search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Fix bug 9678 - Windows 8 Roaming profiles fail
[Samba.git] / source3 / smbd / nttrans.c
blob0d74a585d100877a631668c3d8f0df9fb15df3ee
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT transaction handling
4 Copyright (C) Jeremy Allison 1994-2007
5 Copyright (C) Stefan (metze) Metzmacher 2003
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/filesys.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "fake_file.h"
26 #include "../libcli/security/security.h"
27 #include "../librpc/gen_ndr/ndr_security.h"
28 #include "passdb/lookup_sid.h"
29 #include "auth.h"
30 #include "smbprofile.h"
31 #include "libsmb/libsmb.h"
32
33 extern const struct generic_mapping file_generic_mapping;
34
35 static char *nttrans_realloc(char **ptr, size_t size)
36 {
37 if (ptr==NULL) {
38 smb_panic("nttrans_realloc() called with NULL ptr");
39 }
40
41 *ptr = (char *)SMB_REALLOC(*ptr, size);
42 if(*ptr == NULL) {
43 return NULL;
44 }
45 memset(*ptr,'\0',size);
46 return *ptr;
47 }
48
49 /****************************************************************************
50 Send the required number of replies back.
51 We assume all fields other than the data fields are
52 set correctly for the type of call.
53 HACK ! Always assumes smb_setup field is zero.
54 ****************************************************************************/
55
56 static void send_nt_replies(connection_struct *conn,
57 struct smb_request *req, NTSTATUS nt_error,
58 char *params, int paramsize,
59 char *pdata, int datasize)
60 {
61 int data_to_send = datasize;
62 int params_to_send = paramsize;
63 int useable_space;
64 char *pp = params;
65 char *pd = pdata;
66 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
67 int alignment_offset = 1;
68 int data_alignment_offset = 0;
69 struct smbd_server_connection *sconn = req->sconn;
70 int max_send = sconn->smb1.sessions.max_send;
71
72 /*
73 * If there genuinely are no parameters or data to send just send
74 * the empty packet.
75 */
76
77 if(params_to_send == 0 && data_to_send == 0) {
78 reply_outbuf(req, 18, 0);
79 if (NT_STATUS_V(nt_error)) {
80 error_packet_set((char *)req->outbuf,
81 0, 0, nt_error,
82 __LINE__,__FILE__);
83 }
84 show_msg((char *)req->outbuf);
85 if (!srv_send_smb(sconn,
86 (char *)req->outbuf,
87 true, req->seqnum+1,
88 IS_CONN_ENCRYPTED(conn),
89 &req->pcd)) {
90 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
91 }
92 TALLOC_FREE(req->outbuf);
93 return;
94 }
95
96 /*
97 * When sending params and data ensure that both are nicely aligned.
98 * Only do this alignment when there is also data to send - else
99 * can cause NT redirector problems.
100 */
101
102 if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
103 data_alignment_offset = 4 - (params_to_send % 4);
104 }
105
106 /*
107 * Space is bufsize minus Netbios over TCP header minus SMB header.
108 * The alignment_offset is to align the param bytes on a four byte
109 * boundary (2 bytes for data len, one byte pad).
110 * NT needs this to work correctly.
111 */
112
113 useable_space = max_send - (smb_size
114 + 2 * 18 /* wct */
115 + alignment_offset
116 + data_alignment_offset);
117
118 if (useable_space < 0) {
119 char *msg = talloc_asprintf(
120 talloc_tos(),
121 "send_nt_replies failed sanity useable_space = %d!!!",
122 useable_space);
123 DEBUG(0, ("%s\n", msg));
124 exit_server_cleanly(msg);
125 }
126
127 while (params_to_send || data_to_send) {
128
129 /*
130 * Calculate whether we will totally or partially fill this packet.
131 */
132
133 total_sent_thistime = params_to_send + data_to_send;
134
135 /*
136 * We can never send more than useable_space.
137 */
138
139 total_sent_thistime = MIN(total_sent_thistime, useable_space);
140
141 reply_outbuf(req, 18,
142 total_sent_thistime + alignment_offset
143 + data_alignment_offset);
144
145 /*
146 * Set total params and data to be sent.
147 */
148
149 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
150 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
151
152 /*
153 * Calculate how many parameters and data we can fit into
154 * this packet. Parameters get precedence.
155 */
156
157 params_sent_thistime = MIN(params_to_send,useable_space);
158 data_sent_thistime = useable_space - params_sent_thistime;
159 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
160
161 SIVAL(req->outbuf, smb_ntr_ParameterCount,
162 params_sent_thistime);
163
164 if(params_sent_thistime == 0) {
165 SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
166 SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
167 } else {
168 /*
169 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
170 * parameter bytes, however the first 4 bytes of outbuf are
171 * the Netbios over TCP header. Thus use smb_base() to subtract
172 * them from the calculation.
173 */
174
175 SIVAL(req->outbuf,smb_ntr_ParameterOffset,
176 ((smb_buf(req->outbuf)+alignment_offset)
177 - smb_base(req->outbuf)));
178 /*
179 * Absolute displacement of param bytes sent in this packet.
180 */
181
182 SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
183 pp - params);
184 }
185
186 /*
187 * Deal with the data portion.
188 */
189
190 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
191
192 if(data_sent_thistime == 0) {
193 SIVAL(req->outbuf,smb_ntr_DataOffset,0);
194 SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
195 } else {
196 /*
197 * The offset of the data bytes is the offset of the
198 * parameter bytes plus the number of parameters being sent this time.
199 */
200
201 SIVAL(req->outbuf, smb_ntr_DataOffset,
202 ((smb_buf(req->outbuf)+alignment_offset) -
203 smb_base(req->outbuf))
204 + params_sent_thistime + data_alignment_offset);
205 SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
206 }
207
208 /*
209 * Copy the param bytes into the packet.
210 */
211
212 if(params_sent_thistime) {
213 if (alignment_offset != 0) {
214 memset(smb_buf(req->outbuf), 0,
215 alignment_offset);
216 }
217 memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
218 params_sent_thistime);
219 }
220
221 /*
222 * Copy in the data bytes
223 */
224
225 if(data_sent_thistime) {
226 if (data_alignment_offset != 0) {
227 memset((smb_buf(req->outbuf)+alignment_offset+
228 params_sent_thistime), 0,
229 data_alignment_offset);
230 }
231 memcpy(smb_buf(req->outbuf)+alignment_offset
232 +params_sent_thistime+data_alignment_offset,
233 pd,data_sent_thistime);
234 }
235
236 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
237 params_sent_thistime, data_sent_thistime, useable_space));
238 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
239 params_to_send, data_to_send, paramsize, datasize));
240
241 if (NT_STATUS_V(nt_error)) {
242 error_packet_set((char *)req->outbuf,
243 0, 0, nt_error,
244 __LINE__,__FILE__);
245 }
246
247 /* Send the packet */
248 show_msg((char *)req->outbuf);
249 if (!srv_send_smb(sconn,
250 (char *)req->outbuf,
251 true, req->seqnum+1,
252 IS_CONN_ENCRYPTED(conn),
253 &req->pcd)) {
254 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
255 }
256
257 TALLOC_FREE(req->outbuf);
258
259 pp += params_sent_thistime;
260 pd += data_sent_thistime;
261
262 params_to_send -= params_sent_thistime;
263 data_to_send -= data_sent_thistime;
264
265 /*
266 * Sanity check
267 */
268
269 if(params_to_send < 0 || data_to_send < 0) {
270 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
271 params_to_send, data_to_send));
272 exit_server_cleanly("send_nt_replies: internal error");
273 }
274 }
275 }
276
277 /****************************************************************************
278 Reply to an NT create and X call on a pipe
279 ****************************************************************************/
280
281 static void nt_open_pipe(char *fname, connection_struct *conn,
282 struct smb_request *req, uint16_t *ppnum)
283 {
284 files_struct *fsp;
285 NTSTATUS status;
286
287 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
288
289 /* Strip \\ off the name if present. */
290 while (fname[0] == '\\') {
291 fname++;
292 }
293
294 status = open_np_file(req, fname, &fsp);
295 if (!NT_STATUS_IS_OK(status)) {
296 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
297 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
298 ERRDOS, ERRbadpipe);
299 return;
300 }
301 reply_nterror(req, status);
302 return;
303 }
304
305 *ppnum = fsp->fnum;
306 return;
307 }
308
309 /****************************************************************************
310 Reply to an NT create and X call for pipes.
311 ****************************************************************************/
312
313 static void do_ntcreate_pipe_open(connection_struct *conn,
314 struct smb_request *req)
315 {
316 char *fname = NULL;
317 uint16_t pnum = FNUM_FIELD_INVALID;
318 char *p = NULL;
319 uint32 flags = IVAL(req->vwv+3, 1);
320 TALLOC_CTX *ctx = talloc_tos();
321
322 srvstr_pull_req_talloc(ctx, req, &fname, req->buf, STR_TERMINATE);
323
324 if (!fname) {
325 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
326 ERRDOS, ERRbadpipe);
327 return;
328 }
329 nt_open_pipe(fname, conn, req, &pnum);
330
331 if (req->outbuf) {
332 /* error reply */
333 return;
334 }
335
336 /*
337 * Deal with pipe return.
338 */
339
340 if (flags & EXTENDED_RESPONSE_REQUIRED) {
341 /* This is very strange. We
342 * return 50 words, but only set
343 * the wcnt to 42 ? It's definitely
344 * what happens on the wire....
345 */
346 reply_outbuf(req, 50, 0);
347 SCVAL(req->outbuf,smb_wct,42);
348 } else {
349 reply_outbuf(req, 34, 0);
350 }
351
352 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
353 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
354
355 p = (char *)req->outbuf + smb_vwv2;
356 p++;
357 SSVAL(p,0,pnum);
358 p += 2;
359 SIVAL(p,0,FILE_WAS_OPENED);
360 p += 4;
361 p += 32;
362 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
363 p += 20;
364 /* File type. */
365 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
366 /* Device state. */
367 SSVAL(p,2, 0x5FF); /* ? */
368 p += 4;
369
370 if (flags & EXTENDED_RESPONSE_REQUIRED) {
371 p += 25;
372 SIVAL(p,0,FILE_GENERIC_ALL);
373 /*
374 * For pipes W2K3 seems to return
375 * 0x12019B next.
376 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
377 */
378 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
379 }
380
381 DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
382 }
383
384 struct case_semantics_state {
385 connection_struct *conn;
386 bool case_sensitive;
387 bool case_preserve;
388 bool short_case_preserve;
389 };
390
391 /****************************************************************************
392 Restore case semantics.
393 ****************************************************************************/
394
395 static int restore_case_semantics(struct case_semantics_state *state)
396 {
397 state->conn->case_sensitive = state->case_sensitive;
398 state->conn->case_preserve = state->case_preserve;
399 state->conn->short_case_preserve = state->short_case_preserve;
400 return 0;
401 }
402
403 /****************************************************************************
404 Save case semantics.
405 ****************************************************************************/
406
407 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
408 connection_struct *conn)
409 {
410 struct case_semantics_state *result;
411
412 if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
413 return NULL;
414 }
415
416 result->conn = conn;
417 result->case_sensitive = conn->case_sensitive;
418 result->case_preserve = conn->case_preserve;
419 result->short_case_preserve = conn->short_case_preserve;
420
421 /* Set to POSIX. */
422 conn->case_sensitive = True;
423 conn->case_preserve = True;
424 conn->short_case_preserve = True;
425
426 talloc_set_destructor(result, restore_case_semantics);
427
428 return result;
429 }
430
431 /****************************************************************************
432 Reply to an NT create and X call.
433 ****************************************************************************/
434
435 void reply_ntcreate_and_X(struct smb_request *req)
436 {
437 connection_struct *conn = req->conn;
438 struct smb_filename *smb_fname = NULL;
439 char *fname = NULL;
440 uint32 flags;
441 uint32 access_mask;
442 uint32 file_attributes;
443 uint32 share_access;
444 uint32 create_disposition;
445 uint32 create_options;
446 uint16 root_dir_fid;
447 uint64_t allocation_size;
448 /* Breakout the oplock request bits so we can set the
449 reply bits separately. */
450 uint32 fattr=0;
451 off_t file_len = 0;
452 int info = 0;
453 files_struct *fsp = NULL;
454 char *p = NULL;
455 struct timespec create_timespec;
456 struct timespec c_timespec;
457 struct timespec a_timespec;
458 struct timespec m_timespec;
459 struct timespec write_time_ts;
460 NTSTATUS status;
461 int oplock_request;
462 uint8_t oplock_granted = NO_OPLOCK_RETURN;
463 struct case_semantics_state *case_state = NULL;
464 TALLOC_CTX *ctx = talloc_tos();
465
466 START_PROFILE(SMBntcreateX);
467
468 if (req->wct < 24) {
469 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
470 goto out;
471 }
472
473 flags = IVAL(req->vwv+3, 1);
474 access_mask = IVAL(req->vwv+7, 1);
475 file_attributes = IVAL(req->vwv+13, 1);
476 share_access = IVAL(req->vwv+15, 1);
477 create_disposition = IVAL(req->vwv+17, 1);
478 create_options = IVAL(req->vwv+19, 1);
479 root_dir_fid = (uint16)IVAL(req->vwv+5, 1);
480
481 allocation_size = BVAL(req->vwv+9, 1);
482
483 srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf,
484 STR_TERMINATE, &status);
485
486 if (!NT_STATUS_IS_OK(status)) {
487 reply_nterror(req, status);
488 goto out;
489 }
490
491 DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
492 "file_attributes = 0x%x, share_access = 0x%x, "
493 "create_disposition = 0x%x create_options = 0x%x "
494 "root_dir_fid = 0x%x, fname = %s\n",
495 (unsigned int)flags,
496 (unsigned int)access_mask,
497 (unsigned int)file_attributes,
498 (unsigned int)share_access,
499 (unsigned int)create_disposition,
500 (unsigned int)create_options,
501 (unsigned int)root_dir_fid,
502 fname));
503
504 /*
505 * we need to remove ignored bits when they come directly from the client
506 * because we reuse some of them for internal stuff
507 */
508 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
509
510 /*
511 * If it's an IPC, use the pipe handler.
512 */
513
514 if (IS_IPC(conn)) {
515 if (lp_nt_pipe_support()) {
516 do_ntcreate_pipe_open(conn, req);
517 goto out;
518 }
519 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
520 goto out;
521 }
522
523 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
524 if (oplock_request) {
525 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
526 ? BATCH_OPLOCK : 0;
527 }
528
529 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
530 case_state = set_posix_case_semantics(ctx, conn);
531 if (!case_state) {
532 reply_nterror(req, NT_STATUS_NO_MEMORY);
533 goto out;
534 }
535 }
536
537 status = filename_convert(ctx,
538 conn,
539 req->flags2 & FLAGS2_DFS_PATHNAMES,
540 fname,
541 0,
542 NULL,
543 &smb_fname);
544
545 TALLOC_FREE(case_state);
546
547 if (!NT_STATUS_IS_OK(status)) {
548 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
549 reply_botherror(req,
550 NT_STATUS_PATH_NOT_COVERED,
551 ERRSRV, ERRbadpath);
552 goto out;
553 }
554 reply_nterror(req, status);
555 goto out;
556 }
557
558 /*
559 * Bug #6898 - clients using Windows opens should
560 * never be able to set this attribute into the
561 * VFS.
562 */
563 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
564
565 status = SMB_VFS_CREATE_FILE(
566 conn, /* conn */
567 req, /* req */
568 root_dir_fid, /* root_dir_fid */
569 smb_fname, /* fname */
570 access_mask, /* access_mask */
571 share_access, /* share_access */
572 create_disposition, /* create_disposition*/
573 create_options, /* create_options */
574 file_attributes, /* file_attributes */
575 oplock_request, /* oplock_request */
576 allocation_size, /* allocation_size */
577 0, /* private_flags */
578 NULL, /* sd */
579 NULL, /* ea_list */
580 &fsp, /* result */
581 &info); /* pinfo */
582
583 if (!NT_STATUS_IS_OK(status)) {
584 if (open_was_deferred(req->sconn, req->mid)) {
585 /* We have re-scheduled this call, no error. */
586 goto out;
587 }
588 reply_openerror(req, status);
589 goto out;
590 }
591
592 /* Ensure we're pointing at the correct stat struct. */
593 TALLOC_FREE(smb_fname);
594 smb_fname = fsp->fsp_name;
595
596 /*
597 * If the caller set the extended oplock request bit
598 * and we granted one (by whatever means) - set the
599 * correct bit for extended oplock reply.
600 */
601
602 if (oplock_request &&
603 (lp_fake_oplocks(SNUM(conn))
604 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
605
606 /*
607 * Exclusive oplock granted
608 */
609
610 if (flags & REQUEST_BATCH_OPLOCK) {
611 oplock_granted = BATCH_OPLOCK_RETURN;
612 } else {
613 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
614 }
615 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
616 oplock_granted = LEVEL_II_OPLOCK_RETURN;
617 } else {
618 oplock_granted = NO_OPLOCK_RETURN;
619 }
620
621 file_len = smb_fname->st.st_ex_size;
622
623 if (flags & EXTENDED_RESPONSE_REQUIRED) {
624 /* This is very strange. We
625 * return 50 words, but only set
626 * the wcnt to 42 ? It's definitely
627 * what happens on the wire....
628 */
629 reply_outbuf(req, 50, 0);
630 SCVAL(req->outbuf,smb_wct,42);
631 } else {
632 reply_outbuf(req, 34, 0);
633 }
634
635 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
636 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
637
638 p = (char *)req->outbuf + smb_vwv2;
639
640 SCVAL(p, 0, oplock_granted);
641
642 p++;
643 SSVAL(p,0,fsp->fnum);
644 p += 2;
645 if ((create_disposition == FILE_SUPERSEDE)
646 && (info == FILE_WAS_OVERWRITTEN)) {
647 SIVAL(p,0,FILE_WAS_SUPERSEDED);
648 } else {
649 SIVAL(p,0,info);
650 }
651 p += 4;
652
653 fattr = dos_mode(conn, smb_fname);
654 if (fattr == 0) {
655 fattr = FILE_ATTRIBUTE_NORMAL;
656 }
657
658 /* Deal with other possible opens having a modified
659 write time. JRA. */
660 ZERO_STRUCT(write_time_ts);
661 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
662 if (!null_timespec(write_time_ts)) {
663 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
664 }
665
666 /* Create time. */
667 create_timespec = get_create_timespec(conn, fsp, smb_fname);
668 a_timespec = smb_fname->st.st_ex_atime;
669 m_timespec = smb_fname->st.st_ex_mtime;
670 c_timespec = get_change_timespec(conn, fsp, smb_fname);
671
672 if (lp_dos_filetime_resolution(SNUM(conn))) {
673 dos_filetime_timespec(&create_timespec);
674 dos_filetime_timespec(&a_timespec);
675 dos_filetime_timespec(&m_timespec);
676 dos_filetime_timespec(&c_timespec);
677 }
678
679 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
680 p += 8;
681 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
682 p += 8;
683 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
684 p += 8;
685 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
686 p += 8;
687 SIVAL(p,0,fattr); /* File Attributes. */
688 p += 4;
689 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn,fsp,&smb_fname->st));
690 p += 8;
691 SOFF_T(p,0,file_len);
692 p += 8;
693 if (flags & EXTENDED_RESPONSE_REQUIRED) {
694 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
695 size_t num_names = 0;
696 unsigned int num_streams = 0;
697 struct stream_struct *streams = NULL;
698
699 /* Do we have any EA's ? */
700 status = get_ea_names_from_file(ctx, conn, fsp,
701 smb_fname->base_name, NULL, &num_names);
702 if (NT_STATUS_IS_OK(status) && num_names) {
703 file_status &= ~NO_EAS;
704 }
705 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
706 &num_streams, &streams);
707 /* There is always one stream, ::$DATA. */
708 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
709 file_status &= ~NO_SUBSTREAMS;
710 }
711 TALLOC_FREE(streams);
712 SSVAL(p,2,file_status);
713 }
714 p += 4;
715 SCVAL(p,0,fsp->is_directory ? 1 : 0);
716
717 if (flags & EXTENDED_RESPONSE_REQUIRED) {
718 uint32 perms = 0;
719 p += 25;
720 if (fsp->is_directory ||
721 fsp->can_write ||
722 can_write_to_file(conn, smb_fname)) {
723 perms = FILE_GENERIC_ALL;
724 } else {
725 perms = FILE_GENERIC_READ|FILE_EXECUTE;
726 }
727 SIVAL(p,0,perms);
728 }
729
730 DEBUG(5,("reply_ntcreate_and_X: %s, open name = %s\n",
731 fsp_fnum_dbg(fsp), smb_fname_str_dbg(smb_fname)));
732
733 out:
734 END_PROFILE(SMBntcreateX);
735 return;
736 }
737
738 /****************************************************************************
739 Reply to a NT_TRANSACT_CREATE call to open a pipe.
740 ****************************************************************************/
741
742 static void do_nt_transact_create_pipe(connection_struct *conn,
743 struct smb_request *req,
744 uint16 **ppsetup, uint32 setup_count,
745 char **ppparams, uint32 parameter_count,
746 char **ppdata, uint32 data_count)
747 {
748 char *fname = NULL;
749 char *params = *ppparams;
750 uint16_t pnum = FNUM_FIELD_INVALID;
751 char *p = NULL;
752 NTSTATUS status;
753 size_t param_len;
754 uint32 flags;
755 TALLOC_CTX *ctx = talloc_tos();
756
757 /*
758 * Ensure minimum number of parameters sent.
759 */
760
761 if(parameter_count < 54) {
762 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
763 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
764 return;
765 }
766
767 flags = IVAL(params,0);
768
769 srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
770 parameter_count-53, STR_TERMINATE,
771 &status);
772 if (!NT_STATUS_IS_OK(status)) {
773 reply_nterror(req, status);
774 return;
775 }
776
777 nt_open_pipe(fname, conn, req, &pnum);
778
779 if (req->outbuf) {
780 /* Error return */
781 return;
782 }
783
784 /* Realloc the size of parameters and data we will return */
785 if (flags & EXTENDED_RESPONSE_REQUIRED) {
786 /* Extended response is 32 more byyes. */
787 param_len = 101;
788 } else {
789 param_len = 69;
790 }
791 params = nttrans_realloc(ppparams, param_len);
792 if(params == NULL) {
793 reply_nterror(req, NT_STATUS_NO_MEMORY);
794 return;
795 }
796
797 p = params;
798 SCVAL(p,0,NO_OPLOCK_RETURN);
799
800 p += 2;
801 SSVAL(p,0,pnum);
802 p += 2;
803 SIVAL(p,0,FILE_WAS_OPENED);
804 p += 8;
805
806 p += 32;
807 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
808 p += 20;
809 /* File type. */
810 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
811 /* Device state. */
812 SSVAL(p,2, 0x5FF); /* ? */
813 p += 4;
814
815 if (flags & EXTENDED_RESPONSE_REQUIRED) {
816 p += 25;
817 SIVAL(p,0,FILE_GENERIC_ALL);
818 /*
819 * For pipes W2K3 seems to return
820 * 0x12019B next.
821 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
822 */
823 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
824 }
825
826 DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
827
828 /* Send the required number of replies */
829 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
830
831 return;
832 }
833
834 /*********************************************************************
835 Windows seems to do canonicalization of inheritance bits. Do the
836 same.
837 *********************************************************************/
838
839 static void canonicalize_inheritance_bits(struct security_descriptor *psd)
840 {
841 bool set_auto_inherited = false;
842
843 /*
844 * We need to filter out the
845 * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
846 * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
847 * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
848 * when an ACE is inherited. Otherwise we zero these bits out.
849 * See:
850 *
851 * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
852 *
853 * for details.
854 */
855
856 if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
857 == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
858 set_auto_inherited = true;
859 }
860
861 psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
862 if (set_auto_inherited) {
863 psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
864 }
865 }
866
867 /****************************************************************************
868 Internal fn to set security descriptors.
869 ****************************************************************************/
870
871 NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
872 uint32_t security_info_sent)
873 {
874 NTSTATUS status;
875
876 if (!CAN_WRITE(fsp->conn)) {
877 return NT_STATUS_ACCESS_DENIED;
878 }
879
880 if (!lp_nt_acl_support(SNUM(fsp->conn))) {
881 return NT_STATUS_OK;
882 }
883
884 if (psd->owner_sid == NULL) {
885 security_info_sent &= ~SECINFO_OWNER;
886 }
887 if (psd->group_sid == NULL) {
888 security_info_sent &= ~SECINFO_GROUP;
889 }
890
891 /* Ensure we have at least one thing set. */
892 if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
893 /* Just like W2K3 */
894 return NT_STATUS_OK;
895 }
896
897 /* Ensure we have the rights to do this. */
898 if (security_info_sent & SECINFO_OWNER) {
899 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
900 return NT_STATUS_ACCESS_DENIED;
901 }
902 }
903
904 if (security_info_sent & SECINFO_GROUP) {
905 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
906 return NT_STATUS_ACCESS_DENIED;
907 }
908 }
909
910 if (security_info_sent & SECINFO_DACL) {
911 if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
912 return NT_STATUS_ACCESS_DENIED;
913 }
914 /* Convert all the generic bits. */
915 if (psd->dacl) {
916 security_acl_map_generic(psd->dacl, &file_generic_mapping);
917 }
918 }
919
920 if (security_info_sent & SECINFO_SACL) {
921 if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
922 return NT_STATUS_ACCESS_DENIED;
923 }
924 /* Convert all the generic bits. */
925 if (psd->sacl) {
926 security_acl_map_generic(psd->sacl, &file_generic_mapping);
927 }
928 }
929
930 canonicalize_inheritance_bits(psd);
931
932 if (DEBUGLEVEL >= 10) {
933 DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
934 NDR_PRINT_DEBUG(security_descriptor, psd);
935 }
936
937 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
938
939 TALLOC_FREE(psd);
940
941 return status;
942 }
943
944 /****************************************************************************
945 Internal fn to set security descriptors from a data blob.
946 ****************************************************************************/
947
948 NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
949 uint32_t security_info_sent)
950 {
951 struct security_descriptor *psd = NULL;
952 NTSTATUS status;
953
954 if (sd_len == 0) {
955 return NT_STATUS_INVALID_PARAMETER;
956 }
957
958 status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
959
960 if (!NT_STATUS_IS_OK(status)) {
961 return status;
962 }
963
964 return set_sd(fsp, psd, security_info_sent);
965 }
966
967 /****************************************************************************
968 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
969 ****************************************************************************/
970
971 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
972 {
973 struct ea_list *ea_list_head = NULL;
974 size_t offset = 0;
975
976 if (data_size < 4) {
977 return NULL;
978 }
979
980 while (offset + 4 <= data_size) {
981 size_t next_offset = IVAL(pdata,offset);
982 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
983
984 if (!eal) {
985 return NULL;
986 }
987
988 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
989 if (next_offset == 0) {
990 break;
991 }
992
993 /* Integer wrap protection for the increment. */
994 if (offset + next_offset < offset) {
995 break;
996 }
997
998 offset += next_offset;
999
1000 /* Integer wrap protection for while loop. */
1001 if (offset + 4 < offset) {
1002 break;
1003 }
1004
1005 }
1006
1007 return ea_list_head;
1008 }
1009
1010 /****************************************************************************
1011 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1012 ****************************************************************************/
1013
1014 static void call_nt_transact_create(connection_struct *conn,
1015 struct smb_request *req,
1016 uint16 **ppsetup, uint32 setup_count,
1017 char **ppparams, uint32 parameter_count,
1018 char **ppdata, uint32 data_count,
1019 uint32 max_data_count)
1020 {
1021 struct smb_filename *smb_fname = NULL;
1022 char *fname = NULL;
1023 char *params = *ppparams;
1024 char *data = *ppdata;
1025 /* Breakout the oplock request bits so we can set the reply bits separately. */
1026 uint32 fattr=0;
1027 off_t file_len = 0;
1028 int info = 0;
1029 files_struct *fsp = NULL;
1030 char *p = NULL;
1031 uint32 flags;
1032 uint32 access_mask;
1033 uint32 file_attributes;
1034 uint32 share_access;
1035 uint32 create_disposition;
1036 uint32 create_options;
1037 uint32 sd_len;
1038 struct security_descriptor *sd = NULL;
1039 uint32 ea_len;
1040 uint16 root_dir_fid;
1041 struct timespec create_timespec;
1042 struct timespec c_timespec;
1043 struct timespec a_timespec;
1044 struct timespec m_timespec;
1045 struct timespec write_time_ts;
1046 struct ea_list *ea_list = NULL;
1047 NTSTATUS status;
1048 size_t param_len;
1049 uint64_t allocation_size;
1050 int oplock_request;
1051 uint8_t oplock_granted;
1052 struct case_semantics_state *case_state = NULL;
1053 TALLOC_CTX *ctx = talloc_tos();
1054
1055 DEBUG(5,("call_nt_transact_create\n"));
1056
1057 /*
1058 * If it's an IPC, use the pipe handler.
1059 */
1060
1061 if (IS_IPC(conn)) {
1062 if (lp_nt_pipe_support()) {
1063 do_nt_transact_create_pipe(
1064 conn, req,
1065 ppsetup, setup_count,
1066 ppparams, parameter_count,
1067 ppdata, data_count);
1068 goto out;
1069 }
1070 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1071 goto out;
1072 }
1073
1074 /*
1075 * Ensure minimum number of parameters sent.
1076 */
1077
1078 if(parameter_count < 54) {
1079 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1080 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1081 goto out;
1082 }
1083
1084 flags = IVAL(params,0);
1085 access_mask = IVAL(params,8);
1086 file_attributes = IVAL(params,20);
1087 share_access = IVAL(params,24);
1088 create_disposition = IVAL(params,28);
1089 create_options = IVAL(params,32);
1090 sd_len = IVAL(params,36);
1091 ea_len = IVAL(params,40);
1092 root_dir_fid = (uint16)IVAL(params,4);
1093 allocation_size = BVAL(params,12);
1094
1095 /*
1096 * we need to remove ignored bits when they come directly from the client
1097 * because we reuse some of them for internal stuff
1098 */
1099 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
1100
1101 /* Ensure the data_len is correct for the sd and ea values given. */
1102 if ((ea_len + sd_len > data_count)
1103 || (ea_len > data_count) || (sd_len > data_count)
1104 || (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1105 DEBUG(10, ("call_nt_transact_create - ea_len = %u, sd_len = "
1106 "%u, data_count = %u\n", (unsigned int)ea_len,
1107 (unsigned int)sd_len, (unsigned int)data_count));
1108 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1109 goto out;
1110 }
1111
1112 if (sd_len) {
1113 DEBUG(10, ("call_nt_transact_create - sd_len = %d\n",
1114 sd_len));
1115
1116 status = unmarshall_sec_desc(ctx, (uint8_t *)data, sd_len,
1117 &sd);
1118 if (!NT_STATUS_IS_OK(status)) {
1119 DEBUG(10, ("call_nt_transact_create: "
1120 "unmarshall_sec_desc failed: %s\n",
1121 nt_errstr(status)));
1122 reply_nterror(req, status);
1123 goto out;
1124 }
1125 }
1126
1127 if (ea_len) {
1128 if (!lp_ea_support(SNUM(conn))) {
1129 DEBUG(10, ("call_nt_transact_create - ea_len = %u but "
1130 "EA's not supported.\n",
1131 (unsigned int)ea_len));
1132 reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1133 goto out;
1134 }
1135
1136 if (ea_len < 10) {
1137 DEBUG(10,("call_nt_transact_create - ea_len = %u - "
1138 "too small (should be more than 10)\n",
1139 (unsigned int)ea_len ));
1140 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1141 goto out;
1142 }
1143
1144 /* We have already checked that ea_len <= data_count here. */
1145 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1146 ea_len);
1147 if (ea_list == NULL) {
1148 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1149 goto out;
1150 }
1151 }
1152
1153 srvstr_get_path(ctx, params, req->flags2, &fname,
1154 params+53, parameter_count-53,
1155 STR_TERMINATE, &status);
1156 if (!NT_STATUS_IS_OK(status)) {
1157 reply_nterror(req, status);
1158 goto out;
1159 }
1160
1161 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1162 case_state = set_posix_case_semantics(ctx, conn);
1163 if (!case_state) {
1164 reply_nterror(req, NT_STATUS_NO_MEMORY);
1165 goto out;
1166 }
1167 }
1168
1169 status = filename_convert(ctx,
1170 conn,
1171 req->flags2 & FLAGS2_DFS_PATHNAMES,
1172 fname,
1173 0,
1174 NULL,
1175 &smb_fname);
1176
1177 TALLOC_FREE(case_state);
1178
1179 if (!NT_STATUS_IS_OK(status)) {
1180 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1181 reply_botherror(req,
1182 NT_STATUS_PATH_NOT_COVERED,
1183 ERRSRV, ERRbadpath);
1184 goto out;
1185 }
1186 reply_nterror(req, status);
1187 goto out;
1188 }
1189
1190 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1191 if (oplock_request) {
1192 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
1193 ? BATCH_OPLOCK : 0;
1194 }
1195
1196 /*
1197 * Bug #6898 - clients using Windows opens should
1198 * never be able to set this attribute into the
1199 * VFS.
1200 */
1201 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1202
1203 status = SMB_VFS_CREATE_FILE(
1204 conn, /* conn */
1205 req, /* req */
1206 root_dir_fid, /* root_dir_fid */
1207 smb_fname, /* fname */
1208 access_mask, /* access_mask */
1209 share_access, /* share_access */
1210 create_disposition, /* create_disposition*/
1211 create_options, /* create_options */
1212 file_attributes, /* file_attributes */
1213 oplock_request, /* oplock_request */
1214 allocation_size, /* allocation_size */
1215 0, /* private_flags */
1216 sd, /* sd */
1217 ea_list, /* ea_list */
1218 &fsp, /* result */
1219 &info); /* pinfo */
1220
1221 if(!NT_STATUS_IS_OK(status)) {
1222 if (open_was_deferred(req->sconn, req->mid)) {
1223 /* We have re-scheduled this call, no error. */
1224 return;
1225 }
1226 reply_openerror(req, status);
1227 goto out;
1228 }
1229
1230 /* Ensure we're pointing at the correct stat struct. */
1231 TALLOC_FREE(smb_fname);
1232 smb_fname = fsp->fsp_name;
1233
1234 /*
1235 * If the caller set the extended oplock request bit
1236 * and we granted one (by whatever means) - set the
1237 * correct bit for extended oplock reply.
1238 */
1239
1240 if (oplock_request &&
1241 (lp_fake_oplocks(SNUM(conn))
1242 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
1243
1244 /*
1245 * Exclusive oplock granted
1246 */
1247
1248 if (flags & REQUEST_BATCH_OPLOCK) {
1249 oplock_granted = BATCH_OPLOCK_RETURN;
1250 } else {
1251 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
1252 }
1253 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1254 oplock_granted = LEVEL_II_OPLOCK_RETURN;
1255 } else {
1256 oplock_granted = NO_OPLOCK_RETURN;
1257 }
1258
1259 file_len = smb_fname->st.st_ex_size;
1260
1261 /* Realloc the size of parameters and data we will return */
1262 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1263 /* Extended response is 32 more byyes. */
1264 param_len = 101;
1265 } else {
1266 param_len = 69;
1267 }
1268 params = nttrans_realloc(ppparams, param_len);
1269 if(params == NULL) {
1270 reply_nterror(req, NT_STATUS_NO_MEMORY);
1271 goto out;
1272 }
1273
1274 p = params;
1275 SCVAL(p, 0, oplock_granted);
1276
1277 p += 2;
1278 SSVAL(p,0,fsp->fnum);
1279 p += 2;
1280 if ((create_disposition == FILE_SUPERSEDE)
1281 && (info == FILE_WAS_OVERWRITTEN)) {
1282 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1283 } else {
1284 SIVAL(p,0,info);
1285 }
1286 p += 8;
1287
1288 fattr = dos_mode(conn, smb_fname);
1289 if (fattr == 0) {
1290 fattr = FILE_ATTRIBUTE_NORMAL;
1291 }
1292
1293 /* Deal with other possible opens having a modified
1294 write time. JRA. */
1295 ZERO_STRUCT(write_time_ts);
1296 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
1297 if (!null_timespec(write_time_ts)) {
1298 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
1299 }
1300
1301 /* Create time. */
1302 create_timespec = get_create_timespec(conn, fsp, smb_fname);
1303 a_timespec = smb_fname->st.st_ex_atime;
1304 m_timespec = smb_fname->st.st_ex_mtime;
1305 c_timespec = get_change_timespec(conn, fsp, smb_fname);
1306
1307 if (lp_dos_filetime_resolution(SNUM(conn))) {
1308 dos_filetime_timespec(&create_timespec);
1309 dos_filetime_timespec(&a_timespec);
1310 dos_filetime_timespec(&m_timespec);
1311 dos_filetime_timespec(&c_timespec);
1312 }
1313
1314 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
1315 p += 8;
1316 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
1317 p += 8;
1318 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
1319 p += 8;
1320 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
1321 p += 8;
1322 SIVAL(p,0,fattr); /* File Attributes. */
1323 p += 4;
1324 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn, fsp, &smb_fname->st));
1325 p += 8;
1326 SOFF_T(p,0,file_len);
1327 p += 8;
1328 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1329 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
1330 size_t num_names = 0;
1331 unsigned int num_streams = 0;
1332 struct stream_struct *streams = NULL;
1333
1334 /* Do we have any EA's ? */
1335 status = get_ea_names_from_file(ctx, conn, fsp,
1336 smb_fname->base_name, NULL, &num_names);
1337 if (NT_STATUS_IS_OK(status) && num_names) {
1338 file_status &= ~NO_EAS;
1339 }
1340 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
1341 &num_streams, &streams);
1342 /* There is always one stream, ::$DATA. */
1343 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
1344 file_status &= ~NO_SUBSTREAMS;
1345 }
1346 TALLOC_FREE(streams);
1347 SSVAL(p,2,file_status);
1348 }
1349 p += 4;
1350 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1351
1352 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1353 uint32 perms = 0;
1354 p += 25;
1355 if (fsp->is_directory ||
1356 fsp->can_write ||
1357 can_write_to_file(conn, smb_fname)) {
1358 perms = FILE_GENERIC_ALL;
1359 } else {
1360 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1361 }
1362 SIVAL(p,0,perms);
1363 }
1364
1365 DEBUG(5,("call_nt_transact_create: open name = %s\n",
1366 smb_fname_str_dbg(smb_fname)));
1367
1368 /* Send the required number of replies */
1369 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1370 out:
1371 return;
1372 }
1373
1374 /****************************************************************************
1375 Reply to a NT CANCEL request.
1376 conn POINTER CAN BE NULL HERE !
1377 ****************************************************************************/
1378
1379 void reply_ntcancel(struct smb_request *req)
1380 {
1381 /*
1382 * Go through and cancel any pending change notifies.
1383 */
1384
1385 START_PROFILE(SMBntcancel);
1386 srv_cancel_sign_response(req->sconn);
1387 remove_pending_change_notify_requests_by_mid(req->sconn, req->mid);
1388 remove_pending_lock_requests_by_mid_smb1(req->sconn, req->mid);
1389
1390 DEBUG(3,("reply_ntcancel: cancel called on mid = %llu.\n",
1391 (unsigned long long)req->mid));
1392
1393 END_PROFILE(SMBntcancel);
1394 return;
1395 }
1396
1397 /****************************************************************************
1398 Copy a file.
1399 ****************************************************************************/
1400
1401 static NTSTATUS copy_internals(TALLOC_CTX *ctx,
1402 connection_struct *conn,
1403 struct smb_request *req,
1404 struct smb_filename *smb_fname_src,
1405 struct smb_filename *smb_fname_dst,
1406 uint32 attrs)
1407 {
1408 files_struct *fsp1,*fsp2;
1409 uint32 fattr;
1410 int info;
1411 off_t ret=-1;
1412 NTSTATUS status = NT_STATUS_OK;
1413 char *parent;
1414
1415 if (!CAN_WRITE(conn)) {
1416 status = NT_STATUS_MEDIA_WRITE_PROTECTED;
1417 goto out;
1418 }
1419
1420 /* Source must already exist. */
1421 if (!VALID_STAT(smb_fname_src->st)) {
1422 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
1423 goto out;
1424 }
1425
1426 /* Ensure attributes match. */
1427 fattr = dos_mode(conn, smb_fname_src);
1428 if ((fattr & ~attrs) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
1429 status = NT_STATUS_NO_SUCH_FILE;
1430 goto out;
1431 }
1432
1433 /* Disallow if dst file already exists. */
1434 if (VALID_STAT(smb_fname_dst->st)) {
1435 status = NT_STATUS_OBJECT_NAME_COLLISION;
1436 goto out;
1437 }
1438
1439 /* No links from a directory. */
1440 if (S_ISDIR(smb_fname_src->st.st_ex_mode)) {
1441 status = NT_STATUS_FILE_IS_A_DIRECTORY;
1442 goto out;
1443 }
1444
1445 DEBUG(10,("copy_internals: doing file copy %s to %s\n",
1446 smb_fname_str_dbg(smb_fname_src),
1447 smb_fname_str_dbg(smb_fname_dst)));
1448
1449 status = SMB_VFS_CREATE_FILE(
1450 conn, /* conn */
1451 req, /* req */
1452 0, /* root_dir_fid */
1453 smb_fname_src, /* fname */
1454 FILE_READ_DATA|FILE_READ_ATTRIBUTES|
1455 FILE_READ_EA, /* access_mask */
1456 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1457 FILE_SHARE_DELETE),
1458 FILE_OPEN, /* create_disposition*/
1459 0, /* create_options */
1460 FILE_ATTRIBUTE_NORMAL, /* file_attributes */
1461 NO_OPLOCK, /* oplock_request */
1462 0, /* allocation_size */
1463 0, /* private_flags */
1464 NULL, /* sd */
1465 NULL, /* ea_list */
1466 &fsp1, /* result */
1467 &info); /* pinfo */
1468
1469 if (!NT_STATUS_IS_OK(status)) {
1470 goto out;
1471 }
1472
1473 status = SMB_VFS_CREATE_FILE(
1474 conn, /* conn */
1475 req, /* req */
1476 0, /* root_dir_fid */
1477 smb_fname_dst, /* fname */
1478 FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|
1479 FILE_WRITE_EA, /* access_mask */
1480 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1481 FILE_SHARE_DELETE),
1482 FILE_CREATE, /* create_disposition*/
1483 0, /* create_options */
1484 fattr, /* file_attributes */
1485 NO_OPLOCK, /* oplock_request */
1486 0, /* allocation_size */
1487 0, /* private_flags */
1488 NULL, /* sd */
1489 NULL, /* ea_list */
1490 &fsp2, /* result */
1491 &info); /* pinfo */
1492
1493 if (!NT_STATUS_IS_OK(status)) {
1494 close_file(NULL, fsp1, ERROR_CLOSE);
1495 goto out;
1496 }
1497
1498 if (smb_fname_src->st.st_ex_size) {
1499 ret = vfs_transfer_file(fsp1, fsp2, smb_fname_src->st.st_ex_size);
1500 }
1501
1502 /*
1503 * As we are opening fsp1 read-only we only expect
1504 * an error on close on fsp2 if we are out of space.
1505 * Thus we don't look at the error return from the
1506 * close of fsp1.
1507 */
1508 close_file(NULL, fsp1, NORMAL_CLOSE);
1509
1510 /* Ensure the modtime is set correctly on the destination file. */
1511 set_close_write_time(fsp2, smb_fname_src->st.st_ex_mtime);
1512
1513 status = close_file(NULL, fsp2, NORMAL_CLOSE);
1514
1515 /* Grrr. We have to do this as open_file_ntcreate adds FILE_ATTRIBUTE_ARCHIVE when it
1516 creates the file. This isn't the correct thing to do in the copy
1517 case. JRA */
1518 if (!parent_dirname(talloc_tos(), smb_fname_dst->base_name, &parent,
1519 NULL)) {
1520 status = NT_STATUS_NO_MEMORY;
1521 goto out;
1522 }
1523 file_set_dosmode(conn, smb_fname_dst, fattr, parent, false);
1524 TALLOC_FREE(parent);
1525
1526 if (ret < (off_t)smb_fname_src->st.st_ex_size) {
1527 status = NT_STATUS_DISK_FULL;
1528 goto out;
1529 }
1530 out:
1531 if (!NT_STATUS_IS_OK(status)) {
1532 DEBUG(3,("copy_internals: Error %s copy file %s to %s\n",
1533 nt_errstr(status), smb_fname_str_dbg(smb_fname_src),
1534 smb_fname_str_dbg(smb_fname_dst)));
1535 }
1536
1537 return status;
1538 }
1539
1540 /****************************************************************************
1541 Reply to a NT rename request.
1542 ****************************************************************************/
1543
1544 void reply_ntrename(struct smb_request *req)
1545 {
1546 connection_struct *conn = req->conn;
1547 struct smb_filename *smb_fname_old = NULL;
1548 struct smb_filename *smb_fname_new = NULL;
1549 char *oldname = NULL;
1550 char *newname = NULL;
1551 const char *p;
1552 NTSTATUS status;
1553 bool src_has_wcard = False;
1554 bool dest_has_wcard = False;
1555 uint32 attrs;
1556 uint32_t ucf_flags_src = 0;
1557 uint32_t ucf_flags_dst = 0;
1558 uint16 rename_type;
1559 TALLOC_CTX *ctx = talloc_tos();
1560 bool stream_rename = false;
1561
1562 START_PROFILE(SMBntrename);
1563
1564 if (req->wct < 4) {
1565 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1566 goto out;
1567 }
1568
1569 attrs = SVAL(req->vwv+0, 0);
1570 rename_type = SVAL(req->vwv+1, 0);
1571
1572 p = (const char *)req->buf + 1;
1573 p += srvstr_get_path_req_wcard(ctx, req, &oldname, p, STR_TERMINATE,
1574 &status, &src_has_wcard);
1575 if (!NT_STATUS_IS_OK(status)) {
1576 reply_nterror(req, status);
1577 goto out;
1578 }
1579
1580 if (ms_has_wild(oldname)) {
1581 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
1582 goto out;
1583 }
1584
1585 p++;
1586 p += srvstr_get_path_req_wcard(ctx, req, &newname, p, STR_TERMINATE,
1587 &status, &dest_has_wcard);
1588 if (!NT_STATUS_IS_OK(status)) {
1589 reply_nterror(req, status);
1590 goto out;
1591 }
1592
1593 if (!lp_posix_pathnames()) {
1594 /* The newname must begin with a ':' if the
1595 oldname contains a ':'. */
1596 if (strchr_m(oldname, ':')) {
1597 if (newname[0] != ':') {
1598 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1599 goto out;
1600 }
1601 stream_rename = true;
1602 }
1603 }
1604
1605 /*
1606 * If this is a rename operation, allow wildcards and save the
1607 * destination's last component.
1608 */
1609 if (rename_type == RENAME_FLAG_RENAME) {
1610 ucf_flags_src = UCF_COND_ALLOW_WCARD_LCOMP;
1611 ucf_flags_dst = UCF_COND_ALLOW_WCARD_LCOMP | UCF_SAVE_LCOMP;
1612 }
1613
1614 /* rename_internals() calls unix_convert(), so don't call it here. */
1615 status = filename_convert(ctx, conn,
1616 req->flags2 & FLAGS2_DFS_PATHNAMES,
1617 oldname,
1618 ucf_flags_src,
1619 NULL,
1620 &smb_fname_old);
1621 if (!NT_STATUS_IS_OK(status)) {
1622 if (NT_STATUS_EQUAL(status,
1623 NT_STATUS_PATH_NOT_COVERED)) {
1624 reply_botherror(req,
1625 NT_STATUS_PATH_NOT_COVERED,
1626 ERRSRV, ERRbadpath);
1627 goto out;
1628 }
1629 reply_nterror(req, status);
1630 goto out;
1631 }
1632
1633 status = filename_convert(ctx, conn,
1634 req->flags2 & FLAGS2_DFS_PATHNAMES,
1635 newname,
1636 ucf_flags_dst,
1637 &dest_has_wcard,
1638 &smb_fname_new);
1639 if (!NT_STATUS_IS_OK(status)) {
1640 if (NT_STATUS_EQUAL(status,
1641 NT_STATUS_PATH_NOT_COVERED)) {
1642 reply_botherror(req,
1643 NT_STATUS_PATH_NOT_COVERED,
1644 ERRSRV, ERRbadpath);
1645 goto out;
1646 }
1647 reply_nterror(req, status);
1648 goto out;
1649 }
1650
1651 if (stream_rename) {
1652 /* smb_fname_new must be the same as smb_fname_old. */
1653 TALLOC_FREE(smb_fname_new->base_name);
1654 smb_fname_new->base_name = talloc_strdup(smb_fname_new,
1655 smb_fname_old->base_name);
1656 if (!smb_fname_new->base_name) {
1657 reply_nterror(req, NT_STATUS_NO_MEMORY);
1658 goto out;
1659 }
1660 }
1661
1662 DEBUG(3,("reply_ntrename: %s -> %s\n",
1663 smb_fname_str_dbg(smb_fname_old),
1664 smb_fname_str_dbg(smb_fname_new)));
1665
1666 switch(rename_type) {
1667 case RENAME_FLAG_RENAME:
1668 status = rename_internals(ctx, conn, req,
1669 smb_fname_old, smb_fname_new,
1670 attrs, False, src_has_wcard,
1671 dest_has_wcard,
1672 DELETE_ACCESS);
1673 break;
1674 case RENAME_FLAG_HARD_LINK:
1675 if (src_has_wcard || dest_has_wcard) {
1676 /* No wildcards. */
1677 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1678 } else {
1679 status = hardlink_internals(ctx, conn,
1680 req,
1681 false,
1682 smb_fname_old,
1683 smb_fname_new);
1684 }
1685 break;
1686 case RENAME_FLAG_COPY:
1687 if (src_has_wcard || dest_has_wcard) {
1688 /* No wildcards. */
1689 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1690 } else {
1691 status = copy_internals(ctx, conn, req,
1692 smb_fname_old,
1693 smb_fname_new,
1694 attrs);
1695 }
1696 break;
1697 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
1698 status = NT_STATUS_INVALID_PARAMETER;
1699 break;
1700 default:
1701 status = NT_STATUS_ACCESS_DENIED; /* Default error. */
1702 break;
1703 }
1704
1705 if (!NT_STATUS_IS_OK(status)) {
1706 if (open_was_deferred(req->sconn, req->mid)) {
1707 /* We have re-scheduled this call. */
1708 goto out;
1709 }
1710
1711 reply_nterror(req, status);
1712 goto out;
1713 }
1714
1715 reply_outbuf(req, 0, 0);
1716 out:
1717 END_PROFILE(SMBntrename);
1718 return;
1719 }
1720
1721 /****************************************************************************
1722 Reply to a notify change - queue the request and
1723 don't allow a directory to be opened.
1724 ****************************************************************************/
1725
1726 static void smbd_smb1_notify_reply(struct smb_request *req,
1727 NTSTATUS error_code,
1728 uint8_t *buf, size_t len)
1729 {
1730 send_nt_replies(req->conn, req, error_code, (char *)buf, len, NULL, 0);
1731 }
1732
1733 static void call_nt_transact_notify_change(connection_struct *conn,
1734 struct smb_request *req,
1735 uint16 **ppsetup,
1736 uint32 setup_count,
1737 char **ppparams,
1738 uint32 parameter_count,
1739 char **ppdata, uint32 data_count,
1740 uint32 max_data_count,
1741 uint32 max_param_count)
1742 {
1743 uint16 *setup = *ppsetup;
1744 files_struct *fsp;
1745 uint32 filter;
1746 NTSTATUS status;
1747 bool recursive;
1748
1749 if(setup_count < 6) {
1750 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1751 return;
1752 }
1753
1754 fsp = file_fsp(req, SVAL(setup,4));
1755 filter = IVAL(setup, 0);
1756 recursive = (SVAL(setup, 6) != 0) ? True : False;
1757
1758 DEBUG(3,("call_nt_transact_notify_change\n"));
1759
1760 if(!fsp) {
1761 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1762 return;
1763 }
1764
1765 {
1766 char *filter_string;
1767
1768 if (!(filter_string = notify_filter_string(NULL, filter))) {
1769 reply_nterror(req,NT_STATUS_NO_MEMORY);
1770 return;
1771 }
1772
1773 DEBUG(3,("call_nt_transact_notify_change: notify change "
1774 "called on %s, filter = %s, recursive = %d\n",
1775 fsp_str_dbg(fsp), filter_string, recursive));
1776
1777 TALLOC_FREE(filter_string);
1778 }
1779
1780 if((!fsp->is_directory) || (conn != fsp->conn)) {
1781 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1782 return;
1783 }
1784
1785 if (fsp->notify == NULL) {
1786
1787 status = change_notify_create(fsp, filter, recursive);
1788
1789 if (!NT_STATUS_IS_OK(status)) {
1790 DEBUG(10, ("change_notify_create returned %s\n",
1791 nt_errstr(status)));
1792 reply_nterror(req, status);
1793 return;
1794 }
1795 }
1796
1797 if (change_notify_fsp_has_changes(fsp)) {
1798
1799 /*
1800 * We've got changes pending, respond immediately
1801 */
1802
1803 /*
1804 * TODO: write a torture test to check the filtering behaviour
1805 * here.
1806 */
1807
1808 change_notify_reply(req,
1809 NT_STATUS_OK,
1810 max_param_count,
1811 fsp->notify,
1812 smbd_smb1_notify_reply);
1813
1814 /*
1815 * change_notify_reply() above has independently sent its
1816 * results
1817 */
1818 return;
1819 }
1820
1821 /*
1822 * No changes pending, queue the request
1823 */
1824
1825 status = change_notify_add_request(req,
1826 max_param_count,
1827 filter,
1828 recursive, fsp,
1829 smbd_smb1_notify_reply);
1830 if (!NT_STATUS_IS_OK(status)) {
1831 reply_nterror(req, status);
1832 }
1833 return;
1834 }
1835
1836 /****************************************************************************
1837 Reply to an NT transact rename command.
1838 ****************************************************************************/
1839
1840 static void call_nt_transact_rename(connection_struct *conn,
1841 struct smb_request *req,
1842 uint16 **ppsetup, uint32 setup_count,
1843 char **ppparams, uint32 parameter_count,
1844 char **ppdata, uint32 data_count,
1845 uint32 max_data_count)
1846 {
1847 char *params = *ppparams;
1848 char *new_name = NULL;
1849 files_struct *fsp = NULL;
1850 bool dest_has_wcard = False;
1851 NTSTATUS status;
1852 TALLOC_CTX *ctx = talloc_tos();
1853
1854 if(parameter_count < 5) {
1855 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1856 return;
1857 }
1858
1859 fsp = file_fsp(req, SVAL(params, 0));
1860 if (!check_fsp(conn, req, fsp)) {
1861 return;
1862 }
1863 srvstr_get_path_wcard(ctx, params, req->flags2, &new_name, params+4,
1864 parameter_count - 4,
1865 STR_TERMINATE, &status, &dest_has_wcard);
1866 if (!NT_STATUS_IS_OK(status)) {
1867 reply_nterror(req, status);
1868 return;
1869 }
1870
1871 /*
1872 * W2K3 ignores this request as the RAW-RENAME test
1873 * demonstrates, so we do.
1874 */
1875 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
1876
1877 DEBUG(3,("nt transact rename from = %s, to = %s ignored!\n",
1878 fsp_str_dbg(fsp), new_name));
1879
1880 return;
1881 }
1882
1883 /******************************************************************************
1884 Fake up a completely empty SD.
1885 *******************************************************************************/
1886
1887 static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, struct security_descriptor **ppsd)
1888 {
1889 size_t sd_size;
1890
1891 *ppsd = make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);
1892 if(!*ppsd) {
1893 DEBUG(0,("get_null_nt_acl: Unable to malloc space for security descriptor.\n"));
1894 return NT_STATUS_NO_MEMORY;
1895 }
1896
1897 return NT_STATUS_OK;
1898 }
1899
1900 /****************************************************************************
1901 Reply to query a security descriptor.
1902 Callable from SMB2 and SMB2.
1903 If it returns NT_STATUS_BUFFER_TOO_SMALL, pdata_size is initialized with
1904 the required size.
1905 ****************************************************************************/
1906
1907 NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
1908 TALLOC_CTX *mem_ctx,
1909 files_struct *fsp,
1910 uint32_t security_info_wanted,
1911 uint32_t max_data_count,
1912 uint8_t **ppmarshalled_sd,
1913 size_t *psd_size)
1914 {
1915 NTSTATUS status;
1916 struct security_descriptor *psd = NULL;
1917 TALLOC_CTX *frame = talloc_stackframe();
1918
1919 /*
1920 * Get the permissions to return.
1921 */
1922
1923 if ((security_info_wanted & SECINFO_SACL) &&
1924 !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
1925 DEBUG(10, ("Access to SACL denied.\n"));
1926 TALLOC_FREE(frame);
1927 return NT_STATUS_ACCESS_DENIED;
1928 }
1929
1930 if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
1931 !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
1932 DEBUG(10, ("Access to DACL, OWNER, or GROUP denied.\n"));
1933 TALLOC_FREE(frame);
1934 return NT_STATUS_ACCESS_DENIED;
1935 }
1936
1937 if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
1938 SECINFO_GROUP|SECINFO_SACL)) {
1939 /* Don't return SECINFO_LABEL if anything else was
1940 requested. See bug #8458. */
1941 security_info_wanted &= ~SECINFO_LABEL;
1942 }
1943
1944 if (!lp_nt_acl_support(SNUM(conn))) {
1945 status = get_null_nt_acl(frame, &psd);
1946 } else if (security_info_wanted & SECINFO_LABEL) {
1947 /* Like W2K3 return a null object. */
1948 status = get_null_nt_acl(frame, &psd);
1949 } else {
1950 status = SMB_VFS_FGET_NT_ACL(
1951 fsp, security_info_wanted, frame, &psd);
1952 }
1953 if (!NT_STATUS_IS_OK(status)) {
1954 TALLOC_FREE(frame);
1955 return status;
1956 }
1957
1958 if (!(security_info_wanted & SECINFO_OWNER)) {
1959 psd->owner_sid = NULL;
1960 }
1961 if (!(security_info_wanted & SECINFO_GROUP)) {
1962 psd->group_sid = NULL;
1963 }
1964 if (!(security_info_wanted & SECINFO_DACL)) {
1965 psd->type &= ~SEC_DESC_DACL_PRESENT;
1966 psd->dacl = NULL;
1967 }
1968 if (!(security_info_wanted & SECINFO_SACL)) {
1969 psd->type &= ~SEC_DESC_SACL_PRESENT;
1970 psd->sacl = NULL;
1971 }
1972
1973 /* If the SACL/DACL is NULL, but was requested, we mark that it is
1974 * present in the reply to match Windows behavior */
1975 if (psd->sacl == NULL &&
1976 security_info_wanted & SECINFO_SACL)
1977 psd->type |= SEC_DESC_SACL_PRESENT;
1978 if (psd->dacl == NULL &&
1979 security_info_wanted & SECINFO_DACL)
1980 psd->type |= SEC_DESC_DACL_PRESENT;
1981
1982 if (security_info_wanted & SECINFO_LABEL) {
1983 /* Like W2K3 return a null object. */
1984 psd->owner_sid = NULL;
1985 psd->group_sid = NULL;
1986 psd->dacl = NULL;
1987 psd->sacl = NULL;
1988 psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT);
1989 }
1990
1991 *psd_size = ndr_size_security_descriptor(psd, 0);
1992
1993 DEBUG(3,("smbd_do_query_security_desc: sd_size = %lu.\n",
1994 (unsigned long)*psd_size));
1995
1996 if (DEBUGLEVEL >= 10) {
1997 DEBUG(10,("smbd_do_query_security_desc for file %s\n",
1998 fsp_str_dbg(fsp)));
1999 NDR_PRINT_DEBUG(security_descriptor, psd);
2000 }
2001
2002 if (max_data_count < *psd_size) {
2003 TALLOC_FREE(frame);
2004 return NT_STATUS_BUFFER_TOO_SMALL;
2005 }
2006
2007 status = marshall_sec_desc(mem_ctx, psd,
2008 ppmarshalled_sd, psd_size);
2009
2010 if (!NT_STATUS_IS_OK(status)) {
2011 TALLOC_FREE(frame);
2012 return status;
2013 }
2014
2015 TALLOC_FREE(frame);
2016 return NT_STATUS_OK;
2017 }
2018
2019 /****************************************************************************
2020 SMB1 reply to query a security descriptor.
2021 ****************************************************************************/
2022
2023 static void call_nt_transact_query_security_desc(connection_struct *conn,
2024 struct smb_request *req,
2025 uint16 **ppsetup,
2026 uint32 setup_count,
2027 char **ppparams,
2028 uint32 parameter_count,
2029 char **ppdata,
2030 uint32 data_count,
2031 uint32 max_data_count)
2032 {
2033 char *params = *ppparams;
2034 char *data = *ppdata;
2035 size_t sd_size = 0;
2036 uint32 security_info_wanted;
2037 files_struct *fsp = NULL;
2038 NTSTATUS status;
2039 uint8_t *marshalled_sd = NULL;
2040
2041 if(parameter_count < 8) {
2042 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2043 return;
2044 }
2045
2046 fsp = file_fsp(req, SVAL(params,0));
2047 if(!fsp) {
2048 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2049 return;
2050 }
2051
2052 security_info_wanted = IVAL(params,4);
2053
2054 DEBUG(3,("call_nt_transact_query_security_desc: file = %s, "
2055 "info_wanted = 0x%x\n", fsp_str_dbg(fsp),
2056 (unsigned int)security_info_wanted));
2057
2058 params = nttrans_realloc(ppparams, 4);
2059 if(params == NULL) {
2060 reply_nterror(req, NT_STATUS_NO_MEMORY);
2061 return;
2062 }
2063
2064 /*
2065 * Get the permissions to return.
2066 */
2067
2068 status = smbd_do_query_security_desc(conn,
2069 talloc_tos(),
2070 fsp,
2071 security_info_wanted,
2072 max_data_count,
2073 &marshalled_sd,
2074 &sd_size);
2075
2076 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
2077 SIVAL(params,0,(uint32_t)sd_size);
2078 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2079 params, 4, NULL, 0);
2080 return;
2081 }
2082
2083 if (!NT_STATUS_IS_OK(status)) {
2084 reply_nterror(req, status);
2085 return;
2086 }
2087
2088 SMB_ASSERT(sd_size > 0);
2089
2090 SIVAL(params,0,(uint32_t)sd_size);
2091
2092 if (max_data_count < sd_size) {
2093 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2094 params, 4, NULL, 0);
2095 return;
2096 }
2097
2098 /*
2099 * Allocate the data we will return.
2100 */
2101
2102 data = nttrans_realloc(ppdata, sd_size);
2103 if(data == NULL) {
2104 reply_nterror(req, NT_STATUS_NO_MEMORY);
2105 return;
2106 }
2107
2108 memcpy(data, marshalled_sd, sd_size);
2109
2110 send_nt_replies(conn, req, NT_STATUS_OK, params, 4, data, (int)sd_size);
2111
2112 return;
2113 }
2114
2115 /****************************************************************************
2116 Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
2117 ****************************************************************************/
2118
2119 static void call_nt_transact_set_security_desc(connection_struct *conn,
2120 struct smb_request *req,
2121 uint16 **ppsetup,
2122 uint32 setup_count,
2123 char **ppparams,
2124 uint32 parameter_count,
2125 char **ppdata,
2126 uint32 data_count,
2127 uint32 max_data_count)
2128 {
2129 char *params= *ppparams;
2130 char *data = *ppdata;
2131 files_struct *fsp = NULL;
2132 uint32 security_info_sent = 0;
2133 NTSTATUS status;
2134
2135 if(parameter_count < 8) {
2136 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2137 return;
2138 }
2139
2140 if((fsp = file_fsp(req, SVAL(params,0))) == NULL) {
2141 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2142 return;
2143 }
2144
2145 if (!CAN_WRITE(fsp->conn)) {
2146 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2147 return;
2148 }
2149
2150 if(!lp_nt_acl_support(SNUM(conn))) {
2151 goto done;
2152 }
2153
2154 security_info_sent = IVAL(params,4);
2155
2156 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n",
2157 fsp_str_dbg(fsp), (unsigned int)security_info_sent));
2158
2159 if (data_count == 0) {
2160 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2161 return;
2162 }
2163
2164 status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent);
2165
2166 if (!NT_STATUS_IS_OK(status)) {
2167 reply_nterror(req, status);
2168 return;
2169 }
2170
2171 done:
2172 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
2173 return;
2174 }
2175
2176 /****************************************************************************
2177 Reply to NT IOCTL
2178 ****************************************************************************/
2179
2180 static void call_nt_transact_ioctl(connection_struct *conn,
2181 struct smb_request *req,
2182 uint16 **ppsetup, uint32 setup_count,
2183 char **ppparams, uint32 parameter_count,
2184 char **ppdata, uint32 data_count,
2185 uint32 max_data_count)
2186 {
2187 NTSTATUS status;
2188 uint32 function;
2189 uint16 fidnum;
2190 files_struct *fsp;
2191 uint8 isFSctl;
2192 uint8 compfilter;
2193 char *out_data = NULL;
2194 uint32 out_data_len = 0;
2195 char *pdata = *ppdata;
2196 TALLOC_CTX *ctx = talloc_tos();
2197
2198 if (setup_count != 8) {
2199 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
2200 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2201 return;
2202 }
2203
2204 function = IVAL(*ppsetup, 0);
2205 fidnum = SVAL(*ppsetup, 4);
2206 isFSctl = CVAL(*ppsetup, 6);
2207 compfilter = CVAL(*ppsetup, 7);
2208
2209 DEBUG(10, ("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n",
2210 function, fidnum, isFSctl, compfilter));
2211
2212 fsp=file_fsp(req, fidnum);
2213
2214 /*
2215 * We don't really implement IOCTLs, especially on files.
2216 */
2217 if (!isFSctl) {
2218 DEBUG(10, ("isFSctl: 0x%02X indicates IOCTL, not FSCTL!\n",
2219 isFSctl));
2220 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2221 return;
2222 }
2223
2224 /* Has to be for an open file! */
2225 if (!check_fsp_open(conn, req, fsp)) {
2226 return;
2227 }
2228
2229 SMB_PERFCOUNT_SET_IOCTL(&req->pcd, function);
2230
2231 /*
2232 * out_data might be allocated by the VFS module, but talloc should be
2233 * used, and should be cleaned up when the request ends.
2234 */
2235 status = SMB_VFS_FSCTL(fsp,
2236 ctx,
2237 function,
2238 req->flags2,
2239 (uint8_t *)pdata,
2240 data_count,
2241 (uint8_t **)&out_data,
2242 max_data_count,
2243 &out_data_len);
2244 if (!NT_STATUS_IS_OK(status)) {
2245 reply_nterror(req, status);
2246 } else {
2247 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, out_data, out_data_len);
2248 }
2249 }
2250
2251
2252 #ifdef HAVE_SYS_QUOTAS
2253 /****************************************************************************
2254 Reply to get user quota
2255 ****************************************************************************/
2256
2257 static void call_nt_transact_get_user_quota(connection_struct *conn,
2258 struct smb_request *req,
2259 uint16 **ppsetup,
2260 uint32 setup_count,
2261 char **ppparams,
2262 uint32 parameter_count,
2263 char **ppdata,
2264 uint32 data_count,
2265 uint32 max_data_count)
2266 {
2267 NTSTATUS nt_status = NT_STATUS_OK;
2268 char *params = *ppparams;
2269 char *pdata = *ppdata;
2270 char *entry;
2271 int data_len=0,param_len=0;
2272 int qt_len=0;
2273 int entry_len = 0;
2274 files_struct *fsp = NULL;
2275 uint16 level = 0;
2276 size_t sid_len;
2277 struct dom_sid sid;
2278 bool start_enum = True;
2279 SMB_NTQUOTA_STRUCT qt;
2280 SMB_NTQUOTA_LIST *tmp_list;
2281 SMB_NTQUOTA_HANDLE *qt_handle = NULL;
2282
2283 ZERO_STRUCT(qt);
2284
2285 /* access check */
2286 if (get_current_uid(conn) != 0) {
2287 DEBUG(1,("get_user_quota: access_denied service [%s] user "
2288 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2289 conn->session_info->unix_info->unix_name));
2290 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2291 return;
2292 }
2293
2294 /*
2295 * Ensure minimum number of parameters sent.
2296 */
2297
2298 if (parameter_count < 4) {
2299 DEBUG(0,("TRANSACT_GET_USER_QUOTA: requires %d >= 4 bytes parameters\n",parameter_count));
2300 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2301 return;
2302 }
2303
2304 /* maybe we can check the quota_fnum */
2305 fsp = file_fsp(req, SVAL(params,0));
2306 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2307 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2308 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2309 return;
2310 }
2311
2312 /* the NULL pointer checking for fsp->fake_file_handle->pd
2313 * is done by CHECK_NTQUOTA_HANDLE_OK()
2314 */
2315 qt_handle = (SMB_NTQUOTA_HANDLE *)fsp->fake_file_handle->private_data;
2316
2317 level = SVAL(params,2);
2318
2319 /* unknown 12 bytes leading in params */
2320
2321 switch (level) {
2322 case TRANSACT_GET_USER_QUOTA_LIST_CONTINUE:
2323 /* seems that we should continue with the enum here --metze */
2324
2325 if (qt_handle->quota_list!=NULL &&
2326 qt_handle->tmp_list==NULL) {
2327
2328 /* free the list */
2329 free_ntquota_list(&(qt_handle->quota_list));
2330
2331 /* Realloc the size of parameters and data we will return */
2332 param_len = 4;
2333 params = nttrans_realloc(ppparams, param_len);
2334 if(params == NULL) {
2335 reply_nterror(req, NT_STATUS_NO_MEMORY);
2336 return;
2337 }
2338
2339 data_len = 0;
2340 SIVAL(params,0,data_len);
2341
2342 break;
2343 }
2344
2345 start_enum = False;
2346
2347 case TRANSACT_GET_USER_QUOTA_LIST_START:
2348
2349 if (qt_handle->quota_list==NULL &&
2350 qt_handle->tmp_list==NULL) {
2351 start_enum = True;
2352 }
2353
2354 if (start_enum && vfs_get_user_ntquota_list(fsp,&(qt_handle->quota_list))!=0) {
2355 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2356 return;
2357 }
2358
2359 /* Realloc the size of parameters and data we will return */
2360 param_len = 4;
2361 params = nttrans_realloc(ppparams, param_len);
2362 if(params == NULL) {
2363 reply_nterror(req, NT_STATUS_NO_MEMORY);
2364 return;
2365 }
2366
2367 /* we should not trust the value in max_data_count*/
2368 max_data_count = MIN(max_data_count,2048);
2369
2370 pdata = nttrans_realloc(ppdata, max_data_count);/* should be max data count from client*/
2371 if(pdata == NULL) {
2372 reply_nterror(req, NT_STATUS_NO_MEMORY);
2373 return;
2374 }
2375
2376 entry = pdata;
2377
2378 /* set params Size of returned Quota Data 4 bytes*/
2379 /* but set it later when we know it */
2380
2381 /* for each entry push the data */
2382
2383 if (start_enum) {
2384 qt_handle->tmp_list = qt_handle->quota_list;
2385 }
2386
2387 tmp_list = qt_handle->tmp_list;
2388
2389 for (;((tmp_list!=NULL)&&((qt_len +40+SID_MAX_SIZE)<max_data_count));
2390 tmp_list=tmp_list->next,entry+=entry_len,qt_len+=entry_len) {
2391
2392 sid_len = ndr_size_dom_sid(
2393 &tmp_list->quotas->sid, 0);
2394 entry_len = 40 + sid_len;
2395
2396 /* nextoffset entry 4 bytes */
2397 SIVAL(entry,0,entry_len);
2398
2399 /* then the len of the SID 4 bytes */
2400 SIVAL(entry,4,sid_len);
2401
2402 /* unknown data 8 bytes uint64_t */
2403 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-metze*/
2404
2405 /* the used disk space 8 bytes uint64_t */
2406 SBIG_UINT(entry,16,tmp_list->quotas->usedspace);
2407
2408 /* the soft quotas 8 bytes uint64_t */
2409 SBIG_UINT(entry,24,tmp_list->quotas->softlim);
2410
2411 /* the hard quotas 8 bytes uint64_t */
2412 SBIG_UINT(entry,32,tmp_list->quotas->hardlim);
2413
2414 /* and now the SID */
2415 sid_linearize(entry+40, sid_len, &tmp_list->quotas->sid);
2416 }
2417
2418 qt_handle->tmp_list = tmp_list;
2419
2420 /* overwrite the offset of the last entry */
2421 SIVAL(entry-entry_len,0,0);
2422
2423 data_len = 4+qt_len;
2424 /* overwrite the params quota_data_len */
2425 SIVAL(params,0,data_len);
2426
2427 break;
2428
2429 case TRANSACT_GET_USER_QUOTA_FOR_SID:
2430
2431 /* unknown 4 bytes IVAL(pdata,0) */
2432
2433 if (data_count < 8) {
2434 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %d bytes data\n",data_count,8));
2435 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2436 return;
2437 }
2438
2439 sid_len = IVAL(pdata,4);
2440 /* Ensure this is less than 1mb. */
2441 if (sid_len > (1024*1024)) {
2442 reply_nterror(req, NT_STATUS_NO_MEMORY);
2443 return;
2444 }
2445
2446 if (data_count < 8+sid_len) {
2447 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len)));
2448 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2449 return;
2450 }
2451
2452 data_len = 4+40+sid_len;
2453
2454 if (max_data_count < data_len) {
2455 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: max_data_count(%d) < data_len(%d)\n",
2456 max_data_count, data_len));
2457 param_len = 4;
2458 SIVAL(params,0,data_len);
2459 data_len = 0;
2460 nt_status = NT_STATUS_BUFFER_TOO_SMALL;
2461 break;
2462 }
2463
2464 if (!sid_parse(pdata+8,sid_len,&sid)) {
2465 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2466 return;
2467 }
2468
2469 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2470 ZERO_STRUCT(qt);
2471 /*
2472 * we have to return zero's in all fields
2473 * instead of returning an error here
2474 * --metze
2475 */
2476 }
2477
2478 /* Realloc the size of parameters and data we will return */
2479 param_len = 4;
2480 params = nttrans_realloc(ppparams, param_len);
2481 if(params == NULL) {
2482 reply_nterror(req, NT_STATUS_NO_MEMORY);
2483 return;
2484 }
2485
2486 pdata = nttrans_realloc(ppdata, data_len);
2487 if(pdata == NULL) {
2488 reply_nterror(req, NT_STATUS_NO_MEMORY);
2489 return;
2490 }
2491
2492 entry = pdata;
2493
2494 /* set params Size of returned Quota Data 4 bytes*/
2495 SIVAL(params,0,data_len);
2496
2497 /* nextoffset entry 4 bytes */
2498 SIVAL(entry,0,0);
2499
2500 /* then the len of the SID 4 bytes */
2501 SIVAL(entry,4,sid_len);
2502
2503 /* unknown data 8 bytes uint64_t */
2504 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-mezte*/
2505
2506 /* the used disk space 8 bytes uint64_t */
2507 SBIG_UINT(entry,16,qt.usedspace);
2508
2509 /* the soft quotas 8 bytes uint64_t */
2510 SBIG_UINT(entry,24,qt.softlim);
2511
2512 /* the hard quotas 8 bytes uint64_t */
2513 SBIG_UINT(entry,32,qt.hardlim);
2514
2515 /* and now the SID */
2516 sid_linearize(entry+40, sid_len, &sid);
2517
2518 break;
2519
2520 default:
2521 DEBUG(0, ("do_nt_transact_get_user_quota: %s: unknown "
2522 "level 0x%04hX\n",
2523 fsp_fnum_dbg(fsp), level));
2524 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2525 return;
2526 break;
2527 }
2528
2529 send_nt_replies(conn, req, nt_status, params, param_len,
2530 pdata, data_len);
2531 }
2532
2533 /****************************************************************************
2534 Reply to set user quota
2535 ****************************************************************************/
2536
2537 static void call_nt_transact_set_user_quota(connection_struct *conn,
2538 struct smb_request *req,
2539 uint16 **ppsetup,
2540 uint32 setup_count,
2541 char **ppparams,
2542 uint32 parameter_count,
2543 char **ppdata,
2544 uint32 data_count,
2545 uint32 max_data_count)
2546 {
2547 char *params = *ppparams;
2548 char *pdata = *ppdata;
2549 int data_len=0,param_len=0;
2550 SMB_NTQUOTA_STRUCT qt;
2551 size_t sid_len;
2552 struct dom_sid sid;
2553 files_struct *fsp = NULL;
2554
2555 ZERO_STRUCT(qt);
2556
2557 /* access check */
2558 if (get_current_uid(conn) != 0) {
2559 DEBUG(1,("set_user_quota: access_denied service [%s] user "
2560 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2561 conn->session_info->unix_info->unix_name));
2562 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2563 return;
2564 }
2565
2566 /*
2567 * Ensure minimum number of parameters sent.
2568 */
2569
2570 if (parameter_count < 2) {
2571 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
2572 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2573 return;
2574 }
2575
2576 /* maybe we can check the quota_fnum */
2577 fsp = file_fsp(req, SVAL(params,0));
2578 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2579 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2580 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2581 return;
2582 }
2583
2584 if (data_count < 40) {
2585 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40));
2586 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2587 return;
2588 }
2589
2590 /* offset to next quota record.
2591 * 4 bytes IVAL(pdata,0)
2592 * unused here...
2593 */
2594
2595 /* sid len */
2596 sid_len = IVAL(pdata,4);
2597
2598 if (data_count < 40+sid_len || (40+sid_len < sid_len)) {
2599 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len));
2600 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2601 return;
2602 }
2603
2604 /* unknown 8 bytes in pdata
2605 * maybe its the change time in NTTIME
2606 */
2607
2608 /* the used space 8 bytes (uint64_t)*/
2609 qt.usedspace = BVAL(pdata,16);
2610
2611 /* the soft quotas 8 bytes (uint64_t)*/
2612 qt.softlim = BVAL(pdata,24);
2613
2614 /* the hard quotas 8 bytes (uint64_t)*/
2615 qt.hardlim = BVAL(pdata,32);
2616
2617 if (!sid_parse(pdata+40,sid_len,&sid)) {
2618 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2619 return;
2620 }
2621
2622 DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
2623
2624 /* 44 unknown bytes left... */
2625
2626 if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2627 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2628 return;
2629 }
2630
2631 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len,
2632 pdata, data_len);
2633 }
2634 #endif /* HAVE_SYS_QUOTAS */
2635
2636 static void handle_nttrans(connection_struct *conn,
2637 struct trans_state *state,
2638 struct smb_request *req)
2639 {
2640 if (get_Protocol() >= PROTOCOL_NT1) {
2641 req->flags2 |= 0x40; /* IS_LONG_NAME */
2642 SSVAL(discard_const_p(uint8_t, req->inbuf),smb_flg2,req->flags2);
2643 }
2644
2645
2646 SMB_PERFCOUNT_SET_SUBOP(&req->pcd, state->call);
2647
2648 /* Now we must call the relevant NT_TRANS function */
2649 switch(state->call) {
2650 case NT_TRANSACT_CREATE:
2651 {
2652 START_PROFILE(NT_transact_create);
2653 call_nt_transact_create(
2654 conn, req,
2655 &state->setup, state->setup_count,
2656 &state->param, state->total_param,
2657 &state->data, state->total_data,
2658 state->max_data_return);
2659 END_PROFILE(NT_transact_create);
2660 break;
2661 }
2662
2663 case NT_TRANSACT_IOCTL:
2664 {
2665 START_PROFILE(NT_transact_ioctl);
2666 call_nt_transact_ioctl(
2667 conn, req,
2668 &state->setup, state->setup_count,
2669 &state->param, state->total_param,
2670 &state->data, state->total_data,
2671 state->max_data_return);
2672 END_PROFILE(NT_transact_ioctl);
2673 break;
2674 }
2675
2676 case NT_TRANSACT_SET_SECURITY_DESC:
2677 {
2678 START_PROFILE(NT_transact_set_security_desc);
2679 call_nt_transact_set_security_desc(
2680 conn, req,
2681 &state->setup, state->setup_count,
2682 &state->param, state->total_param,
2683 &state->data, state->total_data,
2684 state->max_data_return);
2685 END_PROFILE(NT_transact_set_security_desc);
2686 break;
2687 }
2688
2689 case NT_TRANSACT_NOTIFY_CHANGE:
2690 {
2691 START_PROFILE(NT_transact_notify_change);
2692 call_nt_transact_notify_change(
2693 conn, req,
2694 &state->setup, state->setup_count,
2695 &state->param, state->total_param,
2696 &state->data, state->total_data,
2697 state->max_data_return,
2698 state->max_param_return);
2699 END_PROFILE(NT_transact_notify_change);
2700 break;
2701 }
2702
2703 case NT_TRANSACT_RENAME:
2704 {
2705 START_PROFILE(NT_transact_rename);
2706 call_nt_transact_rename(
2707 conn, req,
2708 &state->setup, state->setup_count,
2709 &state->param, state->total_param,
2710 &state->data, state->total_data,
2711 state->max_data_return);
2712 END_PROFILE(NT_transact_rename);
2713 break;
2714 }
2715
2716 case NT_TRANSACT_QUERY_SECURITY_DESC:
2717 {
2718 START_PROFILE(NT_transact_query_security_desc);
2719 call_nt_transact_query_security_desc(
2720 conn, req,
2721 &state->setup, state->setup_count,
2722 &state->param, state->total_param,
2723 &state->data, state->total_data,
2724 state->max_data_return);
2725 END_PROFILE(NT_transact_query_security_desc);
2726 break;
2727 }
2728
2729 #ifdef HAVE_SYS_QUOTAS
2730 case NT_TRANSACT_GET_USER_QUOTA:
2731 {
2732 START_PROFILE(NT_transact_get_user_quota);
2733 call_nt_transact_get_user_quota(
2734 conn, req,
2735 &state->setup, state->setup_count,
2736 &state->param, state->total_param,
2737 &state->data, state->total_data,
2738 state->max_data_return);
2739 END_PROFILE(NT_transact_get_user_quota);
2740 break;
2741 }
2742
2743 case NT_TRANSACT_SET_USER_QUOTA:
2744 {
2745 START_PROFILE(NT_transact_set_user_quota);
2746 call_nt_transact_set_user_quota(
2747 conn, req,
2748 &state->setup, state->setup_count,
2749 &state->param, state->total_param,
2750 &state->data, state->total_data,
2751 state->max_data_return);
2752 END_PROFILE(NT_transact_set_user_quota);
2753 break;
2754 }
2755 #endif /* HAVE_SYS_QUOTAS */
2756
2757 default:
2758 /* Error in request */
2759 DEBUG(0,("handle_nttrans: Unknown request %d in "
2760 "nttrans call\n", state->call));
2761 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2762 return;
2763 }
2764 return;
2765 }
2766
2767 /****************************************************************************
2768 Reply to a SMBNTtrans.
2769 ****************************************************************************/
2770
2771 void reply_nttrans(struct smb_request *req)
2772 {
2773 connection_struct *conn = req->conn;
2774 uint32_t pscnt;
2775 uint32_t psoff;
2776 uint32_t dscnt;
2777 uint32_t dsoff;
2778 uint16 function_code;
2779 NTSTATUS result;
2780 struct trans_state *state;
2781
2782 START_PROFILE(SMBnttrans);
2783
2784 if (req->wct < 19) {
2785 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2786 END_PROFILE(SMBnttrans);
2787 return;
2788 }
2789
2790 pscnt = IVAL(req->vwv+9, 1);
2791 psoff = IVAL(req->vwv+11, 1);
2792 dscnt = IVAL(req->vwv+13, 1);
2793 dsoff = IVAL(req->vwv+15, 1);
2794 function_code = SVAL(req->vwv+18, 0);
2795
2796 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
2797 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2798 END_PROFILE(SMBnttrans);
2799 return;
2800 }
2801
2802 result = allow_new_trans(conn->pending_trans, req->mid);
2803 if (!NT_STATUS_IS_OK(result)) {
2804 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
2805 reply_nterror(req, result);
2806 END_PROFILE(SMBnttrans);
2807 return;
2808 }
2809
2810 if ((state = talloc(conn, struct trans_state)) == NULL) {
2811 reply_nterror(req, NT_STATUS_NO_MEMORY);
2812 END_PROFILE(SMBnttrans);
2813 return;
2814 }
2815
2816 state->cmd = SMBnttrans;
2817
2818 state->mid = req->mid;
2819 state->vuid = req->vuid;
2820 state->total_data = IVAL(req->vwv+3, 1);
2821 state->data = NULL;
2822 state->total_param = IVAL(req->vwv+1, 1);
2823 state->param = NULL;
2824 state->max_data_return = IVAL(req->vwv+7, 1);
2825 state->max_param_return = IVAL(req->vwv+5, 1);
2826
2827 /* setup count is in *words* */
2828 state->setup_count = 2*CVAL(req->vwv+17, 1);
2829 state->setup = NULL;
2830 state->call = function_code;
2831
2832 DEBUG(10, ("num_setup=%u, "
2833 "param_total=%u, this_param=%u, max_param=%u, "
2834 "data_total=%u, this_data=%u, max_data=%u, "
2835 "param_offset=%u, data_offset=%u\n",
2836 (unsigned)state->setup_count,
2837 (unsigned)state->total_param, (unsigned)pscnt,
2838 (unsigned)state->max_param_return,
2839 (unsigned)state->total_data, (unsigned)dscnt,
2840 (unsigned)state->max_data_return,
2841 (unsigned)psoff, (unsigned)dsoff));
2842
2843 /*
2844 * All nttrans messages we handle have smb_wct == 19 +
2845 * state->setup_count. Ensure this is so as a sanity check.
2846 */
2847
2848 if(req->wct != 19 + (state->setup_count/2)) {
2849 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
2850 req->wct, 19 + (state->setup_count/2)));
2851 goto bad_param;
2852 }
2853
2854 /* Don't allow more than 128mb for each value. */
2855 if ((state->total_data > (1024*1024*128)) ||
2856 (state->total_param > (1024*1024*128))) {
2857 reply_nterror(req, NT_STATUS_NO_MEMORY);
2858 END_PROFILE(SMBnttrans);
2859 return;
2860 }
2861
2862 if ((dscnt > state->total_data) || (pscnt > state->total_param))
2863 goto bad_param;
2864
2865 if (state->total_data) {
2866
2867 if (trans_oob(state->total_data, 0, dscnt)
2868 || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) {
2869 goto bad_param;
2870 }
2871
2872 /* Can't use talloc here, the core routines do realloc on the
2873 * params and data. */
2874 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
2875 DEBUG(0,("reply_nttrans: data malloc fail for %u "
2876 "bytes !\n", (unsigned int)state->total_data));
2877 TALLOC_FREE(state);
2878 reply_nterror(req, NT_STATUS_NO_MEMORY);
2879 END_PROFILE(SMBnttrans);
2880 return;
2881 }
2882
2883 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
2884 }
2885
2886 if (state->total_param) {
2887
2888 if (trans_oob(state->total_param, 0, pscnt)
2889 || trans_oob(smb_len(req->inbuf), psoff, pscnt)) {
2890 goto bad_param;
2891 }
2892
2893 /* Can't use talloc here, the core routines do realloc on the
2894 * params and data. */
2895 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
2896 DEBUG(0,("reply_nttrans: param malloc fail for %u "
2897 "bytes !\n", (unsigned int)state->total_param));
2898 SAFE_FREE(state->data);
2899 TALLOC_FREE(state);
2900 reply_nterror(req, NT_STATUS_NO_MEMORY);
2901 END_PROFILE(SMBnttrans);
2902 return;
2903 }
2904
2905 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
2906 }
2907
2908 state->received_data = dscnt;
2909 state->received_param = pscnt;
2910
2911 if(state->setup_count > 0) {
2912 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
2913 state->setup_count));
2914
2915 /*
2916 * No overflow possible here, state->setup_count is an
2917 * unsigned int, being filled by a single byte from
2918 * CVAL(req->vwv+13, 0) above. The cast in the comparison
2919 * below is not necessary, it's here to clarify things. The
2920 * validity of req->vwv and req->wct has been checked in
2921 * init_smb_request already.
2922 */
2923 if ((state->setup_count/2) + 19 > (unsigned int)req->wct) {
2924 goto bad_param;
2925 }
2926
2927 state->setup = (uint16 *)TALLOC(state, state->setup_count);
2928 if (state->setup == NULL) {
2929 DEBUG(0,("reply_nttrans : Out of memory\n"));
2930 SAFE_FREE(state->data);
2931 SAFE_FREE(state->param);
2932 TALLOC_FREE(state);
2933 reply_nterror(req, NT_STATUS_NO_MEMORY);
2934 END_PROFILE(SMBnttrans);
2935 return;
2936 }
2937
2938 memcpy(state->setup, req->vwv+19, state->setup_count);
2939 dump_data(10, (uint8 *)state->setup, state->setup_count);
2940 }
2941
2942 if ((state->received_data == state->total_data) &&
2943 (state->received_param == state->total_param)) {
2944 handle_nttrans(conn, state, req);
2945 SAFE_FREE(state->param);
2946 SAFE_FREE(state->data);
2947 TALLOC_FREE(state);
2948 END_PROFILE(SMBnttrans);
2949 return;
2950 }
2951
2952 DLIST_ADD(conn->pending_trans, state);
2953
2954 /* We need to send an interim response then receive the rest
2955 of the parameter/data bytes */
2956 reply_outbuf(req, 0, 0);
2957 show_msg((char *)req->outbuf);
2958 END_PROFILE(SMBnttrans);
2959 return;
2960
2961 bad_param:
2962
2963 DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
2964 SAFE_FREE(state->data);
2965 SAFE_FREE(state->param);
2966 TALLOC_FREE(state);
2967 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2968 END_PROFILE(SMBnttrans);
2969 return;
2970 }
2971
2972 /****************************************************************************
2973 Reply to a SMBnttranss
2974 ****************************************************************************/
2975
2976 void reply_nttranss(struct smb_request *req)
2977 {
2978 connection_struct *conn = req->conn;
2979 uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
2980 struct trans_state *state;
2981
2982 START_PROFILE(SMBnttranss);
2983
2984 show_msg((const char *)req->inbuf);
2985
2986 /* Windows clients expect all replies to
2987 an NT transact secondary (SMBnttranss 0xA1)
2988 to have a command code of NT transact
2989 (SMBnttrans 0xA0). See bug #8989 for details. */
2990 req->cmd = SMBnttrans;
2991
2992 if (req->wct < 18) {
2993 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2994 END_PROFILE(SMBnttranss);
2995 return;
2996 }
2997
2998 for (state = conn->pending_trans; state != NULL;
2999 state = state->next) {
3000 if (state->mid == req->mid) {
3001 break;
3002 }
3003 }
3004
3005 if ((state == NULL) || (state->cmd != SMBnttrans)) {
3006 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3007 END_PROFILE(SMBnttranss);
3008 return;
3009 }
3010
3011 /* Revise state->total_param and state->total_data in case they have
3012 changed downwards */
3013 if (IVAL(req->vwv+1, 1) < state->total_param) {
3014 state->total_param = IVAL(req->vwv+1, 1);
3015 }
3016 if (IVAL(req->vwv+3, 1) < state->total_data) {
3017 state->total_data = IVAL(req->vwv+3, 1);
3018 }
3019
3020 pcnt = IVAL(req->vwv+5, 1);
3021 poff = IVAL(req->vwv+7, 1);
3022 pdisp = IVAL(req->vwv+9, 1);
3023
3024 dcnt = IVAL(req->vwv+11, 1);
3025 doff = IVAL(req->vwv+13, 1);
3026 ddisp = IVAL(req->vwv+15, 1);
3027
3028 state->received_param += pcnt;
3029 state->received_data += dcnt;
3030
3031 if ((state->received_data > state->total_data) ||
3032 (state->received_param > state->total_param))
3033 goto bad_param;
3034
3035 if (pcnt) {
3036 if (trans_oob(state->total_param, pdisp, pcnt)
3037 || trans_oob(smb_len(req->inbuf), poff, pcnt)) {
3038 goto bad_param;
3039 }
3040 memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,pcnt);
3041 }
3042
3043 if (dcnt) {
3044 if (trans_oob(state->total_data, ddisp, dcnt)
3045 || trans_oob(smb_len(req->inbuf), doff, dcnt)) {
3046 goto bad_param;
3047 }
3048 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt);
3049 }
3050
3051 if ((state->received_param < state->total_param) ||
3052 (state->received_data < state->total_data)) {
3053 END_PROFILE(SMBnttranss);
3054 return;
3055 }
3056
3057 handle_nttrans(conn, state, req);
3058
3059 DLIST_REMOVE(conn->pending_trans, state);
3060 SAFE_FREE(state->data);
3061 SAFE_FREE(state->param);
3062 TALLOC_FREE(state);
3063 END_PROFILE(SMBnttranss);
3064 return;
3065
3066 bad_param:
3067
3068 DEBUG(0,("reply_nttranss: invalid trans parameters\n"));
3069 DLIST_REMOVE(conn->pending_trans, state);
3070 SAFE_FREE(state->data);
3071 SAFE_FREE(state->param);
3072 TALLOC_FREE(state);
3073 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3074 END_PROFILE(SMBnttranss);
3075 return;
3076 }
Samba GIT mirror