2 Unix SMB/CIFS implementation.
3 Inter-process communication and named pipe handling
4 Copyright (C) Andrew Tridgell 1992-1998
7 Copyright (C) John H Terpstra 1995-1998
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 This file handles the named pipe and mailslot calls
25 in the SMBtrans protocol
32 #define NERR_notsupported 50
34 extern int smb_read_error
;
36 /*******************************************************************
37 copies parameters and data, as needed, into the smb buffer
39 *both* the data and params sections should be aligned. this
40 is fudged in the rpc pipes by
41 at present, only the data section is. this may be a possible
42 cause of some of the ipc problems being experienced. lkcl26dec97
44 ******************************************************************/
46 static void copy_trans_params_and_data(char *outbuf
, int align
,
47 char *rparam
, int param_offset
, int param_len
,
48 char *rdata
, int data_offset
, int data_len
)
50 char *copy_into
= smb_buf(outbuf
)+1;
58 DEBUG(5,("copy_trans_params_and_data: params[%d..%d] data[%d..%d]\n",
59 param_offset
, param_offset
+ param_len
,
60 data_offset
, data_offset
+ data_len
));
63 memcpy(copy_into
, &rparam
[param_offset
], param_len
);
65 copy_into
+= param_len
+ align
;
68 memcpy(copy_into
, &rdata
[data_offset
], data_len
);
71 /****************************************************************************
73 ****************************************************************************/
75 void send_trans_reply(char *outbuf
,
76 char *rparam
, int rparam_len
,
77 char *rdata
, int rdata_len
,
78 BOOL buffer_too_large
)
80 int this_ldata
,this_lparam
;
81 int tot_data_sent
= 0;
82 int tot_param_sent
= 0;
85 int ldata
= rdata
? rdata_len
: 0;
86 int lparam
= rparam
? rparam_len
: 0;
89 DEBUG(5,("send_trans_reply: buffer %d too large\n", ldata
));
91 this_lparam
= MIN(lparam
,max_send
- 500); /* hack */
92 this_ldata
= MIN(ldata
,max_send
- (500+this_lparam
));
94 align
= ((this_lparam
)%4);
96 if (buffer_too_large
) {
97 ERROR_BOTH(STATUS_BUFFER_OVERFLOW
,ERRDOS
,ERRmoredata
);
100 set_message(outbuf
,10,1+align
+this_ldata
+this_lparam
,True
);
102 copy_trans_params_and_data(outbuf
, align
,
103 rparam
, tot_param_sent
, this_lparam
,
104 rdata
, tot_data_sent
, this_ldata
);
106 SSVAL(outbuf
,smb_vwv0
,lparam
);
107 SSVAL(outbuf
,smb_vwv1
,ldata
);
108 SSVAL(outbuf
,smb_vwv3
,this_lparam
);
109 SSVAL(outbuf
,smb_vwv4
,smb_offset(smb_buf(outbuf
)+1,outbuf
));
110 SSVAL(outbuf
,smb_vwv5
,0);
111 SSVAL(outbuf
,smb_vwv6
,this_ldata
);
112 SSVAL(outbuf
,smb_vwv7
,smb_offset(smb_buf(outbuf
)+1+this_lparam
+align
,outbuf
));
113 SSVAL(outbuf
,smb_vwv8
,0);
114 SSVAL(outbuf
,smb_vwv9
,0);
117 if (!send_smb(smbd_server_fd(),outbuf
))
118 exit_server_cleanly("send_trans_reply: send_smb failed.");
120 tot_data_sent
= this_ldata
;
121 tot_param_sent
= this_lparam
;
123 while (tot_data_sent
< ldata
|| tot_param_sent
< lparam
)
125 this_lparam
= MIN(lparam
-tot_param_sent
, max_send
- 500); /* hack */
126 this_ldata
= MIN(ldata
-tot_data_sent
, max_send
- (500+this_lparam
));
134 align
= (this_lparam
%4);
136 set_message(outbuf
,10,1+this_ldata
+this_lparam
+align
,False
);
138 copy_trans_params_and_data(outbuf
, align
,
139 rparam
, tot_param_sent
, this_lparam
,
140 rdata
, tot_data_sent
, this_ldata
);
142 SSVAL(outbuf
,smb_vwv3
,this_lparam
);
143 SSVAL(outbuf
,smb_vwv4
,smb_offset(smb_buf(outbuf
)+1,outbuf
));
144 SSVAL(outbuf
,smb_vwv5
,tot_param_sent
);
145 SSVAL(outbuf
,smb_vwv6
,this_ldata
);
146 SSVAL(outbuf
,smb_vwv7
,smb_offset(smb_buf(outbuf
)+1+this_lparam
+align
,outbuf
));
147 SSVAL(outbuf
,smb_vwv8
,tot_data_sent
);
148 SSVAL(outbuf
,smb_vwv9
,0);
151 if (!send_smb(smbd_server_fd(),outbuf
))
152 exit_server_cleanly("send_trans_reply: send_smb failed.");
154 tot_data_sent
+= this_ldata
;
155 tot_param_sent
+= this_lparam
;
159 /****************************************************************************
160 Start the first part of an RPC reply which began with an SMBtrans request.
161 ****************************************************************************/
163 static BOOL
api_rpc_trans_reply(char *outbuf
, smb_np_struct
*p
)
165 BOOL is_data_outstanding
;
166 char *rdata
= (char *)SMB_MALLOC(p
->max_trans_reply
);
170 DEBUG(0,("api_rpc_trans_reply: malloc fail.\n"));
174 if((data_len
= read_from_pipe( p
, rdata
, p
->max_trans_reply
,
175 &is_data_outstanding
)) < 0) {
180 send_trans_reply(outbuf
, NULL
, 0, rdata
, data_len
, is_data_outstanding
);
186 /****************************************************************************
187 WaitNamedPipeHandleState
188 ****************************************************************************/
190 static BOOL
api_WNPHS(char *outbuf
, smb_np_struct
*p
, char *param
, int param_len
)
194 if (!param
|| param_len
< 2)
197 priority
= SVAL(param
,0);
198 DEBUG(4,("WaitNamedPipeHandleState priority %x\n", priority
));
200 if (wait_rpc_pipe_hnd_state(p
, priority
)) {
201 /* now send the reply */
202 send_trans_reply(outbuf
, NULL
, 0, NULL
, 0, False
);
209 /****************************************************************************
210 SetNamedPipeHandleState
211 ****************************************************************************/
213 static BOOL
api_SNPHS(char *outbuf
, smb_np_struct
*p
, char *param
, int param_len
)
217 if (!param
|| param_len
< 2)
221 DEBUG(4,("SetNamedPipeHandleState to code %x\n", id
));
223 if (set_rpc_pipe_hnd_state(p
, id
)) {
224 /* now send the reply */
225 send_trans_reply(outbuf
, NULL
, 0, NULL
, 0, False
);
232 /****************************************************************************
233 When no reply is generated, indicate unsupported.
234 ****************************************************************************/
236 static BOOL
api_no_reply(char *outbuf
, int max_rdata_len
)
241 SSVAL(rparam
,0,NERR_notsupported
);
242 SSVAL(rparam
,2,0); /* converter word */
244 DEBUG(3,("Unsupported API fd command\n"));
246 /* now send the reply */
247 send_trans_reply(outbuf
, rparam
, 4, NULL
, 0, False
);
252 /****************************************************************************
253 Handle remote api calls delivered to a named pipe already opened.
254 ****************************************************************************/
256 static int api_fd_reply(connection_struct
*conn
,uint16 vuid
,char *outbuf
,
257 uint16
*setup
,char *data
,char *params
,
258 int suwcnt
,int tdscnt
,int tpscnt
,int mdrcnt
,int mprcnt
)
261 smb_np_struct
*p
= NULL
;
265 DEBUG(5,("api_fd_reply\n"));
267 /* First find out the name of this file. */
269 DEBUG(0,("Unexpected named pipe transaction.\n"));
270 return ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
273 /* Get the file handle and hence the file name. */
275 * NB. The setup array has already been transformed
276 * via SVAL and so is in gost byte order.
278 pnum
= ((int)setup
[1]) & 0xFFFF;
279 subcommand
= ((int)setup
[0]) & 0xFFFF;
281 if(!(p
= get_rpc_pipe(pnum
))) {
282 if (subcommand
== TRANSACT_WAITNAMEDPIPEHANDLESTATE
) {
283 /* Win9x does this call with a unicode pipe name, not a pnum. */
284 /* Just return success for now... */
285 DEBUG(3,("Got TRANSACT_WAITNAMEDPIPEHANDLESTATE on text pipe name\n"));
286 send_trans_reply(outbuf
, NULL
, 0, NULL
, 0, False
);
290 DEBUG(1,("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum
));
291 return ERROR_NT(NT_STATUS_INVALID_HANDLE
);
294 if (vuid
!= p
->vuid
) {
295 DEBUG(1, ("Got pipe request (pnum %x) using invalid VUID %d, "
296 "expected %d\n", pnum
, vuid
, p
->vuid
));
297 return ERROR_NT(NT_STATUS_INVALID_HANDLE
);
300 DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)\n", subcommand
, p
->name
, pnum
));
302 /* record maximum data length that can be transmitted in an SMBtrans */
303 p
->max_trans_reply
= mdrcnt
;
305 DEBUG(10,("api_fd_reply: p:%p max_trans_reply: %d\n", p
, p
->max_trans_reply
));
307 switch (subcommand
) {
308 case TRANSACT_DCERPCCMD
:
309 /* dce/rpc command */
310 reply
= write_to_pipe(p
, data
, tdscnt
);
312 reply
= api_rpc_trans_reply(outbuf
, p
);
314 case TRANSACT_WAITNAMEDPIPEHANDLESTATE
:
315 /* Wait Named Pipe Handle state */
316 reply
= api_WNPHS(outbuf
, p
, params
, tpscnt
);
318 case TRANSACT_SETNAMEDPIPEHANDLESTATE
:
319 /* Set Named Pipe Handle state */
320 reply
= api_SNPHS(outbuf
, p
, params
, tpscnt
);
323 return ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
327 return api_no_reply(outbuf
, mdrcnt
);
332 /****************************************************************************
333 handle named pipe commands
334 ****************************************************************************/
335 static int named_pipe(connection_struct
*conn
,uint16 vuid
, char *outbuf
,char *name
,
336 uint16
*setup
,char *data
,char *params
,
337 int suwcnt
,int tdscnt
,int tpscnt
,
338 int msrcnt
,int mdrcnt
,int mprcnt
)
340 DEBUG(3,("named pipe command on <%s> name\n", name
));
342 if (strequal(name
,"LANMAN"))
343 return api_reply(conn
,vuid
,outbuf
,data
,params
,tdscnt
,tpscnt
,mdrcnt
,mprcnt
);
345 if (strequal(name
,"WKSSVC") ||
346 strequal(name
,"SRVSVC") ||
347 strequal(name
,"WINREG") ||
348 strequal(name
,"SAMR") ||
349 strequal(name
,"LSARPC"))
351 DEBUG(4,("named pipe command from Win95 (wow!)\n"));
352 return api_fd_reply(conn
,vuid
,outbuf
,setup
,data
,params
,suwcnt
,tdscnt
,tpscnt
,mdrcnt
,mprcnt
);
355 if (strlen(name
) < 1)
356 return api_fd_reply(conn
,vuid
,outbuf
,setup
,data
,params
,suwcnt
,tdscnt
,tpscnt
,mdrcnt
,mprcnt
);
359 DEBUG(3,("unknown named pipe: setup 0x%X setup1=%d\n", (int)setup
[0],(int)setup
[1]));
364 static NTSTATUS
handle_trans(connection_struct
*conn
,
365 struct trans_state
*state
,
366 char *outbuf
, int *outsize
)
368 char *local_machine_name
;
371 DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n",
372 state
->name
,(unsigned int)state
->total_data
,(unsigned int)state
->total_param
,
373 (unsigned int)state
->setup_count
));
376 * WinCE wierdness....
379 local_machine_name
= talloc_asprintf(state
, "\\%s\\",
380 get_local_machine_name());
382 if (local_machine_name
== NULL
) {
383 return NT_STATUS_NO_MEMORY
;
386 if (strnequal(state
->name
, local_machine_name
,
387 strlen(local_machine_name
))) {
388 name_offset
= strlen(local_machine_name
)-1;
391 if (!strnequal(&state
->name
[name_offset
], "\\PIPE",
393 return NT_STATUS_NOT_SUPPORTED
;
396 name_offset
+= strlen("\\PIPE");
398 /* Win9x weirdness. When talking to a unicode server Win9x
399 only sends \PIPE instead of \PIPE\ */
401 if (state
->name
[name_offset
] == '\\')
404 DEBUG(5,("calling named_pipe\n"));
405 *outsize
= named_pipe(conn
, state
->vuid
, outbuf
,
406 state
->name
+name_offset
,
407 state
->setup
,state
->data
,
409 state
->setup_count
,state
->total_data
,
411 state
->max_setup_return
,
412 state
->max_data_return
,
413 state
->max_param_return
);
416 return NT_STATUS_NOT_SUPPORTED
;
419 if (state
->close_on_completion
)
420 close_cnum(conn
,state
->vuid
);
425 /****************************************************************************
427 ****************************************************************************/
429 int reply_trans(connection_struct
*conn
, char *inbuf
,char *outbuf
,
430 int size
, int bufsize
)
433 unsigned int dsoff
= SVAL(inbuf
, smb_dsoff
);
434 unsigned int dscnt
= SVAL(inbuf
, smb_dscnt
);
435 unsigned int psoff
= SVAL(inbuf
, smb_psoff
);
436 unsigned int pscnt
= SVAL(inbuf
, smb_pscnt
);
437 unsigned int av_size
= size
-4;
438 struct trans_state
*state
;
441 START_PROFILE(SMBtrans
);
443 result
= allow_new_trans(conn
->pending_trans
, SVAL(inbuf
, smb_mid
));
444 if (!NT_STATUS_IS_OK(result
)) {
445 DEBUG(2, ("Got invalid trans request: %s\n",
447 END_PROFILE(SMBtrans
);
448 return ERROR_NT(result
);
451 if ((state
= TALLOC_P(conn
->mem_ctx
, struct trans_state
)) == NULL
) {
452 DEBUG(0, ("talloc failed\n"));
453 END_PROFILE(SMBtrans
);
454 return ERROR_NT(NT_STATUS_NO_MEMORY
);
457 state
->cmd
= SMBtrans
;
459 state
->mid
= SVAL(inbuf
, smb_mid
);
460 state
->vuid
= SVAL(inbuf
, smb_uid
);
461 state
->setup_count
= CVAL(inbuf
, smb_suwcnt
);
463 state
->total_param
= SVAL(inbuf
, smb_tpscnt
);
465 state
->total_data
= SVAL(inbuf
, smb_tdscnt
);
467 state
->max_param_return
= SVAL(inbuf
, smb_mprcnt
);
468 state
->max_data_return
= SVAL(inbuf
, smb_mdrcnt
);
469 state
->max_setup_return
= CVAL(inbuf
, smb_msrcnt
);
470 state
->close_on_completion
= BITSETW(inbuf
+smb_vwv5
,0);
471 state
->one_way
= BITSETW(inbuf
+smb_vwv5
,1);
473 memset(state
->name
, '\0',sizeof(state
->name
));
474 srvstr_pull_buf(inbuf
, state
->name
, smb_buf(inbuf
),
475 sizeof(state
->name
), STR_TERMINATE
);
477 if ((dscnt
> state
->total_data
) || (pscnt
> state
->total_param
))
480 if (state
->total_data
) {
481 /* Can't use talloc here, the core routines do realloc on the
482 * params and data. Out of paranoia, 100 bytes too many. */
483 state
->data
= (char *)SMB_MALLOC(state
->total_data
+100);
484 if (state
->data
== NULL
) {
485 DEBUG(0,("reply_trans: data malloc fail for %u "
486 "bytes !\n", (unsigned int)state
->total_data
));
488 END_PROFILE(SMBtrans
);
489 return(ERROR_DOS(ERRDOS
,ERRnomem
));
491 /* null-terminate the slack space */
492 memset(&state
->data
[state
->total_data
], 0, 100);
494 if (dscnt
> state
->total_data
||
495 dsoff
+dscnt
< dsoff
) {
499 if (dsoff
> av_size
||
501 dsoff
+dscnt
> av_size
) {
505 memcpy(state
->data
,smb_base(inbuf
)+dsoff
,dscnt
);
508 if (state
->total_param
) {
509 /* Can't use talloc here, the core routines do realloc on the
510 * params and data. Out of paranoia, 100 bytes too many */
511 state
->param
= (char *)SMB_MALLOC(state
->total_param
+100);
512 if (state
->param
== NULL
) {
513 DEBUG(0,("reply_trans: param malloc fail for %u "
514 "bytes !\n", (unsigned int)state
->total_param
));
515 SAFE_FREE(state
->data
);
517 END_PROFILE(SMBtrans
);
518 return(ERROR_DOS(ERRDOS
,ERRnomem
));
520 /* null-terminate the slack space */
521 memset(&state
->param
[state
->total_param
], 0, 100);
523 if (pscnt
> state
->total_param
||
524 psoff
+pscnt
< psoff
) {
528 if (psoff
> av_size
||
530 psoff
+pscnt
> av_size
) {
534 memcpy(state
->param
,smb_base(inbuf
)+psoff
,pscnt
);
537 state
->received_data
= dscnt
;
538 state
->received_param
= pscnt
;
540 if (state
->setup_count
) {
542 if((state
->setup
= TALLOC_ARRAY(
543 state
, uint16
, state
->setup_count
)) == NULL
) {
544 DEBUG(0,("reply_trans: setup malloc fail for %u "
545 "bytes !\n", (unsigned int)
546 (state
->setup_count
* sizeof(uint16
))));
548 END_PROFILE(SMBtrans
);
549 return(ERROR_DOS(ERRDOS
,ERRnomem
));
551 if (inbuf
+smb_vwv14
+(state
->setup_count
*SIZEOFWORD
) >
554 if ((smb_vwv14
+(state
->setup_count
*SIZEOFWORD
) < smb_vwv14
) ||
555 (smb_vwv14
+(state
->setup_count
*SIZEOFWORD
) <
556 (state
->setup_count
*SIZEOFWORD
)))
559 for (i
=0;i
<state
->setup_count
;i
++)
560 state
->setup
[i
] = SVAL(inbuf
,smb_vwv14
+i
*SIZEOFWORD
);
563 state
->received_param
= pscnt
;
565 if ((state
->received_param
== state
->total_param
) &&
566 (state
->received_data
== state
->total_data
)) {
568 result
= handle_trans(conn
, state
, outbuf
, &outsize
);
570 SAFE_FREE(state
->data
);
571 SAFE_FREE(state
->param
);
574 if (!NT_STATUS_IS_OK(result
)) {
575 END_PROFILE(SMBtrans
);
576 return ERROR_NT(result
);
580 END_PROFILE(SMBtrans
);
581 return ERROR_NT(NT_STATUS_INTERNAL_ERROR
);
584 END_PROFILE(SMBtrans
);
588 DLIST_ADD(conn
->pending_trans
, state
);
590 /* We need to send an interim response then receive the rest
591 of the parameter/data bytes */
592 outsize
= set_message(outbuf
,0,0,True
);
594 END_PROFILE(SMBtrans
);
599 DEBUG(0,("reply_trans: invalid trans parameters\n"));
600 SAFE_FREE(state
->data
);
601 SAFE_FREE(state
->param
);
603 END_PROFILE(SMBtrans
);
604 return ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
607 /****************************************************************************
608 Reply to a secondary SMBtrans.
609 ****************************************************************************/
611 int reply_transs(connection_struct
*conn
, char *inbuf
,char *outbuf
,
612 int size
, int bufsize
)
615 unsigned int pcnt
,poff
,dcnt
,doff
,pdisp
,ddisp
;
616 unsigned int av_size
= size
-4;
617 struct trans_state
*state
;
620 START_PROFILE(SMBtranss
);
624 for (state
= conn
->pending_trans
; state
!= NULL
;
625 state
= state
->next
) {
626 if (state
->mid
== SVAL(inbuf
,smb_mid
)) {
631 if ((state
== NULL
) || (state
->cmd
!= SMBtrans
)) {
632 END_PROFILE(SMBtranss
);
633 return ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
636 /* Revise total_params and total_data in case they have changed
639 if (SVAL(inbuf
, smb_vwv0
) < state
->total_param
)
640 state
->total_param
= SVAL(inbuf
,smb_vwv0
);
641 if (SVAL(inbuf
, smb_vwv1
) < state
->total_data
)
642 state
->total_data
= SVAL(inbuf
,smb_vwv1
);
644 pcnt
= SVAL(inbuf
, smb_spscnt
);
645 poff
= SVAL(inbuf
, smb_spsoff
);
646 pdisp
= SVAL(inbuf
, smb_spsdisp
);
648 dcnt
= SVAL(inbuf
, smb_sdscnt
);
649 doff
= SVAL(inbuf
, smb_sdsoff
);
650 ddisp
= SVAL(inbuf
, smb_sdsdisp
);
652 state
->received_param
+= pcnt
;
653 state
->received_data
+= dcnt
;
655 if ((state
->received_data
> state
->total_data
) ||
656 (state
->received_param
> state
->total_param
))
660 if (pdisp
> state
->total_param
||
661 pcnt
> state
->total_param
||
662 pdisp
+pcnt
> state
->total_param
||
663 pdisp
+pcnt
< pdisp
) {
667 if (poff
> av_size
||
669 poff
+pcnt
> av_size
||
674 memcpy(state
->param
+pdisp
,smb_base(inbuf
)+poff
,
679 if (ddisp
> state
->total_data
||
680 dcnt
> state
->total_data
||
681 ddisp
+dcnt
> state
->total_data
||
682 ddisp
+dcnt
< ddisp
) {
686 if (ddisp
> av_size
||
688 ddisp
+dcnt
> av_size
||
689 ddisp
+dcnt
< ddisp
) {
693 memcpy(state
->data
+ddisp
, smb_base(inbuf
)+doff
,
697 if ((state
->received_param
< state
->total_param
) ||
698 (state
->received_data
< state
->total_data
)) {
699 END_PROFILE(SMBtranss
);
703 /* construct_reply_common has done us the favor to pre-fill the
704 * command field with SMBtranss which is wrong :-)
706 SCVAL(outbuf
,smb_com
,SMBtrans
);
708 result
= handle_trans(conn
, state
, outbuf
, &outsize
);
710 DLIST_REMOVE(conn
->pending_trans
, state
);
711 SAFE_FREE(state
->data
);
712 SAFE_FREE(state
->param
);
715 if ((outsize
== 0) || !NT_STATUS_IS_OK(result
)) {
716 END_PROFILE(SMBtranss
);
717 return(ERROR_DOS(ERRSRV
,ERRnosupport
));
720 END_PROFILE(SMBtranss
);
725 DEBUG(0,("reply_transs: invalid trans parameters\n"));
726 DLIST_REMOVE(conn
->pending_trans
, state
);
727 SAFE_FREE(state
->data
);
728 SAFE_FREE(state
->param
);
730 END_PROFILE(SMBtranss
);
731 return ERROR_NT(NT_STATUS_INVALID_PARAMETER
);
