search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Part 2 of fix for bug #8998 - Notify code can miss a ChDir.
[Samba.git] / source3 / smbd / process.c
blob5aa19cbee0d7c1471ef9dfad278b5ad2e70d86f7
1 /*
2 Unix SMB/CIFS implementation.
3 process incoming packets - main loop
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Volker Lendecke 2005-2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../lib/tsocket/tsocket.h"
23 #include "system/filesys.h"
24 #include "smbd/smbd.h"
25 #include "smbd/globals.h"
26 #include "librpc/gen_ndr/netlogon.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/pcap.h"
31 #include "system/select.h"
32 #include "passdb.h"
33 #include "auth.h"
34 #include "messages.h"
35 #include "smbprofile.h"
36 #include "rpc_server/spoolss/srv_spoolss_nt.h"
37 #include "libsmb/libsmb.h"
38
39 extern bool global_machine_password_needs_changing;
40
41 static void construct_reply_common(struct smb_request *req, const char *inbuf,
42 char *outbuf);
43 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid);
44
45 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
46 {
47 bool ok;
48
49 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
50 return true;
51 }
52
53 sconn->smb1.echo_handler.ref_count++;
54
55 if (sconn->smb1.echo_handler.ref_count > 1) {
56 return true;
57 }
58
59 DEBUG(10,("pid[%d] wait for socket lock\n", (int)sys_getpid()));
60
61 do {
62 ok = fcntl_lock(
63 sconn->smb1.echo_handler.socket_lock_fd,
64 SMB_F_SETLKW, 0, 0, F_WRLCK);
65 } while (!ok && (errno == EINTR));
66
67 if (!ok) {
68 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
69 return false;
70 }
71
72 DEBUG(10,("pid[%d] got for socket lock\n", (int)sys_getpid()));
73
74 return true;
75 }
76
77 void smbd_lock_socket(struct smbd_server_connection *sconn)
78 {
79 if (!smbd_lock_socket_internal(sconn)) {
80 exit_server_cleanly("failed to lock socket");
81 }
82 }
83
84 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
85 {
86 bool ok;
87
88 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
89 return true;
90 }
91
92 sconn->smb1.echo_handler.ref_count--;
93
94 if (sconn->smb1.echo_handler.ref_count > 0) {
95 return true;
96 }
97
98 do {
99 ok = fcntl_lock(
100 sconn->smb1.echo_handler.socket_lock_fd,
101 SMB_F_SETLKW, 0, 0, F_UNLCK);
102 } while (!ok && (errno == EINTR));
103
104 if (!ok) {
105 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
106 return false;
107 }
108
109 DEBUG(10,("pid[%d] unlocked socket\n", (int)sys_getpid()));
110
111 return true;
112 }
113
114 void smbd_unlock_socket(struct smbd_server_connection *sconn)
115 {
116 if (!smbd_unlock_socket_internal(sconn)) {
117 exit_server_cleanly("failed to unlock socket");
118 }
119 }
120
121 /* Accessor function for smb_read_error for smbd functions. */
122
123 /****************************************************************************
124 Send an smb to a fd.
125 ****************************************************************************/
126
127 bool srv_send_smb(struct smbd_server_connection *sconn, char *buffer,
128 bool do_signing, uint32_t seqnum,
129 bool do_encrypt,
130 struct smb_perfcount_data *pcd)
131 {
132 size_t len = 0;
133 size_t nwritten=0;
134 ssize_t ret;
135 char *buf_out = buffer;
136
137 smbd_lock_socket(sconn);
138
139 if (do_signing) {
140 /* Sign the outgoing packet if required. */
141 srv_calculate_sign_mac(sconn, buf_out, seqnum);
142 }
143
144 if (do_encrypt) {
145 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
146 if (!NT_STATUS_IS_OK(status)) {
147 DEBUG(0, ("send_smb: SMB encryption failed "
148 "on outgoing packet! Error %s\n",
149 nt_errstr(status) ));
150 goto out;
151 }
152 }
153
154 len = smb_len(buf_out) + 4;
155
156 ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
157 if (ret <= 0) {
158
159 char addr[INET6_ADDRSTRLEN];
160 /*
161 * Try and give an error message saying what
162 * client failed.
163 */
164 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
165 (int)sys_getpid(), (int)len,
166 get_peer_addr(sconn->sock, addr, sizeof(addr)),
167 (int)ret, strerror(errno) ));
168
169 srv_free_enc_buffer(buf_out);
170 goto out;
171 }
172
173 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
174 srv_free_enc_buffer(buf_out);
175 out:
176 SMB_PERFCOUNT_END(pcd);
177
178 smbd_unlock_socket(sconn);
179 return true;
180 }
181
182 /*******************************************************************
183 Setup the word count and byte count for a smb message.
184 ********************************************************************/
185
186 int srv_set_message(char *buf,
187 int num_words,
188 int num_bytes,
189 bool zero)
190 {
191 if (zero && (num_words || num_bytes)) {
192 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
193 }
194 SCVAL(buf,smb_wct,num_words);
195 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
196 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
197 return (smb_size + num_words*2 + num_bytes);
198 }
199
200 static bool valid_smb_header(const uint8_t *inbuf)
201 {
202 if (is_encrypted_packet(inbuf)) {
203 return true;
204 }
205 /*
206 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
207 * but it just looks weird to call strncmp for this one.
208 */
209 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
210 }
211
212 /* Socket functions for smbd packet processing. */
213
214 static bool valid_packet_size(size_t len)
215 {
216 /*
217 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
218 * of header. Don't print the error if this fits.... JRA.
219 */
220
221 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
222 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
223 (unsigned long)len));
224 return false;
225 }
226 return true;
227 }
228
229 static NTSTATUS read_packet_remainder(int fd, char *buffer,
230 unsigned int timeout, ssize_t len)
231 {
232 NTSTATUS status;
233
234 if (len <= 0) {
235 return NT_STATUS_OK;
236 }
237
238 status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
239 if (!NT_STATUS_IS_OK(status)) {
240 char addr[INET6_ADDRSTRLEN];
241 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
242 "error = %s.\n",
243 get_peer_addr(fd, addr, sizeof(addr)),
244 nt_errstr(status)));
245 }
246 return status;
247 }
248
249 /****************************************************************************
250 Attempt a zerocopy writeX read. We know here that len > smb_size-4
251 ****************************************************************************/
252
253 /*
254 * Unfortunately, earlier versions of smbclient/libsmbclient
255 * don't send this "standard" writeX header. I've fixed this
256 * for 3.2 but we'll use the old method with earlier versions.
257 * Windows and CIFSFS at least use this standard size. Not
258 * sure about MacOSX.
259 */
260
261 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
262 (2*14) + /* word count (including bcc) */ \
263 1 /* pad byte */)
264
265 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
266 const char lenbuf[4],
267 struct smbd_server_connection *sconn,
268 int sock,
269 char **buffer,
270 unsigned int timeout,
271 size_t *p_unread,
272 size_t *len_ret)
273 {
274 /* Size of a WRITEX call (+4 byte len). */
275 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
276 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
277 ssize_t toread;
278 NTSTATUS status;
279
280 memcpy(writeX_header, lenbuf, 4);
281
282 status = read_fd_with_timeout(
283 sock, writeX_header + 4,
284 STANDARD_WRITE_AND_X_HEADER_SIZE,
285 STANDARD_WRITE_AND_X_HEADER_SIZE,
286 timeout, NULL);
287
288 if (!NT_STATUS_IS_OK(status)) {
289 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
290 "error = %s.\n", sconn->client_id.addr,
291 nt_errstr(status)));
292 return status;
293 }
294
295 /*
296 * Ok - now try and see if this is a possible
297 * valid writeX call.
298 */
299
300 if (is_valid_writeX_buffer(sconn, (uint8_t *)writeX_header)) {
301 /*
302 * If the data offset is beyond what
303 * we've read, drain the extra bytes.
304 */
305 uint16_t doff = SVAL(writeX_header,smb_vwv11);
306 ssize_t newlen;
307
308 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
309 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
310 if (drain_socket(sock, drain) != drain) {
311 smb_panic("receive_smb_raw_talloc_partial_read:"
312 " failed to drain pending bytes");
313 }
314 } else {
315 doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
316 }
317
318 /* Spoof down the length and null out the bcc. */
319 set_message_bcc(writeX_header, 0);
320 newlen = smb_len(writeX_header);
321
322 /* Copy the header we've written. */
323
324 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
325 writeX_header,
326 sizeof(writeX_header));
327
328 if (*buffer == NULL) {
329 DEBUG(0, ("Could not allocate inbuf of length %d\n",
330 (int)sizeof(writeX_header)));
331 return NT_STATUS_NO_MEMORY;
332 }
333
334 /* Work out the remaining bytes. */
335 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
336 *len_ret = newlen + 4;
337 return NT_STATUS_OK;
338 }
339
340 if (!valid_packet_size(len)) {
341 return NT_STATUS_INVALID_PARAMETER;
342 }
343
344 /*
345 * Not a valid writeX call. Just do the standard
346 * talloc and return.
347 */
348
349 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
350
351 if (*buffer == NULL) {
352 DEBUG(0, ("Could not allocate inbuf of length %d\n",
353 (int)len+4));
354 return NT_STATUS_NO_MEMORY;
355 }
356
357 /* Copy in what we already read. */
358 memcpy(*buffer,
359 writeX_header,
360 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
361 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
362
363 if(toread > 0) {
364 status = read_packet_remainder(
365 sock,
366 (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
367 timeout, toread);
368
369 if (!NT_STATUS_IS_OK(status)) {
370 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
371 nt_errstr(status)));
372 return status;
373 }
374 }
375
376 *len_ret = len + 4;
377 return NT_STATUS_OK;
378 }
379
380 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
381 struct smbd_server_connection *sconn,
382 int sock,
383 char **buffer, unsigned int timeout,
384 size_t *p_unread, size_t *plen)
385 {
386 char lenbuf[4];
387 size_t len;
388 int min_recv_size = lp_min_receive_file_size();
389 NTSTATUS status;
390
391 *p_unread = 0;
392
393 status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
394 &len);
395 if (!NT_STATUS_IS_OK(status)) {
396 return status;
397 }
398
399 if (CVAL(lenbuf,0) == 0 && min_recv_size &&
400 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
401 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
402 !srv_is_signing_active(sconn) &&
403 sconn->smb1.echo_handler.trusted_fde == NULL) {
404
405 return receive_smb_raw_talloc_partial_read(
406 mem_ctx, lenbuf, sconn, sock, buffer, timeout,
407 p_unread, plen);
408 }
409
410 if (!valid_packet_size(len)) {
411 return NT_STATUS_INVALID_PARAMETER;
412 }
413
414 /*
415 * The +4 here can't wrap, we've checked the length above already.
416 */
417
418 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
419
420 if (*buffer == NULL) {
421 DEBUG(0, ("Could not allocate inbuf of length %d\n",
422 (int)len+4));
423 return NT_STATUS_NO_MEMORY;
424 }
425
426 memcpy(*buffer, lenbuf, sizeof(lenbuf));
427
428 status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
429 if (!NT_STATUS_IS_OK(status)) {
430 return status;
431 }
432
433 *plen = len + 4;
434 return NT_STATUS_OK;
435 }
436
437 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
438 struct smbd_server_connection *sconn,
439 int sock,
440 char **buffer, unsigned int timeout,
441 size_t *p_unread, bool *p_encrypted,
442 size_t *p_len,
443 uint32_t *seqnum,
444 bool trusted_channel)
445 {
446 size_t len = 0;
447 NTSTATUS status;
448
449 *p_encrypted = false;
450
451 status = receive_smb_raw_talloc(mem_ctx, sconn, sock, buffer, timeout,
452 p_unread, &len);
453 if (!NT_STATUS_IS_OK(status)) {
454 DEBUG(NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)?5:1,
455 ("receive_smb_raw_talloc failed for client %s "
456 "read error = %s.\n",
457 sconn->client_id.addr, nt_errstr(status)));
458 return status;
459 }
460
461 if (is_encrypted_packet((uint8_t *)*buffer)) {
462 status = srv_decrypt_buffer(*buffer);
463 if (!NT_STATUS_IS_OK(status)) {
464 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
465 "incoming packet! Error %s\n",
466 nt_errstr(status) ));
467 return status;
468 }
469 *p_encrypted = true;
470 }
471
472 /* Check the incoming SMB signature. */
473 if (!srv_check_sign_mac(sconn, *buffer, seqnum, trusted_channel)) {
474 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
475 "incoming packet!\n"));
476 return NT_STATUS_INVALID_NETWORK_RESPONSE;
477 }
478
479 *p_len = len;
480 return NT_STATUS_OK;
481 }
482
483 /*
484 * Initialize a struct smb_request from an inbuf
485 */
486
487 static bool init_smb_request(struct smb_request *req,
488 struct smbd_server_connection *sconn,
489 const uint8 *inbuf,
490 size_t unread_bytes, bool encrypted,
491 uint32_t seqnum)
492 {
493 size_t req_size = smb_len(inbuf) + 4;
494 /* Ensure we have at least smb_size bytes. */
495 if (req_size < smb_size) {
496 DEBUG(0,("init_smb_request: invalid request size %u\n",
497 (unsigned int)req_size ));
498 return false;
499 }
500 req->cmd = CVAL(inbuf, smb_com);
501 req->flags2 = SVAL(inbuf, smb_flg2);
502 req->smbpid = SVAL(inbuf, smb_pid);
503 req->mid = (uint64_t)SVAL(inbuf, smb_mid);
504 req->seqnum = seqnum;
505 req->vuid = SVAL(inbuf, smb_uid);
506 req->tid = SVAL(inbuf, smb_tid);
507 req->wct = CVAL(inbuf, smb_wct);
508 req->vwv = (uint16_t *)(inbuf+smb_vwv);
509 req->buflen = smb_buflen(inbuf);
510 req->buf = (const uint8_t *)smb_buf(inbuf);
511 req->unread_bytes = unread_bytes;
512 req->encrypted = encrypted;
513 req->sconn = sconn;
514 req->conn = conn_find(sconn,req->tid);
515 req->chain_fsp = NULL;
516 req->chain_outbuf = NULL;
517 req->done = false;
518 req->smb2req = NULL;
519 smb_init_perfcount_data(&req->pcd);
520
521 /* Ensure we have at least wct words and 2 bytes of bcc. */
522 if (smb_size + req->wct*2 > req_size) {
523 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
524 (unsigned int)req->wct,
525 (unsigned int)req_size));
526 return false;
527 }
528 /* Ensure bcc is correct. */
529 if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
530 DEBUG(0,("init_smb_request: invalid bcc number %u "
531 "(wct = %u, size %u)\n",
532 (unsigned int)req->buflen,
533 (unsigned int)req->wct,
534 (unsigned int)req_size));
535 return false;
536 }
537
538 req->outbuf = NULL;
539 return true;
540 }
541
542 static void process_smb(struct smbd_server_connection *conn,
543 uint8_t *inbuf, size_t nread, size_t unread_bytes,
544 uint32_t seqnum, bool encrypted,
545 struct smb_perfcount_data *deferred_pcd);
546
547 static void smbd_deferred_open_timer(struct event_context *ev,
548 struct timed_event *te,
549 struct timeval _tval,
550 void *private_data)
551 {
552 struct pending_message_list *msg = talloc_get_type(private_data,
553 struct pending_message_list);
554 TALLOC_CTX *mem_ctx = talloc_tos();
555 uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
556 uint8_t *inbuf;
557
558 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
559 msg->buf.length);
560 if (inbuf == NULL) {
561 exit_server("smbd_deferred_open_timer: talloc failed\n");
562 return;
563 }
564
565 /* We leave this message on the queue so the open code can
566 know this is a retry. */
567 DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
568 (unsigned long long)mid ));
569
570 /* Mark the message as processed so this is not
571 * re-processed in error. */
572 msg->processed = true;
573
574 process_smb(smbd_server_conn, inbuf,
575 msg->buf.length, 0,
576 msg->seqnum, msg->encrypted, &msg->pcd);
577
578 /* If it's still there and was processed, remove it. */
579 msg = get_deferred_open_message_smb(mid);
580 if (msg && msg->processed) {
581 remove_deferred_open_message_smb(mid);
582 }
583 }
584
585 /****************************************************************************
586 Function to push a message onto the tail of a linked list of smb messages ready
587 for processing.
588 ****************************************************************************/
589
590 static bool push_queued_message(struct smb_request *req,
591 struct timeval request_time,
592 struct timeval end_time,
593 char *private_data, size_t private_len)
594 {
595 int msg_len = smb_len(req->inbuf) + 4;
596 struct pending_message_list *msg;
597
598 msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
599
600 if(msg == NULL) {
601 DEBUG(0,("push_message: malloc fail (1)\n"));
602 return False;
603 }
604
605 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
606 if(msg->buf.data == NULL) {
607 DEBUG(0,("push_message: malloc fail (2)\n"));
608 TALLOC_FREE(msg);
609 return False;
610 }
611
612 msg->request_time = request_time;
613 msg->seqnum = req->seqnum;
614 msg->encrypted = req->encrypted;
615 msg->processed = false;
616 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
617
618 if (private_data) {
619 msg->private_data = data_blob_talloc(msg, private_data,
620 private_len);
621 if (msg->private_data.data == NULL) {
622 DEBUG(0,("push_message: malloc fail (3)\n"));
623 TALLOC_FREE(msg);
624 return False;
625 }
626 }
627
628 msg->te = event_add_timed(smbd_event_context(),
629 msg,
630 end_time,
631 smbd_deferred_open_timer,
632 msg);
633 if (!msg->te) {
634 DEBUG(0,("push_message: event_add_timed failed\n"));
635 TALLOC_FREE(msg);
636 return false;
637 }
638
639 DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
640
641 DEBUG(10,("push_message: pushed message length %u on "
642 "deferred_open_queue\n", (unsigned int)msg_len));
643
644 return True;
645 }
646
647 /****************************************************************************
648 Function to delete a sharing violation open message by mid.
649 ****************************************************************************/
650
651 void remove_deferred_open_message_smb(uint64_t mid)
652 {
653 struct pending_message_list *pml;
654
655 if (smbd_server_conn->using_smb2) {
656 remove_deferred_open_message_smb2(smbd_server_conn, mid);
657 return;
658 }
659
660 for (pml = deferred_open_queue; pml; pml = pml->next) {
661 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
662 DEBUG(10,("remove_deferred_open_message_smb: "
663 "deleting mid %llu len %u\n",
664 (unsigned long long)mid,
665 (unsigned int)pml->buf.length ));
666 DLIST_REMOVE(deferred_open_queue, pml);
667 TALLOC_FREE(pml);
668 return;
669 }
670 }
671 }
672
673 /****************************************************************************
674 Move a sharing violation open retry message to the front of the list and
675 schedule it for immediate processing.
676 ****************************************************************************/
677
678 void schedule_deferred_open_message_smb(uint64_t mid)
679 {
680 struct pending_message_list *pml;
681 int i = 0;
682
683 if (smbd_server_conn->using_smb2) {
684 schedule_deferred_open_message_smb2(smbd_server_conn, mid);
685 return;
686 }
687
688 for (pml = deferred_open_queue; pml; pml = pml->next) {
689 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
690
691 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
692 "msg_mid = %llu\n",
693 i++,
694 (unsigned long long)msg_mid ));
695
696 if (mid == msg_mid) {
697 struct timed_event *te;
698
699 if (pml->processed) {
700 /* A processed message should not be
701 * rescheduled. */
702 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
703 "message mid %llu was already processed\n",
704 (unsigned long long)msg_mid ));
705 continue;
706 }
707
708 DEBUG(10,("schedule_deferred_open_message_smb: "
709 "scheduling mid %llu\n",
710 (unsigned long long)mid ));
711
712 te = event_add_timed(smbd_event_context(),
713 pml,
714 timeval_zero(),
715 smbd_deferred_open_timer,
716 pml);
717 if (!te) {
718 DEBUG(10,("schedule_deferred_open_message_smb: "
719 "event_add_timed() failed, "
720 "skipping mid %llu\n",
721 (unsigned long long)msg_mid ));
722 }
723
724 TALLOC_FREE(pml->te);
725 pml->te = te;
726 DLIST_PROMOTE(deferred_open_queue, pml);
727 return;
728 }
729 }
730
731 DEBUG(10,("schedule_deferred_open_message_smb: failed to "
732 "find message mid %llu\n",
733 (unsigned long long)mid ));
734 }
735
736 /****************************************************************************
737 Return true if this mid is on the deferred queue and was not yet processed.
738 ****************************************************************************/
739
740 bool open_was_deferred(uint64_t mid)
741 {
742 struct pending_message_list *pml;
743
744 if (smbd_server_conn->using_smb2) {
745 return open_was_deferred_smb2(smbd_server_conn, mid);
746 }
747
748 for (pml = deferred_open_queue; pml; pml = pml->next) {
749 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
750 return True;
751 }
752 }
753 return False;
754 }
755
756 /****************************************************************************
757 Return the message queued by this mid.
758 ****************************************************************************/
759
760 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid)
761 {
762 struct pending_message_list *pml;
763
764 for (pml = deferred_open_queue; pml; pml = pml->next) {
765 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
766 return pml;
767 }
768 }
769 return NULL;
770 }
771
772 /****************************************************************************
773 Get the state data queued by this mid.
774 ****************************************************************************/
775
776 bool get_deferred_open_message_state(struct smb_request *smbreq,
777 struct timeval *p_request_time,
778 void **pp_state)
779 {
780 struct pending_message_list *pml;
781
782 if (smbd_server_conn->using_smb2) {
783 return get_deferred_open_message_state_smb2(smbreq->smb2req,
784 p_request_time,
785 pp_state);
786 }
787
788 pml = get_deferred_open_message_smb(smbreq->mid);
789 if (!pml) {
790 return false;
791 }
792 if (p_request_time) {
793 *p_request_time = pml->request_time;
794 }
795 if (pp_state) {
796 *pp_state = (void *)pml->private_data.data;
797 }
798 return true;
799 }
800
801 /****************************************************************************
802 Function to push a deferred open smb message onto a linked list of local smb
803 messages ready for processing.
804 ****************************************************************************/
805
806 bool push_deferred_open_message_smb(struct smb_request *req,
807 struct timeval request_time,
808 struct timeval timeout,
809 struct file_id id,
810 char *private_data, size_t priv_len)
811 {
812 struct timeval end_time;
813
814 if (req->smb2req) {
815 return push_deferred_open_message_smb2(req->smb2req,
816 request_time,
817 timeout,
818 id,
819 private_data,
820 priv_len);
821 }
822
823 if (req->unread_bytes) {
824 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
825 "unread_bytes = %u\n",
826 (unsigned int)req->unread_bytes ));
827 smb_panic("push_deferred_open_message_smb: "
828 "logic error unread_bytes != 0" );
829 }
830
831 end_time = timeval_sum(&request_time, &timeout);
832
833 DEBUG(10,("push_deferred_open_message_smb: pushing message "
834 "len %u mid %llu timeout time [%u.%06u]\n",
835 (unsigned int) smb_len(req->inbuf)+4,
836 (unsigned long long)req->mid,
837 (unsigned int)end_time.tv_sec,
838 (unsigned int)end_time.tv_usec));
839
840 return push_queued_message(req, request_time, end_time,
841 private_data, priv_len);
842 }
843
844 struct idle_event {
845 struct timed_event *te;
846 struct timeval interval;
847 char *name;
848 bool (*handler)(const struct timeval *now, void *private_data);
849 void *private_data;
850 };
851
852 static void smbd_idle_event_handler(struct event_context *ctx,
853 struct timed_event *te,
854 struct timeval now,
855 void *private_data)
856 {
857 struct idle_event *event =
858 talloc_get_type_abort(private_data, struct idle_event);
859
860 TALLOC_FREE(event->te);
861
862 DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
863 event->name, event->te));
864
865 if (!event->handler(&now, event->private_data)) {
866 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
867 event->name, event->te));
868 /* Don't repeat, delete ourselves */
869 TALLOC_FREE(event);
870 return;
871 }
872
873 DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
874 event->name, event->te));
875
876 event->te = event_add_timed(ctx, event,
877 timeval_sum(&now, &event->interval),
878 smbd_idle_event_handler, event);
879
880 /* We can't do much but fail here. */
881 SMB_ASSERT(event->te != NULL);
882 }
883
884 struct idle_event *event_add_idle(struct event_context *event_ctx,
885 TALLOC_CTX *mem_ctx,
886 struct timeval interval,
887 const char *name,
888 bool (*handler)(const struct timeval *now,
889 void *private_data),
890 void *private_data)
891 {
892 struct idle_event *result;
893 struct timeval now = timeval_current();
894
895 result = TALLOC_P(mem_ctx, struct idle_event);
896 if (result == NULL) {
897 DEBUG(0, ("talloc failed\n"));
898 return NULL;
899 }
900
901 result->interval = interval;
902 result->handler = handler;
903 result->private_data = private_data;
904
905 if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
906 DEBUG(0, ("talloc failed\n"));
907 TALLOC_FREE(result);
908 return NULL;
909 }
910
911 result->te = event_add_timed(event_ctx, result,
912 timeval_sum(&now, &interval),
913 smbd_idle_event_handler, result);
914 if (result->te == NULL) {
915 DEBUG(0, ("event_add_timed failed\n"));
916 TALLOC_FREE(result);
917 return NULL;
918 }
919
920 DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
921 return result;
922 }
923
924 static void smbd_sig_term_handler(struct tevent_context *ev,
925 struct tevent_signal *se,
926 int signum,
927 int count,
928 void *siginfo,
929 void *private_data)
930 {
931 exit_server_cleanly("termination signal");
932 }
933
934 void smbd_setup_sig_term_handler(void)
935 {
936 struct tevent_signal *se;
937
938 se = tevent_add_signal(smbd_event_context(),
939 smbd_event_context(),
940 SIGTERM, 0,
941 smbd_sig_term_handler,
942 NULL);
943 if (!se) {
944 exit_server("failed to setup SIGTERM handler");
945 }
946 }
947
948 static void smbd_sig_hup_handler(struct tevent_context *ev,
949 struct tevent_signal *se,
950 int signum,
951 int count,
952 void *siginfo,
953 void *private_data)
954 {
955 struct messaging_context *msg_ctx = talloc_get_type_abort(
956 private_data, struct messaging_context);
957 change_to_root_user();
958 DEBUG(1,("Reloading services after SIGHUP\n"));
959 reload_services(msg_ctx, smbd_server_conn->sock, False);
960 if (am_parent) {
961 pcap_cache_reload(ev, msg_ctx, &reload_pcap_change_notify);
962 }
963 }
964
965 void smbd_setup_sig_hup_handler(struct tevent_context *ev,
966 struct messaging_context *msg_ctx)
967 {
968 struct tevent_signal *se;
969
970 se = tevent_add_signal(ev, ev, SIGHUP, 0, smbd_sig_hup_handler,
971 msg_ctx);
972 if (!se) {
973 exit_server("failed to setup SIGHUP handler");
974 }
975 }
976
977 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
978 {
979 int timeout;
980 int num_pfds = 0;
981 int ret;
982 bool retry;
983
984 timeout = SMBD_SELECT_TIMEOUT * 1000;
985
986 /*
987 * Are there any timed events waiting ? If so, ensure we don't
988 * select for longer than it would take to wait for them.
989 */
990
991 event_add_to_poll_args(smbd_event_context(), conn,
992 &conn->pfds, &num_pfds, &timeout);
993
994 /* Process a signal and timed events now... */
995 if (run_events_poll(smbd_event_context(), 0, NULL, 0)) {
996 return NT_STATUS_RETRY;
997 }
998
999 {
1000 int sav;
1001 START_PROFILE(smbd_idle);
1002
1003 ret = sys_poll(conn->pfds, num_pfds, timeout);
1004 sav = errno;
1005
1006 END_PROFILE(smbd_idle);
1007 errno = sav;
1008 }
1009
1010 if (ret == -1) {
1011 if (errno == EINTR) {
1012 return NT_STATUS_RETRY;
1013 }
1014 return map_nt_error_from_unix(errno);
1015 }
1016
1017 retry = run_events_poll(smbd_event_context(), ret, conn->pfds,
1018 num_pfds);
1019 if (retry) {
1020 return NT_STATUS_RETRY;
1021 }
1022
1023 /* Did we timeout ? */
1024 if (ret == 0) {
1025 return NT_STATUS_RETRY;
1026 }
1027
1028 /* should not be reached */
1029 return NT_STATUS_INTERNAL_ERROR;
1030 }
1031
1032 /*
1033 * Only allow 5 outstanding trans requests. We're allocating memory, so
1034 * prevent a DoS.
1035 */
1036
1037 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
1038 {
1039 int count = 0;
1040 for (; list != NULL; list = list->next) {
1041
1042 if (list->mid == mid) {
1043 return NT_STATUS_INVALID_PARAMETER;
1044 }
1045
1046 count += 1;
1047 }
1048 if (count > 5) {
1049 return NT_STATUS_INSUFFICIENT_RESOURCES;
1050 }
1051
1052 return NT_STATUS_OK;
1053 }
1054
1055 /*
1056 These flags determine some of the permissions required to do an operation
1057
1058 Note that I don't set NEED_WRITE on some write operations because they
1059 are used by some brain-dead clients when printing, and I don't want to
1060 force write permissions on print services.
1061 */
1062 #define AS_USER (1<<0)
1063 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1064 #define TIME_INIT (1<<2)
1065 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1066 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1067 #define DO_CHDIR (1<<6)
1068
1069 /*
1070 define a list of possible SMB messages and their corresponding
1071 functions. Any message that has a NULL function is unimplemented -
1072 please feel free to contribute implementations!
1073 */
1074 static const struct smb_message_struct {
1075 const char *name;
1076 void (*fn)(struct smb_request *req);
1077 int flags;
1078 } smb_messages[256] = {
1079
1080 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1081 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1082 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1083 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1084 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1085 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1086 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1087 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1088 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1089 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1090 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1091 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1092 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1093 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1094 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1095 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1096 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1097 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1098 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1099 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1100 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1101 /* 0x15 */ { NULL, NULL, 0 },
1102 /* 0x16 */ { NULL, NULL, 0 },
1103 /* 0x17 */ { NULL, NULL, 0 },
1104 /* 0x18 */ { NULL, NULL, 0 },
1105 /* 0x19 */ { NULL, NULL, 0 },
1106 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1107 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1108 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1109 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1110 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1111 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1112 /* 0x20 */ { "SMBwritec", NULL,0},
1113 /* 0x21 */ { NULL, NULL, 0 },
1114 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1115 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1116 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1117 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1118 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1119 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1120 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1121 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1122 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1123 /* 0x2b */ { "SMBecho",reply_echo,0},
1124 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1125 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1126 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1127 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1128 /* 0x30 */ { NULL, NULL, 0 },
1129 /* 0x31 */ { NULL, NULL, 0 },
1130 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1131 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1132 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1133 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1134 /* 0x36 */ { NULL, NULL, 0 },
1135 /* 0x37 */ { NULL, NULL, 0 },
1136 /* 0x38 */ { NULL, NULL, 0 },
1137 /* 0x39 */ { NULL, NULL, 0 },
1138 /* 0x3a */ { NULL, NULL, 0 },
1139 /* 0x3b */ { NULL, NULL, 0 },
1140 /* 0x3c */ { NULL, NULL, 0 },
1141 /* 0x3d */ { NULL, NULL, 0 },
1142 /* 0x3e */ { NULL, NULL, 0 },
1143 /* 0x3f */ { NULL, NULL, 0 },
1144 /* 0x40 */ { NULL, NULL, 0 },
1145 /* 0x41 */ { NULL, NULL, 0 },
1146 /* 0x42 */ { NULL, NULL, 0 },
1147 /* 0x43 */ { NULL, NULL, 0 },
1148 /* 0x44 */ { NULL, NULL, 0 },
1149 /* 0x45 */ { NULL, NULL, 0 },
1150 /* 0x46 */ { NULL, NULL, 0 },
1151 /* 0x47 */ { NULL, NULL, 0 },
1152 /* 0x48 */ { NULL, NULL, 0 },
1153 /* 0x49 */ { NULL, NULL, 0 },
1154 /* 0x4a */ { NULL, NULL, 0 },
1155 /* 0x4b */ { NULL, NULL, 0 },
1156 /* 0x4c */ { NULL, NULL, 0 },
1157 /* 0x4d */ { NULL, NULL, 0 },
1158 /* 0x4e */ { NULL, NULL, 0 },
1159 /* 0x4f */ { NULL, NULL, 0 },
1160 /* 0x50 */ { NULL, NULL, 0 },
1161 /* 0x51 */ { NULL, NULL, 0 },
1162 /* 0x52 */ { NULL, NULL, 0 },
1163 /* 0x53 */ { NULL, NULL, 0 },
1164 /* 0x54 */ { NULL, NULL, 0 },
1165 /* 0x55 */ { NULL, NULL, 0 },
1166 /* 0x56 */ { NULL, NULL, 0 },
1167 /* 0x57 */ { NULL, NULL, 0 },
1168 /* 0x58 */ { NULL, NULL, 0 },
1169 /* 0x59 */ { NULL, NULL, 0 },
1170 /* 0x5a */ { NULL, NULL, 0 },
1171 /* 0x5b */ { NULL, NULL, 0 },
1172 /* 0x5c */ { NULL, NULL, 0 },
1173 /* 0x5d */ { NULL, NULL, 0 },
1174 /* 0x5e */ { NULL, NULL, 0 },
1175 /* 0x5f */ { NULL, NULL, 0 },
1176 /* 0x60 */ { NULL, NULL, 0 },
1177 /* 0x61 */ { NULL, NULL, 0 },
1178 /* 0x62 */ { NULL, NULL, 0 },
1179 /* 0x63 */ { NULL, NULL, 0 },
1180 /* 0x64 */ { NULL, NULL, 0 },
1181 /* 0x65 */ { NULL, NULL, 0 },
1182 /* 0x66 */ { NULL, NULL, 0 },
1183 /* 0x67 */ { NULL, NULL, 0 },
1184 /* 0x68 */ { NULL, NULL, 0 },
1185 /* 0x69 */ { NULL, NULL, 0 },
1186 /* 0x6a */ { NULL, NULL, 0 },
1187 /* 0x6b */ { NULL, NULL, 0 },
1188 /* 0x6c */ { NULL, NULL, 0 },
1189 /* 0x6d */ { NULL, NULL, 0 },
1190 /* 0x6e */ { NULL, NULL, 0 },
1191 /* 0x6f */ { NULL, NULL, 0 },
1192 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1193 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1194 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1195 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1196 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1197 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1198 /* 0x76 */ { NULL, NULL, 0 },
1199 /* 0x77 */ { NULL, NULL, 0 },
1200 /* 0x78 */ { NULL, NULL, 0 },
1201 /* 0x79 */ { NULL, NULL, 0 },
1202 /* 0x7a */ { NULL, NULL, 0 },
1203 /* 0x7b */ { NULL, NULL, 0 },
1204 /* 0x7c */ { NULL, NULL, 0 },
1205 /* 0x7d */ { NULL, NULL, 0 },
1206 /* 0x7e */ { NULL, NULL, 0 },
1207 /* 0x7f */ { NULL, NULL, 0 },
1208 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1209 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1210 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1211 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1212 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1213 /* 0x85 */ { NULL, NULL, 0 },
1214 /* 0x86 */ { NULL, NULL, 0 },
1215 /* 0x87 */ { NULL, NULL, 0 },
1216 /* 0x88 */ { NULL, NULL, 0 },
1217 /* 0x89 */ { NULL, NULL, 0 },
1218 /* 0x8a */ { NULL, NULL, 0 },
1219 /* 0x8b */ { NULL, NULL, 0 },
1220 /* 0x8c */ { NULL, NULL, 0 },
1221 /* 0x8d */ { NULL, NULL, 0 },
1222 /* 0x8e */ { NULL, NULL, 0 },
1223 /* 0x8f */ { NULL, NULL, 0 },
1224 /* 0x90 */ { NULL, NULL, 0 },
1225 /* 0x91 */ { NULL, NULL, 0 },
1226 /* 0x92 */ { NULL, NULL, 0 },
1227 /* 0x93 */ { NULL, NULL, 0 },
1228 /* 0x94 */ { NULL, NULL, 0 },
1229 /* 0x95 */ { NULL, NULL, 0 },
1230 /* 0x96 */ { NULL, NULL, 0 },
1231 /* 0x97 */ { NULL, NULL, 0 },
1232 /* 0x98 */ { NULL, NULL, 0 },
1233 /* 0x99 */ { NULL, NULL, 0 },
1234 /* 0x9a */ { NULL, NULL, 0 },
1235 /* 0x9b */ { NULL, NULL, 0 },
1236 /* 0x9c */ { NULL, NULL, 0 },
1237 /* 0x9d */ { NULL, NULL, 0 },
1238 /* 0x9e */ { NULL, NULL, 0 },
1239 /* 0x9f */ { NULL, NULL, 0 },
1240 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1241 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1242 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1243 /* 0xa3 */ { NULL, NULL, 0 },
1244 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1245 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1246 /* 0xa6 */ { NULL, NULL, 0 },
1247 /* 0xa7 */ { NULL, NULL, 0 },
1248 /* 0xa8 */ { NULL, NULL, 0 },
1249 /* 0xa9 */ { NULL, NULL, 0 },
1250 /* 0xaa */ { NULL, NULL, 0 },
1251 /* 0xab */ { NULL, NULL, 0 },
1252 /* 0xac */ { NULL, NULL, 0 },
1253 /* 0xad */ { NULL, NULL, 0 },
1254 /* 0xae */ { NULL, NULL, 0 },
1255 /* 0xaf */ { NULL, NULL, 0 },
1256 /* 0xb0 */ { NULL, NULL, 0 },
1257 /* 0xb1 */ { NULL, NULL, 0 },
1258 /* 0xb2 */ { NULL, NULL, 0 },
1259 /* 0xb3 */ { NULL, NULL, 0 },
1260 /* 0xb4 */ { NULL, NULL, 0 },
1261 /* 0xb5 */ { NULL, NULL, 0 },
1262 /* 0xb6 */ { NULL, NULL, 0 },
1263 /* 0xb7 */ { NULL, NULL, 0 },
1264 /* 0xb8 */ { NULL, NULL, 0 },
1265 /* 0xb9 */ { NULL, NULL, 0 },
1266 /* 0xba */ { NULL, NULL, 0 },
1267 /* 0xbb */ { NULL, NULL, 0 },
1268 /* 0xbc */ { NULL, NULL, 0 },
1269 /* 0xbd */ { NULL, NULL, 0 },
1270 /* 0xbe */ { NULL, NULL, 0 },
1271 /* 0xbf */ { NULL, NULL, 0 },
1272 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1273 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1274 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1275 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1276 /* 0xc4 */ { NULL, NULL, 0 },
1277 /* 0xc5 */ { NULL, NULL, 0 },
1278 /* 0xc6 */ { NULL, NULL, 0 },
1279 /* 0xc7 */ { NULL, NULL, 0 },
1280 /* 0xc8 */ { NULL, NULL, 0 },
1281 /* 0xc9 */ { NULL, NULL, 0 },
1282 /* 0xca */ { NULL, NULL, 0 },
1283 /* 0xcb */ { NULL, NULL, 0 },
1284 /* 0xcc */ { NULL, NULL, 0 },
1285 /* 0xcd */ { NULL, NULL, 0 },
1286 /* 0xce */ { NULL, NULL, 0 },
1287 /* 0xcf */ { NULL, NULL, 0 },
1288 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1289 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1290 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1291 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1292 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1293 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1294 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1295 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1296 /* 0xd8 */ { NULL, NULL, 0 },
1297 /* 0xd9 */ { NULL, NULL, 0 },
1298 /* 0xda */ { NULL, NULL, 0 },
1299 /* 0xdb */ { NULL, NULL, 0 },
1300 /* 0xdc */ { NULL, NULL, 0 },
1301 /* 0xdd */ { NULL, NULL, 0 },
1302 /* 0xde */ { NULL, NULL, 0 },
1303 /* 0xdf */ { NULL, NULL, 0 },
1304 /* 0xe0 */ { NULL, NULL, 0 },
1305 /* 0xe1 */ { NULL, NULL, 0 },
1306 /* 0xe2 */ { NULL, NULL, 0 },
1307 /* 0xe3 */ { NULL, NULL, 0 },
1308 /* 0xe4 */ { NULL, NULL, 0 },
1309 /* 0xe5 */ { NULL, NULL, 0 },
1310 /* 0xe6 */ { NULL, NULL, 0 },
1311 /* 0xe7 */ { NULL, NULL, 0 },
1312 /* 0xe8 */ { NULL, NULL, 0 },
1313 /* 0xe9 */ { NULL, NULL, 0 },
1314 /* 0xea */ { NULL, NULL, 0 },
1315 /* 0xeb */ { NULL, NULL, 0 },
1316 /* 0xec */ { NULL, NULL, 0 },
1317 /* 0xed */ { NULL, NULL, 0 },
1318 /* 0xee */ { NULL, NULL, 0 },
1319 /* 0xef */ { NULL, NULL, 0 },
1320 /* 0xf0 */ { NULL, NULL, 0 },
1321 /* 0xf1 */ { NULL, NULL, 0 },
1322 /* 0xf2 */ { NULL, NULL, 0 },
1323 /* 0xf3 */ { NULL, NULL, 0 },
1324 /* 0xf4 */ { NULL, NULL, 0 },
1325 /* 0xf5 */ { NULL, NULL, 0 },
1326 /* 0xf6 */ { NULL, NULL, 0 },
1327 /* 0xf7 */ { NULL, NULL, 0 },
1328 /* 0xf8 */ { NULL, NULL, 0 },
1329 /* 0xf9 */ { NULL, NULL, 0 },
1330 /* 0xfa */ { NULL, NULL, 0 },
1331 /* 0xfb */ { NULL, NULL, 0 },
1332 /* 0xfc */ { NULL, NULL, 0 },
1333 /* 0xfd */ { NULL, NULL, 0 },
1334 /* 0xfe */ { NULL, NULL, 0 },
1335 /* 0xff */ { NULL, NULL, 0 }
1336
1337 };
1338
1339 /*******************************************************************
1340 allocate and initialize a reply packet
1341 ********************************************************************/
1342
1343 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1344 const char *inbuf, char **outbuf, uint8_t num_words,
1345 uint32_t num_bytes)
1346 {
1347 /*
1348 * Protect against integer wrap
1349 */
1350 if ((num_bytes > 0xffffff)
1351 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1352 char *msg;
1353 if (asprintf(&msg, "num_bytes too large: %u",
1354 (unsigned)num_bytes) == -1) {
1355 msg = CONST_DISCARD(char *, "num_bytes too large");
1356 }
1357 smb_panic(msg);
1358 }
1359
1360 *outbuf = TALLOC_ARRAY(mem_ctx, char,
1361 smb_size + num_words*2 + num_bytes);
1362 if (*outbuf == NULL) {
1363 return false;
1364 }
1365
1366 construct_reply_common(req, inbuf, *outbuf);
1367 srv_set_message(*outbuf, num_words, num_bytes, false);
1368 /*
1369 * Zero out the word area, the caller has to take care of the bcc area
1370 * himself
1371 */
1372 if (num_words != 0) {
1373 memset(*outbuf + smb_vwv0, 0, num_words*2);
1374 }
1375
1376 return true;
1377 }
1378
1379 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1380 {
1381 char *outbuf;
1382 if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1383 num_bytes)) {
1384 smb_panic("could not allocate output buffer\n");
1385 }
1386 req->outbuf = (uint8_t *)outbuf;
1387 }
1388
1389
1390 /*******************************************************************
1391 Dump a packet to a file.
1392 ********************************************************************/
1393
1394 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1395 {
1396 int fd, i;
1397 char *fname = NULL;
1398 if (DEBUGLEVEL < 50) {
1399 return;
1400 }
1401
1402 if (len < 4) len = smb_len(data)+4;
1403 for (i=1;i<100;i++) {
1404 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1405 type ? "req" : "resp") == -1) {
1406 return;
1407 }
1408 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1409 if (fd != -1 || errno != EEXIST) break;
1410 }
1411 if (fd != -1) {
1412 ssize_t ret = write(fd, data, len);
1413 if (ret != len)
1414 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1415 close(fd);
1416 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1417 }
1418 SAFE_FREE(fname);
1419 }
1420
1421 /****************************************************************************
1422 Prepare everything for calling the actual request function, and potentially
1423 call the request function via the "new" interface.
1424
1425 Return False if the "legacy" function needs to be called, everything is
1426 prepared.
1427
1428 Return True if we're done.
1429
1430 I know this API sucks, but it is the one with the least code change I could
1431 find.
1432 ****************************************************************************/
1433
1434 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1435 {
1436 int flags;
1437 uint16 session_tag;
1438 connection_struct *conn = NULL;
1439 struct smbd_server_connection *sconn = req->sconn;
1440
1441 errno = 0;
1442
1443 /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1444 * so subtract 4 from it. */
1445 if ((size < (smb_size - 4)) ||
1446 !valid_smb_header(req->inbuf)) {
1447 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1448 smb_len(req->inbuf)));
1449 exit_server_cleanly("Non-SMB packet");
1450 }
1451
1452 if (smb_messages[type].fn == NULL) {
1453 DEBUG(0,("Unknown message type %d!\n",type));
1454 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1455 reply_unknown_new(req, type);
1456 return NULL;
1457 }
1458
1459 flags = smb_messages[type].flags;
1460
1461 /* In share mode security we must ignore the vuid. */
1462 session_tag = (lp_security() == SEC_SHARE)
1463 ? UID_FIELD_INVALID : req->vuid;
1464 conn = req->conn;
1465
1466 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1467 (int)sys_getpid(), (unsigned long)conn));
1468
1469 smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1470
1471 /* Ensure this value is replaced in the incoming packet. */
1472 SSVAL(req->inbuf,smb_uid,session_tag);
1473
1474 /*
1475 * Ensure the correct username is in current_user_info. This is a
1476 * really ugly bugfix for problems with multiple session_setup_and_X's
1477 * being done and allowing %U and %G substitutions to work correctly.
1478 * There is a reason this code is done here, don't move it unless you
1479 * know what you're doing... :-).
1480 * JRA.
1481 */
1482
1483 if (session_tag != sconn->smb1.sessions.last_session_tag) {
1484 user_struct *vuser = NULL;
1485
1486 sconn->smb1.sessions.last_session_tag = session_tag;
1487 if(session_tag != UID_FIELD_INVALID) {
1488 vuser = get_valid_user_struct(sconn, session_tag);
1489 if (vuser) {
1490 set_current_user_info(
1491 vuser->session_info->sanitized_username,
1492 vuser->session_info->unix_name,
1493 vuser->session_info->info3->base.domain.string);
1494 }
1495 }
1496 }
1497
1498 /* Does this call need to be run as the connected user? */
1499 if (flags & AS_USER) {
1500
1501 /* Does this call need a valid tree connection? */
1502 if (!conn) {
1503 /*
1504 * Amazingly, the error code depends on the command
1505 * (from Samba4).
1506 */
1507 if (type == SMBntcreateX) {
1508 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1509 } else {
1510 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1511 }
1512 return NULL;
1513 }
1514
1515 if (!change_to_user(conn,session_tag)) {
1516 DEBUG(0, ("Error: Could not change to user. Removing "
1517 "deferred open, mid=%llu.\n",
1518 (unsigned long long)req->mid));
1519 reply_force_doserror(req, ERRSRV, ERRbaduid);
1520 return conn;
1521 }
1522
1523 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1524
1525 /* Does it need write permission? */
1526 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1527 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1528 return conn;
1529 }
1530
1531 /* IPC services are limited */
1532 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1533 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1534 return conn;
1535 }
1536 } else {
1537 /* This call needs to be run as root */
1538 change_to_root_user();
1539 }
1540
1541 /* load service specific parameters */
1542 if (conn) {
1543 if (req->encrypted) {
1544 conn->encrypted_tid = true;
1545 /* encrypted required from now on. */
1546 conn->encrypt_level = Required;
1547 } else if (ENCRYPTION_REQUIRED(conn)) {
1548 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1549 exit_server_cleanly("encryption required "
1550 "on connection");
1551 return conn;
1552 }
1553 }
1554
1555 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1556 (flags & (AS_USER|DO_CHDIR)
1557 ?True:False))) {
1558 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1559 return conn;
1560 }
1561 conn->num_smb_operations++;
1562 }
1563
1564 /* does this protocol need to be run as guest? */
1565 if ((flags & AS_GUEST)
1566 && (!change_to_guest() ||
1567 !allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
1568 sconn->client_id.name,
1569 sconn->client_id.addr))) {
1570 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1571 return conn;
1572 }
1573
1574 smb_messages[type].fn(req);
1575 return req->conn;
1576 }
1577
1578 /****************************************************************************
1579 Construct a reply to the incoming packet.
1580 ****************************************************************************/
1581
1582 static void construct_reply(struct smbd_server_connection *sconn,
1583 char *inbuf, int size, size_t unread_bytes,
1584 uint32_t seqnum, bool encrypted,
1585 struct smb_perfcount_data *deferred_pcd)
1586 {
1587 connection_struct *conn;
1588 struct smb_request *req;
1589
1590 if (!(req = talloc(talloc_tos(), struct smb_request))) {
1591 smb_panic("could not allocate smb_request");
1592 }
1593
1594 if (!init_smb_request(req, sconn, (uint8 *)inbuf, unread_bytes,
1595 encrypted, seqnum)) {
1596 exit_server_cleanly("Invalid SMB request");
1597 }
1598
1599 req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1600
1601 /* we popped this message off the queue - keep original perf data */
1602 if (deferred_pcd)
1603 req->pcd = *deferred_pcd;
1604 else {
1605 SMB_PERFCOUNT_START(&req->pcd);
1606 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1607 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1608 }
1609
1610 conn = switch_message(req->cmd, req, size);
1611
1612 if (req->unread_bytes) {
1613 /* writeX failed. drain socket. */
1614 if (drain_socket(req->sconn->sock, req->unread_bytes) !=
1615 req->unread_bytes) {
1616 smb_panic("failed to drain pending bytes");
1617 }
1618 req->unread_bytes = 0;
1619 }
1620
1621 if (req->done) {
1622 TALLOC_FREE(req);
1623 return;
1624 }
1625
1626 if (req->outbuf == NULL) {
1627 return;
1628 }
1629
1630 if (CVAL(req->outbuf,0) == 0) {
1631 show_msg((char *)req->outbuf);
1632 }
1633
1634 if (!srv_send_smb(req->sconn,
1635 (char *)req->outbuf,
1636 true, req->seqnum+1,
1637 IS_CONN_ENCRYPTED(conn)||req->encrypted,
1638 &req->pcd)) {
1639 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1640 }
1641
1642 TALLOC_FREE(req);
1643
1644 return;
1645 }
1646
1647 /****************************************************************************
1648 Process an smb from the client
1649 ****************************************************************************/
1650 static void process_smb(struct smbd_server_connection *sconn,
1651 uint8_t *inbuf, size_t nread, size_t unread_bytes,
1652 uint32_t seqnum, bool encrypted,
1653 struct smb_perfcount_data *deferred_pcd)
1654 {
1655 int msg_type = CVAL(inbuf,0);
1656
1657 DO_PROFILE_INC(smb_count);
1658
1659 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1660 smb_len(inbuf) ) );
1661 DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1662 sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1663
1664 if (msg_type != 0) {
1665 /*
1666 * NetBIOS session request, keepalive, etc.
1667 */
1668 reply_special(sconn, (char *)inbuf, nread);
1669 goto done;
1670 }
1671
1672 if (sconn->using_smb2) {
1673 /* At this point we're not really using smb2,
1674 * we make the decision here.. */
1675 if (smbd_is_smb2_header(inbuf, nread)) {
1676 smbd_smb2_first_negprot(sconn, inbuf, nread);
1677 return;
1678 } else if (nread >= smb_size && valid_smb_header(inbuf)
1679 && CVAL(inbuf, smb_com) != 0x72) {
1680 /* This is a non-negprot SMB1 packet.
1681 Disable SMB2 from now on. */
1682 sconn->using_smb2 = false;
1683 }
1684 }
1685
1686 show_msg((char *)inbuf);
1687
1688 construct_reply(sconn, (char *)inbuf, nread, unread_bytes, seqnum,
1689 encrypted, deferred_pcd);
1690 sconn->trans_num++;
1691
1692 done:
1693 sconn->num_requests++;
1694
1695 /* The timeout_processing function isn't run nearly
1696 often enough to implement 'max log size' without
1697 overrunning the size of the file by many megabytes.
1698 This is especially true if we are running at debug
1699 level 10. Checking every 50 SMBs is a nice
1700 tradeoff of performance vs log file size overrun. */
1701
1702 if ((sconn->num_requests % 50) == 0 &&
1703 need_to_check_log_size()) {
1704 change_to_root_user();
1705 check_log_size();
1706 }
1707 }
1708
1709 /****************************************************************************
1710 Return a string containing the function name of a SMB command.
1711 ****************************************************************************/
1712
1713 const char *smb_fn_name(int type)
1714 {
1715 const char *unknown_name = "SMBunknown";
1716
1717 if (smb_messages[type].name == NULL)
1718 return(unknown_name);
1719
1720 return(smb_messages[type].name);
1721 }
1722
1723 /****************************************************************************
1724 Helper functions for contruct_reply.
1725 ****************************************************************************/
1726
1727 void add_to_common_flags2(uint32 v)
1728 {
1729 common_flags2 |= v;
1730 }
1731
1732 void remove_from_common_flags2(uint32 v)
1733 {
1734 common_flags2 &= ~v;
1735 }
1736
1737 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1738 char *outbuf)
1739 {
1740 srv_set_message(outbuf,0,0,false);
1741
1742 SCVAL(outbuf, smb_com, req->cmd);
1743 SIVAL(outbuf,smb_rcls,0);
1744 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1745 SSVAL(outbuf,smb_flg2,
1746 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1747 common_flags2);
1748 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1749
1750 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1751 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1752 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1753 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1754 }
1755
1756 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1757 {
1758 construct_reply_common(req, (char *)req->inbuf, outbuf);
1759 }
1760
1761 /*
1762 * How many bytes have we already accumulated up to the current wct field
1763 * offset?
1764 */
1765
1766 size_t req_wct_ofs(struct smb_request *req)
1767 {
1768 size_t buf_size;
1769
1770 if (req->chain_outbuf == NULL) {
1771 return smb_wct - 4;
1772 }
1773 buf_size = talloc_get_size(req->chain_outbuf);
1774 if ((buf_size % 4) != 0) {
1775 buf_size += (4 - (buf_size % 4));
1776 }
1777 return buf_size - 4;
1778 }
1779
1780 /*
1781 * Hack around reply_nterror & friends not being aware of chained requests,
1782 * generating illegal (i.e. wct==0) chain replies.
1783 */
1784
1785 static void fixup_chain_error_packet(struct smb_request *req)
1786 {
1787 uint8_t *outbuf = req->outbuf;
1788 req->outbuf = NULL;
1789 reply_outbuf(req, 2, 0);
1790 memcpy(req->outbuf, outbuf, smb_wct);
1791 TALLOC_FREE(outbuf);
1792 SCVAL(req->outbuf, smb_vwv0, 0xff);
1793 }
1794
1795 /**
1796 * @brief Find the smb_cmd offset of the last command pushed
1797 * @param[in] buf The buffer we're building up
1798 * @retval Where can we put our next andx cmd?
1799 *
1800 * While chaining requests, the "next" request we're looking at needs to put
1801 * its SMB_Command before the data the previous request already built up added
1802 * to the chain. Find the offset to the place where we have to put our cmd.
1803 */
1804
1805 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1806 {
1807 uint8_t cmd;
1808 size_t ofs;
1809
1810 cmd = CVAL(buf, smb_com);
1811
1812 SMB_ASSERT(is_andx_req(cmd));
1813
1814 ofs = smb_vwv0;
1815
1816 while (CVAL(buf, ofs) != 0xff) {
1817
1818 if (!is_andx_req(CVAL(buf, ofs))) {
1819 return false;
1820 }
1821
1822 /*
1823 * ofs is from start of smb header, so add the 4 length
1824 * bytes. The next cmd is right after the wct field.
1825 */
1826 ofs = SVAL(buf, ofs+2) + 4 + 1;
1827
1828 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1829 }
1830
1831 *pofs = ofs;
1832 return true;
1833 }
1834
1835 /**
1836 * @brief Do the smb chaining at a buffer level
1837 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1838 * @param[in] smb_command The command that we want to issue
1839 * @param[in] wct How many words?
1840 * @param[in] vwv The words, already in network order
1841 * @param[in] bytes_alignment How shall we align "bytes"?
1842 * @param[in] num_bytes How many bytes?
1843 * @param[in] bytes The data the request ships
1844 *
1845 * smb_splice_chain() adds the vwv and bytes to the request already present in
1846 * *poutbuf.
1847 */
1848
1849 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1850 uint8_t wct, const uint16_t *vwv,
1851 size_t bytes_alignment,
1852 uint32_t num_bytes, const uint8_t *bytes)
1853 {
1854 uint8_t *outbuf;
1855 size_t old_size, new_size;
1856 size_t ofs;
1857 size_t chain_padding = 0;
1858 size_t bytes_padding = 0;
1859 bool first_request;
1860
1861 old_size = talloc_get_size(*poutbuf);
1862
1863 /*
1864 * old_size == smb_wct means we're pushing the first request in for
1865 * libsmb/
1866 */
1867
1868 first_request = (old_size == smb_wct);
1869
1870 if (!first_request && ((old_size % 4) != 0)) {
1871 /*
1872 * Align the wct field of subsequent requests to a 4-byte
1873 * boundary
1874 */
1875 chain_padding = 4 - (old_size % 4);
1876 }
1877
1878 /*
1879 * After the old request comes the new wct field (1 byte), the vwv's
1880 * and the num_bytes field. After at we might need to align the bytes
1881 * given to us to "bytes_alignment", increasing the num_bytes value.
1882 */
1883
1884 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1885
1886 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1887 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1888 }
1889
1890 new_size += bytes_padding + num_bytes;
1891
1892 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1893 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1894 (unsigned)new_size));
1895 return false;
1896 }
1897
1898 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1899 if (outbuf == NULL) {
1900 DEBUG(0, ("talloc failed\n"));
1901 return false;
1902 }
1903 *poutbuf = outbuf;
1904
1905 if (first_request) {
1906 SCVAL(outbuf, smb_com, smb_command);
1907 } else {
1908 size_t andx_cmd_ofs;
1909
1910 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1911 DEBUG(1, ("invalid command chain\n"));
1912 *poutbuf = TALLOC_REALLOC_ARRAY(
1913 NULL, *poutbuf, uint8_t, old_size);
1914 return false;
1915 }
1916
1917 if (chain_padding != 0) {
1918 memset(outbuf + old_size, 0, chain_padding);
1919 old_size += chain_padding;
1920 }
1921
1922 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1923 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1924 }
1925
1926 ofs = old_size;
1927
1928 /*
1929 * Push the chained request:
1930 *
1931 * wct field
1932 */
1933
1934 SCVAL(outbuf, ofs, wct);
1935 ofs += 1;
1936
1937 /*
1938 * vwv array
1939 */
1940
1941 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1942 ofs += sizeof(uint16_t) * wct;
1943
1944 /*
1945 * bcc (byte count)
1946 */
1947
1948 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1949 ofs += sizeof(uint16_t);
1950
1951 /*
1952 * padding
1953 */
1954
1955 if (bytes_padding != 0) {
1956 memset(outbuf + ofs, 0, bytes_padding);
1957 ofs += bytes_padding;
1958 }
1959
1960 /*
1961 * The bytes field
1962 */
1963
1964 memcpy(outbuf + ofs, bytes, num_bytes);
1965
1966 return true;
1967 }
1968
1969 /****************************************************************************
1970 Construct a chained reply and add it to the already made reply
1971 ****************************************************************************/
1972
1973 void chain_reply(struct smb_request *req)
1974 {
1975 size_t smblen = smb_len(req->inbuf);
1976 size_t already_used, length_needed;
1977 uint8_t chain_cmd;
1978 uint32_t chain_offset; /* uint32_t to avoid overflow */
1979
1980 uint8_t wct;
1981 uint16_t *vwv;
1982 uint16_t buflen;
1983 uint8_t *buf;
1984
1985 if (IVAL(req->outbuf, smb_rcls) != 0) {
1986 fixup_chain_error_packet(req);
1987 }
1988
1989 /*
1990 * Any of the AndX requests and replies have at least a wct of
1991 * 2. vwv[0] is the next command, vwv[1] is the offset from the
1992 * beginning of the SMB header to the next wct field.
1993 *
1994 * None of the AndX requests put anything valuable in vwv[0] and [1],
1995 * so we can overwrite it here to form the chain.
1996 */
1997
1998 if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1999 if (req->chain_outbuf == NULL) {
2000 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
2001 req, req->outbuf, uint8_t,
2002 smb_len(req->outbuf) + 4);
2003 if (req->chain_outbuf == NULL) {
2004 smb_panic("talloc failed");
2005 }
2006 }
2007 req->outbuf = NULL;
2008 goto error;
2009 }
2010
2011 /*
2012 * Here we assume that this is the end of the chain. For that we need
2013 * to set "next command" to 0xff and the offset to 0. If we later find
2014 * more commands in the chain, this will be overwritten again.
2015 */
2016
2017 SCVAL(req->outbuf, smb_vwv0, 0xff);
2018 SCVAL(req->outbuf, smb_vwv0+1, 0);
2019 SSVAL(req->outbuf, smb_vwv1, 0);
2020
2021 if (req->chain_outbuf == NULL) {
2022 /*
2023 * In req->chain_outbuf we collect all the replies. Start the
2024 * chain by copying in the first reply.
2025 *
2026 * We do the realloc because later on we depend on
2027 * talloc_get_size to determine the length of
2028 * chain_outbuf. The reply_xxx routines might have
2029 * over-allocated (reply_pipe_read_and_X used to be such an
2030 * example).
2031 */
2032 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
2033 req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
2034 if (req->chain_outbuf == NULL) {
2035 smb_panic("talloc failed");
2036 }
2037 req->outbuf = NULL;
2038 } else {
2039 /*
2040 * Update smb headers where subsequent chained commands
2041 * may have updated them.
2042 */
2043 SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
2044 SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
2045
2046 if (!smb_splice_chain(&req->chain_outbuf,
2047 CVAL(req->outbuf, smb_com),
2048 CVAL(req->outbuf, smb_wct),
2049 (uint16_t *)(req->outbuf + smb_vwv),
2050 0, smb_buflen(req->outbuf),
2051 (uint8_t *)smb_buf(req->outbuf))) {
2052 goto error;
2053 }
2054 TALLOC_FREE(req->outbuf);
2055 }
2056
2057 /*
2058 * We use the old request's vwv field to grab the next chained command
2059 * and offset into the chained fields.
2060 */
2061
2062 chain_cmd = CVAL(req->vwv+0, 0);
2063 chain_offset = SVAL(req->vwv+1, 0);
2064
2065 if (chain_cmd == 0xff) {
2066 /*
2067 * End of chain, no more requests from the client. So ship the
2068 * replies.
2069 */
2070 smb_setlen((char *)(req->chain_outbuf),
2071 talloc_get_size(req->chain_outbuf) - 4);
2072
2073 if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2074 true, req->seqnum+1,
2075 IS_CONN_ENCRYPTED(req->conn)
2076 ||req->encrypted,
2077 &req->pcd)) {
2078 exit_server_cleanly("chain_reply: srv_send_smb "
2079 "failed.");
2080 }
2081 TALLOC_FREE(req->chain_outbuf);
2082 req->done = true;
2083 return;
2084 }
2085
2086 /* add a new perfcounter for this element of chain */
2087 SMB_PERFCOUNT_ADD(&req->pcd);
2088 SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
2089 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
2090
2091 /*
2092 * Check if the client tries to fool us. The chain offset
2093 * needs to point beyond the current request in the chain, it
2094 * needs to strictly grow. Otherwise we might be tricked into
2095 * an endless loop always processing the same request over and
2096 * over again. We used to assume that vwv and the byte buffer
2097 * array in a chain are always attached, but OS/2 the
2098 * Write&X/Read&X chain puts the Read&X vwv array right behind
2099 * the Write&X vwv chain. The Write&X bcc array is put behind
2100 * the Read&X vwv array. So now we check whether the chain
2101 * offset points strictly behind the previous vwv
2102 * array. req->buf points right after the vwv array of the
2103 * previous request. See
2104 * https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
2105 * information.
2106 */
2107
2108 already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
2109 if (chain_offset <= already_used) {
2110 goto error;
2111 }
2112
2113 /*
2114 * Next check: Make sure the chain offset does not point beyond the
2115 * overall smb request length.
2116 */
2117
2118 length_needed = chain_offset+1; /* wct */
2119 if (length_needed > smblen) {
2120 goto error;
2121 }
2122
2123 /*
2124 * Now comes the pointer magic. Goal here is to set up req->vwv and
2125 * req->buf correctly again to be able to call the subsequent
2126 * switch_message(). The chain offset (the former vwv[1]) points at
2127 * the new wct field.
2128 */
2129
2130 wct = CVAL(smb_base(req->inbuf), chain_offset);
2131
2132 /*
2133 * Next consistency check: Make the new vwv array fits in the overall
2134 * smb request.
2135 */
2136
2137 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2138 if (length_needed > smblen) {
2139 goto error;
2140 }
2141 vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
2142
2143 /*
2144 * Now grab the new byte buffer....
2145 */
2146
2147 buflen = SVAL(vwv+wct, 0);
2148
2149 /*
2150 * .. and check that it fits.
2151 */
2152
2153 length_needed += buflen;
2154 if (length_needed > smblen) {
2155 goto error;
2156 }
2157 buf = (uint8_t *)(vwv+wct+1);
2158
2159 req->cmd = chain_cmd;
2160 req->wct = wct;
2161 req->vwv = vwv;
2162 req->buflen = buflen;
2163 req->buf = buf;
2164
2165 switch_message(chain_cmd, req, smblen);
2166
2167 if (req->outbuf == NULL) {
2168 /*
2169 * This happens if the chained command has suspended itself or
2170 * if it has called srv_send_smb() itself.
2171 */
2172 return;
2173 }
2174
2175 /*
2176 * We end up here if the chained command was not itself chained or
2177 * suspended, but for example a close() command. We now need to splice
2178 * the chained commands' outbuf into the already built up chain_outbuf
2179 * and ship the result.
2180 */
2181 goto done;
2182
2183 error:
2184 /*
2185 * We end up here if there's any error in the chain syntax. Report a
2186 * DOS error, just like Windows does.
2187 */
2188 reply_force_doserror(req, ERRSRV, ERRerror);
2189 fixup_chain_error_packet(req);
2190
2191 done:
2192 /*
2193 * This scary statement intends to set the
2194 * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2195 * to the value req->outbuf carries
2196 */
2197 SSVAL(req->chain_outbuf, smb_flg2,
2198 (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2199 | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2200
2201 /*
2202 * Transfer the error codes from the subrequest to the main one
2203 */
2204 SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2205 SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2206
2207 if (!smb_splice_chain(&req->chain_outbuf,
2208 CVAL(req->outbuf, smb_com),
2209 CVAL(req->outbuf, smb_wct),
2210 (uint16_t *)(req->outbuf + smb_vwv),
2211 0, smb_buflen(req->outbuf),
2212 (uint8_t *)smb_buf(req->outbuf))) {
2213 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2214 }
2215 TALLOC_FREE(req->outbuf);
2216
2217 smb_setlen((char *)(req->chain_outbuf),
2218 talloc_get_size(req->chain_outbuf) - 4);
2219
2220 show_msg((char *)(req->chain_outbuf));
2221
2222 if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2223 true, req->seqnum+1,
2224 IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2225 &req->pcd)) {
2226 exit_server_cleanly("chain_reply: srv_send_smb failed.");
2227 }
2228 TALLOC_FREE(req->chain_outbuf);
2229 req->done = true;
2230 }
2231
2232 /****************************************************************************
2233 Check if services need reloading.
2234 ****************************************************************************/
2235
2236 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2237 {
2238
2239 if (last_smb_conf_reload_time == 0) {
2240 last_smb_conf_reload_time = t;
2241 }
2242
2243 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2244 reload_services(sconn->msg_ctx, sconn->sock, True);
2245 last_smb_conf_reload_time = t;
2246 }
2247 }
2248
2249 static bool fd_is_readable(int fd)
2250 {
2251 int ret, revents;
2252
2253 ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2254
2255 return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2256
2257 }
2258
2259 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2260 {
2261 /* TODO: make write nonblocking */
2262 }
2263
2264 static void smbd_server_connection_read_handler(
2265 struct smbd_server_connection *conn, int fd)
2266 {
2267 uint8_t *inbuf = NULL;
2268 size_t inbuf_len = 0;
2269 size_t unread_bytes = 0;
2270 bool encrypted = false;
2271 TALLOC_CTX *mem_ctx = talloc_tos();
2272 NTSTATUS status;
2273 uint32_t seqnum;
2274
2275 bool from_client = (conn->sock == fd);
2276
2277 if (from_client) {
2278 smbd_lock_socket(conn);
2279
2280 if (lp_async_smb_echo_handler() && !fd_is_readable(fd)) {
2281 DEBUG(10,("the echo listener was faster\n"));
2282 smbd_unlock_socket(conn);
2283 return;
2284 }
2285
2286 /* TODO: make this completely nonblocking */
2287 status = receive_smb_talloc(mem_ctx, conn, fd,
2288 (char **)(void *)&inbuf,
2289 0, /* timeout */
2290 &unread_bytes,
2291 &encrypted,
2292 &inbuf_len, &seqnum,
2293 false /* trusted channel */);
2294 smbd_unlock_socket(conn);
2295 } else {
2296 /* TODO: make this completely nonblocking */
2297 status = receive_smb_talloc(mem_ctx, conn, fd,
2298 (char **)(void *)&inbuf,
2299 0, /* timeout */
2300 &unread_bytes,
2301 &encrypted,
2302 &inbuf_len, &seqnum,
2303 true /* trusted channel */);
2304 }
2305
2306 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2307 goto process;
2308 }
2309 if (NT_STATUS_IS_ERR(status)) {
2310 exit_server_cleanly("failed to receive smb request");
2311 }
2312 if (!NT_STATUS_IS_OK(status)) {
2313 return;
2314 }
2315
2316 process:
2317 process_smb(conn, inbuf, inbuf_len, unread_bytes,
2318 seqnum, encrypted, NULL);
2319 }
2320
2321 static void smbd_server_connection_handler(struct event_context *ev,
2322 struct fd_event *fde,
2323 uint16_t flags,
2324 void *private_data)
2325 {
2326 struct smbd_server_connection *conn = talloc_get_type(private_data,
2327 struct smbd_server_connection);
2328
2329 if (flags & EVENT_FD_WRITE) {
2330 smbd_server_connection_write_handler(conn);
2331 return;
2332 }
2333 if (flags & EVENT_FD_READ) {
2334 smbd_server_connection_read_handler(conn, conn->sock);
2335 return;
2336 }
2337 }
2338
2339 static void smbd_server_echo_handler(struct event_context *ev,
2340 struct fd_event *fde,
2341 uint16_t flags,
2342 void *private_data)
2343 {
2344 struct smbd_server_connection *conn = talloc_get_type(private_data,
2345 struct smbd_server_connection);
2346
2347 if (flags & EVENT_FD_WRITE) {
2348 smbd_server_connection_write_handler(conn);
2349 return;
2350 }
2351 if (flags & EVENT_FD_READ) {
2352 smbd_server_connection_read_handler(
2353 conn, conn->smb1.echo_handler.trusted_fd);
2354 return;
2355 }
2356 }
2357
2358 /****************************************************************************
2359 received when we should release a specific IP
2360 ****************************************************************************/
2361 static void release_ip(const char *ip, void *priv)
2362 {
2363 const char *addr = (const char *)priv;
2364 const char *p = addr;
2365
2366 if (strncmp("::ffff:", addr, 7) == 0) {
2367 p = addr + 7;
2368 }
2369
2370 DEBUG(10, ("Got release IP message for %s, "
2371 "our address is %s\n", ip, p));
2372
2373 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2374 /* we can't afford to do a clean exit - that involves
2375 database writes, which would potentially mean we
2376 are still running after the failover has finished -
2377 we have to get rid of this process ID straight
2378 away */
2379 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2380 ip));
2381 /* note we must exit with non-zero status so the unclean handler gets
2382 called in the parent, so that the brl database is tickled */
2383 _exit(1);
2384 }
2385 }
2386
2387 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2388 uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2389 {
2390 struct smbd_server_connection *sconn = talloc_get_type_abort(
2391 private_data, struct smbd_server_connection);
2392
2393 release_ip((char *)data->data, sconn->client_id.addr);
2394 }
2395
2396 #ifdef CLUSTER_SUPPORT
2397 static int client_get_tcp_info(int sock, struct sockaddr_storage *server,
2398 struct sockaddr_storage *client)
2399 {
2400 socklen_t length;
2401 length = sizeof(*server);
2402 if (getsockname(sock, (struct sockaddr *)server, &length) != 0) {
2403 return -1;
2404 }
2405 length = sizeof(*client);
2406 if (getpeername(sock, (struct sockaddr *)client, &length) != 0) {
2407 return -1;
2408 }
2409 return 0;
2410 }
2411 #endif
2412
2413 /*
2414 * Send keepalive packets to our client
2415 */
2416 static bool keepalive_fn(const struct timeval *now, void *private_data)
2417 {
2418 struct smbd_server_connection *sconn = smbd_server_conn;
2419 bool ret;
2420
2421 if (sconn->using_smb2) {
2422 /* Don't do keepalives on an SMB2 connection. */
2423 return false;
2424 }
2425
2426 smbd_lock_socket(smbd_server_conn);
2427 ret = send_keepalive(sconn->sock);
2428 smbd_unlock_socket(smbd_server_conn);
2429
2430 if (!ret) {
2431 char addr[INET6_ADDRSTRLEN];
2432 /*
2433 * Try and give an error message saying what
2434 * client failed.
2435 */
2436 DEBUG(0, ("send_keepalive failed for client %s. "
2437 "Error %s - exiting\n",
2438 get_peer_addr(sconn->sock, addr, sizeof(addr)),
2439 strerror(errno)));
2440 return False;
2441 }
2442 return True;
2443 }
2444
2445 /*
2446 * Do the recurring check if we're idle
2447 */
2448 static bool deadtime_fn(const struct timeval *now, void *private_data)
2449 {
2450 struct smbd_server_connection *sconn =
2451 (struct smbd_server_connection *)private_data;
2452
2453 if ((conn_num_open(sconn) == 0)
2454 || (conn_idle_all(sconn, now->tv_sec))) {
2455 DEBUG( 2, ( "Closing idle connection\n" ) );
2456 messaging_send(sconn->msg_ctx,
2457 messaging_server_id(sconn->msg_ctx),
2458 MSG_SHUTDOWN, &data_blob_null);
2459 return False;
2460 }
2461
2462 return True;
2463 }
2464
2465 /*
2466 * Do the recurring log file and smb.conf reload checks.
2467 */
2468
2469 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2470 {
2471 struct smbd_server_connection *sconn = talloc_get_type_abort(
2472 private_data, struct smbd_server_connection);
2473
2474 DEBUG(5, ("housekeeping\n"));
2475
2476 change_to_root_user();
2477
2478 /* update printer queue caches if necessary */
2479 update_monitored_printq_cache(sconn->msg_ctx);
2480
2481 /* check if we need to reload services */
2482 check_reload(sconn, time_mono(NULL));
2483
2484 /* Change machine password if neccessary. */
2485 attempt_machine_password_change();
2486
2487 /*
2488 * Force a log file check.
2489 */
2490 force_check_log_size();
2491 check_log_size();
2492 return true;
2493 }
2494
2495 static int create_unlink_tmp(const char *dir)
2496 {
2497 char *fname;
2498 int fd;
2499
2500 fname = talloc_asprintf(talloc_tos(), "%s/listenerlock_XXXXXX", dir);
2501 if (fname == NULL) {
2502 errno = ENOMEM;
2503 return -1;
2504 }
2505 fd = mkstemp(fname);
2506 if (fd == -1) {
2507 TALLOC_FREE(fname);
2508 return -1;
2509 }
2510 if (unlink(fname) == -1) {
2511 int sys_errno = errno;
2512 close(fd);
2513 TALLOC_FREE(fname);
2514 errno = sys_errno;
2515 return -1;
2516 }
2517 TALLOC_FREE(fname);
2518 return fd;
2519 }
2520
2521 struct smbd_echo_state {
2522 struct tevent_context *ev;
2523 struct iovec *pending;
2524 struct smbd_server_connection *sconn;
2525 int parent_pipe;
2526
2527 struct tevent_fd *parent_fde;
2528
2529 struct tevent_fd *read_fde;
2530 struct tevent_req *write_req;
2531 };
2532
2533 static void smbd_echo_writer_done(struct tevent_req *req);
2534
2535 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2536 {
2537 int num_pending;
2538
2539 if (state->write_req != NULL) {
2540 return;
2541 }
2542
2543 num_pending = talloc_array_length(state->pending);
2544 if (num_pending == 0) {
2545 return;
2546 }
2547
2548 state->write_req = writev_send(state, state->ev, NULL,
2549 state->parent_pipe, false,
2550 state->pending, num_pending);
2551 if (state->write_req == NULL) {
2552 DEBUG(1, ("writev_send failed\n"));
2553 exit(1);
2554 }
2555
2556 talloc_steal(state->write_req, state->pending);
2557 state->pending = NULL;
2558
2559 tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2560 state);
2561 }
2562
2563 static void smbd_echo_writer_done(struct tevent_req *req)
2564 {
2565 struct smbd_echo_state *state = tevent_req_callback_data(
2566 req, struct smbd_echo_state);
2567 ssize_t written;
2568 int err;
2569
2570 written = writev_recv(req, &err);
2571 TALLOC_FREE(req);
2572 state->write_req = NULL;
2573 if (written == -1) {
2574 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2575 exit(1);
2576 }
2577 DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)sys_getpid()));
2578 smbd_echo_activate_writer(state);
2579 }
2580
2581 static bool smbd_echo_reply(uint8_t *inbuf, size_t inbuf_len,
2582 uint32_t seqnum)
2583 {
2584 struct smb_request req;
2585 uint16_t num_replies;
2586 size_t out_len;
2587 char *outbuf;
2588 bool ok;
2589
2590 if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
2591 DEBUG(10, ("Got netbios keepalive\n"));
2592 /*
2593 * Just swallow it
2594 */
2595 return true;
2596 }
2597
2598 if (inbuf_len < smb_size) {
2599 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2600 return false;
2601 }
2602 if (!valid_smb_header(inbuf)) {
2603 DEBUG(10, ("Got invalid SMB header\n"));
2604 return false;
2605 }
2606
2607 if (!init_smb_request(&req, smbd_server_conn, inbuf, 0, false,
2608 seqnum)) {
2609 return false;
2610 }
2611 req.inbuf = inbuf;
2612
2613 DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2614 smb_messages[req.cmd].name
2615 ? smb_messages[req.cmd].name : "unknown"));
2616
2617 if (req.cmd != SMBecho) {
2618 return false;
2619 }
2620 if (req.wct < 1) {
2621 return false;
2622 }
2623
2624 num_replies = SVAL(req.vwv+0, 0);
2625 if (num_replies != 1) {
2626 /* Not a Windows "Hey, you're still there?" request */
2627 return false;
2628 }
2629
2630 if (!create_outbuf(talloc_tos(), &req, (char *)req.inbuf, &outbuf,
2631 1, req.buflen)) {
2632 DEBUG(10, ("create_outbuf failed\n"));
2633 return false;
2634 }
2635 req.outbuf = (uint8_t *)outbuf;
2636
2637 SSVAL(req.outbuf, smb_vwv0, num_replies);
2638
2639 if (req.buflen > 0) {
2640 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2641 }
2642
2643 out_len = smb_len(req.outbuf) + 4;
2644
2645 ok = srv_send_smb(req.sconn,
2646 (char *)outbuf,
2647 true, seqnum+1,
2648 false, &req.pcd);
2649 TALLOC_FREE(outbuf);
2650 if (!ok) {
2651 exit(1);
2652 }
2653
2654 return true;
2655 }
2656
2657 static void smbd_echo_exit(struct tevent_context *ev,
2658 struct tevent_fd *fde, uint16_t flags,
2659 void *private_data)
2660 {
2661 DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2662 exit(0);
2663 }
2664
2665 static void smbd_echo_reader(struct tevent_context *ev,
2666 struct tevent_fd *fde, uint16_t flags,
2667 void *private_data)
2668 {
2669 struct smbd_echo_state *state = talloc_get_type_abort(
2670 private_data, struct smbd_echo_state);
2671 struct smbd_server_connection *sconn = state->sconn;
2672 size_t unread, num_pending;
2673 NTSTATUS status;
2674 struct iovec *tmp;
2675 size_t iov_len;
2676 uint32_t seqnum = 0;
2677 bool reply;
2678 bool ok;
2679 bool encrypted = false;
2680
2681 smb_msleep(1000);
2682
2683 ok = smbd_lock_socket_internal(sconn);
2684 if (!ok) {
2685 DEBUG(0, ("%s: failed to lock socket\n",
2686 __location__));
2687 exit(1);
2688 }
2689
2690 if (!fd_is_readable(sconn->sock)) {
2691 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2692 (int)sys_getpid()));
2693 ok = smbd_unlock_socket_internal(sconn);
2694 if (!ok) {
2695 DEBUG(1, ("%s: failed to unlock socket in\n",
2696 __location__));
2697 exit(1);
2698 }
2699 return;
2700 }
2701
2702 num_pending = talloc_array_length(state->pending);
2703 tmp = talloc_realloc(state, state->pending, struct iovec,
2704 num_pending+1);
2705 if (tmp == NULL) {
2706 DEBUG(1, ("talloc_realloc failed\n"));
2707 exit(1);
2708 }
2709 state->pending = tmp;
2710
2711 DEBUG(10,("echo_handler[%d]: reading pdu\n", (int)sys_getpid()));
2712
2713 status = receive_smb_talloc(state->pending, sconn, sconn->sock,
2714 (char **)(void *)&state->pending[num_pending].iov_base,
2715 0 /* timeout */,
2716 &unread,
2717 &encrypted,
2718 &iov_len,
2719 &seqnum,
2720 false /* trusted_channel*/);
2721 if (!NT_STATUS_IS_OK(status)) {
2722 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2723 (int)sys_getpid(), nt_errstr(status)));
2724 exit(1);
2725 }
2726 state->pending[num_pending].iov_len = iov_len;
2727
2728 ok = smbd_unlock_socket_internal(sconn);
2729 if (!ok) {
2730 DEBUG(1, ("%s: failed to unlock socket in\n",
2731 __location__));
2732 exit(1);
2733 }
2734
2735 reply = smbd_echo_reply((uint8_t *)state->pending[num_pending].iov_base,
2736 state->pending[num_pending].iov_len,
2737 seqnum);
2738 if (reply) {
2739 DEBUG(10,("echo_handler[%d]: replied to client\n", (int)sys_getpid()));
2740 /* no check, shrinking by some bytes does not fail */
2741 state->pending = talloc_realloc(state, state->pending,
2742 struct iovec,
2743 num_pending);
2744 return;
2745 }
2746
2747 if (state->pending[num_pending].iov_len >= smb_size) {
2748 /*
2749 * place the seqnum in the packet so that the main process
2750 * can reply with signing
2751 */
2752 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2753 smb_ss_field, seqnum);
2754 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2755 smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2756 }
2757
2758 DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
2759 smbd_echo_activate_writer(state);
2760 }
2761
2762 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2763 int parent_pipe)
2764 {
2765 struct smbd_echo_state *state;
2766
2767 state = talloc_zero(sconn, struct smbd_echo_state);
2768 if (state == NULL) {
2769 DEBUG(1, ("talloc failed\n"));
2770 return;
2771 }
2772 state->sconn = sconn;
2773 state->parent_pipe = parent_pipe;
2774 state->ev = s3_tevent_context_init(state);
2775 if (state->ev == NULL) {
2776 DEBUG(1, ("tevent_context_init failed\n"));
2777 TALLOC_FREE(state);
2778 return;
2779 }
2780 state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2781 TEVENT_FD_READ, smbd_echo_exit,
2782 state);
2783 if (state->parent_fde == NULL) {
2784 DEBUG(1, ("tevent_add_fd failed\n"));
2785 TALLOC_FREE(state);
2786 return;
2787 }
2788 state->read_fde = tevent_add_fd(state->ev, state, sconn->sock,
2789 TEVENT_FD_READ, smbd_echo_reader,
2790 state);
2791 if (state->read_fde == NULL) {
2792 DEBUG(1, ("tevent_add_fd failed\n"));
2793 TALLOC_FREE(state);
2794 return;
2795 }
2796
2797 while (true) {
2798 if (tevent_loop_once(state->ev) == -1) {
2799 DEBUG(1, ("tevent_loop_once failed: %s\n",
2800 strerror(errno)));
2801 break;
2802 }
2803 }
2804 TALLOC_FREE(state);
2805 }
2806
2807 /*
2808 * Handle SMBecho requests in a forked child process
2809 */
2810 bool fork_echo_handler(struct smbd_server_connection *sconn)
2811 {
2812 int listener_pipe[2];
2813 int res;
2814 pid_t child;
2815
2816 res = pipe(listener_pipe);
2817 if (res == -1) {
2818 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2819 return false;
2820 }
2821 sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2822 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2823 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2824 goto fail;
2825 }
2826
2827 child = sys_fork();
2828 if (child == 0) {
2829 NTSTATUS status;
2830
2831 close(listener_pipe[0]);
2832 set_blocking(listener_pipe[1], false);
2833
2834 status = reinit_after_fork(sconn->msg_ctx,
2835 smbd_event_context(),
2836 procid_self(), false);
2837 if (!NT_STATUS_IS_OK(status)) {
2838 DEBUG(1, ("reinit_after_fork failed: %s\n",
2839 nt_errstr(status)));
2840 exit(1);
2841 }
2842 smbd_echo_loop(sconn, listener_pipe[1]);
2843 exit(0);
2844 }
2845 close(listener_pipe[1]);
2846 listener_pipe[1] = -1;
2847 sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
2848
2849 DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)sys_getpid(), child));
2850
2851 /*
2852 * Without smb signing this is the same as the normal smbd
2853 * listener. This needs to change once signing comes in.
2854 */
2855 sconn->smb1.echo_handler.trusted_fde = event_add_fd(smbd_event_context(),
2856 sconn,
2857 sconn->smb1.echo_handler.trusted_fd,
2858 EVENT_FD_READ,
2859 smbd_server_echo_handler,
2860 sconn);
2861 if (sconn->smb1.echo_handler.trusted_fde == NULL) {
2862 DEBUG(1, ("event_add_fd failed\n"));
2863 goto fail;
2864 }
2865
2866 return true;
2867
2868 fail:
2869 if (listener_pipe[0] != -1) {
2870 close(listener_pipe[0]);
2871 }
2872 if (listener_pipe[1] != -1) {
2873 close(listener_pipe[1]);
2874 }
2875 sconn->smb1.echo_handler.trusted_fd = -1;
2876 if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
2877 close(sconn->smb1.echo_handler.socket_lock_fd);
2878 }
2879 sconn->smb1.echo_handler.trusted_fd = -1;
2880 sconn->smb1.echo_handler.socket_lock_fd = -1;
2881 return false;
2882 }
2883
2884 #if CLUSTER_SUPPORT
2885
2886 static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
2887 struct sockaddr_storage *srv,
2888 struct sockaddr_storage *clnt)
2889 {
2890 struct ctdbd_connection *cconn;
2891 char tmp_addr[INET6_ADDRSTRLEN];
2892 char *addr;
2893
2894 cconn = messaging_ctdbd_connection();
2895 if (cconn == NULL) {
2896 return NT_STATUS_NO_MEMORY;
2897 }
2898
2899 client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
2900 addr = talloc_strdup(cconn, tmp_addr);
2901 if (addr == NULL) {
2902 return NT_STATUS_NO_MEMORY;
2903 }
2904 return ctdbd_register_ips(cconn, srv, clnt, release_ip, addr);
2905 }
2906
2907 #endif
2908
2909 /****************************************************************************
2910 Process commands from the client
2911 ****************************************************************************/
2912
2913 void smbd_process(struct smbd_server_connection *sconn)
2914 {
2915 TALLOC_CTX *frame = talloc_stackframe();
2916 struct sockaddr_storage ss;
2917 struct sockaddr *sa = NULL;
2918 socklen_t sa_socklen;
2919 struct tsocket_address *local_address = NULL;
2920 struct tsocket_address *remote_address = NULL;
2921 const char *remaddr = NULL;
2922 int ret;
2923
2924 if (lp_maxprotocol() == PROTOCOL_SMB2) {
2925 /*
2926 * We're not making the decision here,
2927 * we're just allowing the client
2928 * to decide between SMB1 and SMB2
2929 * with the first negprot
2930 * packet.
2931 */
2932 sconn->using_smb2 = true;
2933 }
2934
2935 /* Ensure child is set to blocking mode */
2936 set_blocking(sconn->sock,True);
2937
2938 set_socket_options(sconn->sock, "SO_KEEPALIVE");
2939 set_socket_options(sconn->sock, lp_socket_options());
2940
2941 sa = (struct sockaddr *)(void *)&ss;
2942 sa_socklen = sizeof(ss);
2943 ret = getpeername(sconn->sock, sa, &sa_socklen);
2944 if (ret != 0) {
2945 int level = (errno == ENOTCONN)?2:0;
2946 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
2947 exit_server_cleanly("getpeername() failed.\n");
2948 }
2949 ret = tsocket_address_bsd_from_sockaddr(sconn,
2950 sa, sa_socklen,
2951 &remote_address);
2952 if (ret != 0) {
2953 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2954 __location__, strerror(errno)));
2955 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2956 }
2957
2958 sa = (struct sockaddr *)(void *)&ss;
2959 sa_socklen = sizeof(ss);
2960 ret = getsockname(sconn->sock, sa, &sa_socklen);
2961 if (ret != 0) {
2962 int level = (errno == ENOTCONN)?2:0;
2963 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
2964 exit_server_cleanly("getsockname() failed.\n");
2965 }
2966 ret = tsocket_address_bsd_from_sockaddr(sconn,
2967 sa, sa_socklen,
2968 &local_address);
2969 if (ret != 0) {
2970 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2971 __location__, strerror(errno)));
2972 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2973 }
2974
2975 sconn->local_address = local_address;
2976 sconn->remote_address = remote_address;
2977
2978 if (tsocket_address_is_inet(remote_address, "ip")) {
2979 remaddr = tsocket_address_inet_addr_string(
2980 sconn->remote_address,
2981 talloc_tos());
2982 if (remaddr == NULL) {
2983
2984 }
2985 } else {
2986 remaddr = "0.0.0.0";
2987 }
2988
2989 /* this is needed so that we get decent entries
2990 in smbstatus for port 445 connects */
2991 set_remote_machine_name(remaddr, false);
2992 reload_services(sconn->msg_ctx, sconn->sock, true);
2993
2994 /*
2995 * Before the first packet, check the global hosts allow/ hosts deny
2996 * parameters before doing any parsing of packets passed to us by the
2997 * client. This prevents attacks on our parsing code from hosts not in
2998 * the hosts allow list.
2999 */
3000
3001 if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
3002 sconn->client_id.name,
3003 sconn->client_id.addr)) {
3004 /*
3005 * send a negative session response "not listening on calling
3006 * name"
3007 */
3008 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
3009 DEBUG( 1, ("Connection denied from %s to %s\n",
3010 tsocket_address_string(remote_address, talloc_tos()),
3011 tsocket_address_string(local_address, talloc_tos())));
3012 (void)srv_send_smb(sconn,(char *)buf, false,
3013 0, false, NULL);
3014 exit_server_cleanly("connection denied");
3015 }
3016
3017 DEBUG(10, ("Connection allowed from %s to %s\n",
3018 tsocket_address_string(remote_address, talloc_tos()),
3019 tsocket_address_string(local_address, talloc_tos())));
3020
3021 init_modules();
3022
3023 smb_perfcount_init();
3024
3025 if (!init_account_policy()) {
3026 exit_server("Could not open account policy tdb.\n");
3027 }
3028
3029 if (*lp_rootdir()) {
3030 if (chroot(lp_rootdir()) != 0) {
3031 DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
3032 exit_server("Failed to chroot()");
3033 }
3034 if (chdir("/") == -1) {
3035 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
3036 exit_server("Failed to chroot()");
3037 }
3038 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
3039 }
3040
3041 if (!srv_init_signing(sconn)) {
3042 exit_server("Failed to init smb_signing");
3043 }
3044
3045 /* Setup oplocks */
3046 if (!init_oplocks(sconn->msg_ctx))
3047 exit_server("Failed to init oplocks");
3048
3049 /* register our message handlers */
3050 messaging_register(sconn->msg_ctx, NULL,
3051 MSG_SMB_FORCE_TDIS, msg_force_tdis);
3052 messaging_register(sconn->msg_ctx, sconn,
3053 MSG_SMB_RELEASE_IP, msg_release_ip);
3054 messaging_register(sconn->msg_ctx, NULL,
3055 MSG_SMB_CLOSE_FILE, msg_close_file);
3056
3057 /*
3058 * Use the default MSG_DEBUG handler to avoid rebroadcasting
3059 * MSGs to all child processes
3060 */
3061 messaging_deregister(sconn->msg_ctx,
3062 MSG_DEBUG, NULL);
3063 messaging_register(sconn->msg_ctx, NULL,
3064 MSG_DEBUG, debug_message);
3065
3066 if ((lp_keepalive() != 0)
3067 && !(event_add_idle(smbd_event_context(), NULL,
3068 timeval_set(lp_keepalive(), 0),
3069 "keepalive", keepalive_fn,
3070 NULL))) {
3071 DEBUG(0, ("Could not add keepalive event\n"));
3072 exit(1);
3073 }
3074
3075 if (!(event_add_idle(smbd_event_context(), NULL,
3076 timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3077 "deadtime", deadtime_fn, sconn))) {
3078 DEBUG(0, ("Could not add deadtime event\n"));
3079 exit(1);
3080 }
3081
3082 if (!(event_add_idle(smbd_event_context(), NULL,
3083 timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
3084 "housekeeping", housekeeping_fn, sconn))) {
3085 DEBUG(0, ("Could not add housekeeping event\n"));
3086 exit(1);
3087 }
3088
3089 #ifdef CLUSTER_SUPPORT
3090
3091 if (lp_clustering()) {
3092 /*
3093 * We need to tell ctdb about our client's TCP
3094 * connection, so that for failover ctdbd can send
3095 * tickle acks, triggering a reconnection by the
3096 * client.
3097 */
3098
3099 struct sockaddr_storage srv, clnt;
3100
3101 if (client_get_tcp_info(sconn->sock, &srv, &clnt) == 0) {
3102 NTSTATUS status;
3103 status = smbd_register_ips(sconn, &srv, &clnt);
3104 if (!NT_STATUS_IS_OK(status)) {
3105 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3106 nt_errstr(status)));
3107 }
3108 } else
3109 {
3110 DEBUG(0,("Unable to get tcp info for "
3111 "CTDB_CONTROL_TCP_CLIENT: %s\n",
3112 strerror(errno)));
3113 }
3114 }
3115
3116 #endif
3117
3118 sconn->nbt.got_session = false;
3119
3120 sconn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
3121
3122 sconn->smb1.sessions.done_sesssetup = false;
3123 sconn->smb1.sessions.max_send = BUFFER_SIZE;
3124 sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3125 /* users from session setup */
3126 sconn->smb1.sessions.session_userlist = NULL;
3127 /* workgroup from session setup. */
3128 sconn->smb1.sessions.session_workgroup = NULL;
3129 /* this holds info on user ids that are already validated for this VC */
3130 sconn->smb1.sessions.validated_users = NULL;
3131 sconn->smb1.sessions.next_vuid = VUID_OFFSET;
3132 sconn->smb1.sessions.num_validated_vuids = 0;
3133
3134 conn_init(sconn);
3135 if (!init_dptrs(sconn)) {
3136 exit_server("init_dptrs() failed");
3137 }
3138
3139 sconn->smb1.fde = event_add_fd(smbd_event_context(),
3140 sconn,
3141 sconn->sock,
3142 EVENT_FD_READ,
3143 smbd_server_connection_handler,
3144 sconn);
3145 if (!sconn->smb1.fde) {
3146 exit_server("failed to create smbd_server_connection fde");
3147 }
3148
3149 TALLOC_FREE(frame);
3150
3151 while (True) {
3152 NTSTATUS status;
3153
3154 frame = talloc_stackframe_pool(8192);
3155
3156 errno = 0;
3157
3158 status = smbd_server_connection_loop_once(sconn);
3159 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
3160 !NT_STATUS_IS_OK(status)) {
3161 DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
3162 " exiting\n", nt_errstr(status)));
3163 break;
3164 }
3165
3166 TALLOC_FREE(frame);
3167 }
3168
3169 exit_server_cleanly(NULL);
3170 }
3171
3172 bool req_is_in_chain(struct smb_request *req)
3173 {
3174 if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
3175 /*
3176 * We're right now handling a subsequent request, so we must
3177 * be in a chain
3178 */
3179 return true;
3180 }
3181
3182 if (!is_andx_req(req->cmd)) {
3183 return false;
3184 }
3185
3186 if (req->wct < 2) {
3187 /*
3188 * Okay, an illegal request, but definitely not chained :-)
3189 */
3190 return false;
3191 }
3192
3193 return (CVAL(req->vwv+0, 0) != 0xFF);
3194 }
Samba GIT mirror