CVE-2013-4496:samr: Remove ChangePasswordUser
[Samba.git] / source3 / libsmb / unexpected.c
blob2c01bb7515407784f174b9637167a8633c561d74
1 /*
2 Unix SMB/CIFS implementation.
3 handle unexpected packets
4 Copyright (C) Andrew Tridgell 2000
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 #include "includes.h"
22 #include "../lib/util/tevent_ntstatus.h"
23 #include "lib/async_req/async_sock.h"
24 #include "libsmb/nmblib.h"
26 static const char *nmbd_socket_dir(void)
28 return lp_parm_const_string(-1, "nmbd", "socket dir",
29 get_dyn_NMBDSOCKETDIR());
32 struct nb_packet_query {
33 enum packet_type type;
34 size_t mailslot_namelen;
35 int trn_id;
38 struct nb_packet_client;
40 struct nb_packet_server {
41 struct tevent_context *ev;
42 int listen_sock;
43 int max_clients;
44 int num_clients;
45 struct nb_packet_client *clients;
48 struct nb_packet_client {
49 struct nb_packet_client *prev, *next;
50 struct nb_packet_server *server;
52 enum packet_type type;
53 int trn_id;
54 char *mailslot_name;
56 int sock;
57 struct tevent_req *read_req;
58 struct tevent_queue *out_queue;
61 static int nb_packet_server_destructor(struct nb_packet_server *s);
62 static void nb_packet_server_listener(struct tevent_context *ev,
63 struct tevent_fd *fde,
64 uint16_t flags,
65 void *private_data);
67 NTSTATUS nb_packet_server_create(TALLOC_CTX *mem_ctx,
68 struct tevent_context *ev,
69 int max_clients,
70 struct nb_packet_server **presult)
72 struct nb_packet_server *result;
73 struct tevent_fd *fde;
74 NTSTATUS status;
75 int rc;
77 result = talloc_zero(mem_ctx, struct nb_packet_server);
78 if (result == NULL) {
79 status = NT_STATUS_NO_MEMORY;
80 goto fail;
82 result->ev = ev;
83 result->max_clients = max_clients;
85 result->listen_sock = create_pipe_sock(
86 nmbd_socket_dir(), "unexpected", 0755);
87 if (result->listen_sock == -1) {
88 status = map_nt_error_from_unix(errno);
89 goto fail;
91 rc = listen(result->listen_sock, 5);
92 if (rc < 0) {
93 status = map_nt_error_from_unix(errno);
94 goto fail;
96 talloc_set_destructor(result, nb_packet_server_destructor);
98 fde = tevent_add_fd(ev, result, result->listen_sock, TEVENT_FD_READ,
99 nb_packet_server_listener, result);
100 if (fde == NULL) {
101 status = NT_STATUS_NO_MEMORY;
102 goto fail;
105 *presult = result;
106 return NT_STATUS_OK;
107 fail:
108 TALLOC_FREE(result);
109 return status;
112 static int nb_packet_server_destructor(struct nb_packet_server *s)
114 if (s->listen_sock != -1) {
115 close(s->listen_sock);
116 s->listen_sock = -1;
118 return 0;
121 static int nb_packet_client_destructor(struct nb_packet_client *c);
122 static ssize_t nb_packet_client_more(uint8_t *buf, size_t buflen,
123 void *private_data);
124 static void nb_packet_got_query(struct tevent_req *req);
125 static void nb_packet_client_read_done(struct tevent_req *req);
127 static void nb_packet_server_listener(struct tevent_context *ev,
128 struct tevent_fd *fde,
129 uint16_t flags,
130 void *private_data)
132 struct nb_packet_server *server = talloc_get_type_abort(
133 private_data, struct nb_packet_server);
134 struct nb_packet_client *client;
135 struct tevent_req *req;
136 struct sockaddr_un sunaddr;
137 socklen_t len;
138 int sock;
140 len = sizeof(sunaddr);
142 sock = accept(server->listen_sock, (struct sockaddr *)(void *)&sunaddr,
143 &len);
144 if (sock == -1) {
145 return;
147 DEBUG(6,("accepted socket %d\n", sock));
149 client = talloc_zero(server, struct nb_packet_client);
150 if (client == NULL) {
151 DEBUG(10, ("talloc failed\n"));
152 close(sock);
153 return;
155 client->sock = sock;
156 client->server = server;
157 talloc_set_destructor(client, nb_packet_client_destructor);
159 client->out_queue = tevent_queue_create(
160 client, "unexpected packet output");
161 if (client->out_queue == NULL) {
162 DEBUG(10, ("tevent_queue_create failed\n"));
163 TALLOC_FREE(client);
164 return;
167 req = read_packet_send(client, ev, client->sock,
168 sizeof(struct nb_packet_query),
169 nb_packet_client_more, NULL);
170 if (req == NULL) {
171 DEBUG(10, ("read_packet_send failed\n"));
172 TALLOC_FREE(client);
173 return;
175 tevent_req_set_callback(req, nb_packet_got_query, client);
177 DLIST_ADD(server->clients, client);
178 server->num_clients += 1;
180 if (server->num_clients > server->max_clients) {
181 DEBUG(10, ("Too many clients, dropping oldest\n"));
184 * no TALLOC_FREE here, don't mess with the list structs
186 talloc_free(server->clients->prev);
190 static ssize_t nb_packet_client_more(uint8_t *buf, size_t buflen,
191 void *private_data)
193 struct nb_packet_query q;
194 if (buflen > sizeof(struct nb_packet_query)) {
195 return 0;
197 /* Take care of alignment */
198 memcpy(&q, buf, sizeof(q));
199 if (q.mailslot_namelen > 1024) {
200 DEBUG(10, ("Got invalid mailslot namelen %d\n",
201 (int)q.mailslot_namelen));
202 return -1;
204 return q.mailslot_namelen;
207 static int nb_packet_client_destructor(struct nb_packet_client *c)
209 if (c->sock != -1) {
210 close(c->sock);
211 c->sock = -1;
213 DLIST_REMOVE(c->server->clients, c);
214 c->server->num_clients -= 1;
215 return 0;
218 static void nb_packet_got_query(struct tevent_req *req)
220 struct nb_packet_client *client = tevent_req_callback_data(
221 req, struct nb_packet_client);
222 struct nb_packet_query q;
223 uint8_t *buf;
224 ssize_t nread, nwritten;
225 int err;
226 char c;
228 nread = read_packet_recv(req, talloc_tos(), &buf, &err);
229 TALLOC_FREE(req);
230 if (nread < (ssize_t)sizeof(struct nb_packet_query)) {
231 DEBUG(10, ("read_packet_recv returned %d (%s)\n",
232 (int)nread,
233 (nread == -1) ? strerror(err) : "wrong length"));
234 TALLOC_FREE(client);
235 return;
238 /* Take care of alignment */
239 memcpy(&q, buf, sizeof(q));
241 if (nread != sizeof(struct nb_packet_query) + q.mailslot_namelen) {
242 DEBUG(10, ("nb_packet_got_query: Invalid mailslot namelength\n"));
243 TALLOC_FREE(client);
244 return;
247 client->trn_id = q.trn_id;
248 client->type = q.type;
249 if (q.mailslot_namelen > 0) {
250 client->mailslot_name = talloc_strndup(
251 client, (char *)buf + sizeof(q),
252 q.mailslot_namelen);
253 if (client->mailslot_name == NULL) {
254 TALLOC_FREE(client);
255 return;
260 * Yes, this is a blocking write of 1 byte into a unix
261 * domain socket that has never been written to. Highly
262 * unlikely that this actually blocks.
264 c = 0;
265 nwritten = sys_write(client->sock, &c, sizeof(c));
266 if (nwritten != sizeof(c)) {
267 DEBUG(10, ("Could not write success indicator to client: %s\n",
268 strerror(errno)));
269 TALLOC_FREE(client);
270 return;
273 client->read_req = read_packet_send(client, client->server->ev,
274 client->sock, 1, NULL, NULL);
275 if (client->read_req == NULL) {
276 DEBUG(10, ("Could not activate reader for client exit "
277 "detection\n"));
278 TALLOC_FREE(client);
279 return;
281 tevent_req_set_callback(client->read_req, nb_packet_client_read_done,
282 client);
285 static void nb_packet_client_read_done(struct tevent_req *req)
287 struct nb_packet_client *client = tevent_req_callback_data(
288 req, struct nb_packet_client);
289 ssize_t nread;
290 uint8_t *buf;
291 int err;
293 nread = read_packet_recv(req, talloc_tos(), &buf, &err);
294 TALLOC_FREE(req);
295 if (nread == 1) {
296 DEBUG(10, ("Protocol error, received data on write-only "
297 "unexpected socket: 0x%2.2x\n", (*buf)));
299 TALLOC_FREE(client);
302 static void nb_packet_client_send(struct nb_packet_client *client,
303 struct packet_struct *p);
305 void nb_packet_dispatch(struct nb_packet_server *server,
306 struct packet_struct *p)
308 struct nb_packet_client *c;
309 uint16_t trn_id;
311 switch (p->packet_type) {
312 case NMB_PACKET:
313 trn_id = p->packet.nmb.header.name_trn_id;
314 break;
315 case DGRAM_PACKET:
316 trn_id = p->packet.dgram.header.dgm_id;
317 break;
318 default:
319 DEBUG(10, ("Got invalid packet type %d\n",
320 (int)p->packet_type));
321 return;
323 for (c = server->clients; c != NULL; c = c->next) {
325 if (c->type != p->packet_type) {
326 DEBUG(10, ("client expects packet %d, got %d\n",
327 c->type, p->packet_type));
328 continue;
331 if (p->packet_type == NMB_PACKET) {
333 * See if the client specified transaction
334 * ID. Filter if it did.
336 if ((c->trn_id != -1) &&
337 (c->trn_id != trn_id)) {
338 DEBUG(10, ("client expects trn %d, got %d\n",
339 c->trn_id, trn_id));
340 continue;
342 } else {
344 * See if the client specified a mailslot
345 * name. Filter if it did.
347 if ((c->mailslot_name != NULL) &&
348 !match_mailslot_name(p, c->mailslot_name)) {
349 continue;
352 nb_packet_client_send(c, p);
356 struct nb_packet_client_header {
357 size_t len;
358 enum packet_type type;
359 time_t timestamp;
360 struct in_addr ip;
361 int port;
364 struct nb_packet_client_state {
365 struct nb_packet_client *client;
366 struct iovec iov[2];
367 struct nb_packet_client_header hdr;
368 char buf[1024];
371 static void nb_packet_client_send_done(struct tevent_req *req);
373 static void nb_packet_client_send(struct nb_packet_client *client,
374 struct packet_struct *p)
376 struct nb_packet_client_state *state;
377 struct tevent_req *req;
379 if (tevent_queue_length(client->out_queue) > 10) {
381 * Skip clients that don't listen anyway, some form of DoS
382 * protection
384 return;
387 state = talloc_zero(client, struct nb_packet_client_state);
388 if (state == NULL) {
389 DEBUG(10, ("talloc failed\n"));
390 return;
393 state->client = client;
395 state->hdr.ip = p->ip;
396 state->hdr.port = p->port;
397 state->hdr.timestamp = p->timestamp;
398 state->hdr.type = p->packet_type;
399 state->hdr.len = build_packet(state->buf, sizeof(state->buf), p);
401 state->iov[0].iov_base = (char *)&state->hdr;
402 state->iov[0].iov_len = sizeof(state->hdr);
403 state->iov[1].iov_base = state->buf;
404 state->iov[1].iov_len = state->hdr.len;
406 TALLOC_FREE(client->read_req);
408 req = writev_send(client, client->server->ev, client->out_queue,
409 client->sock, true, state->iov, 2);
410 if (req == NULL) {
411 DEBUG(10, ("writev_send failed\n"));
412 return;
414 tevent_req_set_callback(req, nb_packet_client_send_done, state);
417 static void nb_packet_client_send_done(struct tevent_req *req)
419 struct nb_packet_client_state *state = tevent_req_callback_data(
420 req, struct nb_packet_client_state);
421 struct nb_packet_client *client = state->client;
422 ssize_t nwritten;
423 int err;
425 nwritten = writev_recv(req, &err);
427 TALLOC_FREE(req);
428 TALLOC_FREE(state);
430 if (nwritten == -1) {
431 DEBUG(10, ("writev failed: %s\n", strerror(err)));
432 TALLOC_FREE(client);
435 if (tevent_queue_length(client->out_queue) == 0) {
436 client->read_req = read_packet_send(client, client->server->ev,
437 client->sock, 1,
438 NULL, NULL);
439 if (client->read_req == NULL) {
440 DEBUG(10, ("Could not activate reader for client exit "
441 "detection\n"));
442 TALLOC_FREE(client);
443 return;
445 tevent_req_set_callback(client->read_req,
446 nb_packet_client_read_done,
447 client);
451 struct nb_packet_reader {
452 int sock;
455 struct nb_packet_reader_state {
456 struct tevent_context *ev;
457 struct sockaddr_un addr;
458 struct nb_packet_query query;
459 const char *mailslot_name;
460 struct iovec iov[2];
461 char c;
462 struct nb_packet_reader *reader;
465 static int nb_packet_reader_destructor(struct nb_packet_reader *r);
466 static void nb_packet_reader_connected(struct tevent_req *subreq);
467 static void nb_packet_reader_sent_query(struct tevent_req *subreq);
468 static void nb_packet_reader_got_ack(struct tevent_req *subreq);
470 struct tevent_req *nb_packet_reader_send(TALLOC_CTX *mem_ctx,
471 struct tevent_context *ev,
472 enum packet_type type,
473 int trn_id,
474 const char *mailslot_name)
476 struct tevent_req *req, *subreq;
477 struct nb_packet_reader_state *state;
478 char *path;
480 req = tevent_req_create(mem_ctx, &state,
481 struct nb_packet_reader_state);
482 if (req == NULL) {
483 return NULL;
485 state->ev = ev;
486 state->query.trn_id = trn_id;
487 state->query.type = type;
488 state->mailslot_name = mailslot_name;
490 if (mailslot_name != NULL) {
491 state->query.mailslot_namelen = strlen(mailslot_name);
494 state->reader = talloc_zero(state, struct nb_packet_reader);
495 if (tevent_req_nomem(state->reader, req)) {
496 return tevent_req_post(req, ev);
499 path = talloc_asprintf(talloc_tos(), "%s/%s", nmbd_socket_dir(),
500 "unexpected");
501 if (tevent_req_nomem(path, req)) {
502 return tevent_req_post(req, ev);
504 state->addr.sun_family = AF_UNIX;
505 strlcpy(state->addr.sun_path, path, sizeof(state->addr.sun_path));
506 TALLOC_FREE(path);
508 state->reader->sock = socket(AF_UNIX, SOCK_STREAM, 0);
509 if (state->reader->sock == -1) {
510 tevent_req_nterror(req, map_nt_error_from_unix(errno));
511 return tevent_req_post(req, ev);
513 talloc_set_destructor(state->reader, nb_packet_reader_destructor);
515 subreq = async_connect_send(state, ev, state->reader->sock,
516 (struct sockaddr *)(void *)&state->addr,
517 sizeof(state->addr), NULL, NULL, NULL);
518 if (tevent_req_nomem(subreq, req)) {
519 return tevent_req_post(req, ev);
521 tevent_req_set_callback(subreq, nb_packet_reader_connected, req);
522 return req;
525 static int nb_packet_reader_destructor(struct nb_packet_reader *r)
527 if (r->sock != -1) {
528 close(r->sock);
529 r->sock = -1;
531 return 0;
534 static void nb_packet_reader_connected(struct tevent_req *subreq)
536 struct tevent_req *req = tevent_req_callback_data(
537 subreq, struct tevent_req);
538 struct nb_packet_reader_state *state = tevent_req_data(
539 req, struct nb_packet_reader_state);
540 int res, err;
541 int num_iovecs = 1;
543 res = async_connect_recv(subreq, &err);
544 TALLOC_FREE(subreq);
545 if (res == -1) {
546 DEBUG(10, ("async_connect failed: %s\n", strerror(err)));
547 tevent_req_nterror(req, map_nt_error_from_unix(err));
548 return;
551 state->iov[0].iov_base = (char *)&state->query;
552 state->iov[0].iov_len = sizeof(state->query);
554 if (state->mailslot_name != NULL) {
555 num_iovecs = 2;
556 state->iov[1].iov_base = discard_const_p(
557 char, state->mailslot_name);
558 state->iov[1].iov_len = state->query.mailslot_namelen;
561 subreq = writev_send(state, state->ev, NULL, state->reader->sock,
562 true, state->iov, num_iovecs);
563 if (tevent_req_nomem(subreq, req)) {
564 return;
566 tevent_req_set_callback(subreq, nb_packet_reader_sent_query, req);
569 static void nb_packet_reader_sent_query(struct tevent_req *subreq)
571 struct tevent_req *req = tevent_req_callback_data(
572 subreq, struct tevent_req);
573 struct nb_packet_reader_state *state = tevent_req_data(
574 req, struct nb_packet_reader_state);
575 ssize_t written;
576 int err;
578 written = writev_recv(subreq, &err);
579 TALLOC_FREE(subreq);
580 if (written == -1) {
581 tevent_req_nterror(req, map_nt_error_from_unix(err));
582 return;
584 if (written != sizeof(state->query) + state->query.mailslot_namelen) {
585 tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
586 return;
588 subreq = read_packet_send(state, state->ev, state->reader->sock,
589 sizeof(state->c), NULL, NULL);
590 if (tevent_req_nomem(subreq, req)) {
591 return;
593 tevent_req_set_callback(subreq, nb_packet_reader_got_ack, req);
596 static void nb_packet_reader_got_ack(struct tevent_req *subreq)
598 struct tevent_req *req = tevent_req_callback_data(
599 subreq, struct tevent_req);
600 struct nb_packet_reader_state *state = tevent_req_data(
601 req, struct nb_packet_reader_state);
602 ssize_t nread;
603 int err;
604 uint8_t *buf;
606 nread = read_packet_recv(subreq, state, &buf, &err);
607 TALLOC_FREE(subreq);
608 if (nread == -1) {
609 DEBUG(10, ("read_packet_recv returned %s\n",
610 strerror(err)));
611 tevent_req_nterror(req, map_nt_error_from_unix(err));
612 return;
614 if (nread != sizeof(state->c)) {
615 DEBUG(10, ("read = %d, expected %d\n", (int)nread,
616 (int)sizeof(state->c)));
617 tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
618 return;
620 tevent_req_done(req);
623 NTSTATUS nb_packet_reader_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
624 struct nb_packet_reader **preader)
626 struct nb_packet_reader_state *state = tevent_req_data(
627 req, struct nb_packet_reader_state);
628 NTSTATUS status;
630 if (tevent_req_is_nterror(req, &status)) {
631 return status;
633 *preader = talloc_move(mem_ctx, &state->reader);
634 return NT_STATUS_OK;
637 struct nb_packet_read_state {
638 struct nb_packet_client_header hdr;
639 uint8_t *buf;
640 size_t buflen;
643 static ssize_t nb_packet_read_more(uint8_t *buf, size_t buflen, void *p);
644 static void nb_packet_read_done(struct tevent_req *subreq);
646 struct tevent_req *nb_packet_read_send(TALLOC_CTX *mem_ctx,
647 struct tevent_context *ev,
648 struct nb_packet_reader *reader)
650 struct tevent_req *req, *subreq;
651 struct nb_packet_read_state *state;
653 req = tevent_req_create(mem_ctx, &state, struct nb_packet_read_state);
654 if (req == NULL) {
655 return NULL;
657 subreq = read_packet_send(state, ev, reader->sock,
658 sizeof(struct nb_packet_client_header),
659 nb_packet_read_more, state);
660 if (tevent_req_nomem(subreq, req)) {
661 return tevent_req_post(req, ev);
663 tevent_req_set_callback(subreq, nb_packet_read_done, req);
664 return req;
667 static ssize_t nb_packet_read_more(uint8_t *buf, size_t buflen, void *p)
669 struct nb_packet_read_state *state = talloc_get_type_abort(
670 p, struct nb_packet_read_state);
672 if (buflen > sizeof(struct nb_packet_client_header)) {
674 * Been here, done
676 return 0;
678 memcpy(&state->hdr, buf, sizeof(struct nb_packet_client_header));
679 return state->hdr.len;
682 static void nb_packet_read_done(struct tevent_req *subreq)
684 struct tevent_req *req = tevent_req_callback_data(
685 subreq, struct tevent_req);
686 struct nb_packet_read_state *state = tevent_req_data(
687 req, struct nb_packet_read_state);
688 ssize_t nread;
689 int err;
691 nread = read_packet_recv(subreq, state, &state->buf, &err);
692 if (nread == -1) {
693 tevent_req_nterror(req, map_nt_error_from_unix(err));
694 return;
696 state->buflen = nread;
697 tevent_req_done(req);
700 NTSTATUS nb_packet_read_recv(struct tevent_req *req,
701 struct packet_struct **ppacket)
703 struct nb_packet_read_state *state = tevent_req_data(
704 req, struct nb_packet_read_state);
705 struct nb_packet_client_header hdr;
706 struct packet_struct *packet;
707 NTSTATUS status;
709 if (tevent_req_is_nterror(req, &status)) {
710 return status;
713 memcpy(&hdr, state->buf, sizeof(hdr));
715 packet = parse_packet(
716 (char *)state->buf + sizeof(struct nb_packet_client_header),
717 state->buflen - sizeof(struct nb_packet_client_header),
718 state->hdr.type, state->hdr.ip, state->hdr.port);
719 if (packet == NULL) {
720 return NT_STATUS_INVALID_NETWORK_RESPONSE;
722 *ppacket = packet;
723 return NT_STATUS_OK;