search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tiny refactoring
[Samba.git] / source / smbd / nttrans.c
blobd5abb372cfa938491fa99547b594d838443c07bf
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT transaction handling
4 Copyright (C) Jeremy Allison 1994-2007
5 Copyright (C) Stefan (metze) Metzmacher 2003
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern int max_send;
24 extern enum protocol_types Protocol;
25 extern struct current_user current_user;
26
27 static const char *known_nt_pipes[] = {
28 "\\LANMAN",
29 "\\srvsvc",
30 "\\samr",
31 "\\wkssvc",
32 "\\NETLOGON",
33 "\\ntlsa",
34 "\\ntsvcs",
35 "\\lsass",
36 "\\lsarpc",
37 "\\winreg",
38 "\\initshutdown",
39 "\\spoolss",
40 "\\netdfs",
41 "\\rpcecho",
42 "\\svcctl",
43 "\\eventlog",
44 "\\unixinfo",
45 NULL
46 };
47
48 static char *nttrans_realloc(char **ptr, size_t size)
49 {
50 if (ptr==NULL) {
51 smb_panic("nttrans_realloc() called with NULL ptr");
52 }
53
54 *ptr = (char *)SMB_REALLOC(*ptr, size);
55 if(*ptr == NULL) {
56 return NULL;
57 }
58 memset(*ptr,'\0',size);
59 return *ptr;
60 }
61
62 /****************************************************************************
63 Send the required number of replies back.
64 We assume all fields other than the data fields are
65 set correctly for the type of call.
66 HACK ! Always assumes smb_setup field is zero.
67 ****************************************************************************/
68
69 void send_nt_replies(struct smb_request *req, NTSTATUS nt_error,
70 char *params, int paramsize,
71 char *pdata, int datasize)
72 {
73 int data_to_send = datasize;
74 int params_to_send = paramsize;
75 int useable_space;
76 char *pp = params;
77 char *pd = pdata;
78 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
79 int alignment_offset = 3;
80 int data_alignment_offset = 0;
81
82 /*
83 * If there genuinely are no parameters or data to send just send
84 * the empty packet.
85 */
86
87 if(params_to_send == 0 && data_to_send == 0) {
88 reply_outbuf(req, 18, 0);
89 show_msg((char *)req->outbuf);
90 return;
91 }
92
93 /*
94 * When sending params and data ensure that both are nicely aligned.
95 * Only do this alignment when there is also data to send - else
96 * can cause NT redirector problems.
97 */
98
99 if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
100 data_alignment_offset = 4 - (params_to_send % 4);
101 }
102
103 /*
104 * Space is bufsize minus Netbios over TCP header minus SMB header.
105 * The alignment_offset is to align the param bytes on a four byte
106 * boundary (2 bytes for data len, one byte pad).
107 * NT needs this to work correctly.
108 */
109
110 useable_space = max_send - (smb_size
111 + 2 * 18 /* wct */
112 + alignment_offset
113 + data_alignment_offset);
114
115 /*
116 * useable_space can never be more than max_send minus the
117 * alignment offset.
118 */
119
120 useable_space = MIN(useable_space,
121 max_send - (alignment_offset+data_alignment_offset));
122
123
124 while (params_to_send || data_to_send) {
125
126 /*
127 * Calculate whether we will totally or partially fill this packet.
128 */
129
130 total_sent_thistime = params_to_send + data_to_send +
131 alignment_offset + data_alignment_offset;
132
133 /*
134 * We can never send more than useable_space.
135 */
136
137 total_sent_thistime = MIN(total_sent_thistime, useable_space);
138
139 reply_outbuf(req, 18, total_sent_thistime);
140
141 /*
142 * Set total params and data to be sent.
143 */
144
145 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
146 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
147
148 /*
149 * Calculate how many parameters and data we can fit into
150 * this packet. Parameters get precedence.
151 */
152
153 params_sent_thistime = MIN(params_to_send,useable_space);
154 data_sent_thistime = useable_space - params_sent_thistime;
155 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
156
157 SIVAL(req->outbuf, smb_ntr_ParameterCount,
158 params_sent_thistime);
159
160 if(params_sent_thistime == 0) {
161 SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
162 SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
163 } else {
164 /*
165 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
166 * parameter bytes, however the first 4 bytes of outbuf are
167 * the Netbios over TCP header. Thus use smb_base() to subtract
168 * them from the calculation.
169 */
170
171 SIVAL(req->outbuf,smb_ntr_ParameterOffset,
172 ((smb_buf(req->outbuf)+alignment_offset)
173 - smb_base(req->outbuf)));
174 /*
175 * Absolute displacement of param bytes sent in this packet.
176 */
177
178 SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
179 pp - params);
180 }
181
182 /*
183 * Deal with the data portion.
184 */
185
186 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
187
188 if(data_sent_thistime == 0) {
189 SIVAL(req->outbuf,smb_ntr_DataOffset,0);
190 SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
191 } else {
192 /*
193 * The offset of the data bytes is the offset of the
194 * parameter bytes plus the number of parameters being sent this time.
195 */
196
197 SIVAL(req->outbuf, smb_ntr_DataOffset,
198 ((smb_buf(req->outbuf)+alignment_offset) -
199 smb_base(req->outbuf))
200 + params_sent_thistime + data_alignment_offset);
201 SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
202 }
203
204 /*
205 * Copy the param bytes into the packet.
206 */
207
208 if(params_sent_thistime) {
209 if (alignment_offset != 0) {
210 memset(smb_buf(req->outbuf), 0,
211 alignment_offset);
212 }
213 memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
214 params_sent_thistime);
215 }
216
217 /*
218 * Copy in the data bytes
219 */
220
221 if(data_sent_thistime) {
222 if (data_alignment_offset != 0) {
223 memset((smb_buf(req->outbuf)+alignment_offset+
224 params_sent_thistime), 0,
225 data_alignment_offset);
226 }
227 memcpy(smb_buf(req->outbuf)+alignment_offset
228 +params_sent_thistime+data_alignment_offset,
229 pd,data_sent_thistime);
230 }
231
232 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
233 params_sent_thistime, data_sent_thistime, useable_space));
234 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
235 params_to_send, data_to_send, paramsize, datasize));
236
237 if (NT_STATUS_V(nt_error)) {
238 error_packet_set((char *)req->outbuf,
239 0, 0, nt_error,
240 __LINE__,__FILE__);
241 }
242
243 /* Send the packet */
244 show_msg((char *)req->outbuf);
245 if (!send_smb(smbd_server_fd(),(char *)req->outbuf)) {
246 exit_server_cleanly("send_nt_replies: send_smb failed.");
247 }
248
249 TALLOC_FREE(req->outbuf);
250
251 pp += params_sent_thistime;
252 pd += data_sent_thistime;
253
254 params_to_send -= params_sent_thistime;
255 data_to_send -= data_sent_thistime;
256
257 /*
258 * Sanity check
259 */
260
261 if(params_to_send < 0 || data_to_send < 0) {
262 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
263 params_to_send, data_to_send));
264 return;
265 }
266 }
267 }
268
269 /****************************************************************************
270 Is it an NTFS stream name ?
271 ****************************************************************************/
272
273 bool is_ntfs_stream_name(const char *fname)
274 {
275 if (lp_posix_pathnames()) {
276 return False;
277 }
278 return (strchr_m(fname, ':') != NULL) ? True : False;
279 }
280
281 struct case_semantics_state {
282 connection_struct *conn;
283 bool case_sensitive;
284 bool case_preserve;
285 bool short_case_preserve;
286 };
287
288 /****************************************************************************
289 Restore case semantics.
290 ****************************************************************************/
291 static int restore_case_semantics(struct case_semantics_state *state)
292 {
293 state->conn->case_sensitive = state->case_sensitive;
294 state->conn->case_preserve = state->case_preserve;
295 state->conn->short_case_preserve = state->short_case_preserve;
296 return 0;
297 }
298
299 /****************************************************************************
300 Save case semantics.
301 ****************************************************************************/
302 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
303 connection_struct *conn)
304 {
305 struct case_semantics_state *result;
306
307 if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
308 DEBUG(0, ("talloc failed\n"));
309 return NULL;
310 }
311
312 result->conn = conn;
313 result->case_sensitive = conn->case_sensitive;
314 result->case_preserve = conn->case_preserve;
315 result->short_case_preserve = conn->short_case_preserve;
316
317 /* Set to POSIX. */
318 conn->case_sensitive = True;
319 conn->case_preserve = True;
320 conn->short_case_preserve = True;
321
322 talloc_set_destructor(result, restore_case_semantics);
323
324 return result;
325 }
326
327 /****************************************************************************
328 Reply to an NT create and X call on a pipe
329 ****************************************************************************/
330
331 static void nt_open_pipe(char *fname, connection_struct *conn,
332 struct smb_request *req, int *ppnum)
333 {
334 smb_np_struct *p = NULL;
335 int i;
336
337 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
338
339 /* See if it is one we want to handle. */
340
341 if (lp_disable_spoolss() && strequal(fname, "\\spoolss")) {
342 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
343 ERRDOS, ERRbadpipe);
344 return;
345 }
346
347 for( i = 0; known_nt_pipes[i]; i++ ) {
348 if( strequal(fname,known_nt_pipes[i])) {
349 break;
350 }
351 }
352
353 if ( known_nt_pipes[i] == NULL ) {
354 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
355 ERRDOS, ERRbadpipe);
356 return;
357 }
358
359 /* Strip \\ off the name. */
360 fname++;
361
362 DEBUG(3,("nt_open_pipe: Known pipe %s opening.\n", fname));
363
364 p = open_rpc_pipe_p(fname, conn, req->vuid);
365 if (!p) {
366 reply_doserror(req, ERRSRV, ERRnofids);
367 return;
368 }
369
370 /* TODO: Add pipe to db */
371
372 if ( !store_pipe_opendb( p ) ) {
373 DEBUG(3,("nt_open_pipe: failed to store %s pipe open.\n", fname));
374 }
375
376 *ppnum = p->pnum;
377 return;
378 }
379
380 /****************************************************************************
381 Reply to an NT create and X call for pipes.
382 ****************************************************************************/
383
384 static void do_ntcreate_pipe_open(connection_struct *conn,
385 struct smb_request *req)
386 {
387 char *fname = NULL;
388 int pnum = -1;
389 char *p = NULL;
390 uint32 flags = IVAL(req->inbuf,smb_ntcreate_Flags);
391 TALLOC_CTX *ctx = talloc_tos();
392
393 srvstr_pull_buf_talloc(ctx, (char *)req->inbuf, req->flags2, &fname,
394 smb_buf(req->inbuf), STR_TERMINATE);
395
396 if (!fname) {
397 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
398 ERRDOS, ERRbadpipe);
399 return;
400 }
401 nt_open_pipe(fname, conn, req, &pnum);
402
403 if (req->outbuf) {
404 /* error reply */
405 return;
406 }
407
408 /*
409 * Deal with pipe return.
410 */
411
412 if (flags & EXTENDED_RESPONSE_REQUIRED) {
413 /* This is very strange. We
414 * return 50 words, but only set
415 * the wcnt to 42 ? It's definately
416 * what happens on the wire....
417 */
418 reply_outbuf(req, 50, 0);
419 SCVAL(req->outbuf,smb_wct,42);
420 } else {
421 reply_outbuf(req, 34, 0);
422 }
423
424 p = (char *)req->outbuf + smb_vwv2;
425 p++;
426 SSVAL(p,0,pnum);
427 p += 2;
428 SIVAL(p,0,FILE_WAS_OPENED);
429 p += 4;
430 p += 32;
431 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
432 p += 20;
433 /* File type. */
434 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
435 /* Device state. */
436 SSVAL(p,2, 0x5FF); /* ? */
437 p += 4;
438
439 if (flags & EXTENDED_RESPONSE_REQUIRED) {
440 p += 25;
441 SIVAL(p,0,FILE_GENERIC_ALL);
442 /*
443 * For pipes W2K3 seems to return
444 * 0x12019B next.
445 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
446 */
447 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
448 }
449
450 DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
451
452 chain_reply(req);
453 }
454
455 /****************************************************************************
456 Reply to an NT create and X call for a quota file.
457 ****************************************************************************/
458
459 static void reply_ntcreate_and_X_quota(connection_struct *conn,
460 struct smb_request *req,
461 enum FAKE_FILE_TYPE fake_file_type,
462 const char *fname)
463 {
464 char *p;
465 uint32 desired_access = IVAL(req->inbuf,smb_ntcreate_DesiredAccess);
466 files_struct *fsp;
467 NTSTATUS status;
468
469 status = open_fake_file(conn, fake_file_type, fname, desired_access,
470 &fsp);
471
472 if (!NT_STATUS_IS_OK(status)) {
473 reply_nterror(req, status);
474 return;
475 }
476
477 reply_outbuf(req, 34, 0);
478
479 p = (char *)req->outbuf + smb_vwv2;
480
481 /* SCVAL(p,0,NO_OPLOCK_RETURN); */
482 p++;
483 SSVAL(p,0,fsp->fnum);
484
485 DEBUG(5,("reply_ntcreate_and_X_quota: fnum = %d, open name = %s\n", fsp->fnum, fsp->fsp_name));
486
487 chain_reply(req);
488 }
489
490 /****************************************************************************
491 Reply to an NT create and X call.
492 ****************************************************************************/
493
494 void reply_ntcreate_and_X(connection_struct *conn,
495 struct smb_request *req)
496 {
497 char *fname = NULL;
498 uint32 flags;
499 uint32 access_mask;
500 uint32 file_attributes;
501 uint32 share_access;
502 uint32 create_disposition;
503 uint32 create_options;
504 uint16 root_dir_fid;
505 SMB_BIG_UINT allocation_size;
506 /* Breakout the oplock request bits so we can set the
507 reply bits separately. */
508 int oplock_request = 0;
509 uint32 fattr=0;
510 SMB_OFF_T file_len = 0;
511 SMB_STRUCT_STAT sbuf;
512 int info = 0;
513 files_struct *fsp = NULL;
514 char *p = NULL;
515 struct timespec c_timespec;
516 struct timespec a_timespec;
517 struct timespec m_timespec;
518 bool extended_oplock_granted = False;
519 NTSTATUS status;
520 struct case_semantics_state *case_state = NULL;
521 TALLOC_CTX *ctx = talloc_tos();
522
523 START_PROFILE(SMBntcreateX);
524
525 if (req->wct < 24) {
526 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
527 return;
528 }
529
530 flags = IVAL(req->inbuf,smb_ntcreate_Flags);
531 access_mask = IVAL(req->inbuf,smb_ntcreate_DesiredAccess);
532 file_attributes = IVAL(req->inbuf,smb_ntcreate_FileAttributes);
533 share_access = IVAL(req->inbuf,smb_ntcreate_ShareAccess);
534 create_disposition = IVAL(req->inbuf,smb_ntcreate_CreateDisposition);
535 create_options = IVAL(req->inbuf,smb_ntcreate_CreateOptions);
536 root_dir_fid = (uint16)IVAL(req->inbuf,smb_ntcreate_RootDirectoryFid);
537
538 allocation_size = (SMB_BIG_UINT)IVAL(req->inbuf,smb_ntcreate_AllocationSize);
539 #ifdef LARGE_SMB_OFF_T
540 allocation_size |= (((SMB_BIG_UINT)IVAL(req->inbuf,smb_ntcreate_AllocationSize + 4)) << 32);
541 #endif
542
543 DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
544 "file_attributes = 0x%x, share_access = 0x%x, "
545 "create_disposition = 0x%x create_options = 0x%x "
546 "root_dir_fid = 0x%x\n",
547 (unsigned int)flags,
548 (unsigned int)access_mask,
549 (unsigned int)file_attributes,
550 (unsigned int)share_access,
551 (unsigned int)create_disposition,
552 (unsigned int)create_options,
553 (unsigned int)root_dir_fid ));
554
555 /*
556 * If it's an IPC, use the pipe handler.
557 */
558
559 if (IS_IPC(conn)) {
560 if (lp_nt_pipe_support()) {
561 do_ntcreate_pipe_open(conn, req);
562 END_PROFILE(SMBntcreateX);
563 return;
564 } else {
565 reply_doserror(req, ERRDOS, ERRnoaccess);
566 END_PROFILE(SMBntcreateX);
567 return;
568 }
569 }
570
571 if (create_options & FILE_OPEN_BY_FILE_ID) {
572 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
573 END_PROFILE(SMBntcreateX);
574 return;
575 }
576
577 /*
578 * Get the file name.
579 */
580
581 if(root_dir_fid != 0) {
582 /*
583 * This filename is relative to a directory fid.
584 */
585 char *rel_fname = NULL;
586 files_struct *dir_fsp = file_fsp(
587 SVAL(req->inbuf, smb_ntcreate_RootDirectoryFid));
588
589 if(!dir_fsp) {
590 reply_doserror(req, ERRDOS, ERRbadfid);
591 END_PROFILE(SMBntcreateX);
592 return;
593 }
594
595 if(!dir_fsp->is_directory) {
596
597 srvstr_get_path(ctx, (char *)req->inbuf,
598 req->flags2, &fname,
599 smb_buf(req->inbuf), 0,
600 STR_TERMINATE, &status);
601 if (!NT_STATUS_IS_OK(status)) {
602 reply_nterror(req, status);
603 END_PROFILE(SMBntcreateX);
604 return;
605 }
606
607 /*
608 * Check to see if this is a mac fork of some kind.
609 */
610
611 if( is_ntfs_stream_name(fname)) {
612 reply_nterror(
613 req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
614 END_PROFILE(SMBntcreateX);
615 return;
616 }
617
618 /*
619 we need to handle the case when we get a
620 relative open relative to a file and the
621 pathname is blank - this is a reopen!
622 (hint from demyn plantenberg)
623 */
624
625 reply_doserror(req, ERRDOS, ERRbadfid);
626 END_PROFILE(SMBntcreateX);
627 return;
628 }
629
630 if (ISDOT(dir_fsp->fsp_name)) {
631 /*
632 * We're at the toplevel dir, the final file name
633 * must not contain ./, as this is filtered out
634 * normally by srvstr_get_path and unix_convert
635 * explicitly rejects paths containing ./.
636 */
637 fname = talloc_strdup(ctx,"");
638 if (!fname) {
639 reply_nterror(req, NT_STATUS_NO_MEMORY);
640 END_PROFILE(SMBntcreateX);
641 return;
642 }
643 } else {
644 size_t dir_name_len = strlen(dir_fsp->fsp_name);
645
646 /*
647 * Copy in the base directory name.
648 */
649
650 fname = TALLOC_ARRAY(ctx, char, dir_name_len+2);
651 if (!fname) {
652 reply_nterror(
653 req, NT_STATUS_NO_MEMORY);
654 END_PROFILE(SMBntcreateX);
655 return;
656 }
657 memcpy(fname, dir_fsp->fsp_name, dir_name_len+1);
658
659 /*
660 * Ensure it ends in a '/'.
661 * We used TALLOC_SIZE +2 to add space for the '/'.
662 */
663
664 if(dir_name_len &&
665 (fname[dir_name_len-1] != '\\') &&
666 (fname[dir_name_len-1] != '/')) {
667 fname[dir_name_len] = '/';
668 fname[dir_name_len+1] = '\0';
669 }
670 }
671
672 srvstr_get_path(ctx, (char *)req->inbuf, req->flags2, &rel_fname,
673 smb_buf(req->inbuf), 0,
674 STR_TERMINATE, &status);
675 if (!NT_STATUS_IS_OK(status)) {
676 reply_nterror(req, status);
677 END_PROFILE(SMBntcreateX);
678 return;
679 }
680 fname = talloc_asprintf(ctx, "%s%s",
681 fname,
682 rel_fname);
683 if (!fname) {
684 reply_nterror(
685 req, NT_STATUS_NO_MEMORY);
686 END_PROFILE(SMBntcreateX);
687 return;
688 }
689 } else {
690 srvstr_get_path(ctx, (char *)req->inbuf, req->flags2, &fname,
691 smb_buf(req->inbuf), 0,
692 STR_TERMINATE, &status);
693 if (!NT_STATUS_IS_OK(status)) {
694 reply_nterror(req, status);
695 END_PROFILE(SMBntcreateX);
696 return;
697 }
698
699 /*
700 * Check to see if this is a mac fork of some kind.
701 */
702
703 if( is_ntfs_stream_name(fname)) {
704 enum FAKE_FILE_TYPE fake_file_type = is_fake_file(fname);
705 if (fake_file_type!=FAKE_FILE_TYPE_NONE) {
706 /*
707 * Here we go! support for changing the disk quotas --metze
708 *
709 * We need to fake up to open this MAGIC QUOTA file
710 * and return a valid FID.
711 *
712 * w2k close this file directly after openening
713 * xp also tries a QUERY_FILE_INFO on the file and then close it
714 */
715 reply_ntcreate_and_X_quota(conn, req,
716 fake_file_type, fname);
717 } else {
718 reply_nterror(req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
719 }
720 END_PROFILE(SMBntcreateX);
721 return;
722 }
723 }
724
725 /*
726 * Now contruct the smb_open_mode value from the filename,
727 * desired access and the share access.
728 */
729 status = resolve_dfspath(ctx, conn,
730 req->flags2 & FLAGS2_DFS_PATHNAMES,
731 fname,
732 &fname);
733 if (!NT_STATUS_IS_OK(status)) {
734 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
735 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
736 ERRSRV, ERRbadpath);
737 }
738 else {
739 reply_nterror(req, status);
740 }
741 END_PROFILE(SMBntcreateX);
742 return;
743 }
744
745 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
746 if (oplock_request) {
747 oplock_request |= (flags & REQUEST_BATCH_OPLOCK) ? BATCH_OPLOCK : 0;
748 }
749
750 /*
751 * Ordinary file or directory.
752 */
753
754 /*
755 * Check if POSIX semantics are wanted.
756 */
757
758 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
759 case_state = set_posix_case_semantics(NULL, conn);
760 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
761 }
762
763 status = unix_convert(ctx, conn, fname, False, &fname, NULL, &sbuf);
764 if (!NT_STATUS_IS_OK(status)) {
765 TALLOC_FREE(case_state);
766 reply_nterror(req, status);
767 END_PROFILE(SMBntcreateX);
768 return;
769 }
770 /* All file access must go through check_name() */
771 status = check_name(conn, fname);
772 if (!NT_STATUS_IS_OK(status)) {
773 TALLOC_FREE(case_state);
774 reply_nterror(req, status);
775 END_PROFILE(SMBntcreateX);
776 return;
777 }
778
779 /* This is the correct thing to do (check every time) but can_delete is
780 expensive (it may have to read the parent directory permissions). So
781 for now we're not doing it unless we have a strong hint the client
782 is really going to delete this file. If the client is forcing FILE_CREATE
783 let the filesystem take care of the permissions. */
784
785 /* Setting FILE_SHARE_DELETE is the hint. */
786
787 if (lp_acl_check_permissions(SNUM(conn))
788 && (create_disposition != FILE_CREATE)
789 && (share_access & FILE_SHARE_DELETE)
790 && (access_mask & DELETE_ACCESS)) {
791 if (((dos_mode(conn, fname, &sbuf) & FILE_ATTRIBUTE_READONLY)
792 && !lp_delete_readonly(SNUM(conn))) ||
793 !can_delete_file_in_directory(conn, fname)) {
794 TALLOC_FREE(case_state);
795 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
796 END_PROFILE(SMBntcreateX);
797 return;
798 }
799 }
800
801 #if 0
802 /* We need to support SeSecurityPrivilege for this. */
803 if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) &&
804 !user_has_privileges(current_user.nt_user_token,
805 &se_security)) {
806 TALLOC_FREE(case_state);
807 END_PROFILE(SMBntcreateX);
808 return ERROR_NT(NT_STATUS_PRIVILEGE_NOT_HELD);
809 }
810 #endif
811
812 /*
813 * If it's a request for a directory open, deal with it separately.
814 */
815
816 if(create_options & FILE_DIRECTORY_FILE) {
817
818 /* Can't open a temp directory. IFS kit test. */
819 if (file_attributes & FILE_ATTRIBUTE_TEMPORARY) {
820 TALLOC_FREE(case_state);
821 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
822 END_PROFILE(SMBntcreateX);
823 return;
824 }
825
826 oplock_request = 0;
827 status = open_directory(conn, req, fname, &sbuf,
828 access_mask,
829 share_access,
830 create_disposition,
831 create_options,
832 file_attributes,
833 &info, &fsp);
834
835 } else {
836
837 /*
838 * Ordinary file case.
839 */
840
841 /* NB. We have a potential bug here. If we
842 * cause an oplock break to ourselves, then we
843 * could end up processing filename related
844 * SMB requests whilst we await the oplock
845 * break response. As we may have changed the
846 * filename case semantics to be POSIX-like,
847 * this could mean a filename request could
848 * fail when it should succeed. This is a rare
849 * condition, but eventually we must arrange
850 * to restore the correct case semantics
851 * before issuing an oplock break request to
852 * our client. JRA. */
853
854 status = open_file_ntcreate(conn, req, fname, &sbuf,
855 access_mask,
856 share_access,
857 create_disposition,
858 create_options,
859 file_attributes,
860 oplock_request,
861 &info, &fsp);
862
863 /* We cheat here. There are two cases we
864 * care about. One is a directory rename,
865 * where the NT client will attempt to
866 * open the source directory for
867 * DELETE access. Note that when the
868 * NT client does this it does *not*
869 * set the directory bit in the
870 * request packet. This is translated
871 * into a read/write open
872 * request. POSIX states that any open
873 * for write request on a directory
874 * will generate an EISDIR error, so
875 * we can catch this here and open a
876 * pseudo handle that is flagged as a
877 * directory. The second is an open
878 * for a permissions read only, which
879 * we handle in the open_file_stat case. JRA.
880 */
881
882 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_IS_A_DIRECTORY)) {
883
884 /*
885 * Fail the open if it was explicitly a non-directory
886 * file.
887 */
888
889 if (create_options & FILE_NON_DIRECTORY_FILE) {
890 TALLOC_FREE(case_state);
891 reply_force_nterror(req,
892 NT_STATUS_FILE_IS_A_DIRECTORY);
893 END_PROFILE(SMBntcreateX);
894 return;
895 }
896
897 oplock_request = 0;
898 status = open_directory(conn, req, fname,
899 &sbuf,
900 access_mask,
901 share_access,
902 create_disposition,
903 create_options,
904 file_attributes,
905 &info, &fsp);
906 }
907 }
908
909 TALLOC_FREE(case_state);
910
911 if (!NT_STATUS_IS_OK(status)) {
912 if (open_was_deferred(req->mid)) {
913 /* We have re-scheduled this call. */
914 END_PROFILE(SMBntcreateX);
915 return;
916 }
917 reply_openerror(req, status);
918 END_PROFILE(SMBntcreateX);
919 return;
920 }
921
922 file_len = sbuf.st_size;
923 fattr = dos_mode(conn,fname,&sbuf);
924 if(fattr == 0) {
925 fattr = FILE_ATTRIBUTE_NORMAL;
926 }
927 if (!fsp->is_directory && (fattr & aDIR)) {
928 close_file(fsp,ERROR_CLOSE);
929 reply_doserror(req, ERRDOS, ERRnoaccess);
930 END_PROFILE(SMBntcreateX);
931 return;
932 }
933
934 /* Save the requested allocation size. */
935 if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) {
936 if (allocation_size && (allocation_size > (SMB_BIG_UINT)file_len)) {
937 fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size);
938 if (fsp->is_directory) {
939 close_file(fsp,ERROR_CLOSE);
940 /* Can't set allocation size on a directory. */
941 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
942 END_PROFILE(SMBntcreateX);
943 return;
944 }
945 if (vfs_allocate_file_space(fsp, fsp->initial_allocation_size) == -1) {
946 close_file(fsp,ERROR_CLOSE);
947 reply_nterror(req, NT_STATUS_DISK_FULL);
948 END_PROFILE(SMBntcreateX);
949 return;
950 }
951 } else {
952 fsp->initial_allocation_size = smb_roundup(fsp->conn,(SMB_BIG_UINT)file_len);
953 }
954 }
955
956 /*
957 * If the caller set the extended oplock request bit
958 * and we granted one (by whatever means) - set the
959 * correct bit for extended oplock reply.
960 */
961
962 if (oplock_request && lp_fake_oplocks(SNUM(conn))) {
963 extended_oplock_granted = True;
964 }
965
966 if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
967 extended_oplock_granted = True;
968 }
969
970 if (flags & EXTENDED_RESPONSE_REQUIRED) {
971 /* This is very strange. We
972 * return 50 words, but only set
973 * the wcnt to 42 ? It's definately
974 * what happens on the wire....
975 */
976 reply_outbuf(req, 50, 0);
977 SCVAL(req->outbuf,smb_wct,42);
978 } else {
979 reply_outbuf(req, 34, 0);
980 }
981
982 p = (char *)req->outbuf + smb_vwv2;
983
984 /*
985 * Currently as we don't support level II oplocks we just report
986 * exclusive & batch here.
987 */
988
989 if (extended_oplock_granted) {
990 if (flags & REQUEST_BATCH_OPLOCK) {
991 SCVAL(p,0, BATCH_OPLOCK_RETURN);
992 } else {
993 SCVAL(p,0, EXCLUSIVE_OPLOCK_RETURN);
994 }
995 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
996 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
997 } else {
998 SCVAL(p,0,NO_OPLOCK_RETURN);
999 }
1000
1001 p++;
1002 SSVAL(p,0,fsp->fnum);
1003 p += 2;
1004 if ((create_disposition == FILE_SUPERSEDE) && (info == FILE_WAS_OVERWRITTEN)) {
1005 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1006 } else {
1007 SIVAL(p,0,info);
1008 }
1009 p += 4;
1010
1011 /* Create time. */
1012 c_timespec = get_create_timespec(&sbuf,lp_fake_dir_create_times(SNUM(conn)));
1013 a_timespec = get_atimespec(&sbuf);
1014 m_timespec = get_mtimespec(&sbuf);
1015
1016 if (lp_dos_filetime_resolution(SNUM(conn))) {
1017 dos_filetime_timespec(&c_timespec);
1018 dos_filetime_timespec(&a_timespec);
1019 dos_filetime_timespec(&m_timespec);
1020 }
1021
1022 put_long_date_timespec(p, c_timespec); /* create time. */
1023 p += 8;
1024 put_long_date_timespec(p, a_timespec); /* access time */
1025 p += 8;
1026 put_long_date_timespec(p, m_timespec); /* write time */
1027 p += 8;
1028 put_long_date_timespec(p, m_timespec); /* change time */
1029 p += 8;
1030 SIVAL(p,0,fattr); /* File Attributes. */
1031 p += 4;
1032 SOFF_T(p, 0, get_allocation_size(conn,fsp,&sbuf));
1033 p += 8;
1034 SOFF_T(p,0,file_len);
1035 p += 8;
1036 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1037 SSVAL(p,2,0x7);
1038 }
1039 p += 4;
1040 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1041
1042 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1043 uint32 perms = 0;
1044 p += 25;
1045 if (fsp->is_directory || can_write_to_file(conn, fname, &sbuf)) {
1046 perms = FILE_GENERIC_ALL;
1047 } else {
1048 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1049 }
1050 SIVAL(p,0,perms);
1051 }
1052
1053 DEBUG(5,("reply_ntcreate_and_X: fnum = %d, open name = %s\n", fsp->fnum, fsp->fsp_name));
1054
1055 chain_reply(req);
1056 END_PROFILE(SMBntcreateX);
1057 return;
1058 }
1059
1060 /****************************************************************************
1061 Reply to a NT_TRANSACT_CREATE call to open a pipe.
1062 ****************************************************************************/
1063
1064 static void do_nt_transact_create_pipe(connection_struct *conn,
1065 struct smb_request *req,
1066 uint16 **ppsetup, uint32 setup_count,
1067 char **ppparams, uint32 parameter_count,
1068 char **ppdata, uint32 data_count)
1069 {
1070 char *fname = NULL;
1071 char *params = *ppparams;
1072 int pnum = -1;
1073 char *p = NULL;
1074 NTSTATUS status;
1075 size_t param_len;
1076 uint32 flags;
1077 TALLOC_CTX *ctx = talloc_tos();
1078
1079 /*
1080 * Ensure minimum number of parameters sent.
1081 */
1082
1083 if(parameter_count < 54) {
1084 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1085 reply_doserror(req, ERRDOS, ERRnoaccess);
1086 return;
1087 }
1088
1089 flags = IVAL(params,0);
1090
1091 srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
1092 parameter_count-53, STR_TERMINATE,
1093 &status);
1094 if (!NT_STATUS_IS_OK(status)) {
1095 reply_nterror(req, status);
1096 return;
1097 }
1098
1099 nt_open_pipe(fname, conn, req, &pnum);
1100
1101 if (req->outbuf) {
1102 /* Error return */
1103 return;
1104 }
1105
1106 /* Realloc the size of parameters and data we will return */
1107 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1108 /* Extended response is 32 more byyes. */
1109 param_len = 101;
1110 } else {
1111 param_len = 69;
1112 }
1113 params = nttrans_realloc(ppparams, param_len);
1114 if(params == NULL) {
1115 reply_doserror(req, ERRDOS, ERRnomem);
1116 return;
1117 }
1118
1119 p = params;
1120 SCVAL(p,0,NO_OPLOCK_RETURN);
1121
1122 p += 2;
1123 SSVAL(p,0,pnum);
1124 p += 2;
1125 SIVAL(p,0,FILE_WAS_OPENED);
1126 p += 8;
1127
1128 p += 32;
1129 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
1130 p += 20;
1131 /* File type. */
1132 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
1133 /* Device state. */
1134 SSVAL(p,2, 0x5FF); /* ? */
1135 p += 4;
1136
1137 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1138 p += 25;
1139 SIVAL(p,0,FILE_GENERIC_ALL);
1140 /*
1141 * For pipes W2K3 seems to return
1142 * 0x12019B next.
1143 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
1144 */
1145 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
1146 }
1147
1148 DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
1149
1150 /* Send the required number of replies */
1151 send_nt_replies(req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1152
1153 return;
1154 }
1155
1156 /****************************************************************************
1157 Internal fn to set security descriptors.
1158 ****************************************************************************/
1159
1160 static NTSTATUS set_sd(files_struct *fsp, char *data, uint32 sd_len, uint32 security_info_sent)
1161 {
1162 prs_struct pd;
1163 SEC_DESC *psd = NULL;
1164 TALLOC_CTX *mem_ctx;
1165 NTSTATUS status;
1166
1167 if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
1168 return NT_STATUS_OK;
1169 }
1170
1171 /*
1172 * Init the parse struct we will unmarshall from.
1173 */
1174
1175 if ((mem_ctx = talloc_init("set_sd")) == NULL) {
1176 DEBUG(0,("set_sd: talloc_init failed.\n"));
1177 return NT_STATUS_NO_MEMORY;
1178 }
1179
1180 prs_init(&pd, 0, mem_ctx, UNMARSHALL);
1181
1182 /*
1183 * Setup the prs_struct to point at the memory we just
1184 * allocated.
1185 */
1186
1187 prs_give_memory( &pd, data, sd_len, False);
1188
1189 /*
1190 * Finally, unmarshall from the data buffer.
1191 */
1192
1193 if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
1194 DEBUG(0,("set_sd: Error in unmarshalling security descriptor.\n"));
1195 /*
1196 * Return access denied for want of a better error message..
1197 */
1198 talloc_destroy(mem_ctx);
1199 return NT_STATUS_NO_MEMORY;
1200 }
1201
1202 if (psd->owner_sid==0) {
1203 security_info_sent &= ~OWNER_SECURITY_INFORMATION;
1204 }
1205 if (psd->group_sid==0) {
1206 security_info_sent &= ~GROUP_SECURITY_INFORMATION;
1207 }
1208 if (psd->sacl==0) {
1209 security_info_sent &= ~SACL_SECURITY_INFORMATION;
1210 }
1211 if (psd->dacl==0) {
1212 security_info_sent &= ~DACL_SECURITY_INFORMATION;
1213 }
1214
1215 status = SMB_VFS_FSET_NT_ACL( fsp, fsp->fh->fd, security_info_sent, psd);
1216
1217 talloc_destroy(mem_ctx);
1218 return status;
1219 }
1220
1221 /****************************************************************************
1222 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
1223 ****************************************************************************/
1224
1225 static struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
1226 {
1227 struct ea_list *ea_list_head = NULL;
1228 size_t offset = 0;
1229
1230 if (data_size < 4) {
1231 return NULL;
1232 }
1233
1234 while (offset + 4 <= data_size) {
1235 size_t next_offset = IVAL(pdata,offset);
1236 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
1237
1238 if (!eal) {
1239 return NULL;
1240 }
1241
1242 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
1243 if (next_offset == 0) {
1244 break;
1245 }
1246 offset += next_offset;
1247 }
1248
1249 return ea_list_head;
1250 }
1251
1252 /****************************************************************************
1253 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1254 ****************************************************************************/
1255
1256 static void call_nt_transact_create(connection_struct *conn,
1257 struct smb_request *req,
1258 uint16 **ppsetup, uint32 setup_count,
1259 char **ppparams, uint32 parameter_count,
1260 char **ppdata, uint32 data_count,
1261 uint32 max_data_count)
1262 {
1263 char *fname = NULL;
1264 char *params = *ppparams;
1265 char *data = *ppdata;
1266 /* Breakout the oplock request bits so we can set the reply bits separately. */
1267 int oplock_request = 0;
1268 uint32 fattr=0;
1269 SMB_OFF_T file_len = 0;
1270 SMB_STRUCT_STAT sbuf;
1271 int info = 0;
1272 files_struct *fsp = NULL;
1273 char *p = NULL;
1274 bool extended_oplock_granted = False;
1275 uint32 flags;
1276 uint32 access_mask;
1277 uint32 file_attributes;
1278 uint32 share_access;
1279 uint32 create_disposition;
1280 uint32 create_options;
1281 uint32 sd_len;
1282 uint32 ea_len;
1283 uint16 root_dir_fid;
1284 struct timespec c_timespec;
1285 struct timespec a_timespec;
1286 struct timespec m_timespec;
1287 struct ea_list *ea_list = NULL;
1288 char *pdata = NULL;
1289 NTSTATUS status;
1290 size_t param_len;
1291 struct case_semantics_state *case_state = NULL;
1292 SMB_BIG_UINT allocation_size;
1293 TALLOC_CTX *ctx = talloc_tos();
1294
1295 DEBUG(5,("call_nt_transact_create\n"));
1296
1297 /*
1298 * If it's an IPC, use the pipe handler.
1299 */
1300
1301 if (IS_IPC(conn)) {
1302 if (lp_nt_pipe_support()) {
1303 do_nt_transact_create_pipe(
1304 conn, req,
1305 ppsetup, setup_count,
1306 ppparams, parameter_count,
1307 ppdata, data_count);
1308 return;
1309 } else {
1310 reply_doserror(req, ERRDOS, ERRnoaccess);
1311 return;
1312 }
1313 }
1314
1315 /*
1316 * Ensure minimum number of parameters sent.
1317 */
1318
1319 if(parameter_count < 54) {
1320 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1321 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1322 return;
1323 }
1324
1325 flags = IVAL(params,0);
1326 access_mask = IVAL(params,8);
1327 file_attributes = IVAL(params,20);
1328 share_access = IVAL(params,24);
1329 create_disposition = IVAL(params,28);
1330 create_options = IVAL(params,32);
1331 sd_len = IVAL(params,36);
1332 ea_len = IVAL(params,40);
1333 root_dir_fid = (uint16)IVAL(params,4);
1334 allocation_size = (SMB_BIG_UINT)IVAL(params,12);
1335 #ifdef LARGE_SMB_OFF_T
1336 allocation_size |= (((SMB_BIG_UINT)IVAL(params,16)) << 32);
1337 #endif
1338
1339 /* Ensure the data_len is correct for the sd and ea values given. */
1340 if ((ea_len + sd_len > data_count) ||
1341 (ea_len > data_count) || (sd_len > data_count) ||
1342 (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1343 DEBUG(10,("call_nt_transact_create - ea_len = %u, sd_len = %u, data_count = %u\n",
1344 (unsigned int)ea_len, (unsigned int)sd_len, (unsigned int)data_count ));
1345 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1346 return;
1347 }
1348
1349 if (ea_len) {
1350 if (!lp_ea_support(SNUM(conn))) {
1351 DEBUG(10,("call_nt_transact_create - ea_len = %u but EA's not supported.\n",
1352 (unsigned int)ea_len ));
1353 reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1354 return;
1355 }
1356
1357 if (ea_len < 10) {
1358 DEBUG(10,("call_nt_transact_create - ea_len = %u - too small (should be more than 10)\n",
1359 (unsigned int)ea_len ));
1360 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1361 return;
1362 }
1363 }
1364
1365 if (create_options & FILE_OPEN_BY_FILE_ID) {
1366 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
1367 return;
1368 }
1369
1370 /*
1371 * Get the file name.
1372 */
1373
1374 if(root_dir_fid != 0) {
1375 /*
1376 * This filename is relative to a directory fid.
1377 */
1378 char *tmpname = NULL;
1379 files_struct *dir_fsp = file_fsp(SVAL(params,4));
1380
1381 if(!dir_fsp) {
1382 reply_doserror(req, ERRDOS, ERRbadfid);
1383 return;
1384 }
1385
1386 if(!dir_fsp->is_directory) {
1387 srvstr_get_path(ctx, params, req->flags2, &fname,
1388 params+53,
1389 parameter_count-53, STR_TERMINATE,
1390 &status);
1391 if (!NT_STATUS_IS_OK(status)) {
1392 reply_nterror(req, status);
1393 return;
1394 }
1395
1396 /*
1397 * Check to see if this is a mac fork of some kind.
1398 */
1399
1400 if( is_ntfs_stream_name(fname)) {
1401 reply_nterror(req,
1402 NT_STATUS_OBJECT_PATH_NOT_FOUND);
1403 return;
1404 }
1405
1406 reply_doserror(req, ERRDOS, ERRbadfid);
1407 return;
1408 }
1409
1410 if (ISDOT(dir_fsp->fsp_name)) {
1411 /*
1412 * We're at the toplevel dir, the final file name
1413 * must not contain ./, as this is filtered out
1414 * normally by srvstr_get_path and unix_convert
1415 * explicitly rejects paths containing ./.
1416 */
1417 fname = talloc_strdup(ctx,"");
1418 if (!fname) {
1419 reply_nterror(req, NT_STATUS_NO_MEMORY);
1420 return;
1421 }
1422 } else {
1423 size_t dir_name_len = strlen(dir_fsp->fsp_name);
1424
1425 /*
1426 * Copy in the base directory name.
1427 */
1428
1429 fname = TALLOC_ARRAY(ctx, char, dir_name_len+2);
1430 if (!fname) {
1431 reply_nterror(req, NT_STATUS_NO_MEMORY);
1432 return;
1433 }
1434 memcpy(fname, dir_fsp->fsp_name, dir_name_len+1);
1435
1436 /*
1437 * Ensure it ends in a '/'.
1438 * We used TALLOC_SIZE +2 to add space for the '/'.
1439 */
1440
1441 if(dir_name_len &&
1442 (fname[dir_name_len-1] != '\\') &&
1443 (fname[dir_name_len-1] != '/')) {
1444 fname[dir_name_len] = '/';
1445 fname[dir_name_len+1] = '\0';
1446 }
1447 }
1448
1449 srvstr_get_path(ctx, params, req->flags2, &tmpname,
1450 params+53,
1451 parameter_count-53, STR_TERMINATE,
1452 &status);
1453 if (!NT_STATUS_IS_OK(status)) {
1454 reply_nterror(req, status);
1455 return;
1456 }
1457 fname = talloc_asprintf(ctx, "%s%s",
1458 fname,
1459 tmpname);
1460 if (!fname) {
1461 reply_nterror(
1462 req, NT_STATUS_NO_MEMORY);
1463 return;
1464 }
1465 } else {
1466 srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
1467 parameter_count-53,
1468 STR_TERMINATE, &status);
1469 if (!NT_STATUS_IS_OK(status)) {
1470 reply_nterror(req, status);
1471 return;
1472 }
1473
1474 /*
1475 * Check to see if this is a mac fork of some kind.
1476 */
1477
1478 if( is_ntfs_stream_name(fname)) {
1479 reply_nterror(req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
1480 return;
1481 }
1482 }
1483
1484 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1485 if (oplock_request) {
1486 oplock_request |= (flags & REQUEST_BATCH_OPLOCK) ? BATCH_OPLOCK : 0;
1487 }
1488
1489 /*
1490 * Ordinary file or directory.
1491 */
1492
1493 /*
1494 * Check if POSIX semantics are wanted.
1495 */
1496
1497 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1498 case_state = set_posix_case_semantics(NULL, conn);
1499 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1500 }
1501
1502 status = resolve_dfspath(ctx, conn,
1503 req->flags2 & FLAGS2_DFS_PATHNAMES,
1504 fname,
1505 &fname);
1506 if (!NT_STATUS_IS_OK(status)) {
1507 TALLOC_FREE(case_state);
1508 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1509 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
1510 ERRSRV, ERRbadpath);
1511 return;
1512 }
1513 reply_nterror(req, status);
1514 return;
1515 }
1516
1517 status = unix_convert(ctx, conn, fname, False, &fname, NULL, &sbuf);
1518 if (!NT_STATUS_IS_OK(status)) {
1519 TALLOC_FREE(case_state);
1520 reply_nterror(req, status);
1521 return;
1522 }
1523 /* All file access must go through check_name() */
1524 status = check_name(conn, fname);
1525 if (!NT_STATUS_IS_OK(status)) {
1526 TALLOC_FREE(case_state);
1527 reply_nterror(req, status);
1528 return;
1529 }
1530
1531 /* This is the correct thing to do (check every time) but can_delete is
1532 expensive (it may have to read the parent directory permissions). So
1533 for now we're not doing it unless we have a strong hint the client
1534 is really going to delete this file. If the client is forcing FILE_CREATE
1535 let the filesystem take care of the permissions. */
1536
1537 /* Setting FILE_SHARE_DELETE is the hint. */
1538
1539 if (lp_acl_check_permissions(SNUM(conn))
1540 && (create_disposition != FILE_CREATE)
1541 && (share_access & FILE_SHARE_DELETE)
1542 && (access_mask & DELETE_ACCESS)) {
1543 if (((dos_mode(conn, fname, &sbuf) & FILE_ATTRIBUTE_READONLY)
1544 && !lp_delete_readonly(SNUM(conn))) ||
1545 !can_delete_file_in_directory(conn, fname)) {
1546 TALLOC_FREE(case_state);
1547 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1548 return;
1549 }
1550 }
1551
1552 #if 0
1553 /* We need to support SeSecurityPrivilege for this. */
1554 if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) &&
1555 !user_has_privileges(current_user.nt_user_token,
1556 &se_security)) {
1557 TALLOC_FREE(case_state);
1558 reply_nterror(req, NT_STATUS_PRIVILEGE_NOT_HELD);
1559 return;
1560 }
1561 #endif
1562
1563 if (ea_len) {
1564 pdata = data + sd_len;
1565
1566 /* We have already checked that ea_len <= data_count here. */
1567 ea_list = read_nttrans_ea_list(talloc_tos(), pdata,
1568 ea_len);
1569 if (!ea_list ) {
1570 TALLOC_FREE(case_state);
1571 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1572 return;
1573 }
1574 }
1575
1576 /*
1577 * If it's a request for a directory open, deal with it separately.
1578 */
1579
1580 if(create_options & FILE_DIRECTORY_FILE) {
1581
1582 /* Can't open a temp directory. IFS kit test. */
1583 if (file_attributes & FILE_ATTRIBUTE_TEMPORARY) {
1584 TALLOC_FREE(case_state);
1585 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1586 return;
1587 }
1588
1589 /*
1590 * We will get a create directory here if the Win32
1591 * app specified a security descriptor in the
1592 * CreateDirectory() call.
1593 */
1594
1595 oplock_request = 0;
1596 status = open_directory(conn, req, fname, &sbuf,
1597 access_mask,
1598 share_access,
1599 create_disposition,
1600 create_options,
1601 file_attributes,
1602 &info, &fsp);
1603 } else {
1604
1605 /*
1606 * Ordinary file case.
1607 */
1608
1609 status = open_file_ntcreate(conn,req,fname,&sbuf,
1610 access_mask,
1611 share_access,
1612 create_disposition,
1613 create_options,
1614 file_attributes,
1615 oplock_request,
1616 &info, &fsp);
1617
1618 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_IS_A_DIRECTORY)) {
1619
1620 /*
1621 * Fail the open if it was explicitly a non-directory file.
1622 */
1623
1624 if (create_options & FILE_NON_DIRECTORY_FILE) {
1625 TALLOC_FREE(case_state);
1626 reply_force_nterror(
1627 req,
1628 NT_STATUS_FILE_IS_A_DIRECTORY);
1629 return;
1630 }
1631
1632 oplock_request = 0;
1633 status = open_directory(conn, req, fname,
1634 &sbuf,
1635 access_mask,
1636 share_access,
1637 create_disposition,
1638 create_options,
1639 file_attributes,
1640 &info, &fsp);
1641 }
1642 }
1643
1644 TALLOC_FREE(case_state);
1645
1646 if(!NT_STATUS_IS_OK(status)) {
1647 if (open_was_deferred(req->mid)) {
1648 /* We have re-scheduled this call. */
1649 return;
1650 }
1651 reply_openerror(req, status);
1652 return;
1653 }
1654
1655 /*
1656 * According to the MS documentation, the only time the security
1657 * descriptor is applied to the opened file is iff we *created* the
1658 * file; an existing file stays the same.
1659 *
1660 * Also, it seems (from observation) that you can open the file with
1661 * any access mask but you can still write the sd. We need to override
1662 * the granted access before we call set_sd
1663 * Patch for bug #2242 from Tom Lackemann <cessnatomny@yahoo.com>.
1664 */
1665
1666 if (lp_nt_acl_support(SNUM(conn)) && sd_len && info == FILE_WAS_CREATED) {
1667 uint32 saved_access_mask = fsp->access_mask;
1668
1669 /* We have already checked that sd_len <= data_count here. */
1670
1671 fsp->access_mask = FILE_GENERIC_ALL;
1672
1673 status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION);
1674 if (!NT_STATUS_IS_OK(status)) {
1675 close_file(fsp,ERROR_CLOSE);
1676 TALLOC_FREE(case_state);
1677 reply_nterror(req, status);
1678 return;
1679 }
1680 fsp->access_mask = saved_access_mask;
1681 }
1682
1683 if (ea_len && (info == FILE_WAS_CREATED)) {
1684 status = set_ea(conn, fsp, fname, ea_list);
1685 if (!NT_STATUS_IS_OK(status)) {
1686 close_file(fsp,ERROR_CLOSE);
1687 TALLOC_FREE(case_state);
1688 reply_nterror(req, status);
1689 return;
1690 }
1691 }
1692
1693 TALLOC_FREE(case_state);
1694
1695 file_len = sbuf.st_size;
1696 fattr = dos_mode(conn,fname,&sbuf);
1697 if(fattr == 0) {
1698 fattr = FILE_ATTRIBUTE_NORMAL;
1699 }
1700 if (!fsp->is_directory && (fattr & aDIR)) {
1701 close_file(fsp,ERROR_CLOSE);
1702 reply_doserror(req, ERRDOS, ERRnoaccess);
1703 return;
1704 }
1705
1706 /* Save the requested allocation size. */
1707 if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) {
1708 if (allocation_size && (allocation_size > file_len)) {
1709 fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size);
1710 if (fsp->is_directory) {
1711 close_file(fsp,ERROR_CLOSE);
1712 /* Can't set allocation size on a directory. */
1713 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1714 return;
1715 }
1716 if (vfs_allocate_file_space(fsp, fsp->initial_allocation_size) == -1) {
1717 close_file(fsp,ERROR_CLOSE);
1718 reply_nterror(req, NT_STATUS_DISK_FULL);
1719 return;
1720 }
1721 } else {
1722 fsp->initial_allocation_size = smb_roundup(fsp->conn, (SMB_BIG_UINT)file_len);
1723 }
1724 }
1725
1726 /*
1727 * If the caller set the extended oplock request bit
1728 * and we granted one (by whatever means) - set the
1729 * correct bit for extended oplock reply.
1730 */
1731
1732 if (oplock_request && lp_fake_oplocks(SNUM(conn))) {
1733 extended_oplock_granted = True;
1734 }
1735
1736 if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
1737 extended_oplock_granted = True;
1738 }
1739
1740 /* Realloc the size of parameters and data we will return */
1741 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1742 /* Extended response is 32 more byyes. */
1743 param_len = 101;
1744 } else {
1745 param_len = 69;
1746 }
1747 params = nttrans_realloc(ppparams, param_len);
1748 if(params == NULL) {
1749 reply_doserror(req, ERRDOS, ERRnomem);
1750 return;
1751 }
1752
1753 p = params;
1754 if (extended_oplock_granted) {
1755 if (flags & REQUEST_BATCH_OPLOCK) {
1756 SCVAL(p,0, BATCH_OPLOCK_RETURN);
1757 } else {
1758 SCVAL(p,0, EXCLUSIVE_OPLOCK_RETURN);
1759 }
1760 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1761 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
1762 } else {
1763 SCVAL(p,0,NO_OPLOCK_RETURN);
1764 }
1765
1766 p += 2;
1767 SSVAL(p,0,fsp->fnum);
1768 p += 2;
1769 if ((create_disposition == FILE_SUPERSEDE) && (info == FILE_WAS_OVERWRITTEN)) {
1770 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1771 } else {
1772 SIVAL(p,0,info);
1773 }
1774 p += 8;
1775
1776 /* Create time. */
1777 c_timespec = get_create_timespec(&sbuf,lp_fake_dir_create_times(SNUM(conn)));
1778 a_timespec = get_atimespec(&sbuf);
1779 m_timespec = get_mtimespec(&sbuf);
1780
1781 if (lp_dos_filetime_resolution(SNUM(conn))) {
1782 dos_filetime_timespec(&c_timespec);
1783 dos_filetime_timespec(&a_timespec);
1784 dos_filetime_timespec(&m_timespec);
1785 }
1786
1787 put_long_date_timespec(p, c_timespec); /* create time. */
1788 p += 8;
1789 put_long_date_timespec(p, a_timespec); /* access time */
1790 p += 8;
1791 put_long_date_timespec(p, m_timespec); /* write time */
1792 p += 8;
1793 put_long_date_timespec(p, m_timespec); /* change time */
1794 p += 8;
1795 SIVAL(p,0,fattr); /* File Attributes. */
1796 p += 4;
1797 SOFF_T(p, 0, get_allocation_size(conn,fsp,&sbuf));
1798 p += 8;
1799 SOFF_T(p,0,file_len);
1800 p += 8;
1801 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1802 SSVAL(p,2,0x7);
1803 }
1804 p += 4;
1805 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1806
1807 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1808 uint32 perms = 0;
1809 p += 25;
1810 if (fsp->is_directory || can_write_to_file(conn, fname, &sbuf)) {
1811 perms = FILE_GENERIC_ALL;
1812 } else {
1813 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1814 }
1815 SIVAL(p,0,perms);
1816 }
1817
1818 DEBUG(5,("call_nt_transact_create: open name = %s\n", fname));
1819
1820 /* Send the required number of replies */
1821 send_nt_replies(req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1822
1823 return;
1824 }
1825
1826 /****************************************************************************
1827 Reply to a NT CANCEL request.
1828 conn POINTER CAN BE NULL HERE !
1829 ****************************************************************************/
1830
1831 void reply_ntcancel(connection_struct *conn, struct smb_request *req)
1832 {
1833 /*
1834 * Go through and cancel any pending change notifies.
1835 */
1836
1837 START_PROFILE(SMBntcancel);
1838 remove_pending_change_notify_requests_by_mid(req->mid);
1839 remove_pending_lock_requests_by_mid(req->mid);
1840 srv_cancel_sign_response(req->mid);
1841
1842 DEBUG(3,("reply_ntcancel: cancel called on mid = %d.\n", req->mid));
1843
1844 END_PROFILE(SMBntcancel);
1845 return;
1846 }
1847
1848 /****************************************************************************
1849 Copy a file.
1850 ****************************************************************************/
1851
1852 static NTSTATUS copy_internals(TALLOC_CTX *ctx,
1853 connection_struct *conn,
1854 struct smb_request *req,
1855 const char *oldname_in,
1856 const char *newname_in,
1857 uint32 attrs)
1858 {
1859 SMB_STRUCT_STAT sbuf1, sbuf2;
1860 char *oldname = NULL;
1861 char *newname = NULL;
1862 char *last_component_oldname = NULL;
1863 char *last_component_newname = NULL;
1864 files_struct *fsp1,*fsp2;
1865 uint32 fattr;
1866 int info;
1867 SMB_OFF_T ret=-1;
1868 NTSTATUS status = NT_STATUS_OK;
1869
1870 ZERO_STRUCT(sbuf1);
1871 ZERO_STRUCT(sbuf2);
1872
1873 if (!CAN_WRITE(conn)) {
1874 return NT_STATUS_MEDIA_WRITE_PROTECTED;
1875 }
1876
1877 status = unix_convert(ctx, conn, oldname_in, False, &oldname,
1878 &last_component_oldname, &sbuf1);
1879 if (!NT_STATUS_IS_OK(status)) {
1880 return status;
1881 }
1882
1883 status = check_name(conn, oldname);
1884 if (!NT_STATUS_IS_OK(status)) {
1885 return status;
1886 }
1887
1888 /* Source must already exist. */
1889 if (!VALID_STAT(sbuf1)) {
1890 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1891 }
1892 /* Ensure attributes match. */
1893 fattr = dos_mode(conn,oldname,&sbuf1);
1894 if ((fattr & ~attrs) & (aHIDDEN | aSYSTEM)) {
1895 return NT_STATUS_NO_SUCH_FILE;
1896 }
1897
1898 status = unix_convert(ctx, conn, newname_in, False, &newname,
1899 &last_component_newname, &sbuf2);
1900 if (!NT_STATUS_IS_OK(status)) {
1901 return status;
1902 }
1903
1904 status = check_name(conn, newname);
1905 if (!NT_STATUS_IS_OK(status)) {
1906 return status;
1907 }
1908
1909 /* Disallow if newname already exists. */
1910 if (VALID_STAT(sbuf2)) {
1911 return NT_STATUS_OBJECT_NAME_COLLISION;
1912 }
1913
1914 /* No links from a directory. */
1915 if (S_ISDIR(sbuf1.st_mode)) {
1916 return NT_STATUS_FILE_IS_A_DIRECTORY;
1917 }
1918
1919 /* Ensure this is within the share. */
1920 status = check_reduced_name(conn, oldname);
1921 if (!NT_STATUS_IS_OK(status)) {
1922 return status;
1923 }
1924
1925 DEBUG(10,("copy_internals: doing file copy %s to %s\n",
1926 oldname, newname));
1927
1928 status = open_file_ntcreate(conn, req, oldname, &sbuf1,
1929 FILE_READ_DATA, /* Read-only. */
1930 FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
1931 FILE_OPEN,
1932 0, /* No create options. */
1933 FILE_ATTRIBUTE_NORMAL,
1934 NO_OPLOCK,
1935 &info, &fsp1);
1936
1937 if (!NT_STATUS_IS_OK(status)) {
1938 return status;
1939 }
1940
1941 status = open_file_ntcreate(conn, req, newname, &sbuf2,
1942 FILE_WRITE_DATA, /* Read-only. */
1943 FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
1944 FILE_CREATE,
1945 0, /* No create options. */
1946 fattr,
1947 NO_OPLOCK,
1948 &info, &fsp2);
1949
1950 if (!NT_STATUS_IS_OK(status)) {
1951 close_file(fsp1,ERROR_CLOSE);
1952 return status;
1953 }
1954
1955 if (sbuf1.st_size) {
1956 ret = vfs_transfer_file(fsp1, fsp2, sbuf1.st_size);
1957 }
1958
1959 /*
1960 * As we are opening fsp1 read-only we only expect
1961 * an error on close on fsp2 if we are out of space.
1962 * Thus we don't look at the error return from the
1963 * close of fsp1.
1964 */
1965 close_file(fsp1,NORMAL_CLOSE);
1966
1967 /* Ensure the modtime is set correctly on the destination file. */
1968 fsp_set_pending_modtime(fsp2, get_mtimespec(&sbuf1));
1969
1970 status = close_file(fsp2,NORMAL_CLOSE);
1971
1972 /* Grrr. We have to do this as open_file_ntcreate adds aARCH when it
1973 creates the file. This isn't the correct thing to do in the copy
1974 case. JRA */
1975 file_set_dosmode(conn, newname, fattr, &sbuf2,
1976 parent_dirname(newname),false);
1977
1978 if (ret < (SMB_OFF_T)sbuf1.st_size) {
1979 return NT_STATUS_DISK_FULL;
1980 }
1981
1982 if (!NT_STATUS_IS_OK(status)) {
1983 DEBUG(3,("copy_internals: Error %s copy file %s to %s\n",
1984 nt_errstr(status), oldname, newname));
1985 }
1986 return status;
1987 }
1988
1989 /****************************************************************************
1990 Reply to a NT rename request.
1991 ****************************************************************************/
1992
1993 void reply_ntrename(connection_struct *conn, struct smb_request *req)
1994 {
1995 char *oldname = NULL;
1996 char *newname = NULL;
1997 char *p;
1998 NTSTATUS status;
1999 bool src_has_wcard = False;
2000 bool dest_has_wcard = False;
2001 uint32 attrs;
2002 uint16 rename_type;
2003 TALLOC_CTX *ctx = talloc_tos();
2004
2005 START_PROFILE(SMBntrename);
2006
2007 if (req->wct < 4) {
2008 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2009 END_PROFILE(SMBntrename);
2010 return;
2011 }
2012
2013 attrs = SVAL(req->inbuf,smb_vwv0);
2014 rename_type = SVAL(req->inbuf,smb_vwv1);
2015
2016 p = smb_buf(req->inbuf) + 1;
2017 p += srvstr_get_path_wcard(ctx, (char *)req->inbuf, req->flags2, &oldname, p,
2018 0, STR_TERMINATE, &status,
2019 &src_has_wcard);
2020 if (!NT_STATUS_IS_OK(status)) {
2021 reply_nterror(req, status);
2022 END_PROFILE(SMBntrename);
2023 return;
2024 }
2025
2026 if( is_ntfs_stream_name(oldname)) {
2027 /* Can't rename a stream. */
2028 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2029 END_PROFILE(SMBntrename);
2030 return;
2031 }
2032
2033 if (ms_has_wild(oldname)) {
2034 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
2035 END_PROFILE(SMBntrename);
2036 return;
2037 }
2038
2039 p++;
2040 p += srvstr_get_path_wcard(ctx, (char *)req->inbuf, req->flags2, &newname, p,
2041 0, STR_TERMINATE, &status,
2042 &dest_has_wcard);
2043 if (!NT_STATUS_IS_OK(status)) {
2044 reply_nterror(req, status);
2045 END_PROFILE(SMBntrename);
2046 return;
2047 }
2048
2049 status = resolve_dfspath(ctx, conn,
2050 req->flags2 & FLAGS2_DFS_PATHNAMES,
2051 oldname,
2052 &oldname);
2053 if (!NT_STATUS_IS_OK(status)) {
2054 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
2055 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
2056 ERRSRV, ERRbadpath);
2057 END_PROFILE(SMBntrename);
2058 return;
2059 }
2060 reply_nterror(req, status);
2061 END_PROFILE(SMBntrename);
2062 return;
2063 }
2064
2065 status = resolve_dfspath(ctx, conn,
2066 req->flags2 & FLAGS2_DFS_PATHNAMES,
2067 newname,
2068 &newname);
2069 if (!NT_STATUS_IS_OK(status)) {
2070 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
2071 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
2072 ERRSRV, ERRbadpath);
2073 END_PROFILE(SMBntrename);
2074 return;
2075 }
2076 reply_nterror(req, status);
2077 END_PROFILE(SMBntrename);
2078 return;
2079 }
2080
2081 DEBUG(3,("reply_ntrename : %s -> %s\n",oldname,newname));
2082
2083 switch(rename_type) {
2084 case RENAME_FLAG_RENAME:
2085 status = rename_internals(ctx, conn, req, oldname,
2086 newname, attrs, False, src_has_wcard,
2087 dest_has_wcard);
2088 break;
2089 case RENAME_FLAG_HARD_LINK:
2090 if (src_has_wcard || dest_has_wcard) {
2091 /* No wildcards. */
2092 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
2093 } else {
2094 status = hardlink_internals(ctx,
2095 conn,
2096 oldname,
2097 newname);
2098 }
2099 break;
2100 case RENAME_FLAG_COPY:
2101 if (src_has_wcard || dest_has_wcard) {
2102 /* No wildcards. */
2103 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
2104 } else {
2105 status = copy_internals(ctx, conn, req, oldname,
2106 newname, attrs);
2107 }
2108 break;
2109 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
2110 status = NT_STATUS_INVALID_PARAMETER;
2111 break;
2112 default:
2113 status = NT_STATUS_ACCESS_DENIED; /* Default error. */
2114 break;
2115 }
2116
2117 if (!NT_STATUS_IS_OK(status)) {
2118 if (open_was_deferred(req->mid)) {
2119 /* We have re-scheduled this call. */
2120 END_PROFILE(SMBntrename);
2121 return;
2122 }
2123
2124 reply_nterror(req, status);
2125 END_PROFILE(SMBntrename);
2126 return;
2127 }
2128
2129 reply_outbuf(req, 0, 0);
2130
2131 END_PROFILE(SMBntrename);
2132 return;
2133 }
2134
2135 /****************************************************************************
2136 Reply to a notify change - queue the request and
2137 don't allow a directory to be opened.
2138 ****************************************************************************/
2139
2140 static void call_nt_transact_notify_change(connection_struct *conn,
2141 struct smb_request *req,
2142 uint16 **ppsetup,
2143 uint32 setup_count,
2144 char **ppparams,
2145 uint32 parameter_count,
2146 char **ppdata, uint32 data_count,
2147 uint32 max_data_count,
2148 uint32 max_param_count)
2149 {
2150 uint16 *setup = *ppsetup;
2151 files_struct *fsp;
2152 uint32 filter;
2153 NTSTATUS status;
2154 bool recursive;
2155
2156 if(setup_count < 6) {
2157 reply_doserror(req, ERRDOS, ERRbadfunc);
2158 return;
2159 }
2160
2161 fsp = file_fsp(SVAL(setup,4));
2162 filter = IVAL(setup, 0);
2163 recursive = (SVAL(setup, 6) != 0) ? True : False;
2164
2165 DEBUG(3,("call_nt_transact_notify_change\n"));
2166
2167 if(!fsp) {
2168 reply_doserror(req, ERRDOS, ERRbadfid);
2169 return;
2170 }
2171
2172 {
2173 char *filter_string;
2174
2175 if (!(filter_string = notify_filter_string(NULL, filter))) {
2176 reply_nterror(req,NT_STATUS_NO_MEMORY);
2177 return;
2178 }
2179
2180 DEBUG(3,("call_nt_transact_notify_change: notify change "
2181 "called on %s, filter = %s, recursive = %d\n",
2182 fsp->fsp_name, filter_string, recursive));
2183
2184 TALLOC_FREE(filter_string);
2185 }
2186
2187 if((!fsp->is_directory) || (conn != fsp->conn)) {
2188 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2189 return;
2190 }
2191
2192 if (fsp->notify == NULL) {
2193
2194 status = change_notify_create(fsp, filter, recursive);
2195
2196 if (!NT_STATUS_IS_OK(status)) {
2197 DEBUG(10, ("change_notify_create returned %s\n",
2198 nt_errstr(status)));
2199 reply_nterror(req, status);
2200 return;
2201 }
2202 }
2203
2204 if (fsp->notify->num_changes != 0) {
2205
2206 /*
2207 * We've got changes pending, respond immediately
2208 */
2209
2210 /*
2211 * TODO: write a torture test to check the filtering behaviour
2212 * here.
2213 */
2214
2215 change_notify_reply(req->inbuf, max_param_count, fsp->notify);
2216
2217 /*
2218 * change_notify_reply() above has independently sent its
2219 * results
2220 */
2221 return;
2222 }
2223
2224 /*
2225 * No changes pending, queue the request
2226 */
2227
2228 status = change_notify_add_request(req->inbuf, max_param_count, filter,
2229 recursive, fsp);
2230 if (!NT_STATUS_IS_OK(status)) {
2231 reply_nterror(req, status);
2232 }
2233 return;
2234 }
2235
2236 /****************************************************************************
2237 Reply to an NT transact rename command.
2238 ****************************************************************************/
2239
2240 static void call_nt_transact_rename(connection_struct *conn,
2241 struct smb_request *req,
2242 uint16 **ppsetup, uint32 setup_count,
2243 char **ppparams, uint32 parameter_count,
2244 char **ppdata, uint32 data_count,
2245 uint32 max_data_count)
2246 {
2247 char *params = *ppparams;
2248 char *new_name = NULL;
2249 files_struct *fsp = NULL;
2250 bool replace_if_exists = False;
2251 bool dest_has_wcard = False;
2252 NTSTATUS status;
2253 TALLOC_CTX *ctx = talloc_tos();
2254
2255 if(parameter_count < 5) {
2256 reply_doserror(req, ERRDOS, ERRbadfunc);
2257 return;
2258 }
2259
2260 fsp = file_fsp(SVAL(params, 0));
2261 replace_if_exists = (SVAL(params,2) & RENAME_REPLACE_IF_EXISTS) ? True : False;
2262 if (!check_fsp(conn, req, fsp, &current_user)) {
2263 return;
2264 }
2265 srvstr_get_path_wcard(ctx, params, req->flags2, &new_name, params+4,
2266 parameter_count - 4,
2267 STR_TERMINATE, &status, &dest_has_wcard);
2268 if (!NT_STATUS_IS_OK(status)) {
2269 reply_nterror(req, status);
2270 return;
2271 }
2272
2273 status = rename_internals(ctx,
2274 conn,
2275 req,
2276 fsp->fsp_name,
2277 new_name,
2278 0,
2279 replace_if_exists,
2280 False,
2281 dest_has_wcard);
2282
2283 if (!NT_STATUS_IS_OK(status)) {
2284 if (open_was_deferred(req->mid)) {
2285 /* We have re-scheduled this call. */
2286 return;
2287 }
2288 reply_nterror(req, status);
2289 return;
2290 }
2291
2292 /*
2293 * Rename was successful.
2294 */
2295 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2296
2297 DEBUG(3,("nt transact rename from = %s, to = %s succeeded.\n",
2298 fsp->fsp_name, new_name));
2299
2300 return;
2301 }
2302
2303 /******************************************************************************
2304 Fake up a completely empty SD.
2305 *******************************************************************************/
2306
2307 static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, SEC_DESC **ppsd)
2308 {
2309 size_t sd_size;
2310
2311 *ppsd = make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);
2312 if(!*ppsd) {
2313 DEBUG(0,("get_null_nt_acl: Unable to malloc space for security descriptor.\n"));
2314 return NT_STATUS_NO_MEMORY;
2315 }
2316
2317 return NT_STATUS_OK;
2318 }
2319
2320 /****************************************************************************
2321 Reply to query a security descriptor.
2322 ****************************************************************************/
2323
2324 static void call_nt_transact_query_security_desc(connection_struct *conn,
2325 struct smb_request *req,
2326 uint16 **ppsetup,
2327 uint32 setup_count,
2328 char **ppparams,
2329 uint32 parameter_count,
2330 char **ppdata,
2331 uint32 data_count,
2332 uint32 max_data_count)
2333 {
2334 char *params = *ppparams;
2335 char *data = *ppdata;
2336 prs_struct pd;
2337 SEC_DESC *psd = NULL;
2338 size_t sd_size;
2339 uint32 security_info_wanted;
2340 TALLOC_CTX *mem_ctx;
2341 files_struct *fsp = NULL;
2342 NTSTATUS status;
2343
2344 if(parameter_count < 8) {
2345 reply_doserror(req, ERRDOS, ERRbadfunc);
2346 return;
2347 }
2348
2349 fsp = file_fsp(SVAL(params,0));
2350 if(!fsp) {
2351 reply_doserror(req, ERRDOS, ERRbadfid);
2352 return;
2353 }
2354
2355 security_info_wanted = IVAL(params,4);
2356
2357 DEBUG(3,("call_nt_transact_query_security_desc: file = %s, info_wanted = 0x%x\n", fsp->fsp_name,
2358 (unsigned int)security_info_wanted ));
2359
2360 params = nttrans_realloc(ppparams, 4);
2361 if(params == NULL) {
2362 reply_doserror(req, ERRDOS, ERRnomem);
2363 return;
2364 }
2365
2366 if ((mem_ctx = talloc_init("call_nt_transact_query_security_desc")) == NULL) {
2367 DEBUG(0,("call_nt_transact_query_security_desc: talloc_init failed.\n"));
2368 reply_doserror(req, ERRDOS, ERRnomem);
2369 return;
2370 }
2371
2372 /*
2373 * Get the permissions to return.
2374 */
2375
2376 if (!lp_nt_acl_support(SNUM(conn))) {
2377 status = get_null_nt_acl(mem_ctx, &psd);
2378 } else {
2379 status = SMB_VFS_FGET_NT_ACL(fsp, fsp->fh->fd,
2380 security_info_wanted, &psd);
2381 }
2382
2383 if (!NT_STATUS_IS_OK(status)) {
2384 talloc_destroy(mem_ctx);
2385 reply_nterror(req, status);
2386 return;
2387 }
2388
2389 sd_size = sec_desc_size(psd);
2390
2391 DEBUG(3,("call_nt_transact_query_security_desc: sd_size = %lu.\n",(unsigned long)sd_size));
2392
2393 SIVAL(params,0,(uint32)sd_size);
2394
2395 if(max_data_count < sd_size) {
2396
2397 send_nt_replies(req, NT_STATUS_BUFFER_TOO_SMALL,
2398 params, 4, *ppdata, 0);
2399 talloc_destroy(mem_ctx);
2400 return;
2401 }
2402
2403 /*
2404 * Allocate the data we will point this at.
2405 */
2406
2407 data = nttrans_realloc(ppdata, sd_size);
2408 if(data == NULL) {
2409 talloc_destroy(mem_ctx);
2410 reply_doserror(req, ERRDOS, ERRnomem);
2411 return;
2412 }
2413
2414 /*
2415 * Init the parse struct we will marshall into.
2416 */
2417
2418 prs_init(&pd, 0, mem_ctx, MARSHALL);
2419
2420 /*
2421 * Setup the prs_struct to point at the memory we just
2422 * allocated.
2423 */
2424
2425 prs_give_memory( &pd, data, (uint32)sd_size, False);
2426
2427 /*
2428 * Finally, linearize into the outgoing buffer.
2429 */
2430
2431 if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
2432 DEBUG(0,("call_nt_transact_query_security_desc: Error in marshalling \
2433 security descriptor.\n"));
2434 /*
2435 * Return access denied for want of a better error message..
2436 */
2437 talloc_destroy(mem_ctx);
2438 reply_unixerror(req, ERRDOS, ERRnoaccess);
2439 return;
2440 }
2441
2442 /*
2443 * Now we can delete the security descriptor.
2444 */
2445
2446 talloc_destroy(mem_ctx);
2447
2448 send_nt_replies(req, NT_STATUS_OK, params, 4, data, (int)sd_size);
2449 return;
2450 }
2451
2452 /****************************************************************************
2453 Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
2454 ****************************************************************************/
2455
2456 static void call_nt_transact_set_security_desc(connection_struct *conn,
2457 struct smb_request *req,
2458 uint16 **ppsetup,
2459 uint32 setup_count,
2460 char **ppparams,
2461 uint32 parameter_count,
2462 char **ppdata,
2463 uint32 data_count,
2464 uint32 max_data_count)
2465 {
2466 char *params= *ppparams;
2467 char *data = *ppdata;
2468 files_struct *fsp = NULL;
2469 uint32 security_info_sent = 0;
2470 NTSTATUS nt_status;
2471
2472 if(parameter_count < 8) {
2473 reply_doserror(req, ERRDOS, ERRbadfunc);
2474 return;
2475 }
2476
2477 if((fsp = file_fsp(SVAL(params,0))) == NULL) {
2478 reply_doserror(req, ERRDOS, ERRbadfid);
2479 return;
2480 }
2481
2482 if(!lp_nt_acl_support(SNUM(conn))) {
2483 goto done;
2484 }
2485
2486 security_info_sent = IVAL(params,4);
2487
2488 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n", fsp->fsp_name,
2489 (unsigned int)security_info_sent ));
2490
2491 if (data_count == 0) {
2492 reply_doserror(req, ERRDOS, ERRnoaccess);
2493 return;
2494 }
2495
2496 if (!NT_STATUS_IS_OK(nt_status = set_sd( fsp, data, data_count, security_info_sent))) {
2497 reply_nterror(req, nt_status);
2498 return;
2499 }
2500
2501 done:
2502
2503 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2504 return;
2505 }
2506
2507 /****************************************************************************
2508 Reply to NT IOCTL
2509 ****************************************************************************/
2510
2511 static void call_nt_transact_ioctl(connection_struct *conn,
2512 struct smb_request *req,
2513 uint16 **ppsetup, uint32 setup_count,
2514 char **ppparams, uint32 parameter_count,
2515 char **ppdata, uint32 data_count,
2516 uint32 max_data_count)
2517 {
2518 uint32 function;
2519 uint16 fidnum;
2520 files_struct *fsp;
2521 uint8 isFSctl;
2522 uint8 compfilter;
2523 static bool logged_message;
2524 char *pdata = *ppdata;
2525
2526 if (setup_count != 8) {
2527 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
2528 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2529 return;
2530 }
2531
2532 function = IVAL(*ppsetup, 0);
2533 fidnum = SVAL(*ppsetup, 4);
2534 isFSctl = CVAL(*ppsetup, 6);
2535 compfilter = CVAL(*ppsetup, 7);
2536
2537 DEBUG(10,("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n",
2538 function, fidnum, isFSctl, compfilter));
2539
2540 fsp=file_fsp(fidnum);
2541 /* this check is done in each implemented function case for now
2542 because I don't want to break anything... --metze
2543 FSP_BELONGS_CONN(fsp,conn);*/
2544
2545 switch (function) {
2546 case FSCTL_SET_SPARSE:
2547 /* pretend this succeeded - tho strictly we should
2548 mark the file sparse (if the local fs supports it)
2549 so we can know if we need to pre-allocate or not */
2550
2551 DEBUG(10,("FSCTL_SET_SPARSE: called on FID[0x%04X](but not implemented)\n", fidnum));
2552 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2553 return;
2554
2555 case FSCTL_CREATE_OR_GET_OBJECT_ID:
2556 {
2557 unsigned char objid[16];
2558
2559 /* This should return the object-id on this file.
2560 * I think I'll make this be the inode+dev. JRA.
2561 */
2562
2563 DEBUG(10,("FSCTL_CREATE_OR_GET_OBJECT_ID: called on FID[0x%04X]\n",fidnum));
2564
2565 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2566 return;
2567 }
2568
2569 data_count = 64;
2570 pdata = nttrans_realloc(ppdata, data_count);
2571 if (pdata == NULL) {
2572 reply_nterror(req, NT_STATUS_NO_MEMORY);
2573 return;
2574 }
2575 push_file_id_16(pdata, &fsp->file_id);
2576 memcpy(pdata+16,create_volume_objectid(conn,objid),16);
2577 push_file_id_16(pdata+32, &fsp->file_id);
2578 send_nt_replies(req, NT_STATUS_OK, NULL, 0,
2579 pdata, data_count);
2580 return;
2581 }
2582
2583 case FSCTL_GET_REPARSE_POINT:
2584 /* pretend this fail - my winXP does it like this
2585 * --metze
2586 */
2587
2588 DEBUG(10,("FSCTL_GET_REPARSE_POINT: called on FID[0x%04X](but not implemented)\n",fidnum));
2589 reply_nterror(req, NT_STATUS_NOT_A_REPARSE_POINT);
2590 return;
2591
2592 case FSCTL_SET_REPARSE_POINT:
2593 /* pretend this fail - I'm assuming this because of the FSCTL_GET_REPARSE_POINT case.
2594 * --metze
2595 */
2596
2597 DEBUG(10,("FSCTL_SET_REPARSE_POINT: called on FID[0x%04X](but not implemented)\n",fidnum));
2598 reply_nterror(req, NT_STATUS_NOT_A_REPARSE_POINT);
2599 return;
2600
2601 case FSCTL_GET_SHADOW_COPY_DATA: /* don't know if this name is right...*/
2602 {
2603 /*
2604 * This is called to retrieve the number of Shadow Copies (a.k.a. snapshots)
2605 * and return their volume names. If max_data_count is 16, then it is just
2606 * asking for the number of volumes and length of the combined names.
2607 *
2608 * pdata is the data allocated by our caller, but that uses
2609 * total_data_count (which is 0 in our case) rather than max_data_count.
2610 * Allocate the correct amount and return the pointer to let
2611 * it be deallocated when we return.
2612 */
2613 SHADOW_COPY_DATA *shadow_data = NULL;
2614 TALLOC_CTX *shadow_mem_ctx = NULL;
2615 bool labels = False;
2616 uint32 labels_data_count = 0;
2617 uint32 i;
2618 char *cur_pdata;
2619
2620 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2621 return;
2622 }
2623
2624 if (max_data_count < 16) {
2625 DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: max_data_count(%u) < 16 is invalid!\n",
2626 max_data_count));
2627 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2628 return;
2629 }
2630
2631 if (max_data_count > 16) {
2632 labels = True;
2633 }
2634
2635 shadow_mem_ctx = talloc_init("SHADOW_COPY_DATA");
2636 if (shadow_mem_ctx == NULL) {
2637 DEBUG(0,("talloc_init(SHADOW_COPY_DATA) failed!\n"));
2638 reply_nterror(req, NT_STATUS_NO_MEMORY);
2639 return;
2640 }
2641
2642 shadow_data = TALLOC_ZERO_P(shadow_mem_ctx,SHADOW_COPY_DATA);
2643 if (shadow_data == NULL) {
2644 DEBUG(0,("TALLOC_ZERO() failed!\n"));
2645 talloc_destroy(shadow_mem_ctx);
2646 reply_nterror(req, NT_STATUS_NO_MEMORY);
2647 return;
2648 }
2649
2650 shadow_data->mem_ctx = shadow_mem_ctx;
2651
2652 /*
2653 * Call the VFS routine to actually do the work.
2654 */
2655 if (SMB_VFS_GET_SHADOW_COPY_DATA(fsp, shadow_data, labels)!=0) {
2656 talloc_destroy(shadow_data->mem_ctx);
2657 if (errno == ENOSYS) {
2658 DEBUG(5,("FSCTL_GET_SHADOW_COPY_DATA: connectpath %s, not supported.\n",
2659 conn->connectpath));
2660 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2661 return;
2662 } else {
2663 DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: connectpath %s, failed.\n",
2664 conn->connectpath));
2665 reply_nterror(req, NT_STATUS_UNSUCCESSFUL);
2666 return;
2667 }
2668 }
2669
2670 labels_data_count = (shadow_data->num_volumes*2*sizeof(SHADOW_COPY_LABEL))+2;
2671
2672 if (!labels) {
2673 data_count = 16;
2674 } else {
2675 data_count = 12+labels_data_count+4;
2676 }
2677
2678 if (max_data_count<data_count) {
2679 DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: max_data_count(%u) too small (%u) bytes needed!\n",
2680 max_data_count,data_count));
2681 talloc_destroy(shadow_data->mem_ctx);
2682 reply_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
2683 return;
2684 }
2685
2686 pdata = nttrans_realloc(ppdata, data_count);
2687 if (pdata == NULL) {
2688 talloc_destroy(shadow_data->mem_ctx);
2689 reply_nterror(req, NT_STATUS_NO_MEMORY);
2690 return;
2691 }
2692
2693 cur_pdata = pdata;
2694
2695 /* num_volumes 4 bytes */
2696 SIVAL(pdata,0,shadow_data->num_volumes);
2697
2698 if (labels) {
2699 /* num_labels 4 bytes */
2700 SIVAL(pdata,4,shadow_data->num_volumes);
2701 }
2702
2703 /* needed_data_count 4 bytes */
2704 SIVAL(pdata,8,labels_data_count);
2705
2706 cur_pdata+=12;
2707
2708 DEBUG(10,("FSCTL_GET_SHADOW_COPY_DATA: %u volumes for path[%s].\n",
2709 shadow_data->num_volumes,fsp->fsp_name));
2710 if (labels && shadow_data->labels) {
2711 for (i=0;i<shadow_data->num_volumes;i++) {
2712 srvstr_push(pdata, req->flags2,
2713 cur_pdata, shadow_data->labels[i],
2714 2*sizeof(SHADOW_COPY_LABEL),
2715 STR_UNICODE|STR_TERMINATE);
2716 cur_pdata+=2*sizeof(SHADOW_COPY_LABEL);
2717 DEBUGADD(10,("Label[%u]: '%s'\n",i,shadow_data->labels[i]));
2718 }
2719 }
2720
2721 talloc_destroy(shadow_data->mem_ctx);
2722
2723 send_nt_replies(req, NT_STATUS_OK, NULL, 0,
2724 pdata, data_count);
2725
2726 return;
2727 }
2728
2729 case FSCTL_FIND_FILES_BY_SID: /* I hope this name is right */
2730 {
2731 /* pretend this succeeded -
2732 *
2733 * we have to send back a list with all files owned by this SID
2734 *
2735 * but I have to check that --metze
2736 */
2737 DOM_SID sid;
2738 uid_t uid;
2739 size_t sid_len = MIN(data_count-4,SID_MAX_SIZE);
2740
2741 DEBUG(10,("FSCTL_FIND_FILES_BY_SID: called on FID[0x%04X]\n",fidnum));
2742
2743 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2744 return;
2745 }
2746
2747 /* unknown 4 bytes: this is not the length of the sid :-( */
2748 /*unknown = IVAL(pdata,0);*/
2749
2750 sid_parse(pdata+4,sid_len,&sid);
2751 DEBUGADD(10,("for SID: %s\n",sid_string_static(&sid)));
2752
2753 if (!sid_to_uid(&sid, &uid)) {
2754 DEBUG(0,("sid_to_uid: failed, sid[%s] sid_len[%lu]\n",
2755 sid_string_static(&sid),(unsigned long)sid_len));
2756 uid = (-1);
2757 }
2758
2759 /* we can take a look at the find source :-)
2760 *
2761 * find ./ -uid $uid -name '*' is what we need here
2762 *
2763 *
2764 * and send 4bytes len and then NULL terminated unicode strings
2765 * for each file
2766 *
2767 * but I don't know how to deal with the paged results
2768 * (maybe we can hang the result anywhere in the fsp struct)
2769 *
2770 * we don't send all files at once
2771 * and at the next we should *not* start from the beginning,
2772 * so we have to cache the result
2773 *
2774 * --metze
2775 */
2776
2777 /* this works for now... */
2778 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2779 return;
2780 }
2781 default:
2782 if (!logged_message) {
2783 logged_message = True; /* Only print this once... */
2784 DEBUG(0,("call_nt_transact_ioctl(0x%x): Currently not implemented.\n",
2785 function));
2786 }
2787 }
2788
2789 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2790 }
2791
2792
2793 #ifdef HAVE_SYS_QUOTAS
2794 /****************************************************************************
2795 Reply to get user quota
2796 ****************************************************************************/
2797
2798 static void call_nt_transact_get_user_quota(connection_struct *conn,
2799 struct smb_request *req,
2800 uint16 **ppsetup,
2801 uint32 setup_count,
2802 char **ppparams,
2803 uint32 parameter_count,
2804 char **ppdata,
2805 uint32 data_count,
2806 uint32 max_data_count)
2807 {
2808 NTSTATUS nt_status = NT_STATUS_OK;
2809 char *params = *ppparams;
2810 char *pdata = *ppdata;
2811 char *entry;
2812 int data_len=0,param_len=0;
2813 int qt_len=0;
2814 int entry_len = 0;
2815 files_struct *fsp = NULL;
2816 uint16 level = 0;
2817 size_t sid_len;
2818 DOM_SID sid;
2819 bool start_enum = True;
2820 SMB_NTQUOTA_STRUCT qt;
2821 SMB_NTQUOTA_LIST *tmp_list;
2822 SMB_NTQUOTA_HANDLE *qt_handle = NULL;
2823
2824 ZERO_STRUCT(qt);
2825
2826 /* access check */
2827 if (current_user.ut.uid != 0) {
2828 DEBUG(1,("get_user_quota: access_denied service [%s] user [%s]\n",
2829 lp_servicename(SNUM(conn)),conn->user));
2830 reply_doserror(req, ERRDOS, ERRnoaccess);
2831 return;
2832 }
2833
2834 /*
2835 * Ensure minimum number of parameters sent.
2836 */
2837
2838 if (parameter_count < 4) {
2839 DEBUG(0,("TRANSACT_GET_USER_QUOTA: requires %d >= 4 bytes parameters\n",parameter_count));
2840 reply_doserror(req, ERRDOS, ERRinvalidparam);
2841 return;
2842 }
2843
2844 /* maybe we can check the quota_fnum */
2845 fsp = file_fsp(SVAL(params,0));
2846 if (!CHECK_NTQUOTA_HANDLE_OK(fsp,conn)) {
2847 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2848 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2849 return;
2850 }
2851
2852 /* the NULL pointer checking for fsp->fake_file_handle->pd
2853 * is done by CHECK_NTQUOTA_HANDLE_OK()
2854 */
2855 qt_handle = (SMB_NTQUOTA_HANDLE *)fsp->fake_file_handle->pd;
2856
2857 level = SVAL(params,2);
2858
2859 /* unknown 12 bytes leading in params */
2860
2861 switch (level) {
2862 case TRANSACT_GET_USER_QUOTA_LIST_CONTINUE:
2863 /* seems that we should continue with the enum here --metze */
2864
2865 if (qt_handle->quota_list!=NULL &&
2866 qt_handle->tmp_list==NULL) {
2867
2868 /* free the list */
2869 free_ntquota_list(&(qt_handle->quota_list));
2870
2871 /* Realloc the size of parameters and data we will return */
2872 param_len = 4;
2873 params = nttrans_realloc(ppparams, param_len);
2874 if(params == NULL) {
2875 reply_doserror(req, ERRDOS, ERRnomem);
2876 return;
2877 }
2878
2879 data_len = 0;
2880 SIVAL(params,0,data_len);
2881
2882 break;
2883 }
2884
2885 start_enum = False;
2886
2887 case TRANSACT_GET_USER_QUOTA_LIST_START:
2888
2889 if (qt_handle->quota_list==NULL &&
2890 qt_handle->tmp_list==NULL) {
2891 start_enum = True;
2892 }
2893
2894 if (start_enum && vfs_get_user_ntquota_list(fsp,&(qt_handle->quota_list))!=0) {
2895 reply_doserror(req, ERRSRV, ERRerror);
2896 return;
2897 }
2898
2899 /* Realloc the size of parameters and data we will return */
2900 param_len = 4;
2901 params = nttrans_realloc(ppparams, param_len);
2902 if(params == NULL) {
2903 reply_doserror(req, ERRDOS, ERRnomem);
2904 return;
2905 }
2906
2907 /* we should not trust the value in max_data_count*/
2908 max_data_count = MIN(max_data_count,2048);
2909
2910 pdata = nttrans_realloc(ppdata, max_data_count);/* should be max data count from client*/
2911 if(pdata == NULL) {
2912 reply_doserror(req, ERRDOS, ERRnomem);
2913 return;
2914 }
2915
2916 entry = pdata;
2917
2918 /* set params Size of returned Quota Data 4 bytes*/
2919 /* but set it later when we know it */
2920
2921 /* for each entry push the data */
2922
2923 if (start_enum) {
2924 qt_handle->tmp_list = qt_handle->quota_list;
2925 }
2926
2927 tmp_list = qt_handle->tmp_list;
2928
2929 for (;((tmp_list!=NULL)&&((qt_len +40+SID_MAX_SIZE)<max_data_count));
2930 tmp_list=tmp_list->next,entry+=entry_len,qt_len+=entry_len) {
2931
2932 sid_len = sid_size(&tmp_list->quotas->sid);
2933 entry_len = 40 + sid_len;
2934
2935 /* nextoffset entry 4 bytes */
2936 SIVAL(entry,0,entry_len);
2937
2938 /* then the len of the SID 4 bytes */
2939 SIVAL(entry,4,sid_len);
2940
2941 /* unknown data 8 bytes SMB_BIG_UINT */
2942 SBIG_UINT(entry,8,(SMB_BIG_UINT)0); /* this is not 0 in windows...-metze*/
2943
2944 /* the used disk space 8 bytes SMB_BIG_UINT */
2945 SBIG_UINT(entry,16,tmp_list->quotas->usedspace);
2946
2947 /* the soft quotas 8 bytes SMB_BIG_UINT */
2948 SBIG_UINT(entry,24,tmp_list->quotas->softlim);
2949
2950 /* the hard quotas 8 bytes SMB_BIG_UINT */
2951 SBIG_UINT(entry,32,tmp_list->quotas->hardlim);
2952
2953 /* and now the SID */
2954 sid_linearize(entry+40, sid_len, &tmp_list->quotas->sid);
2955 }
2956
2957 qt_handle->tmp_list = tmp_list;
2958
2959 /* overwrite the offset of the last entry */
2960 SIVAL(entry-entry_len,0,0);
2961
2962 data_len = 4+qt_len;
2963 /* overwrite the params quota_data_len */
2964 SIVAL(params,0,data_len);
2965
2966 break;
2967
2968 case TRANSACT_GET_USER_QUOTA_FOR_SID:
2969
2970 /* unknown 4 bytes IVAL(pdata,0) */
2971
2972 if (data_count < 8) {
2973 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %d bytes data\n",data_count,8));
2974 reply_doserror(req, ERRDOS, ERRunknownlevel);
2975 return;
2976 }
2977
2978 sid_len = IVAL(pdata,4);
2979 /* Ensure this is less than 1mb. */
2980 if (sid_len > (1024*1024)) {
2981 reply_doserror(req, ERRDOS, ERRnomem);
2982 return;
2983 }
2984
2985 if (data_count < 8+sid_len) {
2986 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len)));
2987 reply_doserror(req, ERRDOS, ERRunknownlevel);
2988 return;
2989 }
2990
2991 data_len = 4+40+sid_len;
2992
2993 if (max_data_count < data_len) {
2994 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: max_data_count(%d) < data_len(%d)\n",
2995 max_data_count, data_len));
2996 param_len = 4;
2997 SIVAL(params,0,data_len);
2998 data_len = 0;
2999 nt_status = NT_STATUS_BUFFER_TOO_SMALL;
3000 break;
3001 }
3002
3003 sid_parse(pdata+8,sid_len,&sid);
3004
3005 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
3006 ZERO_STRUCT(qt);
3007 /*
3008 * we have to return zero's in all fields
3009 * instead of returning an error here
3010 * --metze
3011 */
3012 }
3013
3014 /* Realloc the size of parameters and data we will return */
3015 param_len = 4;
3016 params = nttrans_realloc(ppparams, param_len);
3017 if(params == NULL) {
3018 reply_doserror(req, ERRDOS, ERRnomem);
3019 return;
3020 }
3021
3022 pdata = nttrans_realloc(ppdata, data_len);
3023 if(pdata == NULL) {
3024 reply_doserror(req, ERRDOS, ERRnomem);
3025 return;
3026 }
3027
3028 entry = pdata;
3029
3030 /* set params Size of returned Quota Data 4 bytes*/
3031 SIVAL(params,0,data_len);
3032
3033 /* nextoffset entry 4 bytes */
3034 SIVAL(entry,0,0);
3035
3036 /* then the len of the SID 4 bytes */
3037 SIVAL(entry,4,sid_len);
3038
3039 /* unknown data 8 bytes SMB_BIG_UINT */
3040 SBIG_UINT(entry,8,(SMB_BIG_UINT)0); /* this is not 0 in windows...-mezte*/
3041
3042 /* the used disk space 8 bytes SMB_BIG_UINT */
3043 SBIG_UINT(entry,16,qt.usedspace);
3044
3045 /* the soft quotas 8 bytes SMB_BIG_UINT */
3046 SBIG_UINT(entry,24,qt.softlim);
3047
3048 /* the hard quotas 8 bytes SMB_BIG_UINT */
3049 SBIG_UINT(entry,32,qt.hardlim);
3050
3051 /* and now the SID */
3052 sid_linearize(entry+40, sid_len, &sid);
3053
3054 break;
3055
3056 default:
3057 DEBUG(0,("do_nt_transact_get_user_quota: fnum %d unknown level 0x%04hX\n",fsp->fnum,level));
3058 reply_doserror(req, ERRSRV, ERRerror);
3059 return;
3060 break;
3061 }
3062
3063 send_nt_replies(req, nt_status, params, param_len,
3064 pdata, data_len);
3065 }
3066
3067 /****************************************************************************
3068 Reply to set user quota
3069 ****************************************************************************/
3070
3071 static void call_nt_transact_set_user_quota(connection_struct *conn,
3072 struct smb_request *req,
3073 uint16 **ppsetup,
3074 uint32 setup_count,
3075 char **ppparams,
3076 uint32 parameter_count,
3077 char **ppdata,
3078 uint32 data_count,
3079 uint32 max_data_count)
3080 {
3081 char *params = *ppparams;
3082 char *pdata = *ppdata;
3083 int data_len=0,param_len=0;
3084 SMB_NTQUOTA_STRUCT qt;
3085 size_t sid_len;
3086 DOM_SID sid;
3087 files_struct *fsp = NULL;
3088
3089 ZERO_STRUCT(qt);
3090
3091 /* access check */
3092 if (current_user.ut.uid != 0) {
3093 DEBUG(1,("set_user_quota: access_denied service [%s] user [%s]\n",
3094 lp_servicename(SNUM(conn)),conn->user));
3095 reply_doserror(req, ERRDOS, ERRnoaccess);
3096 return;
3097 }
3098
3099 /*
3100 * Ensure minimum number of parameters sent.
3101 */
3102
3103 if (parameter_count < 2) {
3104 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
3105 reply_doserror(req, ERRDOS, ERRinvalidparam);
3106 return;
3107 }
3108
3109 /* maybe we can check the quota_fnum */
3110 fsp = file_fsp(SVAL(params,0));
3111 if (!CHECK_NTQUOTA_HANDLE_OK(fsp,conn)) {
3112 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
3113 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
3114 return;
3115 }
3116
3117 if (data_count < 40) {
3118 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40));
3119 reply_doserror(req, ERRDOS, ERRunknownlevel);
3120 return;
3121 }
3122
3123 /* offset to next quota record.
3124 * 4 bytes IVAL(pdata,0)
3125 * unused here...
3126 */
3127
3128 /* sid len */
3129 sid_len = IVAL(pdata,4);
3130
3131 if (data_count < 40+sid_len) {
3132 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len));
3133 reply_doserror(req, ERRDOS, ERRunknownlevel);
3134 return;
3135 }
3136
3137 /* unknown 8 bytes in pdata
3138 * maybe its the change time in NTTIME
3139 */
3140
3141 /* the used space 8 bytes (SMB_BIG_UINT)*/
3142 qt.usedspace = (SMB_BIG_UINT)IVAL(pdata,16);
3143 #ifdef LARGE_SMB_OFF_T
3144 qt.usedspace |= (((SMB_BIG_UINT)IVAL(pdata,20)) << 32);
3145 #else /* LARGE_SMB_OFF_T */
3146 if ((IVAL(pdata,20) != 0)&&
3147 ((qt.usedspace != 0xFFFFFFFF)||
3148 (IVAL(pdata,20)!=0xFFFFFFFF))) {
3149 /* more than 32 bits? */
3150 reply_doserror(req, ERRDOS, ERRunknownlevel);
3151 return;
3152 }
3153 #endif /* LARGE_SMB_OFF_T */
3154
3155 /* the soft quotas 8 bytes (SMB_BIG_UINT)*/
3156 qt.softlim = (SMB_BIG_UINT)IVAL(pdata,24);
3157 #ifdef LARGE_SMB_OFF_T
3158 qt.softlim |= (((SMB_BIG_UINT)IVAL(pdata,28)) << 32);
3159 #else /* LARGE_SMB_OFF_T */
3160 if ((IVAL(pdata,28) != 0)&&
3161 ((qt.softlim != 0xFFFFFFFF)||
3162 (IVAL(pdata,28)!=0xFFFFFFFF))) {
3163 /* more than 32 bits? */
3164 reply_doserror(req, ERRDOS, ERRunknownlevel);
3165 return;
3166 }
3167 #endif /* LARGE_SMB_OFF_T */
3168
3169 /* the hard quotas 8 bytes (SMB_BIG_UINT)*/
3170 qt.hardlim = (SMB_BIG_UINT)IVAL(pdata,32);
3171 #ifdef LARGE_SMB_OFF_T
3172 qt.hardlim |= (((SMB_BIG_UINT)IVAL(pdata,36)) << 32);
3173 #else /* LARGE_SMB_OFF_T */
3174 if ((IVAL(pdata,36) != 0)&&
3175 ((qt.hardlim != 0xFFFFFFFF)||
3176 (IVAL(pdata,36)!=0xFFFFFFFF))) {
3177 /* more than 32 bits? */
3178 reply_doserror(req, ERRDOS, ERRunknownlevel);
3179 return;
3180 }
3181 #endif /* LARGE_SMB_OFF_T */
3182
3183 sid_parse(pdata+40,sid_len,&sid);
3184 DEBUGADD(8,("SID: %s\n",sid_string_static(&sid)));
3185
3186 /* 44 unknown bytes left... */
3187
3188 if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
3189 reply_doserror(req, ERRSRV, ERRerror);
3190 return;
3191 }
3192
3193 send_nt_replies(req, NT_STATUS_OK, params, param_len,
3194 pdata, data_len);
3195 }
3196 #endif /* HAVE_SYS_QUOTAS */
3197
3198 static void handle_nttrans(connection_struct *conn,
3199 struct trans_state *state,
3200 struct smb_request *req)
3201 {
3202 if (Protocol >= PROTOCOL_NT1) {
3203 req->flags2 |= 0x40; /* IS_LONG_NAME */
3204 SSVAL(req->inbuf,smb_flg2,req->flags2);
3205 }
3206
3207 /* Now we must call the relevant NT_TRANS function */
3208 switch(state->call) {
3209 case NT_TRANSACT_CREATE:
3210 {
3211 START_PROFILE(NT_transact_create);
3212 call_nt_transact_create(
3213 conn, req,
3214 &state->setup, state->setup_count,
3215 &state->param, state->total_param,
3216 &state->data, state->total_data,
3217 state->max_data_return);
3218 END_PROFILE(NT_transact_create);
3219 break;
3220 }
3221
3222 case NT_TRANSACT_IOCTL:
3223 {
3224 START_PROFILE(NT_transact_ioctl);
3225 call_nt_transact_ioctl(
3226 conn, req,
3227 &state->setup, state->setup_count,
3228 &state->param, state->total_param,
3229 &state->data, state->total_data,
3230 state->max_data_return);
3231 END_PROFILE(NT_transact_ioctl);
3232 break;
3233 }
3234
3235 case NT_TRANSACT_SET_SECURITY_DESC:
3236 {
3237 START_PROFILE(NT_transact_set_security_desc);
3238 call_nt_transact_set_security_desc(
3239 conn, req,
3240 &state->setup, state->setup_count,
3241 &state->param, state->total_param,
3242 &state->data, state->total_data,
3243 state->max_data_return);
3244 END_PROFILE(NT_transact_set_security_desc);
3245 break;
3246 }
3247
3248 case NT_TRANSACT_NOTIFY_CHANGE:
3249 {
3250 START_PROFILE(NT_transact_notify_change);
3251 call_nt_transact_notify_change(
3252 conn, req,
3253 &state->setup, state->setup_count,
3254 &state->param, state->total_param,
3255 &state->data, state->total_data,
3256 state->max_data_return,
3257 state->max_param_return);
3258 END_PROFILE(NT_transact_notify_change);
3259 break;
3260 }
3261
3262 case NT_TRANSACT_RENAME:
3263 {
3264 START_PROFILE(NT_transact_rename);
3265 call_nt_transact_rename(
3266 conn, req,
3267 &state->setup, state->setup_count,
3268 &state->param, state->total_param,
3269 &state->data, state->total_data,
3270 state->max_data_return);
3271 END_PROFILE(NT_transact_rename);
3272 break;
3273 }
3274
3275 case NT_TRANSACT_QUERY_SECURITY_DESC:
3276 {
3277 START_PROFILE(NT_transact_query_security_desc);
3278 call_nt_transact_query_security_desc(
3279 conn, req,
3280 &state->setup, state->setup_count,
3281 &state->param, state->total_param,
3282 &state->data, state->total_data,
3283 state->max_data_return);
3284 END_PROFILE(NT_transact_query_security_desc);
3285 break;
3286 }
3287
3288 #ifdef HAVE_SYS_QUOTAS
3289 case NT_TRANSACT_GET_USER_QUOTA:
3290 {
3291 START_PROFILE(NT_transact_get_user_quota);
3292 call_nt_transact_get_user_quota(
3293 conn, req,
3294 &state->setup, state->setup_count,
3295 &state->param, state->total_param,
3296 &state->data, state->total_data,
3297 state->max_data_return);
3298 END_PROFILE(NT_transact_get_user_quota);
3299 break;
3300 }
3301
3302 case NT_TRANSACT_SET_USER_QUOTA:
3303 {
3304 START_PROFILE(NT_transact_set_user_quota);
3305 call_nt_transact_set_user_quota(
3306 conn, req,
3307 &state->setup, state->setup_count,
3308 &state->param, state->total_param,
3309 &state->data, state->total_data,
3310 state->max_data_return);
3311 END_PROFILE(NT_transact_set_user_quota);
3312 break;
3313 }
3314 #endif /* HAVE_SYS_QUOTAS */
3315
3316 default:
3317 /* Error in request */
3318 DEBUG(0,("handle_nttrans: Unknown request %d in "
3319 "nttrans call\n", state->call));
3320 reply_doserror(req, ERRSRV, ERRerror);
3321 return;
3322 }
3323 return;
3324 }
3325
3326 /****************************************************************************
3327 Reply to a SMBNTtrans.
3328 ****************************************************************************/
3329
3330 void reply_nttrans(connection_struct *conn, struct smb_request *req)
3331 {
3332 uint32 pscnt;
3333 uint32 psoff;
3334 uint32 dscnt;
3335 uint32 dsoff;
3336 uint16 function_code;
3337 NTSTATUS result;
3338 struct trans_state *state;
3339 int size;
3340
3341 START_PROFILE(SMBnttrans);
3342
3343 if (req->wct < 19) {
3344 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3345 END_PROFILE(SMBnttrans);
3346 return;
3347 }
3348
3349 size = smb_len(req->inbuf) + 4;
3350 pscnt = IVAL(req->inbuf,smb_nt_ParameterCount);
3351 psoff = IVAL(req->inbuf,smb_nt_ParameterOffset);
3352 dscnt = IVAL(req->inbuf,smb_nt_DataCount);
3353 dsoff = IVAL(req->inbuf,smb_nt_DataOffset);
3354 function_code = SVAL(req->inbuf, smb_nt_Function);
3355
3356 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
3357 reply_doserror(req, ERRSRV, ERRaccess);
3358 END_PROFILE(SMBnttrans);
3359 return;
3360 }
3361
3362 result = allow_new_trans(conn->pending_trans, req->mid);
3363 if (!NT_STATUS_IS_OK(result)) {
3364 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
3365 reply_nterror(req, result);
3366 END_PROFILE(SMBnttrans);
3367 return;
3368 }
3369
3370 if ((state = TALLOC_P(conn->mem_ctx, struct trans_state)) == NULL) {
3371 reply_doserror(req, ERRSRV, ERRaccess);
3372 END_PROFILE(SMBnttrans);
3373 return;
3374 }
3375
3376 state->cmd = SMBnttrans;
3377
3378 state->mid = req->mid;
3379 state->vuid = req->vuid;
3380 state->total_data = IVAL(req->inbuf, smb_nt_TotalDataCount);
3381 state->data = NULL;
3382 state->total_param = IVAL(req->inbuf, smb_nt_TotalParameterCount);
3383 state->param = NULL;
3384 state->max_data_return = IVAL(req->inbuf,smb_nt_MaxDataCount);
3385 state->max_param_return = IVAL(req->inbuf,smb_nt_MaxParameterCount);
3386
3387 /* setup count is in *words* */
3388 state->setup_count = 2*CVAL(req->inbuf,smb_nt_SetupCount);
3389 state->setup = NULL;
3390 state->call = function_code;
3391
3392 /*
3393 * All nttrans messages we handle have smb_wct == 19 +
3394 * state->setup_count. Ensure this is so as a sanity check.
3395 */
3396
3397 if(req->wct != 19 + (state->setup_count/2)) {
3398 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
3399 req->wct, 19 + (state->setup_count/2)));
3400 goto bad_param;
3401 }
3402
3403 /* Don't allow more than 128mb for each value. */
3404 if ((state->total_data > (1024*1024*128)) ||
3405 (state->total_param > (1024*1024*128))) {
3406 reply_doserror(req, ERRDOS, ERRnomem);
3407 END_PROFILE(SMBnttrans);
3408 return;
3409 }
3410
3411 if ((dscnt > state->total_data) || (pscnt > state->total_param))
3412 goto bad_param;
3413
3414 if (state->total_data) {
3415 /* Can't use talloc here, the core routines do realloc on the
3416 * params and data. */
3417 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
3418 DEBUG(0,("reply_nttrans: data malloc fail for %u "
3419 "bytes !\n", (unsigned int)state->total_data));
3420 TALLOC_FREE(state);
3421 reply_doserror(req, ERRDOS, ERRnomem);
3422 END_PROFILE(SMBnttrans);
3423 return;
3424 }
3425 if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
3426 goto bad_param;
3427 if ((smb_base(req->inbuf)+dsoff+dscnt
3428 > (char *)req->inbuf + size) ||
3429 (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
3430 goto bad_param;
3431
3432 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
3433 }
3434
3435 if (state->total_param) {
3436 /* Can't use talloc here, the core routines do realloc on the
3437 * params and data. */
3438 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
3439 DEBUG(0,("reply_nttrans: param malloc fail for %u "
3440 "bytes !\n", (unsigned int)state->total_param));
3441 SAFE_FREE(state->data);
3442 TALLOC_FREE(state);
3443 reply_doserror(req, ERRDOS, ERRnomem);
3444 END_PROFILE(SMBnttrans);
3445 return;
3446 }
3447 if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
3448 goto bad_param;
3449 if ((smb_base(req->inbuf)+psoff+pscnt
3450 > (char *)req->inbuf + size) ||
3451 (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
3452 goto bad_param;
3453
3454 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
3455 }
3456
3457 state->received_data = dscnt;
3458 state->received_param = pscnt;
3459
3460 if(state->setup_count > 0) {
3461 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
3462 state->setup_count));
3463 state->setup = (uint16 *)TALLOC(state, state->setup_count);
3464 if (state->setup == NULL) {
3465 DEBUG(0,("reply_nttrans : Out of memory\n"));
3466 SAFE_FREE(state->data);
3467 SAFE_FREE(state->param);
3468 TALLOC_FREE(state);
3469 reply_doserror(req, ERRDOS, ERRnomem);
3470 END_PROFILE(SMBnttrans);
3471 return;
3472 }
3473
3474 if ((smb_nt_SetupStart + state->setup_count < smb_nt_SetupStart) ||
3475 (smb_nt_SetupStart + state->setup_count < state->setup_count)) {
3476 goto bad_param;
3477 }
3478 if (smb_nt_SetupStart + state->setup_count > size) {
3479 goto bad_param;
3480 }
3481
3482 memcpy( state->setup, &req->inbuf[smb_nt_SetupStart],
3483 state->setup_count);
3484 dump_data(10, (uint8 *)state->setup, state->setup_count);
3485 }
3486
3487 if ((state->received_data == state->total_data) &&
3488 (state->received_param == state->total_param)) {
3489 handle_nttrans(conn, state, req);
3490 SAFE_FREE(state->param);
3491 SAFE_FREE(state->data);
3492 TALLOC_FREE(state);
3493 END_PROFILE(SMBnttrans);
3494 return;
3495 }
3496
3497 DLIST_ADD(conn->pending_trans, state);
3498
3499 /* We need to send an interim response then receive the rest
3500 of the parameter/data bytes */
3501 reply_outbuf(req, 0, 0);
3502 show_msg((char *)req->outbuf);
3503 END_PROFILE(SMBnttrans);
3504 return;
3505
3506 bad_param:
3507
3508 DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
3509 SAFE_FREE(state->data);
3510 SAFE_FREE(state->param);
3511 TALLOC_FREE(state);
3512 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3513 END_PROFILE(SMBnttrans);
3514 return;
3515 }
3516
3517 /****************************************************************************
3518 Reply to a SMBnttranss
3519 ****************************************************************************/
3520
3521 void reply_nttranss(connection_struct *conn, struct smb_request *req)
3522 {
3523 unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
3524 struct trans_state *state;
3525
3526 int size;
3527
3528 START_PROFILE(SMBnttranss);
3529
3530 show_msg((char *)req->inbuf);
3531
3532 if (req->wct < 18) {
3533 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3534 END_PROFILE(SMBnttranss);
3535 return;
3536 }
3537
3538 for (state = conn->pending_trans; state != NULL;
3539 state = state->next) {
3540 if (state->mid == req->mid) {
3541 break;
3542 }
3543 }
3544
3545 if ((state == NULL) || (state->cmd != SMBnttrans)) {
3546 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3547 END_PROFILE(SMBnttranss);
3548 return;
3549 }
3550
3551 /* Revise state->total_param and state->total_data in case they have
3552 changed downwards */
3553 if (IVAL(req->inbuf, smb_nts_TotalParameterCount)
3554 < state->total_param) {
3555 state->total_param = IVAL(req->inbuf,
3556 smb_nts_TotalParameterCount);
3557 }
3558 if (IVAL(req->inbuf, smb_nts_TotalDataCount) < state->total_data) {
3559 state->total_data = IVAL(req->inbuf, smb_nts_TotalDataCount);
3560 }
3561
3562 size = smb_len(req->inbuf) + 4;
3563
3564 pcnt = IVAL(req->inbuf,smb_nts_ParameterCount);
3565 poff = IVAL(req->inbuf, smb_nts_ParameterOffset);
3566 pdisp = IVAL(req->inbuf, smb_nts_ParameterDisplacement);
3567
3568 dcnt = IVAL(req->inbuf, smb_nts_DataCount);
3569 ddisp = IVAL(req->inbuf, smb_nts_DataDisplacement);
3570 doff = IVAL(req->inbuf, smb_nts_DataOffset);
3571
3572 state->received_param += pcnt;
3573 state->received_data += dcnt;
3574
3575 if ((state->received_data > state->total_data) ||
3576 (state->received_param > state->total_param))
3577 goto bad_param;
3578
3579 if (pcnt) {
3580 if (pdisp+pcnt > state->total_param)
3581 goto bad_param;
3582 if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
3583 goto bad_param;
3584 if (pdisp > state->total_param)
3585 goto bad_param;
3586 if ((smb_base(req->inbuf) + poff + pcnt
3587 > (char *)req->inbuf + size) ||
3588 (smb_base(req->inbuf) + poff + pcnt
3589 < smb_base(req->inbuf)))
3590 goto bad_param;
3591 if (state->param + pdisp < state->param)
3592 goto bad_param;
3593
3594 memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,
3595 pcnt);
3596 }
3597
3598 if (dcnt) {
3599 if (ddisp+dcnt > state->total_data)
3600 goto bad_param;
3601 if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
3602 goto bad_param;
3603 if (ddisp > state->total_data)
3604 goto bad_param;
3605 if ((smb_base(req->inbuf) + doff + dcnt
3606 > (char *)req->inbuf + size) ||
3607 (smb_base(req->inbuf) + doff + dcnt
3608 < smb_base(req->inbuf)))
3609 goto bad_param;
3610 if (state->data + ddisp < state->data)
3611 goto bad_param;
3612
3613 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
3614 dcnt);
3615 }
3616
3617 if ((state->received_param < state->total_param) ||
3618 (state->received_data < state->total_data)) {
3619 END_PROFILE(SMBnttranss);
3620 return;
3621 }
3622
3623 /*
3624 * construct_reply_common will copy smb_com from inbuf to
3625 * outbuf. SMBnttranss is wrong here.
3626 */
3627 SCVAL(req->inbuf,smb_com,SMBnttrans);
3628
3629 handle_nttrans(conn, state, req);
3630
3631 DLIST_REMOVE(conn->pending_trans, state);
3632 SAFE_FREE(state->data);
3633 SAFE_FREE(state->param);
3634 TALLOC_FREE(state);
3635 END_PROFILE(SMBnttranss);
3636 return;
3637
3638 bad_param:
3639
3640 DEBUG(0,("reply_nttranss: invalid trans parameters\n"));
3641 DLIST_REMOVE(conn->pending_trans, state);
3642 SAFE_FREE(state->data);
3643 SAFE_FREE(state->param);
3644 TALLOC_FREE(state);
3645 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3646 END_PROFILE(SMBnttranss);
3647 return;
3648 }
Samba GIT mirror