespec = get_create_timespec(conn, fsp, smb_fname);
1322 a_timespec = smb_fname->st.st_ex_atime;
1323 m_timespec = smb_fname->st.st_ex_mtime;
1324 c_timespec = get_change_timespec(conn, fsp, smb_fname);
1325
1326 if (lp_dos_filetime_resolution(SNUM(conn))) {
1327 dos_filetime_timespec(&create_timespec);
1328 dos_filetime_timespec(&a_timespec);
1329 dos_filetime_timespec(&m_timespec);
1330 dos_filetime_timespec(&c_timespec);
1331 }
1332
1333 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
1334 p += 8;
1335 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
1336 p += 8;
1337 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
1338 p += 8;
1339 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
1340 p += 8;
1341 SIVAL(p,0,fattr); /* File Attributes. */
1342 p += 4;
1343 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn, fsp, &smb_fname->st));
1344 p += 8;
1345 SOFF_T(p,0,file_len);
1346 p += 8;
1347 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1348 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
1349 size_t num_names = 0;
1350 unsigned int num_streams = 0;
1351 struct stream_struct *streams = NULL;
1352
1353 /* Do we have any EA's ? */
1354 status = get_ea_names_from_file(ctx, conn, fsp,
1355 smb_fname->base_name, NULL, &num_names);
1356 if (NT_STATUS_IS_OK(status) && num_names) {
1357 file_status &= ~NO_EAS;
1358 }
1359 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
1360 &num_streams, &streams);
1361 /* There is always one stream, ::$DATA. */
1362 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
1363 file_status &= ~NO_SUBSTREAMS;
1364 }
1365 TALLOC_FREE(streams);
1366 SSVAL(p,2,file_status);
1367 }
1368 p += 4;
1369 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1370
1371 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1372 uint32 perms = 0;
1373 p += 25;
1374 if (fsp->is_directory ||
1375 can_write_to_file(conn, smb_fname)) {
1376 perms = FILE_GENERIC_ALL;
1377 } else {
1378 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1379 }
1380 SIVAL(p,0,perms);
1381 }
1382
1383 DEBUG(5,("call_nt_transact_create: open name = %s\n",
1384 smb_fname_str_dbg(smb_fname)));
1385
1386 /* Send the required number of replies */
1387 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1388 out:
1389 return;
1390 }
1391
1392 /****************************************************************************
1393 Reply to a NT CANCEL request.
1394 conn POINTER CAN BE NULL HERE !
1395 ****************************************************************************/
1396
1397 void reply_ntcancel(struct smb_request *req)
1398 {
1399 /*
1400 * Go through and cancel any pending change notifies.
1401 */
1402
1403 START_PROFILE(SMBntcancel);
1404 srv_cancel_sign_response(req->sconn);
1405 remove_pending_change_notify_requests_by_mid(req->sconn, req->mid);
1406 remove_pending_lock_requests_by_mid_smb1(req->sconn, req->mid);
1407
1408 DEBUG(3,("reply_ntcancel: cancel called on mid = %llu.\n",
1409 (unsigned long long)req->mid));
1410
1411 END_PROFILE(SMBntcancel);
1412 return;
1413 }
1414
1415 /****************************************************************************
1416 Copy a file.
1417 ****************************************************************************/
1418
1419 static NTSTATUS copy_internals(TALLOC_CTX *ctx,
1420 connection_struct *conn,
1421 struct smb_request *req,
1422 struct smb_filename *smb_fname_src,
1423 struct smb_filename *smb_fname_dst,
1424 uint32 attrs)
1425 {
1426 files_struct *fsp1,*fsp2;
1427 uint32 fattr;
1428 int info;
1429 off_t ret=-1;
1430 NTSTATUS status = NT_STATUS_OK;
1431 char *parent;
1432
1433 if (!CAN_WRITE(conn)) {
1434 status = NT_STATUS_MEDIA_WRITE_PROTECTED;
1435 goto out;
1436 }
1437
1438 /* Source must already exist. */
1439 if (!VALID_STAT(smb_fname_src->st)) {
1440 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
1441 goto out;
1442 }
1443
1444 /* Ensure attributes match. */
1445 fattr = dos_mode(conn, smb_fname_src);
1446 if ((fattr & ~attrs) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
1447 status = NT_STATUS_NO_SUCH_FILE;
1448 goto out;
1449 }
1450
1451 /* Disallow if dst file already exists. */
1452 if (VALID_STAT(smb_fname_dst->st)) {
1453 status = NT_STATUS_OBJECT_NAME_COLLISION;
1454 goto out;
1455 }
1456
1457 /* No links from a directory. */
1458 if (S_ISDIR(smb_fname_src->st.st_ex_mode)) {
1459 status = NT_STATUS_FILE_IS_A_DIRECTORY;
1460 goto out;
1461 }
1462
1463 DEBUG(10,("copy_internals: doing file copy %s to %s\n",
1464 smb_fname_str_dbg(smb_fname_src),
1465 smb_fname_str_dbg(smb_fname_dst)));
1466
1467 status = SMB_VFS_CREATE_FILE(
1468 conn, /* conn */
1469 req, /* req */
1470 0, /* root_dir_fid */
1471 smb_fname_src, /* fname */
1472 FILE_READ_DATA|FILE_READ_ATTRIBUTES|
1473 FILE_READ_EA, /* access_mask */
1474 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1475 FILE_SHARE_DELETE),
1476 FILE_OPEN, /* create_disposition*/
1477 0, /* create_options */
1478 FILE_ATTRIBUTE_NORMAL, /* file_attributes */
1479 NO_OPLOCK, /* oplock_request */
1480 0, /* allocation_size */
1481 0, /* private_flags */
1482 NULL, /* sd */
1483 NULL, /* ea_list */
1484 &fsp1, /* result */
1485 &info); /* pinfo */
1486
1487 if (!NT_STATUS_IS_OK(status)) {
1488 goto out;
1489 }
1490
1491 status = SMB_VFS_CREATE_FILE(
1492 conn, /* conn */
1493 req, /* req */
1494 0, /* root_dir_fid */
1495 smb_fname_dst, /* fname */
1496 FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|
1497 FILE_WRITE_EA, /* access_mask */
1498 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1499 FILE_SHARE_DELETE),
1500 FILE_CREATE, /* create_disposition*/
1501 0, /* create_options */
1502 fattr, /* file_attributes */
1503 NO_OPLOCK, /* oplock_request */
1504 0, /* allocation_size */
1505 0, /* private_flags */
1506 NULL, /* sd */
1507 NULL, /* ea_list */
1508 &fsp2, /* result */
1509 &info); /* pinfo */
1510
1511 if (!NT_STATUS_IS_OK(status)) {
1512 close_file(NULL, fsp1, ERROR_CLOSE);
1513 goto out;
1514 }
1515
1516 if (smb_fname_src->st.st_ex_size) {
1517 ret = vfs_transfer_file(fsp1, fsp2, smb_fname_src->st.st_ex_size);
1518 }
1519
1520 /*
1521 * As we are opening fsp1 read-only we only expect
1522 * an error on close on fsp2 if we are out of space.
1523 * Thus we don't look at the error return from the
1524 * close of fsp1.
1525 */
1526 close_file(NULL, fsp1, NORMAL_CLOSE);
1527
1528 /* Ensure the modtime is set correctly on the destination file. */
1529 set_close_write_time(fsp2, smb_fname_src->st.st_ex_mtime);
1530
1531 status = close_file(NULL, fsp2, NORMAL_CLOSE);
1532
1533 /* Grrr. We have to do this as open_file_ntcreate adds FILE_ATTRIBUTE_ARCHIVE when it
1534 creates the file. This isn't the correct thing to do in the copy
1535 case. JRA */
1536 if (!parent_dirname(talloc_tos(), smb_fname_dst->base_name, &parent,
1537 NULL)) {
1538 status = NT_STATUS_NO_MEMORY;
1539 goto out;
1540 }
1541 file_set_dosmode(conn, smb_fname_dst, fattr, parent, false);
1542 TALLOC_FREE(parent);
1543
1544 if (ret < (off_t)smb_fname_src->st.st_ex_size) {
1545 status = NT_STATUS_DISK_FULL;
1546 goto out;
1547 }
1548 out:
1549 if (!NT_STATUS_IS_OK(status)) {
1550 DEBUG(3,("copy_internals: Error %s copy file %s to %s\n",
1551 nt_errstr(status), smb_fname_str_dbg(smb_fname_src),
1552 smb_fname_str_dbg(smb_fname_dst)));
1553 }
1554
1555 return status;
1556 }
1557
1558 /****************************************************************************
1559 Reply to a NT rename request.
1560 ****************************************************************************/
1561
1562 void reply_ntrename(struct smb_request *req)
1563 {
1564 connection_struct *conn = req->conn;
1565 struct smb_filename *smb_fname_old = NULL;
1566 struct smb_filename *smb_fname_new = NULL;
1567 char *oldname = NULL;
1568 char *newname = NULL;
1569 const char *p;
1570 NTSTATUS status;
1571 bool src_has_wcard = False;
1572 bool dest_has_wcard = False;
1573 uint32 attrs;
1574 uint32_t ucf_flags_src = 0;
1575 uint32_t ucf_flags_dst = 0;
1576 uint16 rename_type;
1577 TALLOC_CTX *ctx = talloc_tos();
1578 bool stream_rename = false;
1579
1580 START_PROFILE(SMBntrename);
1581
1582 if (req->wct < 4) {
1583 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1584 goto out;
1585 }
1586
1587 attrs = SVAL(req->vwv+0, 0);
1588 rename_type = SVAL(req->vwv+1, 0);
1589
1590 p = (const char *)req->buf + 1;
1591 p += srvstr_get_path_req_wcard(ctx, req, &oldname, p, STR_TERMINATE,
1592 &status, &src_has_wcard);
1593 if (!NT_STATUS_IS_OK(status)) {
1594 reply_nterror(req, status);
1595 goto out;
1596 }
1597
1598 if (ms_has_wild(oldname)) {
1599 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
1600 goto out;
1601 }
1602
1603 p++;
1604 p += srvstr_get_path_req_wcard(ctx, req, &newname, p, STR_TERMINATE,
1605 &status, &dest_has_wcard);
1606 if (!NT_STATUS_IS_OK(status)) {
1607 reply_nterror(req, status);
1608 goto out;
1609 }
1610
1611 if (!lp_posix_pathnames()) {
1612 /* The newname must begin with a ':' if the
1613 oldname contains a ':'. */
1614 if (strchr_m(oldname, ':')) {
1615 if (newname[0] != ':') {
1616 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1617 goto out;
1618 }
1619 stream_rename = true;
1620 }
1621 }
1622
1623 /*
1624 * If this is a rename operation, allow wildcards and save the
1625 * destination's last component.
1626 */
1627 if (rename_type == RENAME_FLAG_RENAME) {
1628 ucf_flags_src = UCF_COND_ALLOW_WCARD_LCOMP;
1629 ucf_flags_dst = UCF_COND_ALLOW_WCARD_LCOMP | UCF_SAVE_LCOMP;
1630 }
1631
1632 /* rename_internals() calls unix_convert(), so don't call it here. */
1633 status = filename_convert(ctx, conn,
1634 req->flags2 & FLAGS2_DFS_PATHNAMES,
1635 oldname,
1636 ucf_flags_src,
1637 NULL,
1638 &smb_fname_old);
1639 if (!NT_STATUS_IS_OK(status)) {
1640 if (NT_STATUS_EQUAL(status,
1641 NT_STATUS_PATH_NOT_COVERED)) {
1642 reply_botherror(req,
1643 NT_STATUS_PATH_NOT_COVERED,
1644 ERRSRV, ERRbadpath);
1645 goto out;
1646 }
1647 reply_nterror(req, status);
1648 goto out;
1649 }
1650
1651 status = filename_convert(ctx, conn,
1652 req->flags2 & FLAGS2_DFS_PATHNAMES,
1653 newname,
1654 ucf_flags_dst,
1655 &dest_has_wcard,
1656 &smb_fname_new);
1657 if (!NT_STATUS_IS_OK(status)) {
1658 if (NT_STATUS_EQUAL(status,
1659 NT_STATUS_PATH_NOT_COVERED)) {
1660 reply_botherror(req,
1661 NT_STATUS_PATH_NOT_COVERED,
1662 ERRSRV, ERRbadpath);
1663 goto out;
1664 }
1665 reply_nterror(req, status);
1666 goto out;
1667 }
1668
1669 if (stream_rename) {
1670 /* smb_fname_new must be the same as smb_fname_old. */
1671 TALLOC_FREE(smb_fname_new->base_name);
1672 smb_fname_new->base_name = talloc_strdup(smb_fname_new,
1673 smb_fname_old->base_name);
1674 if (!smb_fname_new->base_name) {
1675 reply_nterror(req, NT_STATUS_NO_MEMORY);
1676 goto out;
1677 }
1678 }
1679
1680 DEBUG(3,("reply_ntrename: %s -> %s\n",
1681 smb_fname_str_dbg(smb_fname_old),
1682 smb_fname_str_dbg(smb_fname_new)));
1683
1684 switch(rename_type) {
1685 case RENAME_FLAG_RENAME:
1686 status = rename_internals(ctx, conn, req,
1687 smb_fname_old, smb_fname_new,
1688 attrs, False, src_has_wcard,
1689 dest_has_wcard,
1690 DELETE_ACCESS);
1691 break;
1692 case RENAME_FLAG_HARD_LINK:
1693 if (src_has_wcard || dest_has_wcard) {
1694 /* No wildcards. */
1695 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1696 } else {
1697 status = hardlink_internals(ctx, conn,
1698 req,
1699 false,
1700 smb_fname_old,
1701 smb_fname_new);
1702 }
1703 break;
1704 case RENAME_FLAG_COPY:
1705 if (src_has_wcard || dest_has_wcard) {
1706 /* No wildcards. */
1707 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1708 } else {
1709 status = copy_internals(ctx, conn, req,
1710 smb_fname_old,
1711 smb_fname_new,
1712 attrs);
1713 }
1714 break;
1715 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
1716 status = NT_STATUS_INVALID_PARAMETER;
1717 break;
1718 default:
1719 status = NT_STATUS_ACCESS_DENIED; /* Default error. */
1720 break;
1721 }
1722
1723 if (!NT_STATUS_IS_OK(status)) {
1724 if (open_was_deferred(req->sconn, req->mid)) {
1725 /* We have re-scheduled this call. */
1726 goto out;
1727 }
1728
1729 reply_nterror(req, status);
1730 goto out;
1731 }
1732
1733 reply_outbuf(req, 0, 0);
1734 out:
1735 END_PROFILE(SMBntrename);
1736 return;
1737 }
1738
1739 /****************************************************************************
1740 Reply to a notify change - queue the request and
1741 don't allow a directory to be opened.
1742 ****************************************************************************/
1743
1744 static void smbd_smb1_notify_reply(struct smb_request *req,
1745 NTSTATUS error_code,
1746 uint8_t *buf, size_t len)
1747 {
1748 send_nt_replies(req->conn, req, error_code, (char *)buf, len, NULL, 0);
1749 }
1750
1751 static void call_nt_transact_notify_change(connection_struct *conn,
1752 struct smb_request *req,
1753 uint16 **ppsetup,
1754 uint32 setup_count,
1755 char **ppparams,
1756 uint32 parameter_count,
1757 char **ppdata, uint32 data_count,
1758 uint32 max_data_count,
1759 uint32 max_param_count)
1760 {
1761 uint16 *setup = *ppsetup;
1762 files_struct *fsp;
1763 uint32 filter;
1764 NTSTATUS status;
1765 bool recursive;
1766
1767 if(setup_count < 6) {
1768 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1769 return;
1770 }
1771
1772 fsp = file_fsp(req, SVAL(setup,4));
1773 filter = IVAL(setup, 0);
1774 recursive = (SVAL(setup, 6) != 0) ? True : False;
1775
1776 DEBUG(3,("call_nt_transact_notify_change\n"));
1777
1778 if(!fsp) {
1779 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1780 return;
1781 }
1782
1783 {
1784 char *filter_string;
1785
1786 if (!(filter_string = notify_filter_string(NULL, filter))) {
1787 reply_nterror(req,NT_STATUS_NO_MEMORY);
1788 return;
1789 }
1790
1791 DEBUG(3,("call_nt_transact_notify_change: notify change "
1792 "called on %s, filter = %s, recursive = %d\n",
1793 fsp_str_dbg(fsp), filter_string, recursive));
1794
1795 TALLOC_FREE(filter_string);
1796 }
1797
1798 if((!fsp->is_directory) || (conn != fsp->conn)) {
1799 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1800 return;
1801 }
1802
1803 if (fsp->notify == NULL) {
1804
1805 status = change_notify_create(fsp, filter, recursive);
1806
1807 if (!NT_STATUS_IS_OK(status)) {
1808 DEBUG(10, ("change_notify_create returned %s\n",
1809 nt_errstr(status)));
1810 reply_nterror(req, status);
1811 return;
1812 }
1813 }
1814
1815 if (change_notify_fsp_has_changes(fsp)) {
1816
1817 /*
1818 * We've got changes pending, respond immediately
1819 */
1820
1821 /*
1822 * TODO: write a torture test to check the filtering behaviour
1823 * here.
1824 */
1825
1826 change_notify_reply(req,
1827 NT_STATUS_OK,
1828 max_param_count,
1829 fsp->notify,
1830 smbd_smb1_notify_reply);
1831
1832 /*
1833 * change_notify_reply() above has independently sent its
1834 * results
1835 */
1836 return;
1837 }
1838
1839 /*
1840 * No changes pending, queue the request
1841 */
1842
1843 status = change_notify_add_request(req,
1844 max_param_count,
1845 filter,
1846 recursive, fsp,
1847 smbd_smb1_notify_reply);
1848 if (!NT_STATUS_IS_OK(status)) {
1849 reply_nterror(req, status);
1850 }
1851 return;
1852 }
1853
1854 /****************************************************************************
1855 Reply to an NT transact rename command.
1856 ****************************************************************************/
1857
1858 static void call_nt_transact_rename(connection_struct *conn,
1859 struct smb_request *req,
1860 uint16 **ppsetup, uint32 setup_count,
1861 char **ppparams, uint32 parameter_count,
1862 char **ppdata, uint32 data_count,
1863 uint32 max_data_count)
1864 {
1865 char *params = *ppparams;
1866 char *new_name = NULL;
1867 files_struct *fsp = NULL;
1868 bool dest_has_wcard = False;
1869 NTSTATUS status;
1870 TALLOC_CTX *ctx = talloc_tos();
1871
1872 if(parameter_count < 5) {
1873 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1874 return;
1875 }
1876
1877 fsp = file_fsp(req, SVAL(params, 0));
1878 if (!check_fsp(conn, req, fsp)) {
1879 return;
1880 }
1881 srvstr_get_path_wcard(ctx, params, req->flags2, &new_name, params+4,
1882 parameter_count - 4,
1883 STR_TERMINATE, &status, &dest_has_wcard);
1884 if (!NT_STATUS_IS_OK(status)) {
1885 reply_nterror(req, status);
1886 return;
1887 }
1888
1889 /*
1890 * W2K3 ignores this request as the RAW-RENAME test
1891 * demonstrates, so we do.
1892 */
1893 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
1894
1895 DEBUG(3,("nt transact rename from = %s, to = %s ignored!\n",
1896 fsp_str_dbg(fsp), new_name));
1897
1898 return;
1899 }
1900
1901 /******************************************************************************
1902 Fake up a completely empty SD.
1903 *******************************************************************************/
1904
1905 static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, struct security_descriptor **ppsd)
1906 {
1907 size_t sd_size;
1908
1909 *ppsd = make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);
1910 if(!*ppsd) {
1911 DEBUG(0,("get_null_nt_acl: Unable to malloc space for security descriptor.\n"));
1912 return NT_STATUS_NO_MEMORY;
1913 }
1914
1915 return NT_STATUS_OK;
1916 }
1917
1918 /****************************************************************************
1919 Reply to query a security descriptor.
1920 Callable from SMB2 and SMB2.
1921 If it returns NT_STATUS_BUFFER_TOO_SMALL, pdata_size is initialized with
1922 the required size.
1923 ****************************************************************************/
1924
1925 NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
1926 TALLOC_CTX *mem_ctx,
1927 files_struct *fsp,
1928 uint32_t security_info_wanted,
1929 uint32_t max_data_count,
1930 uint8_t **ppmarshalled_sd,
1931 size_t *psd_size)
1932 {
1933 NTSTATUS status;
1934 struct security_descriptor *psd = NULL;
1935 TALLOC_CTX *frame = talloc_stackframe();
1936
1937 /*
1938 * Get the permissions to return.
1939 */
1940
1941 if ((security_info_wanted & SECINFO_SACL) &&
1942 !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
1943 DEBUG(10, ("Access to SACL denied.\n"));
1944 TALLOC_FREE(frame);
1945 return NT_STATUS_ACCESS_DENIED;
1946 }
1947
1948 if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
1949 !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
1950 DEBUG(10, ("Access to DACL, OWNER, or GROUP denied.\n"));
1951 TALLOC_FREE(frame);
1952 return NT_STATUS_ACCESS_DENIED;
1953 }
1954
1955 if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
1956 SECINFO_GROUP|SECINFO_SACL)) {
1957 /* Don't return SECINFO_LABEL if anything else was
1958 requested. See bug #8458. */
1959 security_info_wanted &= ~SECINFO_LABEL;
1960 }
1961
1962 if (!lp_nt_acl_support(SNUM(conn))) {
1963 status = get_null_nt_acl(frame, &psd);
1964 } else if (security_info_wanted & SECINFO_LABEL) {
1965 /* Like W2K3 return a null object. */
1966 status = get_null_nt_acl(frame, &psd);
1967 } else {
1968 status = SMB_VFS_FGET_NT_ACL(
1969 fsp, security_info_wanted, frame, &psd);
1970 }
1971 if (!NT_STATUS_IS_OK(status)) {
1972 TALLOC_FREE(frame);
1973 return status;
1974 }
1975
1976 if (!(security_info_wanted & SECINFO_OWNER)) {
1977 psd->owner_sid = NULL;
1978 }
1979 if (!(security_info_wanted & SECINFO_GROUP)) {
1980 psd->group_sid = NULL;
1981 }
1982 if (!(security_info_wanted & SECINFO_DACL)) {
1983 psd->type &= ~SEC_DESC_DACL_PRESENT;
1984 psd->dacl = NULL;
1985 }
1986 if (!(security_info_wanted & SECINFO_SACL)) {
1987 psd->type &= ~SEC_DESC_SACL_PRESENT;
1988 psd->sacl = NULL;
1989 }
1990
1991 /* If the SACL/DACL is NULL, but was requested, we mark that it is
1992 * present in the reply to match Windows behavior */
1993 if (psd->sacl == NULL &&
1994 security_info_wanted & SECINFO_SACL)
1995 psd->type |= SEC_DESC_SACL_PRESENT;
1996 if (psd->dacl == NULL &&
1997 security_info_wanted & SECINFO_DACL)
1998 psd->type |= SEC_DESC_DACL_PRESENT;
1999
2000 if (security_info_wanted & SECINFO_LABEL) {
2001 /* Like W2K3 return a null object. */
2002 psd->owner_sid = NULL;
2003 psd->group_sid = NULL;
2004 psd->dacl = NULL;
2005 psd->sacl = NULL;
2006 psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT);
2007 }
2008
2009 *psd_size = ndr_size_security_descriptor(psd, 0);
2010
2011 DEBUG(3,("smbd_do_query_security_desc: sd_size = %lu.\n",
2012 (unsigned long)*psd_size));
2013
2014 if (DEBUGLEVEL >= 10) {
2015 DEBUG(10,("smbd_do_query_security_desc for file %s\n",
2016 fsp_str_dbg(fsp)));
2017 NDR_PRINT_DEBUG(security_descriptor, psd);
2018 }
2019
2020 if (max_data_count < *psd_size) {
2021 TALLOC_FREE(frame);
2022 return NT_STATUS_BUFFER_TOO_SMALL;
2023 }
2024
2025 status = marshall_sec_desc(mem_ctx, psd,
2026 ppmarshalled_sd, psd_size);
2027
2028 if (!NT_STATUS_IS_OK(status)) {
2029 TALLOC_FREE(frame);
2030 return status;
2031 }
2032
2033 TALLOC_FREE(frame);
2034 return NT_STATUS_OK;
2035 }
2036
2037 /****************************************************************************
2038 SMB1 reply to query a security descriptor.
2039 ****************************************************************************/
2040
2041 static void call_nt_transact_query_security_desc(connection_struct *conn,
2042 struct smb_request *req,
2043 uint16 **ppsetup,
2044 uint32 setup_count,
2045 char **ppparams,
2046 uint32 parameter_count,
2047 char **ppdata,
2048 uint32 data_count,
2049 uint32 max_data_count)
2050 {
2051 char *params = *ppparams;
2052 char *data = *ppdata;
2053 size_t sd_size = 0;
2054 uint32 security_info_wanted;
2055 files_struct *fsp = NULL;
2056 NTSTATUS status;
2057 uint8_t *marshalled_sd = NULL;
2058
2059 if(parameter_count < 8) {
2060 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2061 return;
2062 }
2063
2064 fsp = file_fsp(req, SVAL(params,0));
2065 if(!fsp) {
2066 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2067 return;
2068 }
2069
2070 security_info_wanted = IVAL(params,4);
2071
2072 DEBUG(3,("call_nt_transact_query_security_desc: file = %s, "
2073 "info_wanted = 0x%x\n", fsp_str_dbg(fsp),
2074 (unsigned int)security_info_wanted));
2075
2076 params = nttrans_realloc(ppparams, 4);
2077 if(params == NULL) {
2078 reply_nterror(req, NT_STATUS_NO_MEMORY);
2079 return;
2080 }
2081
2082 /*
2083 * Get the permissions to return.
2084 */
2085
2086 status = smbd_do_query_security_desc(conn,
2087 talloc_tos(),
2088 fsp,
2089 security_info_wanted,
2090 max_data_count,
2091 &marshalled_sd,
2092 &sd_size);
2093
2094 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
2095 SIVAL(params,0,(uint32_t)sd_size);
2096 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2097 params, 4, NULL, 0);
2098 return;
2099 }
2100
2101 if (!NT_STATUS_IS_OK(status)) {
2102 reply_nterror(req, status);
2103 return;
2104 }
2105
2106 SMB_ASSERT(sd_size > 0);
2107
2108 SIVAL(params,0,(uint32_t)sd_size);
2109
2110 if (max_data_count < sd_size) {
2111 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2112 params, 4, NULL, 0);
2113 return;
2114 }
2115
2116 /*
2117 * Allocate the data we will return.
2118 */
2119
2120 data = nttrans_realloc(ppdata, sd_size);
2121 if(data == NULL) {
2122 reply_nterror(req, NT_STATUS_NO_MEMORY);
2123 return;
2124 }
2125
2126 memcpy(data, marshalled_sd, sd_size);
2127
2128 send_nt_replies(conn, req, NT_STATUS_OK, params, 4, data, (int)sd_size);
2129
2130 return;
2131 }
2132
2133 /****************************************************************************
2134 Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
2135 ****************************************************************************/
2136
2137 static void call_nt_transact_set_security_desc(connection_struct *conn,
2138 struct smb_request *req,
2139 uint16 **ppsetup,
2140 uint32 setup_count,
2141 char **ppparams,
2142 uint32 parameter_count,
2143 char **ppdata,
2144 uint32 data_count,
2145 uint32 max_data_count)
2146 {
2147 char *params= *ppparams;
2148 char *data = *ppdata;
2149 files_struct *fsp = NULL;
2150 uint32 security_info_sent = 0;
2151 NTSTATUS status;
2152
2153 if(parameter_count < 8) {
2154 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2155 return;
2156 }
2157
2158 if((fsp = file_fsp(req, SVAL(params,0))) == NULL) {
2159 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2160 return;
2161 }
2162
2163 if (!CAN_WRITE(fsp->conn)) {
2164 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2165 return;
2166 }
2167
2168 if(!lp_nt_acl_support(SNUM(conn))) {
2169 goto done;
2170 }
2171
2172 security_info_sent = IVAL(params,4);
2173
2174 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n",
2175 fsp_str_dbg(fsp), (unsigned int)security_info_sent));
2176
2177 if (data_count == 0) {
2178 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2179 return;
2180 }
2181
2182 status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent);
2183
2184 if (!NT_STATUS_IS_OK(status)) {
2185 reply_nterror(req, status);
2186 return;
2187 }
2188
2189 done:
2190 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
2191 return;
2192 }
2193
2194 /****************************************************************************
2195 Reply to NT IOCTL
2196 ****************************************************************************/
2197
2198 static void call_nt_transact_ioctl(connection_struct *conn,
2199 struct smb_request *req,
2200 uint16 **ppsetup, uint32 setup_count,
2201 char **ppparams, uint32 parameter_count,
2202 char **ppdata, uint32 data_count,
2203 uint32 max_data_count)
2204 {
2205 NTSTATUS status;
2206 uint32 function;
2207 uint16 fidnum;
2208 files_struct *fsp;
2209 uint8 isFSctl;
2210 uint8 compfilter;
2211 char *out_data = NULL;
2212 uint32 out_data_len = 0;
2213 char *pdata = *ppdata;
2214 TALLOC_CTX *ctx = talloc_tos();
2215
2216 if (setup_count != 8) {
2217 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
2218 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2219 return;
2220 }
2221
2222 function = IVAL(*ppsetup, 0);
2223 fidnum = SVAL(*ppsetup, 4);
2224 isFSctl = CVAL(*ppsetup, 6);
2225 compfilter = CVAL(*ppsetup, 7);
2226
2227 DEBUG(10, ("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n",
2228 function, fidnum, isFSctl, compfilter));
2229
2230 fsp=file_fsp(req, fidnum);
2231
2232 /*
2233 * We don't really implement IOCTLs, especially on files.
2234 */
2235 if (!isFSctl) {
2236 DEBUG(10, ("isFSctl: 0x%02X indicates IOCTL, not FSCTL!\n",
2237 isFSctl));
2238 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2239 return;
2240 }
2241
2242 /* Has to be for an open file! */
2243 if (!check_fsp_open(conn, req, fsp)) {
2244 return;
2245 }
2246
2247 SMB_PERFCOUNT_SET_IOCTL(&req->pcd, function);
2248
2249 /*
2250 * out_data might be allocated by the VFS module, but talloc should be
2251 * used, and should be cleaned up when the request ends.
2252 */
2253 status = SMB_VFS_FSCTL(fsp,
2254 ctx,
2255 function,
2256 req->flags2,
2257 (uint8_t *)pdata,
2258 data_count,
2259 (uint8_t **)&out_data,
2260 max_data_count,
2261 &out_data_len);
2262 if (!NT_STATUS_IS_OK(status)) {
2263 reply_nterror(req, status);
2264 } else {
2265 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, out_data, out_data_len);
2266 }
2267 }
2268
2269
2270 #ifdef HAVE_SYS_QUOTAS
2271 /****************************************************************************
2272 Reply to get user quota
2273 ****************************************************************************/
2274
2275 static void call_nt_transact_get_user_quota(connection_struct *conn,
2276 struct smb_request *req,
2277 uint16 **ppsetup,
2278 uint32 setup_count,
2279 char **ppparams,
2280 uint32 parameter_count,
2281 char **ppdata,
2282 uint32 data_count,
2283 uint32 max_data_count)
2284 {
2285 NTSTATUS nt_status = NT_STATUS_OK;
2286 char *params = *ppparams;
2287 char *pdata = *ppdata;
2288 char *entry;
2289 int data_len=0,param_len=0;
2290 int qt_len=0;
2291 int entry_len = 0;
2292 files_struct *fsp = NULL;
2293 uint16 level = 0;
2294 size_t sid_len;
2295 struct dom_sid sid;
2296 bool start_enum = True;
2297 SMB_NTQUOTA_STRUCT qt;
2298 SMB_NTQUOTA_LIST *tmp_list;
2299 SMB_NTQUOTA_HANDLE *qt_handle = NULL;
2300
2301 ZERO_STRUCT(qt);
2302
2303 /* access check */
2304 if (get_current_uid(conn) != 0) {
2305 DEBUG(1,("get_user_quota: access_denied service [%s] user "
2306 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2307 conn->session_info->unix_info->unix_name));
2308 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2309 return;
2310 }
2311
2312 /*
2313 * Ensure minimum number of parameters sent.
2314 */
2315
2316 if (parameter_count < 4) {
2317 DEBUG(0,("TRANSACT_GET_USER_QUOTA: requires %d >= 4 bytes parameters\n",parameter_count));
2318 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2319 return;
2320 }
2321
2322 /* maybe we can check the quota_fnum */
2323 fsp = file_fsp(req, SVAL(params,0));
2324 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2325 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2326 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2327 return;
2328 }
2329
2330 /* the NULL pointer checking for fsp->fake_file_handle->pd
2331 * is done by CHECK_NTQUOTA_HANDLE_OK()
2332 */
2333 qt_handle = (SMB_NTQUOTA_HANDLE *)fsp->fake_file_handle->private_data;
2334
2335 level = SVAL(params,2);
2336
2337 /* unknown 12 bytes leading in params */
2338
2339 switch (level) {
2340 case TRANSACT_GET_USER_QUOTA_LIST_CONTINUE:
2341 /* seems that we should continue with the enum here --metze */
2342
2343 if (qt_handle->quota_list!=NULL &&
2344 qt_handle->tmp_list==NULL) {
2345
2346 /* free the list */
2347 free_ntquota_list(&(qt_handle->quota_list));
2348
2349 /* Realloc the size of parameters and data we will return */
2350 param_len = 4;
2351 params = nttrans_realloc(ppparams, param_len);
2352 if(params == NULL) {
2353 reply_nterror(req, NT_STATUS_NO_MEMORY);
2354 return;
2355 }
2356
2357 data_len = 0;
2358 SIVAL(params,0,data_len);
2359
2360 break;
2361 }
2362
2363 start_enum = False;
2364
2365 case TRANSACT_GET_USER_QUOTA_LIST_START:
2366
2367 if (qt_handle->quota_list==NULL &&
2368 qt_handle->tmp_list==NULL) {
2369 start_enum = True;
2370 }
2371
2372 if (start_enum && vfs_get_user_ntquota_list(fsp,&(qt_handle->quota_list))!=0) {
2373 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2374 return;
2375 }
2376
2377 /* Realloc the size of parameters and data we will return */
2378 param_len = 4;
2379 params = nttrans_realloc(ppparams, param_len);
2380 if(params == NULL) {
2381 reply_nterror(req, NT_STATUS_NO_MEMORY);
2382 return;
2383 }
2384
2385 /* we should not trust the value in max_data_count*/
2386 max_data_count = MIN(max_data_count,2048);
2387
2388 pdata = nttrans_realloc(ppdata, max_data_count);/* should be max data count from client*/
2389 if(pdata == NULL) {
2390 reply_nterror(req, NT_STATUS_NO_MEMORY);
2391 return;
2392 }
2393
2394 entry = pdata;
2395
2396 /* set params Size of returned Quota Data 4 bytes*/
2397 /* but set it later when we know it */
2398
2399 /* for each entry push the data */
2400
2401 if (start_enum) {
2402 qt_handle->tmp_list = qt_handle->quota_list;
2403 }
2404
2405 tmp_list = qt_handle->tmp_list;
2406
2407 for (;((tmp_list!=NULL)&&((qt_len +40+SID_MAX_SIZE)<max_data_count));
2408 tmp_list=tmp_list->next,entry+=entry_len,qt_len+=entry_len) {
2409
2410 sid_len = ndr_size_dom_sid(
2411 &tmp_list->quotas->sid, 0);
2412 entry_len = 40 + sid_len;
2413
2414 /* nextoffset entry 4 bytes */
2415 SIVAL(entry,0,entry_len);
2416
2417 /* then the len of the SID 4 bytes */
2418 SIVAL(entry,4,sid_len);
2419
2420 /* unknown data 8 bytes uint64_t */
2421 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-metze*/
2422
2423 /* the used disk space 8 bytes uint64_t */
2424 SBIG_UINT(entry,16,tmp_list->quotas->usedspace);
2425
2426 /* the soft quotas 8 bytes uint64_t */
2427 SBIG_UINT(entry,24,tmp_list->quotas->softlim);
2428
2429 /* the hard quotas 8 bytes uint64_t */
2430 SBIG_UINT(entry,32,tmp_list->quotas->hardlim);
2431
2432 /* and now the SID */
2433 sid_linearize(entry+40, sid_len, &tmp_list->quotas->sid);
2434 }
2435
2436 qt_handle->tmp_list = tmp_list;
2437
2438 /* overwrite the offset of the last entry */
2439 SIVAL(entry-entry_len,0,0);
2440
2441 data_len = 4+qt_len;
2442 /* overwrite the params quota_data_len */
2443 SIVAL(params,0,data_len);
2444
2445 break;
2446
2447 case TRANSACT_GET_USER_QUOTA_FOR_SID:
2448
2449 /* unknown 4 bytes IVAL(pdata,0) */
2450
2451 if (data_count < 8) {
2452 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %d bytes data\n",data_count,8));
2453 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2454 return;
2455 }
2456
2457 sid_len = IVAL(pdata,4);
2458 /* Ensure this is less than 1mb. */
2459 if (sid_len > (1024*1024)) {
2460 reply_nterror(req, NT_STATUS_NO_MEMORY);
2461 return;
2462 }
2463
2464 if (data_count < 8+sid_len) {
2465 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len)));
2466 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2467 return;
2468 }
2469
2470 data_len = 4+40+sid_len;
2471
2472 if (max_data_count < data_len) {
2473 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: max_data_count(%d) < data_len(%d)\n",
2474 max_data_count, data_len));
2475 param_len = 4;
2476 SIVAL(params,0,data_len);
2477 data_len = 0;
2478 nt_status = NT_STATUS_BUFFER_TOO_SMALL;
2479 break;
2480 }
2481
2482 if (!sid_parse(pdata+8,sid_len,&sid)) {
2483 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2484 return;
2485 }
2486
2487 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2488 ZERO_STRUCT(qt);
2489 /*
2490 * we have to return zero's in all fields
2491 * instead of returning an error here
2492 * --metze
2493 */
2494 }
2495
2496 /* Realloc the size of parameters and data we will return */
2497 param_len = 4;
2498 params = nttrans_realloc(ppparams, param_len);
2499 if(params == NULL) {
2500 reply_nterror(req, NT_STATUS_NO_MEMORY);
2501 return;
2502 }
2503
2504 pdata = nttrans_realloc(ppdata, data_len);
2505 if(pdata == NULL) {
2506 reply_nterror(req, NT_STATUS_NO_MEMORY);
2507 return;
2508 }
2509
2510 entry = pdata;
2511
2512 /* set params Size of returned Quota Data 4 bytes*/
2513 SIVAL(params,0,data_len);
2514
2515 /* nextoffset entry 4 bytes */
2516 SIVAL(entry,0,0);
2517
2518 /* then the len of the SID 4 bytes */
2519 SIVAL(entry,4,sid_len);
2520
2521 /* unknown data 8 bytes uint64_t */
2522 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-mezte*/
2523
2524 /* the used disk space 8 bytes uint64_t */
2525 SBIG_UINT(entry,16,qt.usedspace);
2526
2527 /* the soft quotas 8 bytes uint64_t */
2528 SBIG_UINT(entry,24,qt.softlim);
2529
2530 /* the hard quotas 8 bytes uint64_t */
2531 SBIG_UINT(entry,32,qt.hardlim);
2532
2533 /* and now the SID */
2534 sid_linearize(entry+40, sid_len, &sid);
2535
2536 break;
2537
2538 default:
2539 DEBUG(0, ("do_nt_transact_get_user_quota: %s: unknown "
2540 "level 0x%04hX\n",
2541 fsp_fnum_dbg(fsp), level));
2542 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2543 return;
2544 break;
2545 }
2546
2547 send_nt_replies(conn, req, nt_status, params, param_len,
2548 pdata, data_len);
2549 }
2550
2551 /****************************************************************************
2552 Reply to set user quota
2553 ****************************************************************************/
2554
2555 static void call_nt_transact_set_user_quota(connection_struct *conn,
2556 struct smb_request *req,
2557 uint16 **ppsetup,
2558 uint32 setup_count,
2559 char **ppparams,
2560 uint32 parameter_count,
2561 char **ppdata,
2562 uint32 data_count,
2563 uint32 max_data_count)
2564 {
2565 char *params = *ppparams;
2566 char *pdata = *ppdata;
2567 int data_len=0,param_len=0;
2568 SMB_NTQUOTA_STRUCT qt;
2569 size_t sid_len;
2570 struct dom_sid sid;
2571 files_struct *fsp = NULL;
2572
2573 ZERO_STRUCT(qt);
2574
2575 /* access check */
2576 if (get_current_uid(conn) != 0) {
2577 DEBUG(1,("set_user_quota: access_denied service [%s] user "
2578 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2579 conn->session_info->unix_info->unix_name));
2580 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2581 return;
2582 }
2583
2584 /*
2585 * Ensure minimum number of parameters sent.
2586 */
2587
2588 if (parameter_count < 2) {
2589 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
2590 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2591 return;
2592 }
2593
2594 /* maybe we can check the quota_fnum */
2595 fsp = file_fsp(req, SVAL(params,0));
2596 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2597 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2598 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2599 return;
2600 }
2601
2602 if (data_count < 40) {
2603 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40));
2604 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2605 return;
2606 }
2607
2608 /* offset to next quota record.
2609 * 4 bytes IVAL(pdata,0)
2610 * unused here...
2611 */
2612
2613 /* sid len */
2614 sid_len = IVAL(pdata,4);
2615
2616 if (data_count < 40+sid_len || (40+sid_len < sid_len)) {
2617 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len));
2618 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2619 return;
2620 }
2621
2622 /* unknown 8 bytes in pdata
2623 * maybe its the change time in NTTIME
2624 */
2625
2626 /* the used space 8 bytes (uint64_t)*/
2627 qt.usedspace = BVAL(pdata,16);
2628
2629 /* the soft quotas 8 bytes (uint64_t)*/
2630 qt.softlim = BVAL(pdata,24);
2631
2632 /* the hard quotas 8 bytes (uint64_t)*/
2633 qt.hardlim = BVAL(pdata,32);
2634
2635 if (!sid_parse(pdata+40,sid_len,&sid)) {
2636 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2637 return;
2638 }
2639
2640 DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
2641
2642 /* 44 unknown bytes left... */
2643
2644 if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2645 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2646 return;
2647 }
2648
2649 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len,
2650 pdata, data_len);
2651 }
2652 #endif /* HAVE_SYS_QUOTAS */
2653
2654 static void handle_nttrans(connection_struct *conn,
2655 struct trans_state *state,
2656 struct smb_request *req)
2657 {
2658 if (get_Protocol() >= PROTOCOL_NT1) {
2659 req->flags2 |= 0x40; /* IS_LONG_NAME */
2660 SSVAL(discard_const_p(uint8_t, req->inbuf),smb_flg2,req->flags2);
2661 }
2662
2663
2664 SMB_PERFCOUNT_SET_SUBOP(&req->pcd, state->call);
2665
2666 /* Now we must call the relevant NT_TRANS function */
2667 switch(state->call) {
2668 case NT_TRANSACT_CREATE:
2669 {
2670 START_PROFILE(NT_transact_create);
2671 call_nt_transact_create(
2672 conn, req,
2673 &state->setup, state->setup_count,
2674 &state->param, state->total_param,
2675 &state->data, state->total_data,
2676 state->max_data_return);
2677 END_PROFILE(NT_transact_create);
2678 break;
2679 }
2680
2681 case NT_TRANSACT_IOCTL:
2682 {
2683 START_PROFILE(NT_transact_ioctl);
2684 call_nt_transact_ioctl(
2685 conn, req,
2686 &state->setup, state->setup_count,
2687 &state->param, state->total_param,
2688 &state->data, state->total_data,
2689 state->max_data_return);
2690 END_PROFILE(NT_transact_ioctl);
2691 break;
2692 }
2693
2694 case NT_TRANSACT_SET_SECURITY_DESC:
2695 {
2696 START_PROFILE(NT_transact_set_security_desc);
2697 call_nt_transact_set_security_desc(
2698 conn, req,
2699 &state->setup, state->setup_count,
2700 &state->param, state->total_param,
2701 &state->data, state->total_data,
2702 state->max_data_return);
2703 END_PROFILE(NT_transact_set_security_desc);
2704 break;
2705 }
2706
2707 case NT_TRANSACT_NOTIFY_CHANGE:
2708 {
2709 START_PROFILE(NT_transact_notify_change);
2710 call_nt_transact_notify_change(
2711 conn, req,
2712 &state->setup, state->setup_count,
2713 &state->param, state->total_param,
2714 &state->data, state->total_data,
2715 state->max_data_return,
2716 state->max_param_return);
2717 END_PROFILE(NT_transact_notify_change);
2718 break;
2719 }
2720
2721 case NT_TRANSACT_RENAME:
2722 {
2723 START_PROFILE(NT_transact_rename);
2724 call_nt_transact_rename(
2725 conn, req,
2726 &state->setup, state->setup_count,
2727 &state->param, state->total_param,
2728 &state->data, state->total_data,
2729 state->max_data_return);
2730 END_PROFILE(NT_transact_rename);
2731 break;
2732 }
2733
2734 case NT_TRANSACT_QUERY_SECURITY_DESC:
2735 {
2736 START_PROFILE(NT_transact_query_security_desc);
2737 call_nt_transact_query_security_desc(
2738 conn, req,
2739 &state->setup, state->setup_count,
2740 &state->param, state->total_param,
2741 &state->data, state->total_data,
2742 state->max_data_return);
2743 END_PROFILE(NT_transact_query_security_desc);
2744 break;
2745 }
2746
2747 #ifdef HAVE_SYS_QUOTAS
2748 case NT_TRANSACT_GET_USER_QUOTA:
2749 {
2750 START_PROFILE(NT_transact_get_user_quota);
2751 call_nt_transact_get_user_quota(
2752 conn, req,
2753 &state->setup, state->setup_count,
2754 &state->param, state->total_param,
2755 &state->data, state->total_data,
2756 state->max_data_return);
2757 END_PROFILE(NT_transact_get_user_quota);
2758 break;
2759 }
2760
2761 case NT_TRANSACT_SET_USER_QUOTA:
2762 {
2763 START_PROFILE(NT_transact_set_user_quota);
2764 call_nt_transact_set_user_quota(
2765 conn, req,
2766 &state->setup, state->setup_count,
2767 &state->param, state->total_param,
2768 &state->data, state->total_data,
2769 state->max_data_return);
2770 END_PROFILE(NT_transact_set_user_quota);
2771 break;
2772 }
2773 #endif /* HAVE_SYS_QUOTAS */
2774
2775 default:
2776 /* Error in request */
2777 DEBUG(0,("handle_nttrans: Unknown request %d in "
2778 "nttrans call\n", state->call));
2779 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2780 return;
2781 }
2782 return;
2783 }
2784
2785 /****************************************************************************
2786 Reply to a SMBNTtrans.
2787 ****************************************************************************/
2788
2789 void reply_nttrans(struct smb_request *req)
2790 {
2791 connection_struct *conn = req->conn;
2792 uint32_t pscnt;
2793 uint32_t psoff;
2794 uint32_t dscnt;
2795 uint32_t dsoff;
2796 uint16 function_code;
2797 NTSTATUS result;
2798 struct trans_state *state;
2799
2800 START_PROFILE(SMBnttrans);
2801
2802 if (req->wct < 19) {
2803 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2804 END_PROFILE(SMBnttrans);
2805 return;
2806 }
2807
2808 pscnt = IVAL(req->vwv+9, 1);
2809 psoff = IVAL(req->vwv+11, 1);
2810 dscnt = IVAL(req->vwv+13, 1);
2811 dsoff = IVAL(req->vwv+15, 1);
2812 function_code = SVAL(req->vwv+18, 0);
2813
2814 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
2815 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2816 END_PROFILE(SMBnttrans);
2817 return;
2818 }
2819
2820 result = allow_new_trans(conn->pending_trans, req->mid);
2821 if (!NT_STATUS_IS_OK(result)) {
2822 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
2823 reply_nterror(req, result);
2824 END_PROFILE(SMBnttrans);
2825 return;
2826 }
2827
2828 if ((state = talloc(conn, struct trans_state)) == NULL) {
2829 reply_nterror(req, NT_STATUS_NO_MEMORY);
2830 END_PROFILE(SMBnttrans);
2831 return;
2832 }
2833
2834 state->cmd = SMBnttrans;
2835
2836 state->mid = req->mid;
2837 state->vuid = req->vuid;
2838 state->total_data = IVAL(req->vwv+3, 1);
2839 state->data = NULL;
2840 state->total_param = IVAL(req->vwv+1, 1);
2841 state->param = NULL;
2842 state->max_data_return = IVAL(req->vwv+7, 1);
2843 state->max_param_return = IVAL(req->vwv+5, 1);
2844
2845 /* setup count is in *words* */
2846 state->setup_count = 2*CVAL(req->vwv+17, 1);
2847 state->setup = NULL;
2848 state->call = function_code;
2849
2850 DEBUG(10, ("num_setup=%u, "
2851 "param_total=%u, this_param=%u, max_param=%u, "
2852 "data_total=%u, this_data=%u, max_data=%u, "
2853 "param_offset=%u, data_offset=%u\n",
2854 (unsigned)state->setup_count,
2855 (unsigned)state->total_param, (unsigned)pscnt,
2856 (unsigned)state->max_param_return,
2857 (unsigned)state->total_data, (unsigned)dscnt,
2858 (unsigned)state->max_data_return,
2859 (unsigned)psoff, (unsigned)dsoff));
2860
2861 /*
2862 * All nttrans messages we handle have smb_wct == 19 +
2863 * state->setup_count. Ensure this is so as a sanity check.
2864 */
2865
2866 if(req->wct != 19 + (state->setup_count/2)) {
2867 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
2868 req->wct, 19 + (state->setup_count/2)));
2869 goto bad_param;
2870 }
2871
2872 /* Don't allow more than 128mb for each value. */
2873 if ((state->total_data > (1024*1024*128)) ||
2874 (state->total_param > (1024*1024*128))) {
2875 reply_nterror(req, NT_STATUS_NO_MEMORY);
2876 END_PROFILE(SMBnttrans);
2877 return;
2878 }
2879
2880 if ((dscnt > state->total_data) || (pscnt > state->total_param))
2881 goto bad_param;
2882
2883 if (state->total_data) {
2884
2885 if (trans_oob(state->total_data, 0, dscnt)
2886 || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) {
2887 goto bad_param;
2888 }
2889
2890 /* Can't use talloc here, the core routines do realloc on the
2891 * params and data. */
2892 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
2893 DEBUG(0,("reply_nttrans: data malloc fail for %u "
2894 "bytes !\n", (unsigned int)state->total_data));
2895 TALLOC_FREE(state);
2896 reply_nterror(req, NT_STATUS_NO_MEMORY);
2897 END_PROFILE(SMBnttrans);
2898 return;
2899 }
2900
2901 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
2902 }
2903
2904 if (state->total_param) {
2905
2906 if (trans_oob(state->total_param, 0, pscnt)
2907 || trans_oob(smb_len(req->inbuf), psoff, pscnt)) {
2908 goto bad_param;
2909 }
2910
2911 /* Can't use talloc here, the core routines do realloc on the
2912 * params and data. */
2913 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
2914 DEBUG(0,("reply_nttrans: param malloc fail for %u "
2915 "bytes !\n", (unsigned int)state->total_param));
2916 SAFE_FREE(state->data);
2917 TALLOC_FREE(state);
2918 reply_nterror(req, NT_STATUS_NO_MEMORY);
2919 END_PROFILE(SMBnttrans);
2920 return;
2921 }
2922
2923 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
2924 }
2925
2926 state->received_data = dscnt;
2927 state->received_param = pscnt;
2928
2929 if(state->setup_count > 0) {
2930 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
2931 state->setup_count));
2932
2933 /*
2934 * No overflow possible here, state->setup_count is an
2935 * unsigned int, being filled by a single byte from
2936 * CVAL(req->vwv+13, 0) above. The cast in the comparison
2937 * below is not necessary, it's here to clarify things. The
2938 * validity of req->vwv and req->wct has been checked in
2939 * init_smb_request already.
2940 */
2941 if ((state->setup_count/2) + 19 > (unsigned int)req->wct) {
2942 goto bad_param;
2943 }
2944
2945 state->setup = (uint16 *)TALLOC(state, state->setup_count);
2946 if (state->setup == NULL) {
2947 DEBUG(0,("reply_nttrans : Out of memory\n"));
2948 SAFE_FREE(state->data);
2949 SAFE_FREE(state->param);
2950 TALLOC_FREE(state);
2951 reply_nterror(req, NT_STATUS_NO_MEMORY);
2952 END_PROFILE(SMBnttrans);
2953 return;
2954 }
2955
2956 memcpy(state->setup, req->vwv+19, state->setup_count);
2957 dump_data(10, (uint8 *)state->setup, state->setup_count);
2958 }
2959
2960 if ((state->received_data == state->total_data) &&
2961 (state->received_param == state->total_param)) {
2962 handle_nttrans(conn, state, req);
2963 SAFE_FREE(state->param);
2964 SAFE_FREE(state->data);
2965 TALLOC_FREE(state);
2966 END_PROFILE(SMBnttrans);
2967 return;
2968 }
2969
2970 DLIST_ADD(conn->pending_trans, state);
2971
2972 /* We need to send an interim response then receive the rest
2973 of the parameter/data bytes */
2974 reply_outbuf(req, 0, 0);
2975 show_msg((char *)req->outbuf);
2976 END_PROFILE(SMBnttrans);
2977 return;
2978
2979 bad_param:
2980
2981 DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
2982 SAFE_FREE(state->data);
2983 SAFE_FREE(state->param);
2984 TALLOC_FREE(state);
2985 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2986 END_PROFILE(SMBnttrans);
2987 return;
2988 }
2989
2990 /****************************************************************************
2991 Reply to a SMBnttranss
2992 ****************************************************************************/
2993
2994 void reply_nttranss(struct smb_request *req)
2995 {
2996 connection_struct *conn = req->conn;
2997 uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
2998 struct trans_state *state;
2999
3000 START_PROFILE(SMBnttranss);
3001
3002 show_msg((const char *)req->inbuf);
3003
3004 /* Windows clients expect all replies to
3005 an NT transact secondary (SMBnttranss 0xA1)
3006 to have a command code of NT transact
3007 (SMBnttrans 0xA0). See bug #8989 for details. */
3008 req->cmd = SMBnttrans;
3009
3010 if (req->wct < 18) {
3011 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3012 END_PROFILE(SMBnttranss);
3013 return;
3014 }
3015
3016 for (state = conn->pending_trans; state != NULL;
3017 state = state->next) {
3018 if (state->mid == req->mid) {
3019 break;
3020 }
3021 }
3022
3023 if ((state == NULL) || (state->cmd != SMBnttrans)) {
3024 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3025 END_PROFILE(SMBnttranss);
3026 return;
3027 }
3028
3029 /* Revise state->total_param and state->total_data in case they have
3030 changed downwards */
3031 if (IVAL(req->vwv+1, 1) < state->total_param) {
3032 state->total_param = IVAL(req->vwv+1, 1);
3033 }
3034 if (IVAL(req->vwv+3, 1) < state->total_data) {
3035 state->total_data = IVAL(req->vwv+3, 1);
3036 }
3037
3038 pcnt = IVAL(req->vwv+5, 1);
3039 poff = IVAL(req->vwv+7, 1);
3040 pdisp = IVAL(req->vwv+9, 1);
3041
3042 dcnt = IVAL(req->vwv+11, 1);
3043 doff = IVAL(req->vwv+13, 1);
3044 ddisp = IVAL(req->vwv+15, 1);
3045
3046 state->received_param += pcnt;
3047 state->received_data += dcnt;
3048
3049 if ((state->received_data > state->total_data) ||
3050 (state->received_param > state->total_param))
3051 goto bad_param;
3052
3053 if (pcnt) {
3054 if (trans_oob(state->total_param, pdisp, pcnt)
3055 || trans_oob(smb_len(req->inbuf), poff, pcnt)) {
3056 goto bad_param;
3057 }
3058 memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,pcnt);
3059 }
3060
3061 if (dcnt) {
3062 if (trans_oob(state->total_data, ddisp, dcnt)
3063 || trans_oob(smb_len(req->inbuf), doff, dcnt)) {
3064 goto bad_param;
3065 }
3066 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt);
3067 }
3068
3069 if ((state->received_param < state->total_param) ||
3070 (state->received_data < state->total_data)) {
3071 END_PROFILE(SMBnttranss);
3072 return;
3073 }
3074
3075 handle_nttrans(conn, state, req);
3076
3077 DLIST_REMOVE(conn->pending_trans, state);
3078 SAFE_FREE(state->data);
3079 SAFE_FREE(state->param);
3080 TALLOC_FREE(state);
3081 END_PROFILE(SMBnttranss);
3082 return;
3083
3084 bad_param:
3085
3086 DEBUG(0,("reply_nttranss: invalid trans parameters\n"));
3087 DLIST_REMOVE(conn->pending_trans, state);
3088 SAFE_FREE(state->data);
3089 SAFE_FREE(state->param);
3090 TALLOC_FREE(state);
3091 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3092 END_PROFILE(SMBnttranss);
3093 return;
3094 }
Samba GIT mirror