1 /*
2 Unix SMB/CIFS implementation.
3 NBT netbios library routines
4 Copyright (C) Andrew Tridgell 1994-1998
5 Copyright (C) Luke Kenneth Casson Leighton 1994-1998
6 Copyright (C) Jeremy Allison 1994-1998
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "includes.h"
24 #include "nmbd/nmbd.h"
/* Number of response records currently alive across all subnets:
 * incremented by add_response_record(), decremented by
 * remove_response_record(). */
int num_response_packets = 0;
/***************************************************************************
 Append an expected-response record to a subnet's response list and bump
 the global count of live records (num_response_packets).
**************************************************************************/

static void add_response_record(struct subnet_record *subrec,
				struct response_record *rrec)
{
	/* Global tally of records not yet removed; the matching decrement
	 * lives in remove_response_record(). Bumped before the log line so
	 * the logged count includes this record. */
	num_response_packets++;

	DEBUG(4,("add_response_record: adding response record id:%hu to subnet %s. num_records:%d\n",
		rrec->response_id, subrec->subnet_name, num_response_packets));

	/* Linked at the tail of the subnet's list. */
	DLIST_ADD_END(subrec->responselist, rrec, struct response_record *);
}
/***************************************************************************
 Unlink an expected response record from its subnet's list and free it,
 together with its userdata and the packet it holds.
**************************************************************************/

/* Return True if rrec is currently linked on subrec->responselist.
 * Pointer comparison only: rrec is never dereferenced here, which is the
 * whole point (it may already have been freed, see below). */
static bool response_record_is_listed(struct subnet_record *subrec,
				      struct response_record *rrec)
{
	struct response_record *cur;

	for (cur = subrec->responselist; cur != NULL; cur = cur->next) {
		if (cur == rrec) {
			return True;
		}
	}
	return False;
}

void remove_response_record(struct subnet_record *subrec,
				struct response_record *rrec)
{
	/* Callers can hand us a pointer that was already removed and freed
	 * (Bug #3617), so establish list membership before touching *rrec.
	 * NOTE(review): this cannot detect a freed address that has since
	 * been reused for a new record that was added to the same list. */
	if (!response_record_is_listed(subrec, rrec)) {
		return;
	}

	DLIST_REMOVE(subrec->responselist, rrec);

	/* Userdata is owned by the record. Use the supplied destructor when
	 * there is one; otherwise it is presumably the flat malloc'd copy
	 * made by make_response_record(), so zero and free it directly. */
	if (rrec->userdata != NULL) {
		if (rrec->userdata->free_fn != NULL) {
			(*rrec->userdata->free_fn)(rrec->userdata);
		} else {
			ZERO_STRUCTP(rrec->userdata);
			SAFE_FREE(rrec->userdata);
		}
	}

	/* make_response_record() locked the packet to keep it alive while
	 * queued; clear the lock so the free goes through ("Ensure we can
	 * delete" in the original). */
	rrec->packet->locked = False;
	free_packet(rrec->packet);

	/* Scrub before freeing so a stale pointer is less likely to look
	 * like a live record. */
	ZERO_STRUCTP(rrec);
	SAFE_FREE(rrec);

	num_response_packets--;
}
/****************************************************************************
 Create and queue a response record for an outgoing packet.

 subrec    subnet the packet goes out on; the record is linked on its
           responselist.
 p         the outgoing packet. It is locked here and released again by
           remove_response_record().
 resp_fn, timeout_fn, success_fn, fail_fn
           callbacks stored on the record verbatim.
 userdata  optional. Deep-copied through userdata->copy_fn when one is
           set, otherwise duplicated by a flat memcpy of userdata_len
           trailing bytes.

 Returns the new record, or NULL if allocation or the userdata copy fails
 (nothing is queued and nothing is locked in that case).
**************************************************************************/

struct response_record *make_response_record( struct subnet_record *subrec,
				struct packet_struct *p,
				response_function resp_fn,
				timeout_response_function timeout_fn,
				success_function success_fn,
				fail_function fail_fn,
				struct userdata_struct *userdata)
{
	struct nmb_packet *nmb = &p->packet.nmb;
	struct response_record *rrec = SMB_MALLOC_P(struct response_record);

	if (rrec == NULL) {
		DEBUG(0,("make_response_queue_record: malloc fail for response_record.\n"));
		return NULL;
	}
	ZERO_STRUCTP(rrec);

	/* Replies are later matched to this record by the 16-bit NBT
	 * transaction id alone (see find_response_record()). */
	rrec->response_id = nmb->header.name_trn_id;

	rrec->resp_fn = resp_fn;
	rrec->timeout_fn = timeout_fn;
	rrec->success_fn = success_fn;
	rrec->fail_fn = fail_fn;
	rrec->packet = p;
	rrec->userdata = NULL;

	if (userdata != NULL) {
		if (userdata->copy_fn != NULL) {
			/* "Intelligent" userdata supplies its own deep copy. */
			rrec->userdata = (*userdata->copy_fn)(userdata);
			if (rrec->userdata == NULL) {
				DEBUG(0,("make_response_queue_record: copy fail for userdata.\n"));
				ZERO_STRUCTP(rrec);
				SAFE_FREE(rrec);
				return NULL;
			}
		} else {
			/* Primitive userdata: header plus userdata_len trailing
			 * bytes. NOTE(review): the size sum is not checked for
			 * wrap; userdata comes from in-process callers and is
			 * treated as trusted here - confirm no caller derives
			 * userdata_len from the wire. */
			rrec->userdata = (struct userdata_struct *)
				SMB_MALLOC(sizeof(struct userdata_struct) + userdata->userdata_len);
			if (rrec->userdata == NULL) {
				DEBUG(0,("make_response_queue_record: malloc fail for userdata.\n"));
				ZERO_STRUCTP(rrec);
				SAFE_FREE(rrec);
				return NULL;
			}
			rrec->userdata->copy_fn = userdata->copy_fn;
			rrec->userdata->free_fn = userdata->free_fn;
			rrec->userdata->userdata_len = userdata->userdata_len;
			memcpy(rrec->userdata->data, userdata->data, userdata->userdata_len);
		}
	}

	/* Retry schedule: 5s between resends for unicast, 1s for broadcast
	 * (the original notes this should really be in ms); three retries,
	 * first one due repeat_interval seconds from now. */
	rrec->num_msgs = 0;
	rrec->repeat_interval = nmb->header.nm_flags.bcast ? 1 : 5;
	rrec->repeat_count = 3;
	rrec->repeat_time = time(NULL) + rrec->repeat_interval;

	/* Not currently being expired. */
	rrec->in_expiration_processing = False;

	/* Hold the packet for as long as the record is queued;
	 * remove_response_record() clears the lock before freeing it. */
	p->locked = True;

	add_response_record(subrec, rrec);

	return rrec;
}
/****************************************************************************
 Look up a queued response record on one subnet by NBT transaction id.
 Returns the first record whose response_id equals id, or NULL.
**************************************************************************/

static struct response_record *find_response_record_on_subnet(
				struct subnet_record *subrec, uint16 id)
{
	struct response_record *cur = subrec->responselist;

	/* Walk until the first id match; stop on end of list. */
	while (cur != NULL && cur->response_id != id) {
		cur = cur->next;
	}

	if (cur != NULL) {
		DEBUG(4, ("find_response_record: found response record id = %hu on subnet %s\n",
			id, subrec->subnet_name));
	}

	return cur;
}
/****************************************************************************
 Find a queued response record matching an incoming reply's transaction id
 on any subnet.

 On success *ppsubrec is set to the subnet the record was found on and the
 record is returned. On failure *ppsubrec is NULL and NULL is returned.

 Matching is by the 16-bit id only; nothing here verifies the responder's
 address, so a reply with a guessed id reaches whatever record carries
 that id. NOTE(review): confirm the callers validate the source of the
 reply before acting on it.
**************************************************************************/

struct response_record *find_response_record(struct subnet_record **ppsubrec,
				uint16 id)
{
	struct subnet_record *subrec;
	struct response_record *rrec;

	/* Regular subnets first, the unicast subnet included. */
	for (subrec = FIRST_SUBNET; subrec != NULL;
	     subrec = NEXT_SUBNET_INCLUDING_UNICAST(subrec)) {
		rrec = find_response_record_on_subnet(subrec, id);
		if (rrec != NULL) {
			*ppsubrec = subrec;
			return rrec;
		}
	}

	/* Records are never expected on the remote-broadcast subnet; a
	 * non-empty list there is logged as a broken invariant but not
	 * searched. */
	if (remote_broadcast_subnet->responselist != NULL) {
		DEBUG(0,("find_response_record: response record found on subnet %s. This should \
never happen !\n", remote_broadcast_subnet->subnet_name));
	}

	/* The WINS server subnet is checked separately, after the chain
	 * above, when one is configured. */
	if (wins_server_subnet != NULL) {
		*ppsubrec = wins_server_subnet;
		rrec = find_response_record_on_subnet(wins_server_subnet, id);
		if (rrec != NULL) {
			return rrec;
		}
	}

	DEBUG(3,("find_response_record: response packet id %hu received with no \
matching record.\n", id));

	*ppsubrec = NULL;
	return NULL;
}
/****************************************************************************
 Report whether a name-refresh request for namerec is already waiting for a
 reply on subrec.

 Scans the subnet's response list for a queued packet whose opcode is one
 of the two NBT refresh opcodes and whose question name equals the record's
 name. Returns True on the first such match, False otherwise.
**************************************************************************/

bool is_refresh_already_queued(struct subnet_record *subrec, struct name_record *namerec)
{
	struct response_record *rrec;

	for (rrec = subrec->responselist; rrec != NULL; rrec = rrec->next) {
		struct nmb_packet *nmb = &rrec->packet->packet.nmb;
		bool is_refresh = (nmb->header.opcode == NMB_NAME_REFRESH_OPCODE_8 ||
				   nmb->header.opcode == NMB_NAME_REFRESH_OPCODE_9);

		if (!is_refresh) {
			continue;
		}

		/* A queued refresh: only counts if it is for this name. */
		if (nmb_name_equal(&nmb->question.question_name, &namerec->name)) {
			return True;
		}
	}

	return False;
}