2 Unix SMB/CIFS implementation.
3 handle unexpected packets
4 Copyright (C) Andrew Tridgell 2000
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "../lib/util/tevent_ntstatus.h"
23 #include "lib/async_req/async_sock.h"
24 #include "libsmb/nmblib.h"
26 static const char *nmbd_socket_dir(void)
28 return lp_parm_const_string(-1, "nmbd", "socket dir",
29 get_dyn_NMBDSOCKETDIR());
32 struct nb_packet_query
{
33 enum packet_type type
;
34 size_t mailslot_namelen
;
38 struct nb_packet_client
;
40 struct nb_packet_server
{
41 struct tevent_context
*ev
;
45 struct nb_packet_client
*clients
;
48 struct nb_packet_client
{
49 struct nb_packet_client
*prev
, *next
;
50 struct nb_packet_server
*server
;
52 enum packet_type type
;
57 struct tevent_req
*read_req
;
58 struct tevent_queue
*out_queue
;
61 static int nb_packet_server_destructor(struct nb_packet_server
*s
);
62 static void nb_packet_server_listener(struct tevent_context
*ev
,
63 struct tevent_fd
*fde
,
67 NTSTATUS
nb_packet_server_create(TALLOC_CTX
*mem_ctx
,
68 struct tevent_context
*ev
,
70 struct nb_packet_server
**presult
)
72 struct nb_packet_server
*result
;
73 struct tevent_fd
*fde
;
77 result
= talloc_zero(mem_ctx
, struct nb_packet_server
);
79 status
= NT_STATUS_NO_MEMORY
;
83 result
->max_clients
= max_clients
;
85 result
->listen_sock
= create_pipe_sock(
86 nmbd_socket_dir(), "unexpected", 0755);
87 if (result
->listen_sock
== -1) {
88 status
= map_nt_error_from_unix(errno
);
91 rc
= listen(result
->listen_sock
, 5);
93 status
= map_nt_error_from_unix(errno
);
96 talloc_set_destructor(result
, nb_packet_server_destructor
);
98 fde
= tevent_add_fd(ev
, result
, result
->listen_sock
, TEVENT_FD_READ
,
99 nb_packet_server_listener
, result
);
101 status
= NT_STATUS_NO_MEMORY
;
112 static int nb_packet_server_destructor(struct nb_packet_server
*s
)
114 if (s
->listen_sock
!= -1) {
115 close(s
->listen_sock
);
121 static int nb_packet_client_destructor(struct nb_packet_client
*c
);
122 static ssize_t
nb_packet_client_more(uint8_t *buf
, size_t buflen
,
124 static void nb_packet_got_query(struct tevent_req
*req
);
125 static void nb_packet_client_read_done(struct tevent_req
*req
);
127 static void nb_packet_server_listener(struct tevent_context
*ev
,
128 struct tevent_fd
*fde
,
132 struct nb_packet_server
*server
= talloc_get_type_abort(
133 private_data
, struct nb_packet_server
);
134 struct nb_packet_client
*client
;
135 struct tevent_req
*req
;
136 struct sockaddr_un sunaddr
;
140 len
= sizeof(sunaddr
);
142 sock
= accept(server
->listen_sock
, (struct sockaddr
*)(void *)&sunaddr
,
147 DEBUG(6,("accepted socket %d\n", sock
));
149 client
= talloc_zero(server
, struct nb_packet_client
);
150 if (client
== NULL
) {
151 DEBUG(10, ("talloc failed\n"));
156 client
->server
= server
;
157 talloc_set_destructor(client
, nb_packet_client_destructor
);
159 client
->out_queue
= tevent_queue_create(
160 client
, "unexpected packet output");
161 if (client
->out_queue
== NULL
) {
162 DEBUG(10, ("tevent_queue_create failed\n"));
167 req
= read_packet_send(client
, ev
, client
->sock
,
168 sizeof(struct nb_packet_query
),
169 nb_packet_client_more
, NULL
);
171 DEBUG(10, ("read_packet_send failed\n"));
175 tevent_req_set_callback(req
, nb_packet_got_query
, client
);
177 DLIST_ADD(server
->clients
, client
);
178 server
->num_clients
+= 1;
180 if (server
->num_clients
> server
->max_clients
) {
181 DEBUG(10, ("Too many clients, dropping oldest\n"));
184 * no TALLOC_FREE here, don't mess with the list structs
186 talloc_free(server
->clients
->prev
);
190 static ssize_t
nb_packet_client_more(uint8_t *buf
, size_t buflen
,
193 struct nb_packet_query q
;
194 if (buflen
> sizeof(struct nb_packet_query
)) {
197 /* Take care of alignment */
198 memcpy(&q
, buf
, sizeof(q
));
199 if (q
.mailslot_namelen
> 1024) {
200 DEBUG(10, ("Got invalid mailslot namelen %d\n",
201 (int)q
.mailslot_namelen
));
204 return q
.mailslot_namelen
;
207 static int nb_packet_client_destructor(struct nb_packet_client
*c
)
213 DLIST_REMOVE(c
->server
->clients
, c
);
214 c
->server
->num_clients
-= 1;
218 static void nb_packet_got_query(struct tevent_req
*req
)
220 struct nb_packet_client
*client
= tevent_req_callback_data(
221 req
, struct nb_packet_client
);
222 struct nb_packet_query q
;
224 ssize_t nread
, nwritten
;
228 nread
= read_packet_recv(req
, talloc_tos(), &buf
, &err
);
230 if (nread
< (ssize_t
)sizeof(struct nb_packet_query
)) {
231 DEBUG(10, ("read_packet_recv returned %d (%s)\n",
233 (nread
== -1) ? strerror(err
) : "wrong length"));
238 /* Take care of alignment */
239 memcpy(&q
, buf
, sizeof(q
));
241 if (nread
!= sizeof(struct nb_packet_query
) + q
.mailslot_namelen
) {
242 DEBUG(10, ("nb_packet_got_query: Invalid mailslot namelength\n"));
247 client
->trn_id
= q
.trn_id
;
248 client
->type
= q
.type
;
249 if (q
.mailslot_namelen
> 0) {
250 client
->mailslot_name
= talloc_strndup(
251 client
, (char *)buf
+ sizeof(q
),
253 if (client
->mailslot_name
== NULL
) {
260 * Yes, this is a blocking write of 1 byte into a unix
261 * domain socket that has never been written to. Highly
262 * unlikely that this actually blocks.
265 nwritten
= sys_write(client
->sock
, &c
, sizeof(c
));
266 if (nwritten
!= sizeof(c
)) {
267 DEBUG(10, ("Could not write success indicator to client: %s\n",
273 client
->read_req
= read_packet_send(client
, client
->server
->ev
,
274 client
->sock
, 1, NULL
, NULL
);
275 if (client
->read_req
== NULL
) {
276 DEBUG(10, ("Could not activate reader for client exit "
281 tevent_req_set_callback(client
->read_req
, nb_packet_client_read_done
,
285 static void nb_packet_client_read_done(struct tevent_req
*req
)
287 struct nb_packet_client
*client
= tevent_req_callback_data(
288 req
, struct nb_packet_client
);
293 nread
= read_packet_recv(req
, talloc_tos(), &buf
, &err
);
296 DEBUG(10, ("Protocol error, received data on write-only "
297 "unexpected socket: 0x%2.2x\n", (*buf
)));
302 static void nb_packet_client_send(struct nb_packet_client
*client
,
303 struct packet_struct
*p
);
305 void nb_packet_dispatch(struct nb_packet_server
*server
,
306 struct packet_struct
*p
)
308 struct nb_packet_client
*c
;
311 switch (p
->packet_type
) {
313 trn_id
= p
->packet
.nmb
.header
.name_trn_id
;
316 trn_id
= p
->packet
.dgram
.header
.dgm_id
;
319 DEBUG(10, ("Got invalid packet type %d\n",
320 (int)p
->packet_type
));
323 for (c
= server
->clients
; c
!= NULL
; c
= c
->next
) {
325 if (c
->type
!= p
->packet_type
) {
326 DEBUG(10, ("client expects packet %d, got %d\n",
327 c
->type
, p
->packet_type
));
331 if (p
->packet_type
== NMB_PACKET
) {
333 * See if the client specified transaction
334 * ID. Filter if it did.
336 if ((c
->trn_id
!= -1) &&
337 (c
->trn_id
!= trn_id
)) {
338 DEBUG(10, ("client expects trn %d, got %d\n",
344 * See if the client specified a mailslot
345 * name. Filter if it did.
347 if ((c
->mailslot_name
!= NULL
) &&
348 !match_mailslot_name(p
, c
->mailslot_name
)) {
352 nb_packet_client_send(c
, p
);
356 struct nb_packet_client_header
{
358 enum packet_type type
;
364 struct nb_packet_client_state
{
365 struct nb_packet_client
*client
;
367 struct nb_packet_client_header hdr
;
371 static void nb_packet_client_send_done(struct tevent_req
*req
);
373 static void nb_packet_client_send(struct nb_packet_client
*client
,
374 struct packet_struct
*p
)
376 struct nb_packet_client_state
*state
;
377 struct tevent_req
*req
;
379 if (tevent_queue_length(client
->out_queue
) > 10) {
381 * Skip clients that don't listen anyway, some form of DoS
387 state
= talloc_zero(client
, struct nb_packet_client_state
);
389 DEBUG(10, ("talloc failed\n"));
393 state
->client
= client
;
395 state
->hdr
.ip
= p
->ip
;
396 state
->hdr
.port
= p
->port
;
397 state
->hdr
.timestamp
= p
->timestamp
;
398 state
->hdr
.type
= p
->packet_type
;
399 state
->hdr
.len
= build_packet(state
->buf
, sizeof(state
->buf
), p
);
401 state
->iov
[0].iov_base
= (char *)&state
->hdr
;
402 state
->iov
[0].iov_len
= sizeof(state
->hdr
);
403 state
->iov
[1].iov_base
= state
->buf
;
404 state
->iov
[1].iov_len
= state
->hdr
.len
;
406 TALLOC_FREE(client
->read_req
);
408 req
= writev_send(client
, client
->server
->ev
, client
->out_queue
,
409 client
->sock
, true, state
->iov
, 2);
411 DEBUG(10, ("writev_send failed\n"));
414 tevent_req_set_callback(req
, nb_packet_client_send_done
, state
);
417 static void nb_packet_client_send_done(struct tevent_req
*req
)
419 struct nb_packet_client_state
*state
= tevent_req_callback_data(
420 req
, struct nb_packet_client_state
);
421 struct nb_packet_client
*client
= state
->client
;
425 nwritten
= writev_recv(req
, &err
);
430 if (nwritten
== -1) {
431 DEBUG(10, ("writev failed: %s\n", strerror(err
)));
435 if (tevent_queue_length(client
->out_queue
) == 0) {
436 client
->read_req
= read_packet_send(client
, client
->server
->ev
,
439 if (client
->read_req
== NULL
) {
440 DEBUG(10, ("Could not activate reader for client exit "
445 tevent_req_set_callback(client
->read_req
,
446 nb_packet_client_read_done
,
451 struct nb_packet_reader
{
455 struct nb_packet_reader_state
{
456 struct tevent_context
*ev
;
457 struct sockaddr_un addr
;
458 struct nb_packet_query query
;
459 const char *mailslot_name
;
462 struct nb_packet_reader
*reader
;
465 static int nb_packet_reader_destructor(struct nb_packet_reader
*r
);
466 static void nb_packet_reader_connected(struct tevent_req
*subreq
);
467 static void nb_packet_reader_sent_query(struct tevent_req
*subreq
);
468 static void nb_packet_reader_got_ack(struct tevent_req
*subreq
);
470 struct tevent_req
*nb_packet_reader_send(TALLOC_CTX
*mem_ctx
,
471 struct tevent_context
*ev
,
472 enum packet_type type
,
474 const char *mailslot_name
)
476 struct tevent_req
*req
, *subreq
;
477 struct nb_packet_reader_state
*state
;
480 req
= tevent_req_create(mem_ctx
, &state
,
481 struct nb_packet_reader_state
);
486 state
->query
.trn_id
= trn_id
;
487 state
->query
.type
= type
;
488 state
->mailslot_name
= mailslot_name
;
490 if (mailslot_name
!= NULL
) {
491 state
->query
.mailslot_namelen
= strlen(mailslot_name
);
494 state
->reader
= talloc_zero(state
, struct nb_packet_reader
);
495 if (tevent_req_nomem(state
->reader
, req
)) {
496 return tevent_req_post(req
, ev
);
499 path
= talloc_asprintf(talloc_tos(), "%s/%s", nmbd_socket_dir(),
501 if (tevent_req_nomem(path
, req
)) {
502 return tevent_req_post(req
, ev
);
504 state
->addr
.sun_family
= AF_UNIX
;
505 strlcpy(state
->addr
.sun_path
, path
, sizeof(state
->addr
.sun_path
));
508 state
->reader
->sock
= socket(AF_UNIX
, SOCK_STREAM
, 0);
509 if (state
->reader
->sock
== -1) {
510 tevent_req_nterror(req
, map_nt_error_from_unix(errno
));
511 return tevent_req_post(req
, ev
);
513 talloc_set_destructor(state
->reader
, nb_packet_reader_destructor
);
515 subreq
= async_connect_send(state
, ev
, state
->reader
->sock
,
516 (struct sockaddr
*)(void *)&state
->addr
,
517 sizeof(state
->addr
), NULL
, NULL
, NULL
);
518 if (tevent_req_nomem(subreq
, req
)) {
519 return tevent_req_post(req
, ev
);
521 tevent_req_set_callback(subreq
, nb_packet_reader_connected
, req
);
525 static int nb_packet_reader_destructor(struct nb_packet_reader
*r
)
534 static void nb_packet_reader_connected(struct tevent_req
*subreq
)
536 struct tevent_req
*req
= tevent_req_callback_data(
537 subreq
, struct tevent_req
);
538 struct nb_packet_reader_state
*state
= tevent_req_data(
539 req
, struct nb_packet_reader_state
);
543 res
= async_connect_recv(subreq
, &err
);
546 DEBUG(10, ("async_connect failed: %s\n", strerror(err
)));
547 tevent_req_nterror(req
, map_nt_error_from_unix(err
));
551 state
->iov
[0].iov_base
= (char *)&state
->query
;
552 state
->iov
[0].iov_len
= sizeof(state
->query
);
554 if (state
->mailslot_name
!= NULL
) {
556 state
->iov
[1].iov_base
= discard_const_p(
557 char, state
->mailslot_name
);
558 state
->iov
[1].iov_len
= state
->query
.mailslot_namelen
;
561 subreq
= writev_send(state
, state
->ev
, NULL
, state
->reader
->sock
,
562 true, state
->iov
, num_iovecs
);
563 if (tevent_req_nomem(subreq
, req
)) {
566 tevent_req_set_callback(subreq
, nb_packet_reader_sent_query
, req
);
569 static void nb_packet_reader_sent_query(struct tevent_req
*subreq
)
571 struct tevent_req
*req
= tevent_req_callback_data(
572 subreq
, struct tevent_req
);
573 struct nb_packet_reader_state
*state
= tevent_req_data(
574 req
, struct nb_packet_reader_state
);
578 written
= writev_recv(subreq
, &err
);
581 tevent_req_nterror(req
, map_nt_error_from_unix(err
));
584 if (written
!= sizeof(state
->query
) + state
->query
.mailslot_namelen
) {
585 tevent_req_nterror(req
, NT_STATUS_UNEXPECTED_IO_ERROR
);
588 subreq
= read_packet_send(state
, state
->ev
, state
->reader
->sock
,
589 sizeof(state
->c
), NULL
, NULL
);
590 if (tevent_req_nomem(subreq
, req
)) {
593 tevent_req_set_callback(subreq
, nb_packet_reader_got_ack
, req
);
596 static void nb_packet_reader_got_ack(struct tevent_req
*subreq
)
598 struct tevent_req
*req
= tevent_req_callback_data(
599 subreq
, struct tevent_req
);
600 struct nb_packet_reader_state
*state
= tevent_req_data(
601 req
, struct nb_packet_reader_state
);
606 nread
= read_packet_recv(subreq
, state
, &buf
, &err
);
609 DEBUG(10, ("read_packet_recv returned %s\n",
611 tevent_req_nterror(req
, map_nt_error_from_unix(err
));
614 if (nread
!= sizeof(state
->c
)) {
615 DEBUG(10, ("read = %d, expected %d\n", (int)nread
,
616 (int)sizeof(state
->c
)));
617 tevent_req_nterror(req
, NT_STATUS_UNEXPECTED_IO_ERROR
);
620 tevent_req_done(req
);
623 NTSTATUS
nb_packet_reader_recv(struct tevent_req
*req
, TALLOC_CTX
*mem_ctx
,
624 struct nb_packet_reader
**preader
)
626 struct nb_packet_reader_state
*state
= tevent_req_data(
627 req
, struct nb_packet_reader_state
);
630 if (tevent_req_is_nterror(req
, &status
)) {
633 *preader
= talloc_move(mem_ctx
, &state
->reader
);
637 struct nb_packet_read_state
{
638 struct nb_packet_client_header hdr
;
643 static ssize_t
nb_packet_read_more(uint8_t *buf
, size_t buflen
, void *p
);
644 static void nb_packet_read_done(struct tevent_req
*subreq
);
646 struct tevent_req
*nb_packet_read_send(TALLOC_CTX
*mem_ctx
,
647 struct tevent_context
*ev
,
648 struct nb_packet_reader
*reader
)
650 struct tevent_req
*req
, *subreq
;
651 struct nb_packet_read_state
*state
;
653 req
= tevent_req_create(mem_ctx
, &state
, struct nb_packet_read_state
);
657 subreq
= read_packet_send(state
, ev
, reader
->sock
,
658 sizeof(struct nb_packet_client_header
),
659 nb_packet_read_more
, state
);
660 if (tevent_req_nomem(subreq
, req
)) {
661 return tevent_req_post(req
, ev
);
663 tevent_req_set_callback(subreq
, nb_packet_read_done
, req
);
667 static ssize_t
nb_packet_read_more(uint8_t *buf
, size_t buflen
, void *p
)
669 struct nb_packet_read_state
*state
= talloc_get_type_abort(
670 p
, struct nb_packet_read_state
);
672 if (buflen
> sizeof(struct nb_packet_client_header
)) {
678 memcpy(&state
->hdr
, buf
, sizeof(struct nb_packet_client_header
));
679 return state
->hdr
.len
;
682 static void nb_packet_read_done(struct tevent_req
*subreq
)
684 struct tevent_req
*req
= tevent_req_callback_data(
685 subreq
, struct tevent_req
);
686 struct nb_packet_read_state
*state
= tevent_req_data(
687 req
, struct nb_packet_read_state
);
691 nread
= read_packet_recv(subreq
, state
, &state
->buf
, &err
);
693 tevent_req_nterror(req
, map_nt_error_from_unix(err
));
696 state
->buflen
= nread
;
697 tevent_req_done(req
);
700 NTSTATUS
nb_packet_read_recv(struct tevent_req
*req
,
701 struct packet_struct
**ppacket
)
703 struct nb_packet_read_state
*state
= tevent_req_data(
704 req
, struct nb_packet_read_state
);
705 struct nb_packet_client_header hdr
;
706 struct packet_struct
*packet
;
709 if (tevent_req_is_nterror(req
, &status
)) {
713 memcpy(&hdr
, state
->buf
, sizeof(hdr
));
715 packet
= parse_packet(
716 (char *)state
->buf
+ sizeof(struct nb_packet_client_header
),
717 state
->buflen
- sizeof(struct nb_packet_client_header
),
718 state
->hdr
.type
, state
->hdr
.ip
, state
->hdr
.port
);
719 if (packet
== NULL
) {
720 return NT_STATUS_INVALID_NETWORK_RESPONSE
;