search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Fix bug 8360
[Samba.git] / source3 / smbd / process.c
blobccbaec594ac72aa139cd2a680679ec1cb36e699f
1 /*
2 Unix SMB/CIFS implementation.
3 process incoming packets - main loop
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Volker Lendecke 2005-2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../lib/tsocket/tsocket.h"
23 #include "system/filesys.h"
24 #include "smbd/smbd.h"
25 #include "smbd/globals.h"
26 #include "librpc/gen_ndr/netlogon.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/pcap.h"
31 #include "system/select.h"
32 #include "passdb.h"
33 #include "auth.h"
34 #include "messages.h"
35 #include "smbprofile.h"
36 #include "rpc_server/spoolss/srv_spoolss_nt.h"
37 #include "libsmb/libsmb.h"
38
39 extern bool global_machine_password_needs_changing;
40
41 static void construct_reply_common(struct smb_request *req, const char *inbuf,
42 char *outbuf);
43 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid);
44
45 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
46 {
47 bool ok;
48
49 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
50 return true;
51 }
52
53 sconn->smb1.echo_handler.ref_count++;
54
55 if (sconn->smb1.echo_handler.ref_count > 1) {
56 return true;
57 }
58
59 DEBUG(10,("pid[%d] wait for socket lock\n", (int)sys_getpid()));
60
61 do {
62 ok = fcntl_lock(
63 sconn->smb1.echo_handler.socket_lock_fd,
64 SMB_F_SETLKW, 0, 0, F_WRLCK);
65 } while (!ok && (errno == EINTR));
66
67 if (!ok) {
68 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
69 return false;
70 }
71
72 DEBUG(10,("pid[%d] got for socket lock\n", (int)sys_getpid()));
73
74 return true;
75 }
76
77 void smbd_lock_socket(struct smbd_server_connection *sconn)
78 {
79 if (!smbd_lock_socket_internal(sconn)) {
80 exit_server_cleanly("failed to lock socket");
81 }
82 }
83
84 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
85 {
86 bool ok;
87
88 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
89 return true;
90 }
91
92 sconn->smb1.echo_handler.ref_count--;
93
94 if (sconn->smb1.echo_handler.ref_count > 0) {
95 return true;
96 }
97
98 do {
99 ok = fcntl_lock(
100 sconn->smb1.echo_handler.socket_lock_fd,
101 SMB_F_SETLKW, 0, 0, F_UNLCK);
102 } while (!ok && (errno == EINTR));
103
104 if (!ok) {
105 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
106 return false;
107 }
108
109 DEBUG(10,("pid[%d] unlocked socket\n", (int)sys_getpid()));
110
111 return true;
112 }
113
114 void smbd_unlock_socket(struct smbd_server_connection *sconn)
115 {
116 if (!smbd_unlock_socket_internal(sconn)) {
117 exit_server_cleanly("failed to unlock socket");
118 }
119 }
120
121 /* Accessor function for smb_read_error for smbd functions. */
122
123 /****************************************************************************
124 Send an smb to a fd.
125 ****************************************************************************/
126
127 bool srv_send_smb(struct smbd_server_connection *sconn, char *buffer,
128 bool do_signing, uint32_t seqnum,
129 bool do_encrypt,
130 struct smb_perfcount_data *pcd)
131 {
132 size_t len = 0;
133 size_t nwritten=0;
134 ssize_t ret;
135 char *buf_out = buffer;
136
137 smbd_lock_socket(sconn);
138
139 if (do_signing) {
140 /* Sign the outgoing packet if required. */
141 srv_calculate_sign_mac(sconn, buf_out, seqnum);
142 }
143
144 if (do_encrypt) {
145 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
146 if (!NT_STATUS_IS_OK(status)) {
147 DEBUG(0, ("send_smb: SMB encryption failed "
148 "on outgoing packet! Error %s\n",
149 nt_errstr(status) ));
150 goto out;
151 }
152 }
153
154 len = smb_len(buf_out) + 4;
155
156 ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
157 if (ret <= 0) {
158
159 char addr[INET6_ADDRSTRLEN];
160 /*
161 * Try and give an error message saying what
162 * client failed.
163 */
164 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
165 (int)sys_getpid(), (int)len,
166 get_peer_addr(sconn->sock, addr, sizeof(addr)),
167 (int)ret, strerror(errno) ));
168
169 srv_free_enc_buffer(buf_out);
170 goto out;
171 }
172
173 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
174 srv_free_enc_buffer(buf_out);
175 out:
176 SMB_PERFCOUNT_END(pcd);
177
178 smbd_unlock_socket(sconn);
179 return true;
180 }
181
182 /*******************************************************************
183 Setup the word count and byte count for a smb message.
184 ********************************************************************/
185
186 int srv_set_message(char *buf,
187 int num_words,
188 int num_bytes,
189 bool zero)
190 {
191 if (zero && (num_words || num_bytes)) {
192 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
193 }
194 SCVAL(buf,smb_wct,num_words);
195 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
196 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
197 return (smb_size + num_words*2 + num_bytes);
198 }
199
200 static bool valid_smb_header(const uint8_t *inbuf)
201 {
202 if (is_encrypted_packet(inbuf)) {
203 return true;
204 }
205 /*
206 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
207 * but it just looks weird to call strncmp for this one.
208 */
209 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
210 }
211
212 /* Socket functions for smbd packet processing. */
213
214 static bool valid_packet_size(size_t len)
215 {
216 /*
217 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
218 * of header. Don't print the error if this fits.... JRA.
219 */
220
221 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
222 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
223 (unsigned long)len));
224 return false;
225 }
226 return true;
227 }
228
229 static NTSTATUS read_packet_remainder(int fd, char *buffer,
230 unsigned int timeout, ssize_t len)
231 {
232 NTSTATUS status;
233
234 if (len <= 0) {
235 return NT_STATUS_OK;
236 }
237
238 status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
239 if (!NT_STATUS_IS_OK(status)) {
240 char addr[INET6_ADDRSTRLEN];
241 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
242 "error = %s.\n",
243 get_peer_addr(fd, addr, sizeof(addr)),
244 nt_errstr(status)));
245 }
246 return status;
247 }
248
249 /****************************************************************************
250 Attempt a zerocopy writeX read. We know here that len > smb_size-4
251 ****************************************************************************/
252
253 /*
254 * Unfortunately, earlier versions of smbclient/libsmbclient
255 * don't send this "standard" writeX header. I've fixed this
256 * for 3.2 but we'll use the old method with earlier versions.
257 * Windows and CIFSFS at least use this standard size. Not
258 * sure about MacOSX.
259 */
260
261 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
262 (2*14) + /* word count (including bcc) */ \
263 1 /* pad byte */)
264
265 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
266 const char lenbuf[4],
267 struct smbd_server_connection *sconn,
268 int sock,
269 char **buffer,
270 unsigned int timeout,
271 size_t *p_unread,
272 size_t *len_ret)
273 {
274 /* Size of a WRITEX call (+4 byte len). */
275 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
276 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
277 ssize_t toread;
278 NTSTATUS status;
279
280 memcpy(writeX_header, lenbuf, 4);
281
282 status = read_fd_with_timeout(
283 sock, writeX_header + 4,
284 STANDARD_WRITE_AND_X_HEADER_SIZE,
285 STANDARD_WRITE_AND_X_HEADER_SIZE,
286 timeout, NULL);
287
288 if (!NT_STATUS_IS_OK(status)) {
289 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
290 "error = %s.\n", sconn->client_id.addr,
291 nt_errstr(status)));
292 return status;
293 }
294
295 /*
296 * Ok - now try and see if this is a possible
297 * valid writeX call.
298 */
299
300 if (is_valid_writeX_buffer(sconn, (uint8_t *)writeX_header)) {
301 /*
302 * If the data offset is beyond what
303 * we've read, drain the extra bytes.
304 */
305 uint16_t doff = SVAL(writeX_header,smb_vwv11);
306 ssize_t newlen;
307
308 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
309 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
310 if (drain_socket(sock, drain) != drain) {
311 smb_panic("receive_smb_raw_talloc_partial_read:"
312 " failed to drain pending bytes");
313 }
314 } else {
315 doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
316 }
317
318 /* Spoof down the length and null out the bcc. */
319 set_message_bcc(writeX_header, 0);
320 newlen = smb_len(writeX_header);
321
322 /* Copy the header we've written. */
323
324 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
325 writeX_header,
326 sizeof(writeX_header));
327
328 if (*buffer == NULL) {
329 DEBUG(0, ("Could not allocate inbuf of length %d\n",
330 (int)sizeof(writeX_header)));
331 return NT_STATUS_NO_MEMORY;
332 }
333
334 /* Work out the remaining bytes. */
335 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
336 *len_ret = newlen + 4;
337 return NT_STATUS_OK;
338 }
339
340 if (!valid_packet_size(len)) {
341 return NT_STATUS_INVALID_PARAMETER;
342 }
343
344 /*
345 * Not a valid writeX call. Just do the standard
346 * talloc and return.
347 */
348
349 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
350
351 if (*buffer == NULL) {
352 DEBUG(0, ("Could not allocate inbuf of length %d\n",
353 (int)len+4));
354 return NT_STATUS_NO_MEMORY;
355 }
356
357 /* Copy in what we already read. */
358 memcpy(*buffer,
359 writeX_header,
360 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
361 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
362
363 if(toread > 0) {
364 status = read_packet_remainder(
365 sock,
366 (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
367 timeout, toread);
368
369 if (!NT_STATUS_IS_OK(status)) {
370 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
371 nt_errstr(status)));
372 return status;
373 }
374 }
375
376 *len_ret = len + 4;
377 return NT_STATUS_OK;
378 }
379
380 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
381 struct smbd_server_connection *sconn,
382 int sock,
383 char **buffer, unsigned int timeout,
384 size_t *p_unread, size_t *plen)
385 {
386 char lenbuf[4];
387 size_t len;
388 int min_recv_size = lp_min_receive_file_size();
389 NTSTATUS status;
390
391 *p_unread = 0;
392
393 status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
394 &len);
395 if (!NT_STATUS_IS_OK(status)) {
396 return status;
397 }
398
399 if (CVAL(lenbuf,0) == 0 && min_recv_size &&
400 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
401 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
402 !srv_is_signing_active(sconn) &&
403 sconn->smb1.echo_handler.trusted_fde == NULL) {
404
405 return receive_smb_raw_talloc_partial_read(
406 mem_ctx, lenbuf, sconn, sock, buffer, timeout,
407 p_unread, plen);
408 }
409
410 if (!valid_packet_size(len)) {
411 return NT_STATUS_INVALID_PARAMETER;
412 }
413
414 /*
415 * The +4 here can't wrap, we've checked the length above already.
416 */
417
418 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
419
420 if (*buffer == NULL) {
421 DEBUG(0, ("Could not allocate inbuf of length %d\n",
422 (int)len+4));
423 return NT_STATUS_NO_MEMORY;
424 }
425
426 memcpy(*buffer, lenbuf, sizeof(lenbuf));
427
428 status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
429 if (!NT_STATUS_IS_OK(status)) {
430 return status;
431 }
432
433 *plen = len + 4;
434 return NT_STATUS_OK;
435 }
436
437 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
438 struct smbd_server_connection *sconn,
439 int sock,
440 char **buffer, unsigned int timeout,
441 size_t *p_unread, bool *p_encrypted,
442 size_t *p_len,
443 uint32_t *seqnum,
444 bool trusted_channel)
445 {
446 size_t len = 0;
447 NTSTATUS status;
448
449 *p_encrypted = false;
450
451 status = receive_smb_raw_talloc(mem_ctx, sconn, sock, buffer, timeout,
452 p_unread, &len);
453 if (!NT_STATUS_IS_OK(status)) {
454 DEBUG(1, ("read_smb_length_return_keepalive failed for "
455 "client %s read error = %s.\n",
456 sconn->client_id.addr, nt_errstr(status)));
457 return status;
458 }
459
460 if (is_encrypted_packet((uint8_t *)*buffer)) {
461 status = srv_decrypt_buffer(*buffer);
462 if (!NT_STATUS_IS_OK(status)) {
463 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
464 "incoming packet! Error %s\n",
465 nt_errstr(status) ));
466 return status;
467 }
468 *p_encrypted = true;
469 }
470
471 /* Check the incoming SMB signature. */
472 if (!srv_check_sign_mac(sconn, *buffer, seqnum, trusted_channel)) {
473 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
474 "incoming packet!\n"));
475 return NT_STATUS_INVALID_NETWORK_RESPONSE;
476 }
477
478 *p_len = len;
479 return NT_STATUS_OK;
480 }
481
482 /*
483 * Initialize a struct smb_request from an inbuf
484 */
485
486 static bool init_smb_request(struct smb_request *req,
487 struct smbd_server_connection *sconn,
488 const uint8 *inbuf,
489 size_t unread_bytes, bool encrypted,
490 uint32_t seqnum)
491 {
492 size_t req_size = smb_len(inbuf) + 4;
493 /* Ensure we have at least smb_size bytes. */
494 if (req_size < smb_size) {
495 DEBUG(0,("init_smb_request: invalid request size %u\n",
496 (unsigned int)req_size ));
497 return false;
498 }
499 req->cmd = CVAL(inbuf, smb_com);
500 req->flags2 = SVAL(inbuf, smb_flg2);
501 req->smbpid = SVAL(inbuf, smb_pid);
502 req->mid = (uint64_t)SVAL(inbuf, smb_mid);
503 req->seqnum = seqnum;
504 req->vuid = SVAL(inbuf, smb_uid);
505 req->tid = SVAL(inbuf, smb_tid);
506 req->wct = CVAL(inbuf, smb_wct);
507 req->vwv = (uint16_t *)(inbuf+smb_vwv);
508 req->buflen = smb_buflen(inbuf);
509 req->buf = (const uint8_t *)smb_buf(inbuf);
510 req->unread_bytes = unread_bytes;
511 req->encrypted = encrypted;
512 req->sconn = sconn;
513 req->conn = conn_find(sconn,req->tid);
514 req->chain_fsp = NULL;
515 req->chain_outbuf = NULL;
516 req->done = false;
517 req->smb2req = NULL;
518 smb_init_perfcount_data(&req->pcd);
519
520 /* Ensure we have at least wct words and 2 bytes of bcc. */
521 if (smb_size + req->wct*2 > req_size) {
522 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
523 (unsigned int)req->wct,
524 (unsigned int)req_size));
525 return false;
526 }
527 /* Ensure bcc is correct. */
528 if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
529 DEBUG(0,("init_smb_request: invalid bcc number %u "
530 "(wct = %u, size %u)\n",
531 (unsigned int)req->buflen,
532 (unsigned int)req->wct,
533 (unsigned int)req_size));
534 return false;
535 }
536
537 req->outbuf = NULL;
538 return true;
539 }
540
541 static void process_smb(struct smbd_server_connection *conn,
542 uint8_t *inbuf, size_t nread, size_t unread_bytes,
543 uint32_t seqnum, bool encrypted,
544 struct smb_perfcount_data *deferred_pcd);
545
546 static void smbd_deferred_open_timer(struct event_context *ev,
547 struct timed_event *te,
548 struct timeval _tval,
549 void *private_data)
550 {
551 struct pending_message_list *msg = talloc_get_type(private_data,
552 struct pending_message_list);
553 TALLOC_CTX *mem_ctx = talloc_tos();
554 uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
555 uint8_t *inbuf;
556
557 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
558 msg->buf.length);
559 if (inbuf == NULL) {
560 exit_server("smbd_deferred_open_timer: talloc failed\n");
561 return;
562 }
563
564 /* We leave this message on the queue so the open code can
565 know this is a retry. */
566 DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
567 (unsigned long long)mid ));
568
569 /* Mark the message as processed so this is not
570 * re-processed in error. */
571 msg->processed = true;
572
573 process_smb(smbd_server_conn, inbuf,
574 msg->buf.length, 0,
575 msg->seqnum, msg->encrypted, &msg->pcd);
576
577 /* If it's still there and was processed, remove it. */
578 msg = get_deferred_open_message_smb(mid);
579 if (msg && msg->processed) {
580 remove_deferred_open_message_smb(mid);
581 }
582 }
583
584 /****************************************************************************
585 Function to push a message onto the tail of a linked list of smb messages ready
586 for processing.
587 ****************************************************************************/
588
589 static bool push_queued_message(struct smb_request *req,
590 struct timeval request_time,
591 struct timeval end_time,
592 char *private_data, size_t private_len)
593 {
594 int msg_len = smb_len(req->inbuf) + 4;
595 struct pending_message_list *msg;
596
597 msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
598
599 if(msg == NULL) {
600 DEBUG(0,("push_message: malloc fail (1)\n"));
601 return False;
602 }
603
604 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
605 if(msg->buf.data == NULL) {
606 DEBUG(0,("push_message: malloc fail (2)\n"));
607 TALLOC_FREE(msg);
608 return False;
609 }
610
611 msg->request_time = request_time;
612 msg->seqnum = req->seqnum;
613 msg->encrypted = req->encrypted;
614 msg->processed = false;
615 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
616
617 if (private_data) {
618 msg->private_data = data_blob_talloc(msg, private_data,
619 private_len);
620 if (msg->private_data.data == NULL) {
621 DEBUG(0,("push_message: malloc fail (3)\n"));
622 TALLOC_FREE(msg);
623 return False;
624 }
625 }
626
627 msg->te = event_add_timed(smbd_event_context(),
628 msg,
629 end_time,
630 smbd_deferred_open_timer,
631 msg);
632 if (!msg->te) {
633 DEBUG(0,("push_message: event_add_timed failed\n"));
634 TALLOC_FREE(msg);
635 return false;
636 }
637
638 DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
639
640 DEBUG(10,("push_message: pushed message length %u on "
641 "deferred_open_queue\n", (unsigned int)msg_len));
642
643 return True;
644 }
645
646 /****************************************************************************
647 Function to delete a sharing violation open message by mid.
648 ****************************************************************************/
649
650 void remove_deferred_open_message_smb(uint64_t mid)
651 {
652 struct pending_message_list *pml;
653
654 if (smbd_server_conn->using_smb2) {
655 remove_deferred_open_message_smb2(smbd_server_conn, mid);
656 return;
657 }
658
659 for (pml = deferred_open_queue; pml; pml = pml->next) {
660 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
661 DEBUG(10,("remove_deferred_open_message_smb: "
662 "deleting mid %llu len %u\n",
663 (unsigned long long)mid,
664 (unsigned int)pml->buf.length ));
665 DLIST_REMOVE(deferred_open_queue, pml);
666 TALLOC_FREE(pml);
667 return;
668 }
669 }
670 }
671
672 /****************************************************************************
673 Move a sharing violation open retry message to the front of the list and
674 schedule it for immediate processing.
675 ****************************************************************************/
676
677 void schedule_deferred_open_message_smb(uint64_t mid)
678 {
679 struct pending_message_list *pml;
680 int i = 0;
681
682 if (smbd_server_conn->using_smb2) {
683 schedule_deferred_open_message_smb2(smbd_server_conn, mid);
684 return;
685 }
686
687 for (pml = deferred_open_queue; pml; pml = pml->next) {
688 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
689
690 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
691 "msg_mid = %llu\n",
692 i++,
693 (unsigned long long)msg_mid ));
694
695 if (mid == msg_mid) {
696 struct timed_event *te;
697
698 if (pml->processed) {
699 /* A processed message should not be
700 * rescheduled. */
701 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
702 "message mid %llu was already processed\n",
703 (unsigned long long)msg_mid ));
704 continue;
705 }
706
707 DEBUG(10,("schedule_deferred_open_message_smb: "
708 "scheduling mid %llu\n",
709 (unsigned long long)mid ));
710
711 te = event_add_timed(smbd_event_context(),
712 pml,
713 timeval_zero(),
714 smbd_deferred_open_timer,
715 pml);
716 if (!te) {
717 DEBUG(10,("schedule_deferred_open_message_smb: "
718 "event_add_timed() failed, "
719 "skipping mid %llu\n",
720 (unsigned long long)msg_mid ));
721 }
722
723 TALLOC_FREE(pml->te);
724 pml->te = te;
725 DLIST_PROMOTE(deferred_open_queue, pml);
726 return;
727 }
728 }
729
730 DEBUG(10,("schedule_deferred_open_message_smb: failed to "
731 "find message mid %llu\n",
732 (unsigned long long)mid ));
733 }
734
735 /****************************************************************************
736 Return true if this mid is on the deferred queue and was not yet processed.
737 ****************************************************************************/
738
739 bool open_was_deferred(uint64_t mid)
740 {
741 struct pending_message_list *pml;
742
743 if (smbd_server_conn->using_smb2) {
744 return open_was_deferred_smb2(smbd_server_conn, mid);
745 }
746
747 for (pml = deferred_open_queue; pml; pml = pml->next) {
748 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
749 return True;
750 }
751 }
752 return False;
753 }
754
755 /****************************************************************************
756 Return the message queued by this mid.
757 ****************************************************************************/
758
759 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid)
760 {
761 struct pending_message_list *pml;
762
763 for (pml = deferred_open_queue; pml; pml = pml->next) {
764 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
765 return pml;
766 }
767 }
768 return NULL;
769 }
770
771 /****************************************************************************
772 Get the state data queued by this mid.
773 ****************************************************************************/
774
775 bool get_deferred_open_message_state(struct smb_request *smbreq,
776 struct timeval *p_request_time,
777 void **pp_state)
778 {
779 struct pending_message_list *pml;
780
781 if (smbd_server_conn->using_smb2) {
782 return get_deferred_open_message_state_smb2(smbreq->smb2req,
783 p_request_time,
784 pp_state);
785 }
786
787 pml = get_deferred_open_message_smb(smbreq->mid);
788 if (!pml) {
789 return false;
790 }
791 if (p_request_time) {
792 *p_request_time = pml->request_time;
793 }
794 if (pp_state) {
795 *pp_state = (void *)pml->private_data.data;
796 }
797 return true;
798 }
799
800 /****************************************************************************
801 Function to push a deferred open smb message onto a linked list of local smb
802 messages ready for processing.
803 ****************************************************************************/
804
805 bool push_deferred_open_message_smb(struct smb_request *req,
806 struct timeval request_time,
807 struct timeval timeout,
808 struct file_id id,
809 char *private_data, size_t priv_len)
810 {
811 struct timeval end_time;
812
813 if (req->smb2req) {
814 return push_deferred_open_message_smb2(req->smb2req,
815 request_time,
816 timeout,
817 id,
818 private_data,
819 priv_len);
820 }
821
822 if (req->unread_bytes) {
823 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
824 "unread_bytes = %u\n",
825 (unsigned int)req->unread_bytes ));
826 smb_panic("push_deferred_open_message_smb: "
827 "logic error unread_bytes != 0" );
828 }
829
830 end_time = timeval_sum(&request_time, &timeout);
831
832 DEBUG(10,("push_deferred_open_message_smb: pushing message "
833 "len %u mid %llu timeout time [%u.%06u]\n",
834 (unsigned int) smb_len(req->inbuf)+4,
835 (unsigned long long)req->mid,
836 (unsigned int)end_time.tv_sec,
837 (unsigned int)end_time.tv_usec));
838
839 return push_queued_message(req, request_time, end_time,
840 private_data, priv_len);
841 }
842
843 struct idle_event {
844 struct timed_event *te;
845 struct timeval interval;
846 char *name;
847 bool (*handler)(const struct timeval *now, void *private_data);
848 void *private_data;
849 };
850
851 static void smbd_idle_event_handler(struct event_context *ctx,
852 struct timed_event *te,
853 struct timeval now,
854 void *private_data)
855 {
856 struct idle_event *event =
857 talloc_get_type_abort(private_data, struct idle_event);
858
859 TALLOC_FREE(event->te);
860
861 DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
862 event->name, event->te));
863
864 if (!event->handler(&now, event->private_data)) {
865 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
866 event->name, event->te));
867 /* Don't repeat, delete ourselves */
868 TALLOC_FREE(event);
869 return;
870 }
871
872 DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
873 event->name, event->te));
874
875 event->te = event_add_timed(ctx, event,
876 timeval_sum(&now, &event->interval),
877 smbd_idle_event_handler, event);
878
879 /* We can't do much but fail here. */
880 SMB_ASSERT(event->te != NULL);
881 }
882
883 struct idle_event *event_add_idle(struct event_context *event_ctx,
884 TALLOC_CTX *mem_ctx,
885 struct timeval interval,
886 const char *name,
887 bool (*handler)(const struct timeval *now,
888 void *private_data),
889 void *private_data)
890 {
891 struct idle_event *result;
892 struct timeval now = timeval_current();
893
894 result = TALLOC_P(mem_ctx, struct idle_event);
895 if (result == NULL) {
896 DEBUG(0, ("talloc failed\n"));
897 return NULL;
898 }
899
900 result->interval = interval;
901 result->handler = handler;
902 result->private_data = private_data;
903
904 if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
905 DEBUG(0, ("talloc failed\n"));
906 TALLOC_FREE(result);
907 return NULL;
908 }
909
910 result->te = event_add_timed(event_ctx, result,
911 timeval_sum(&now, &interval),
912 smbd_idle_event_handler, result);
913 if (result->te == NULL) {
914 DEBUG(0, ("event_add_timed failed\n"));
915 TALLOC_FREE(result);
916 return NULL;
917 }
918
919 DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
920 return result;
921 }
922
923 static void smbd_sig_term_handler(struct tevent_context *ev,
924 struct tevent_signal *se,
925 int signum,
926 int count,
927 void *siginfo,
928 void *private_data)
929 {
930 exit_server_cleanly("termination signal");
931 }
932
933 void smbd_setup_sig_term_handler(void)
934 {
935 struct tevent_signal *se;
936
937 se = tevent_add_signal(smbd_event_context(),
938 smbd_event_context(),
939 SIGTERM, 0,
940 smbd_sig_term_handler,
941 NULL);
942 if (!se) {
943 exit_server("failed to setup SIGTERM handler");
944 }
945 }
946
947 static void smbd_sig_hup_handler(struct tevent_context *ev,
948 struct tevent_signal *se,
949 int signum,
950 int count,
951 void *siginfo,
952 void *private_data)
953 {
954 struct messaging_context *msg_ctx = talloc_get_type_abort(
955 private_data, struct messaging_context);
956 change_to_root_user();
957 DEBUG(1,("Reloading services after SIGHUP\n"));
958 reload_services(msg_ctx, smbd_server_conn->sock, False);
959 if (am_parent) {
960 pcap_cache_reload(ev, msg_ctx, &reload_pcap_change_notify);
961 }
962 }
963
964 void smbd_setup_sig_hup_handler(struct tevent_context *ev,
965 struct messaging_context *msg_ctx)
966 {
967 struct tevent_signal *se;
968
969 se = tevent_add_signal(ev, ev, SIGHUP, 0, smbd_sig_hup_handler,
970 msg_ctx);
971 if (!se) {
972 exit_server("failed to setup SIGHUP handler");
973 }
974 }
975
976 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
977 {
978 int timeout;
979 int num_pfds = 0;
980 int ret;
981 bool retry;
982
983 timeout = SMBD_SELECT_TIMEOUT * 1000;
984
985 /*
986 * Are there any timed events waiting ? If so, ensure we don't
987 * select for longer than it would take to wait for them.
988 */
989
990 event_add_to_poll_args(smbd_event_context(), conn,
991 &conn->pfds, &num_pfds, &timeout);
992
993 /* Process a signal and timed events now... */
994 if (run_events_poll(smbd_event_context(), 0, NULL, 0)) {
995 return NT_STATUS_RETRY;
996 }
997
998 {
999 int sav;
1000 START_PROFILE(smbd_idle);
1001
1002 ret = sys_poll(conn->pfds, num_pfds, timeout);
1003 sav = errno;
1004
1005 END_PROFILE(smbd_idle);
1006 errno = sav;
1007 }
1008
1009 if (ret == -1) {
1010 if (errno == EINTR) {
1011 return NT_STATUS_RETRY;
1012 }
1013 return map_nt_error_from_unix(errno);
1014 }
1015
1016 retry = run_events_poll(smbd_event_context(), ret, conn->pfds,
1017 num_pfds);
1018 if (retry) {
1019 return NT_STATUS_RETRY;
1020 }
1021
1022 /* Did we timeout ? */
1023 if (ret == 0) {
1024 return NT_STATUS_RETRY;
1025 }
1026
1027 /* should not be reached */
1028 return NT_STATUS_INTERNAL_ERROR;
1029 }
1030
1031 /*
1032 * Only allow 5 outstanding trans requests. We're allocating memory, so
1033 * prevent a DoS.
1034 */
1035
1036 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
1037 {
1038 int count = 0;
1039 for (; list != NULL; list = list->next) {
1040
1041 if (list->mid == mid) {
1042 return NT_STATUS_INVALID_PARAMETER;
1043 }
1044
1045 count += 1;
1046 }
1047 if (count > 5) {
1048 return NT_STATUS_INSUFFICIENT_RESOURCES;
1049 }
1050
1051 return NT_STATUS_OK;
1052 }
1053
1054 /*
1055 These flags determine some of the permissions required to do an operation
1056
1057 Note that I don't set NEED_WRITE on some write operations because they
1058 are used by some brain-dead clients when printing, and I don't want to
1059 force write permissions on print services.
1060 */
1061 #define AS_USER (1<<0)
1062 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1063 #define TIME_INIT (1<<2)
1064 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1065 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1066 #define DO_CHDIR (1<<6)
1067
1068 /*
1069 define a list of possible SMB messages and their corresponding
1070 functions. Any message that has a NULL function is unimplemented -
1071 please feel free to contribute implementations!
1072 */
1073 static const struct smb_message_struct {
1074 const char *name;
1075 void (*fn)(struct smb_request *req);
1076 int flags;
1077 } smb_messages[256] = {
1078
1079 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1080 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1081 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1082 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1083 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1084 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1085 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1086 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1087 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1088 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1089 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1090 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1091 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1092 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1093 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1094 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1095 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1096 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1097 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1098 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1099 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1100 /* 0x15 */ { NULL, NULL, 0 },
1101 /* 0x16 */ { NULL, NULL, 0 },
1102 /* 0x17 */ { NULL, NULL, 0 },
1103 /* 0x18 */ { NULL, NULL, 0 },
1104 /* 0x19 */ { NULL, NULL, 0 },
1105 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1106 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1107 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1108 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1109 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1110 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1111 /* 0x20 */ { "SMBwritec", NULL,0},
1112 /* 0x21 */ { NULL, NULL, 0 },
1113 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1114 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1115 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1116 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1117 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1118 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1119 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1120 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1121 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1122 /* 0x2b */ { "SMBecho",reply_echo,0},
1123 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1124 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1125 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1126 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1127 /* 0x30 */ { NULL, NULL, 0 },
1128 /* 0x31 */ { NULL, NULL, 0 },
1129 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1130 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1131 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1132 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1133 /* 0x36 */ { NULL, NULL, 0 },
1134 /* 0x37 */ { NULL, NULL, 0 },
1135 /* 0x38 */ { NULL, NULL, 0 },
1136 /* 0x39 */ { NULL, NULL, 0 },
1137 /* 0x3a */ { NULL, NULL, 0 },
1138 /* 0x3b */ { NULL, NULL, 0 },
1139 /* 0x3c */ { NULL, NULL, 0 },
1140 /* 0x3d */ { NULL, NULL, 0 },
1141 /* 0x3e */ { NULL, NULL, 0 },
1142 /* 0x3f */ { NULL, NULL, 0 },
1143 /* 0x40 */ { NULL, NULL, 0 },
1144 /* 0x41 */ { NULL, NULL, 0 },
1145 /* 0x42 */ { NULL, NULL, 0 },
1146 /* 0x43 */ { NULL, NULL, 0 },
1147 /* 0x44 */ { NULL, NULL, 0 },
1148 /* 0x45 */ { NULL, NULL, 0 },
1149 /* 0x46 */ { NULL, NULL, 0 },
1150 /* 0x47 */ { NULL, NULL, 0 },
1151 /* 0x48 */ { NULL, NULL, 0 },
1152 /* 0x49 */ { NULL, NULL, 0 },
1153 /* 0x4a */ { NULL, NULL, 0 },
1154 /* 0x4b */ { NULL, NULL, 0 },
1155 /* 0x4c */ { NULL, NULL, 0 },
1156 /* 0x4d */ { NULL, NULL, 0 },
1157 /* 0x4e */ { NULL, NULL, 0 },
1158 /* 0x4f */ { NULL, NULL, 0 },
1159 /* 0x50 */ { NULL, NULL, 0 },
1160 /* 0x51 */ { NULL, NULL, 0 },
1161 /* 0x52 */ { NULL, NULL, 0 },
1162 /* 0x53 */ { NULL, NULL, 0 },
1163 /* 0x54 */ { NULL, NULL, 0 },
1164 /* 0x55 */ { NULL, NULL, 0 },
1165 /* 0x56 */ { NULL, NULL, 0 },
1166 /* 0x57 */ { NULL, NULL, 0 },
1167 /* 0x58 */ { NULL, NULL, 0 },
1168 /* 0x59 */ { NULL, NULL, 0 },
1169 /* 0x5a */ { NULL, NULL, 0 },
1170 /* 0x5b */ { NULL, NULL, 0 },
1171 /* 0x5c */ { NULL, NULL, 0 },
1172 /* 0x5d */ { NULL, NULL, 0 },
1173 /* 0x5e */ { NULL, NULL, 0 },
1174 /* 0x5f */ { NULL, NULL, 0 },
1175 /* 0x60 */ { NULL, NULL, 0 },
1176 /* 0x61 */ { NULL, NULL, 0 },
1177 /* 0x62 */ { NULL, NULL, 0 },
1178 /* 0x63 */ { NULL, NULL, 0 },
1179 /* 0x64 */ { NULL, NULL, 0 },
1180 /* 0x65 */ { NULL, NULL, 0 },
1181 /* 0x66 */ { NULL, NULL, 0 },
1182 /* 0x67 */ { NULL, NULL, 0 },
1183 /* 0x68 */ { NULL, NULL, 0 },
1184 /* 0x69 */ { NULL, NULL, 0 },
1185 /* 0x6a */ { NULL, NULL, 0 },
1186 /* 0x6b */ { NULL, NULL, 0 },
1187 /* 0x6c */ { NULL, NULL, 0 },
1188 /* 0x6d */ { NULL, NULL, 0 },
1189 /* 0x6e */ { NULL, NULL, 0 },
1190 /* 0x6f */ { NULL, NULL, 0 },
1191 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1192 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1193 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1194 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1195 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1196 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1197 /* 0x76 */ { NULL, NULL, 0 },
1198 /* 0x77 */ { NULL, NULL, 0 },
1199 /* 0x78 */ { NULL, NULL, 0 },
1200 /* 0x79 */ { NULL, NULL, 0 },
1201 /* 0x7a */ { NULL, NULL, 0 },
1202 /* 0x7b */ { NULL, NULL, 0 },
1203 /* 0x7c */ { NULL, NULL, 0 },
1204 /* 0x7d */ { NULL, NULL, 0 },
1205 /* 0x7e */ { NULL, NULL, 0 },
1206 /* 0x7f */ { NULL, NULL, 0 },
1207 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1208 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1209 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1210 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1211 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1212 /* 0x85 */ { NULL, NULL, 0 },
1213 /* 0x86 */ { NULL, NULL, 0 },
1214 /* 0x87 */ { NULL, NULL, 0 },
1215 /* 0x88 */ { NULL, NULL, 0 },
1216 /* 0x89 */ { NULL, NULL, 0 },
1217 /* 0x8a */ { NULL, NULL, 0 },
1218 /* 0x8b */ { NULL, NULL, 0 },
1219 /* 0x8c */ { NULL, NULL, 0 },
1220 /* 0x8d */ { NULL, NULL, 0 },
1221 /* 0x8e */ { NULL, NULL, 0 },
1222 /* 0x8f */ { NULL, NULL, 0 },
1223 /* 0x90 */ { NULL, NULL, 0 },
1224 /* 0x91 */ { NULL, NULL, 0 },
1225 /* 0x92 */ { NULL, NULL, 0 },
1226 /* 0x93 */ { NULL, NULL, 0 },
1227 /* 0x94 */ { NULL, NULL, 0 },
1228 /* 0x95 */ { NULL, NULL, 0 },
1229 /* 0x96 */ { NULL, NULL, 0 },
1230 /* 0x97 */ { NULL, NULL, 0 },
1231 /* 0x98 */ { NULL, NULL, 0 },
1232 /* 0x99 */ { NULL, NULL, 0 },
1233 /* 0x9a */ { NULL, NULL, 0 },
1234 /* 0x9b */ { NULL, NULL, 0 },
1235 /* 0x9c */ { NULL, NULL, 0 },
1236 /* 0x9d */ { NULL, NULL, 0 },
1237 /* 0x9e */ { NULL, NULL, 0 },
1238 /* 0x9f */ { NULL, NULL, 0 },
1239 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1240 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1241 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1242 /* 0xa3 */ { NULL, NULL, 0 },
1243 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1244 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1245 /* 0xa6 */ { NULL, NULL, 0 },
1246 /* 0xa7 */ { NULL, NULL, 0 },
1247 /* 0xa8 */ { NULL, NULL, 0 },
1248 /* 0xa9 */ { NULL, NULL, 0 },
1249 /* 0xaa */ { NULL, NULL, 0 },
1250 /* 0xab */ { NULL, NULL, 0 },
1251 /* 0xac */ { NULL, NULL, 0 },
1252 /* 0xad */ { NULL, NULL, 0 },
1253 /* 0xae */ { NULL, NULL, 0 },
1254 /* 0xaf */ { NULL, NULL, 0 },
1255 /* 0xb0 */ { NULL, NULL, 0 },
1256 /* 0xb1 */ { NULL, NULL, 0 },
1257 /* 0xb2 */ { NULL, NULL, 0 },
1258 /* 0xb3 */ { NULL, NULL, 0 },
1259 /* 0xb4 */ { NULL, NULL, 0 },
1260 /* 0xb5 */ { NULL, NULL, 0 },
1261 /* 0xb6 */ { NULL, NULL, 0 },
1262 /* 0xb7 */ { NULL, NULL, 0 },
1263 /* 0xb8 */ { NULL, NULL, 0 },
1264 /* 0xb9 */ { NULL, NULL, 0 },
1265 /* 0xba */ { NULL, NULL, 0 },
1266 /* 0xbb */ { NULL, NULL, 0 },
1267 /* 0xbc */ { NULL, NULL, 0 },
1268 /* 0xbd */ { NULL, NULL, 0 },
1269 /* 0xbe */ { NULL, NULL, 0 },
1270 /* 0xbf */ { NULL, NULL, 0 },
1271 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1272 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1273 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1274 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1275 /* 0xc4 */ { NULL, NULL, 0 },
1276 /* 0xc5 */ { NULL, NULL, 0 },
1277 /* 0xc6 */ { NULL, NULL, 0 },
1278 /* 0xc7 */ { NULL, NULL, 0 },
1279 /* 0xc8 */ { NULL, NULL, 0 },
1280 /* 0xc9 */ { NULL, NULL, 0 },
1281 /* 0xca */ { NULL, NULL, 0 },
1282 /* 0xcb */ { NULL, NULL, 0 },
1283 /* 0xcc */ { NULL, NULL, 0 },
1284 /* 0xcd */ { NULL, NULL, 0 },
1285 /* 0xce */ { NULL, NULL, 0 },
1286 /* 0xcf */ { NULL, NULL, 0 },
1287 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1288 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1289 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1290 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1291 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1292 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1293 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1294 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1295 /* 0xd8 */ { NULL, NULL, 0 },
1296 /* 0xd9 */ { NULL, NULL, 0 },
1297 /* 0xda */ { NULL, NULL, 0 },
1298 /* 0xdb */ { NULL, NULL, 0 },
1299 /* 0xdc */ { NULL, NULL, 0 },
1300 /* 0xdd */ { NULL, NULL, 0 },
1301 /* 0xde */ { NULL, NULL, 0 },
1302 /* 0xdf */ { NULL, NULL, 0 },
1303 /* 0xe0 */ { NULL, NULL, 0 },
1304 /* 0xe1 */ { NULL, NULL, 0 },
1305 /* 0xe2 */ { NULL, NULL, 0 },
1306 /* 0xe3 */ { NULL, NULL, 0 },
1307 /* 0xe4 */ { NULL, NULL, 0 },
1308 /* 0xe5 */ { NULL, NULL, 0 },
1309 /* 0xe6 */ { NULL, NULL, 0 },
1310 /* 0xe7 */ { NULL, NULL, 0 },
1311 /* 0xe8 */ { NULL, NULL, 0 },
1312 /* 0xe9 */ { NULL, NULL, 0 },
1313 /* 0xea */ { NULL, NULL, 0 },
1314 /* 0xeb */ { NULL, NULL, 0 },
1315 /* 0xec */ { NULL, NULL, 0 },
1316 /* 0xed */ { NULL, NULL, 0 },
1317 /* 0xee */ { NULL, NULL, 0 },
1318 /* 0xef */ { NULL, NULL, 0 },
1319 /* 0xf0 */ { NULL, NULL, 0 },
1320 /* 0xf1 */ { NULL, NULL, 0 },
1321 /* 0xf2 */ { NULL, NULL, 0 },
1322 /* 0xf3 */ { NULL, NULL, 0 },
1323 /* 0xf4 */ { NULL, NULL, 0 },
1324 /* 0xf5 */ { NULL, NULL, 0 },
1325 /* 0xf6 */ { NULL, NULL, 0 },
1326 /* 0xf7 */ { NULL, NULL, 0 },
1327 /* 0xf8 */ { NULL, NULL, 0 },
1328 /* 0xf9 */ { NULL, NULL, 0 },
1329 /* 0xfa */ { NULL, NULL, 0 },
1330 /* 0xfb */ { NULL, NULL, 0 },
1331 /* 0xfc */ { NULL, NULL, 0 },
1332 /* 0xfd */ { NULL, NULL, 0 },
1333 /* 0xfe */ { NULL, NULL, 0 },
1334 /* 0xff */ { NULL, NULL, 0 }
1335
1336 };
1337
1338 /*******************************************************************
1339 allocate and initialize a reply packet
1340 ********************************************************************/
1341
1342 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1343 const char *inbuf, char **outbuf, uint8_t num_words,
1344 uint32_t num_bytes)
1345 {
1346 /*
1347 * Protect against integer wrap
1348 */
1349 if ((num_bytes > 0xffffff)
1350 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1351 char *msg;
1352 if (asprintf(&msg, "num_bytes too large: %u",
1353 (unsigned)num_bytes) == -1) {
1354 msg = CONST_DISCARD(char *, "num_bytes too large");
1355 }
1356 smb_panic(msg);
1357 }
1358
1359 *outbuf = TALLOC_ARRAY(mem_ctx, char,
1360 smb_size + num_words*2 + num_bytes);
1361 if (*outbuf == NULL) {
1362 return false;
1363 }
1364
1365 construct_reply_common(req, inbuf, *outbuf);
1366 srv_set_message(*outbuf, num_words, num_bytes, false);
1367 /*
1368 * Zero out the word area, the caller has to take care of the bcc area
1369 * himself
1370 */
1371 if (num_words != 0) {
1372 memset(*outbuf + smb_vwv0, 0, num_words*2);
1373 }
1374
1375 return true;
1376 }
1377
1378 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1379 {
1380 char *outbuf;
1381 if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1382 num_bytes)) {
1383 smb_panic("could not allocate output buffer\n");
1384 }
1385 req->outbuf = (uint8_t *)outbuf;
1386 }
1387
1388
1389 /*******************************************************************
1390 Dump a packet to a file.
1391 ********************************************************************/
1392
1393 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1394 {
1395 int fd, i;
1396 char *fname = NULL;
1397 if (DEBUGLEVEL < 50) {
1398 return;
1399 }
1400
1401 if (len < 4) len = smb_len(data)+4;
1402 for (i=1;i<100;i++) {
1403 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1404 type ? "req" : "resp") == -1) {
1405 return;
1406 }
1407 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1408 if (fd != -1 || errno != EEXIST) break;
1409 }
1410 if (fd != -1) {
1411 ssize_t ret = write(fd, data, len);
1412 if (ret != len)
1413 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1414 close(fd);
1415 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1416 }
1417 SAFE_FREE(fname);
1418 }
1419
1420 /****************************************************************************
1421 Prepare everything for calling the actual request function, and potentially
1422 call the request function via the "new" interface.
1423
1424 Return False if the "legacy" function needs to be called, everything is
1425 prepared.
1426
1427 Return True if we're done.
1428
1429 I know this API sucks, but it is the one with the least code change I could
1430 find.
1431 ****************************************************************************/
1432
1433 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1434 {
1435 int flags;
1436 uint16 session_tag;
1437 connection_struct *conn = NULL;
1438 struct smbd_server_connection *sconn = req->sconn;
1439
1440 errno = 0;
1441
1442 /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1443 * so subtract 4 from it. */
1444 if (!valid_smb_header(req->inbuf)
1445 || (size < (smb_size - 4))) {
1446 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1447 smb_len(req->inbuf)));
1448 exit_server_cleanly("Non-SMB packet");
1449 }
1450
1451 if (smb_messages[type].fn == NULL) {
1452 DEBUG(0,("Unknown message type %d!\n",type));
1453 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1454 reply_unknown_new(req, type);
1455 return NULL;
1456 }
1457
1458 flags = smb_messages[type].flags;
1459
1460 /* In share mode security we must ignore the vuid. */
1461 session_tag = (lp_security() == SEC_SHARE)
1462 ? UID_FIELD_INVALID : req->vuid;
1463 conn = req->conn;
1464
1465 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1466 (int)sys_getpid(), (unsigned long)conn));
1467
1468 smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1469
1470 /* Ensure this value is replaced in the incoming packet. */
1471 SSVAL(req->inbuf,smb_uid,session_tag);
1472
1473 /*
1474 * Ensure the correct username is in current_user_info. This is a
1475 * really ugly bugfix for problems with multiple session_setup_and_X's
1476 * being done and allowing %U and %G substitutions to work correctly.
1477 * There is a reason this code is done here, don't move it unless you
1478 * know what you're doing... :-).
1479 * JRA.
1480 */
1481
1482 if (session_tag != sconn->smb1.sessions.last_session_tag) {
1483 user_struct *vuser = NULL;
1484
1485 sconn->smb1.sessions.last_session_tag = session_tag;
1486 if(session_tag != UID_FIELD_INVALID) {
1487 vuser = get_valid_user_struct(sconn, session_tag);
1488 if (vuser) {
1489 set_current_user_info(
1490 vuser->session_info->sanitized_username,
1491 vuser->session_info->unix_name,
1492 vuser->session_info->info3->base.domain.string);
1493 }
1494 }
1495 }
1496
1497 /* Does this call need to be run as the connected user? */
1498 if (flags & AS_USER) {
1499
1500 /* Does this call need a valid tree connection? */
1501 if (!conn) {
1502 /*
1503 * Amazingly, the error code depends on the command
1504 * (from Samba4).
1505 */
1506 if (type == SMBntcreateX) {
1507 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1508 } else {
1509 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1510 }
1511 return NULL;
1512 }
1513
1514 if (!change_to_user(conn,session_tag)) {
1515 DEBUG(0, ("Error: Could not change to user. Removing "
1516 "deferred open, mid=%llu.\n",
1517 (unsigned long long)req->mid));
1518 reply_force_doserror(req, ERRSRV, ERRbaduid);
1519 return conn;
1520 }
1521
1522 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1523
1524 /* Does it need write permission? */
1525 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1526 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1527 return conn;
1528 }
1529
1530 /* IPC services are limited */
1531 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1532 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1533 return conn;
1534 }
1535 } else {
1536 /* This call needs to be run as root */
1537 change_to_root_user();
1538 }
1539
1540 /* load service specific parameters */
1541 if (conn) {
1542 if (req->encrypted) {
1543 conn->encrypted_tid = true;
1544 /* encrypted required from now on. */
1545 conn->encrypt_level = Required;
1546 } else if (ENCRYPTION_REQUIRED(conn)) {
1547 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1548 exit_server_cleanly("encryption required "
1549 "on connection");
1550 return conn;
1551 }
1552 }
1553
1554 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1555 (flags & (AS_USER|DO_CHDIR)
1556 ?True:False))) {
1557 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1558 return conn;
1559 }
1560 conn->num_smb_operations++;
1561 }
1562
1563 /* does this protocol need to be run as guest? */
1564 if ((flags & AS_GUEST)
1565 && (!change_to_guest() ||
1566 !allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
1567 sconn->client_id.name,
1568 sconn->client_id.addr))) {
1569 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1570 return conn;
1571 }
1572
1573 smb_messages[type].fn(req);
1574 return req->conn;
1575 }
1576
1577 /****************************************************************************
1578 Construct a reply to the incoming packet.
1579 ****************************************************************************/
1580
1581 static void construct_reply(struct smbd_server_connection *sconn,
1582 char *inbuf, int size, size_t unread_bytes,
1583 uint32_t seqnum, bool encrypted,
1584 struct smb_perfcount_data *deferred_pcd)
1585 {
1586 connection_struct *conn;
1587 struct smb_request *req;
1588
1589 if (!(req = talloc(talloc_tos(), struct smb_request))) {
1590 smb_panic("could not allocate smb_request");
1591 }
1592
1593 if (!init_smb_request(req, sconn, (uint8 *)inbuf, unread_bytes,
1594 encrypted, seqnum)) {
1595 exit_server_cleanly("Invalid SMB request");
1596 }
1597
1598 req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1599
1600 /* we popped this message off the queue - keep original perf data */
1601 if (deferred_pcd)
1602 req->pcd = *deferred_pcd;
1603 else {
1604 SMB_PERFCOUNT_START(&req->pcd);
1605 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1606 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1607 }
1608
1609 conn = switch_message(req->cmd, req, size);
1610
1611 if (req->unread_bytes) {
1612 /* writeX failed. drain socket. */
1613 if (drain_socket(req->sconn->sock, req->unread_bytes) !=
1614 req->unread_bytes) {
1615 smb_panic("failed to drain pending bytes");
1616 }
1617 req->unread_bytes = 0;
1618 }
1619
1620 if (req->done) {
1621 TALLOC_FREE(req);
1622 return;
1623 }
1624
1625 if (req->outbuf == NULL) {
1626 return;
1627 }
1628
1629 if (CVAL(req->outbuf,0) == 0) {
1630 show_msg((char *)req->outbuf);
1631 }
1632
1633 if (!srv_send_smb(req->sconn,
1634 (char *)req->outbuf,
1635 true, req->seqnum+1,
1636 IS_CONN_ENCRYPTED(conn)||req->encrypted,
1637 &req->pcd)) {
1638 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1639 }
1640
1641 TALLOC_FREE(req);
1642
1643 return;
1644 }
1645
1646 /****************************************************************************
1647 Process an smb from the client
1648 ****************************************************************************/
1649 static void process_smb(struct smbd_server_connection *sconn,
1650 uint8_t *inbuf, size_t nread, size_t unread_bytes,
1651 uint32_t seqnum, bool encrypted,
1652 struct smb_perfcount_data *deferred_pcd)
1653 {
1654 int msg_type = CVAL(inbuf,0);
1655
1656 DO_PROFILE_INC(smb_count);
1657
1658 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1659 smb_len(inbuf) ) );
1660 DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1661 sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1662
1663 if (msg_type != 0) {
1664 /*
1665 * NetBIOS session request, keepalive, etc.
1666 */
1667 reply_special(sconn, (char *)inbuf, nread);
1668 goto done;
1669 }
1670
1671 if (sconn->using_smb2) {
1672 /* At this point we're not really using smb2,
1673 * we make the decision here.. */
1674 if (smbd_is_smb2_header(inbuf, nread)) {
1675 smbd_smb2_first_negprot(sconn, inbuf, nread);
1676 return;
1677 } else if (nread >= smb_size && valid_smb_header(inbuf)
1678 && CVAL(inbuf, smb_com) != 0x72) {
1679 /* This is a non-negprot SMB1 packet.
1680 Disable SMB2 from now on. */
1681 sconn->using_smb2 = false;
1682 }
1683 }
1684
1685 show_msg((char *)inbuf);
1686
1687 construct_reply(sconn, (char *)inbuf, nread, unread_bytes, seqnum,
1688 encrypted, deferred_pcd);
1689 sconn->trans_num++;
1690
1691 done:
1692 sconn->num_requests++;
1693
1694 /* The timeout_processing function isn't run nearly
1695 often enough to implement 'max log size' without
1696 overrunning the size of the file by many megabytes.
1697 This is especially true if we are running at debug
1698 level 10. Checking every 50 SMBs is a nice
1699 tradeoff of performance vs log file size overrun. */
1700
1701 if ((sconn->num_requests % 50) == 0 &&
1702 need_to_check_log_size()) {
1703 change_to_root_user();
1704 check_log_size();
1705 }
1706 }
1707
1708 /****************************************************************************
1709 Return a string containing the function name of a SMB command.
1710 ****************************************************************************/
1711
1712 const char *smb_fn_name(int type)
1713 {
1714 const char *unknown_name = "SMBunknown";
1715
1716 if (smb_messages[type].name == NULL)
1717 return(unknown_name);
1718
1719 return(smb_messages[type].name);
1720 }
1721
1722 /****************************************************************************
1723 Helper functions for contruct_reply.
1724 ****************************************************************************/
1725
1726 void add_to_common_flags2(uint32 v)
1727 {
1728 common_flags2 |= v;
1729 }
1730
1731 void remove_from_common_flags2(uint32 v)
1732 {
1733 common_flags2 &= ~v;
1734 }
1735
1736 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1737 char *outbuf)
1738 {
1739 srv_set_message(outbuf,0,0,false);
1740
1741 SCVAL(outbuf, smb_com, req->cmd);
1742 SIVAL(outbuf,smb_rcls,0);
1743 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1744 SSVAL(outbuf,smb_flg2,
1745 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1746 common_flags2);
1747 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1748
1749 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1750 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1751 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1752 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1753 }
1754
1755 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1756 {
1757 construct_reply_common(req, (char *)req->inbuf, outbuf);
1758 }
1759
1760 /*
1761 * How many bytes have we already accumulated up to the current wct field
1762 * offset?
1763 */
1764
1765 size_t req_wct_ofs(struct smb_request *req)
1766 {
1767 size_t buf_size;
1768
1769 if (req->chain_outbuf == NULL) {
1770 return smb_wct - 4;
1771 }
1772 buf_size = talloc_get_size(req->chain_outbuf);
1773 if ((buf_size % 4) != 0) {
1774 buf_size += (4 - (buf_size % 4));
1775 }
1776 return buf_size - 4;
1777 }
1778
1779 /*
1780 * Hack around reply_nterror & friends not being aware of chained requests,
1781 * generating illegal (i.e. wct==0) chain replies.
1782 */
1783
1784 static void fixup_chain_error_packet(struct smb_request *req)
1785 {
1786 uint8_t *outbuf = req->outbuf;
1787 req->outbuf = NULL;
1788 reply_outbuf(req, 2, 0);
1789 memcpy(req->outbuf, outbuf, smb_wct);
1790 TALLOC_FREE(outbuf);
1791 SCVAL(req->outbuf, smb_vwv0, 0xff);
1792 }
1793
1794 /**
1795 * @brief Find the smb_cmd offset of the last command pushed
1796 * @param[in] buf The buffer we're building up
1797 * @retval Where can we put our next andx cmd?
1798 *
1799 * While chaining requests, the "next" request we're looking at needs to put
1800 * its SMB_Command before the data the previous request already built up added
1801 * to the chain. Find the offset to the place where we have to put our cmd.
1802 */
1803
1804 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1805 {
1806 uint8_t cmd;
1807 size_t ofs;
1808
1809 cmd = CVAL(buf, smb_com);
1810
1811 SMB_ASSERT(is_andx_req(cmd));
1812
1813 ofs = smb_vwv0;
1814
1815 while (CVAL(buf, ofs) != 0xff) {
1816
1817 if (!is_andx_req(CVAL(buf, ofs))) {
1818 return false;
1819 }
1820
1821 /*
1822 * ofs is from start of smb header, so add the 4 length
1823 * bytes. The next cmd is right after the wct field.
1824 */
1825 ofs = SVAL(buf, ofs+2) + 4 + 1;
1826
1827 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1828 }
1829
1830 *pofs = ofs;
1831 return true;
1832 }
1833
1834 /**
1835 * @brief Do the smb chaining at a buffer level
1836 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1837 * @param[in] smb_command The command that we want to issue
1838 * @param[in] wct How many words?
1839 * @param[in] vwv The words, already in network order
1840 * @param[in] bytes_alignment How shall we align "bytes"?
1841 * @param[in] num_bytes How many bytes?
1842 * @param[in] bytes The data the request ships
1843 *
1844 * smb_splice_chain() adds the vwv and bytes to the request already present in
1845 * *poutbuf.
1846 */
1847
1848 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1849 uint8_t wct, const uint16_t *vwv,
1850 size_t bytes_alignment,
1851 uint32_t num_bytes, const uint8_t *bytes)
1852 {
1853 uint8_t *outbuf;
1854 size_t old_size, new_size;
1855 size_t ofs;
1856 size_t chain_padding = 0;
1857 size_t bytes_padding = 0;
1858 bool first_request;
1859
1860 old_size = talloc_get_size(*poutbuf);
1861
1862 /*
1863 * old_size == smb_wct means we're pushing the first request in for
1864 * libsmb/
1865 */
1866
1867 first_request = (old_size == smb_wct);
1868
1869 if (!first_request && ((old_size % 4) != 0)) {
1870 /*
1871 * Align the wct field of subsequent requests to a 4-byte
1872 * boundary
1873 */
1874 chain_padding = 4 - (old_size % 4);
1875 }
1876
1877 /*
1878 * After the old request comes the new wct field (1 byte), the vwv's
1879 * and the num_bytes field. After at we might need to align the bytes
1880 * given to us to "bytes_alignment", increasing the num_bytes value.
1881 */
1882
1883 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1884
1885 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1886 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1887 }
1888
1889 new_size += bytes_padding + num_bytes;
1890
1891 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1892 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1893 (unsigned)new_size));
1894 return false;
1895 }
1896
1897 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1898 if (outbuf == NULL) {
1899 DEBUG(0, ("talloc failed\n"));
1900 return false;
1901 }
1902 *poutbuf = outbuf;
1903
1904 if (first_request) {
1905 SCVAL(outbuf, smb_com, smb_command);
1906 } else {
1907 size_t andx_cmd_ofs;
1908
1909 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1910 DEBUG(1, ("invalid command chain\n"));
1911 *poutbuf = TALLOC_REALLOC_ARRAY(
1912 NULL, *poutbuf, uint8_t, old_size);
1913 return false;
1914 }
1915
1916 if (chain_padding != 0) {
1917 memset(outbuf + old_size, 0, chain_padding);
1918 old_size += chain_padding;
1919 }
1920
1921 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1922 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1923 }
1924
1925 ofs = old_size;
1926
1927 /*
1928 * Push the chained request:
1929 *
1930 * wct field
1931 */
1932
1933 SCVAL(outbuf, ofs, wct);
1934 ofs += 1;
1935
1936 /*
1937 * vwv array
1938 */
1939
1940 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1941 ofs += sizeof(uint16_t) * wct;
1942
1943 /*
1944 * bcc (byte count)
1945 */
1946
1947 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1948 ofs += sizeof(uint16_t);
1949
1950 /*
1951 * padding
1952 */
1953
1954 if (bytes_padding != 0) {
1955 memset(outbuf + ofs, 0, bytes_padding);
1956 ofs += bytes_padding;
1957 }
1958
1959 /*
1960 * The bytes field
1961 */
1962
1963 memcpy(outbuf + ofs, bytes, num_bytes);
1964
1965 return true;
1966 }
1967
1968 /****************************************************************************
1969 Construct a chained reply and add it to the already made reply
1970 ****************************************************************************/
1971
1972 void chain_reply(struct smb_request *req)
1973 {
1974 size_t smblen = smb_len(req->inbuf);
1975 size_t already_used, length_needed;
1976 uint8_t chain_cmd;
1977 uint32_t chain_offset; /* uint32_t to avoid overflow */
1978
1979 uint8_t wct;
1980 uint16_t *vwv;
1981 uint16_t buflen;
1982 uint8_t *buf;
1983
1984 if (IVAL(req->outbuf, smb_rcls) != 0) {
1985 fixup_chain_error_packet(req);
1986 }
1987
1988 /*
1989 * Any of the AndX requests and replies have at least a wct of
1990 * 2. vwv[0] is the next command, vwv[1] is the offset from the
1991 * beginning of the SMB header to the next wct field.
1992 *
1993 * None of the AndX requests put anything valuable in vwv[0] and [1],
1994 * so we can overwrite it here to form the chain.
1995 */
1996
1997 if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1998 if (req->chain_outbuf == NULL) {
1999 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
2000 req, req->outbuf, uint8_t,
2001 smb_len(req->outbuf) + 4);
2002 if (req->chain_outbuf == NULL) {
2003 smb_panic("talloc failed");
2004 }
2005 }
2006 req->outbuf = NULL;
2007 goto error;
2008 }
2009
2010 /*
2011 * Here we assume that this is the end of the chain. For that we need
2012 * to set "next command" to 0xff and the offset to 0. If we later find
2013 * more commands in the chain, this will be overwritten again.
2014 */
2015
2016 SCVAL(req->outbuf, smb_vwv0, 0xff);
2017 SCVAL(req->outbuf, smb_vwv0+1, 0);
2018 SSVAL(req->outbuf, smb_vwv1, 0);
2019
2020 if (req->chain_outbuf == NULL) {
2021 /*
2022 * In req->chain_outbuf we collect all the replies. Start the
2023 * chain by copying in the first reply.
2024 *
2025 * We do the realloc because later on we depend on
2026 * talloc_get_size to determine the length of
2027 * chain_outbuf. The reply_xxx routines might have
2028 * over-allocated (reply_pipe_read_and_X used to be such an
2029 * example).
2030 */
2031 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
2032 req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
2033 if (req->chain_outbuf == NULL) {
2034 smb_panic("talloc failed");
2035 }
2036 req->outbuf = NULL;
2037 } else {
2038 /*
2039 * Update smb headers where subsequent chained commands
2040 * may have updated them.
2041 */
2042 SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
2043 SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
2044
2045 if (!smb_splice_chain(&req->chain_outbuf,
2046 CVAL(req->outbuf, smb_com),
2047 CVAL(req->outbuf, smb_wct),
2048 (uint16_t *)(req->outbuf + smb_vwv),
2049 0, smb_buflen(req->outbuf),
2050 (uint8_t *)smb_buf(req->outbuf))) {
2051 goto error;
2052 }
2053 TALLOC_FREE(req->outbuf);
2054 }
2055
2056 /*
2057 * We use the old request's vwv field to grab the next chained command
2058 * and offset into the chained fields.
2059 */
2060
2061 chain_cmd = CVAL(req->vwv+0, 0);
2062 chain_offset = SVAL(req->vwv+1, 0);
2063
2064 if (chain_cmd == 0xff) {
2065 /*
2066 * End of chain, no more requests from the client. So ship the
2067 * replies.
2068 */
2069 smb_setlen((char *)(req->chain_outbuf),
2070 talloc_get_size(req->chain_outbuf) - 4);
2071
2072 if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2073 true, req->seqnum+1,
2074 IS_CONN_ENCRYPTED(req->conn)
2075 ||req->encrypted,
2076 &req->pcd)) {
2077 exit_server_cleanly("chain_reply: srv_send_smb "
2078 "failed.");
2079 }
2080 TALLOC_FREE(req->chain_outbuf);
2081 req->done = true;
2082 return;
2083 }
2084
2085 /* add a new perfcounter for this element of chain */
2086 SMB_PERFCOUNT_ADD(&req->pcd);
2087 SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
2088 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
2089
2090 /*
2091 * Check if the client tries to fool us. The chain offset
2092 * needs to point beyond the current request in the chain, it
2093 * needs to strictly grow. Otherwise we might be tricked into
2094 * an endless loop always processing the same request over and
2095 * over again. We used to assume that vwv and the byte buffer
2096 * array in a chain are always attached, but OS/2 the
2097 * Write&X/Read&X chain puts the Read&X vwv array right behind
2098 * the Write&X vwv chain. The Write&X bcc array is put behind
2099 * the Read&X vwv array. So now we check whether the chain
2100 * offset points strictly behind the previous vwv
2101 * array. req->buf points right after the vwv array of the
2102 * previous request. See
2103 * https://bugzilla.samba.org/show_bug.cgi?id=8360 for more
2104 * information.
2105 */
2106
2107 already_used = PTR_DIFF(req->buf, smb_base(req->inbuf));
2108 if (chain_offset <= already_used) {
2109 goto error;
2110 }
2111
2112 /*
2113 * Next check: Make sure the chain offset does not point beyond the
2114 * overall smb request length.
2115 */
2116
2117 length_needed = chain_offset+1; /* wct */
2118 if (length_needed > smblen) {
2119 goto error;
2120 }
2121
2122 /*
2123 * Now comes the pointer magic. Goal here is to set up req->vwv and
2124 * req->buf correctly again to be able to call the subsequent
2125 * switch_message(). The chain offset (the former vwv[1]) points at
2126 * the new wct field.
2127 */
2128
2129 wct = CVAL(smb_base(req->inbuf), chain_offset);
2130
2131 /*
2132 * Next consistency check: Make the new vwv array fits in the overall
2133 * smb request.
2134 */
2135
2136 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2137 if (length_needed > smblen) {
2138 goto error;
2139 }
2140 vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
2141
2142 /*
2143 * Now grab the new byte buffer....
2144 */
2145
2146 buflen = SVAL(vwv+wct, 0);
2147
2148 /*
2149 * .. and check that it fits.
2150 */
2151
2152 length_needed += buflen;
2153 if (length_needed > smblen) {
2154 goto error;
2155 }
2156 buf = (uint8_t *)(vwv+wct+1);
2157
2158 req->cmd = chain_cmd;
2159 req->wct = wct;
2160 req->vwv = vwv;
2161 req->buflen = buflen;
2162 req->buf = buf;
2163
2164 switch_message(chain_cmd, req, smblen);
2165
2166 if (req->outbuf == NULL) {
2167 /*
2168 * This happens if the chained command has suspended itself or
2169 * if it has called srv_send_smb() itself.
2170 */
2171 return;
2172 }
2173
2174 /*
2175 * We end up here if the chained command was not itself chained or
2176 * suspended, but for example a close() command. We now need to splice
2177 * the chained commands' outbuf into the already built up chain_outbuf
2178 * and ship the result.
2179 */
2180 goto done;
2181
2182 error:
2183 /*
2184 * We end up here if there's any error in the chain syntax. Report a
2185 * DOS error, just like Windows does.
2186 */
2187 reply_force_doserror(req, ERRSRV, ERRerror);
2188 fixup_chain_error_packet(req);
2189
2190 done:
2191 /*
2192 * This scary statement intends to set the
2193 * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2194 * to the value req->outbuf carries
2195 */
2196 SSVAL(req->chain_outbuf, smb_flg2,
2197 (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2198 | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2199
2200 /*
2201 * Transfer the error codes from the subrequest to the main one
2202 */
2203 SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2204 SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2205
2206 if (!smb_splice_chain(&req->chain_outbuf,
2207 CVAL(req->outbuf, smb_com),
2208 CVAL(req->outbuf, smb_wct),
2209 (uint16_t *)(req->outbuf + smb_vwv),
2210 0, smb_buflen(req->outbuf),
2211 (uint8_t *)smb_buf(req->outbuf))) {
2212 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2213 }
2214 TALLOC_FREE(req->outbuf);
2215
2216 smb_setlen((char *)(req->chain_outbuf),
2217 talloc_get_size(req->chain_outbuf) - 4);
2218
2219 show_msg((char *)(req->chain_outbuf));
2220
2221 if (!srv_send_smb(req->sconn, (char *)req->chain_outbuf,
2222 true, req->seqnum+1,
2223 IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2224 &req->pcd)) {
2225 exit_server_cleanly("chain_reply: srv_send_smb failed.");
2226 }
2227 TALLOC_FREE(req->chain_outbuf);
2228 req->done = true;
2229 }
2230
2231 /****************************************************************************
2232 Check if services need reloading.
2233 ****************************************************************************/
2234
2235 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2236 {
2237
2238 if (last_smb_conf_reload_time == 0) {
2239 last_smb_conf_reload_time = t;
2240 }
2241
2242 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2243 reload_services(sconn->msg_ctx, sconn->sock, True);
2244 last_smb_conf_reload_time = t;
2245 }
2246 }
2247
2248 static bool fd_is_readable(int fd)
2249 {
2250 int ret, revents;
2251
2252 ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2253
2254 return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2255
2256 }
2257
2258 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2259 {
2260 /* TODO: make write nonblocking */
2261 }
2262
2263 static void smbd_server_connection_read_handler(
2264 struct smbd_server_connection *conn, int fd)
2265 {
2266 uint8_t *inbuf = NULL;
2267 size_t inbuf_len = 0;
2268 size_t unread_bytes = 0;
2269 bool encrypted = false;
2270 TALLOC_CTX *mem_ctx = talloc_tos();
2271 NTSTATUS status;
2272 uint32_t seqnum;
2273
2274 bool from_client = (conn->sock == fd);
2275
2276 if (from_client) {
2277 smbd_lock_socket(conn);
2278
2279 if (lp_async_smb_echo_handler() && !fd_is_readable(fd)) {
2280 DEBUG(10,("the echo listener was faster\n"));
2281 smbd_unlock_socket(conn);
2282 return;
2283 }
2284
2285 /* TODO: make this completely nonblocking */
2286 status = receive_smb_talloc(mem_ctx, conn, fd,
2287 (char **)(void *)&inbuf,
2288 0, /* timeout */
2289 &unread_bytes,
2290 &encrypted,
2291 &inbuf_len, &seqnum,
2292 false /* trusted channel */);
2293 smbd_unlock_socket(conn);
2294 } else {
2295 /* TODO: make this completely nonblocking */
2296 status = receive_smb_talloc(mem_ctx, conn, fd,
2297 (char **)(void *)&inbuf,
2298 0, /* timeout */
2299 &unread_bytes,
2300 &encrypted,
2301 &inbuf_len, &seqnum,
2302 true /* trusted channel */);
2303 }
2304
2305 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2306 goto process;
2307 }
2308 if (NT_STATUS_IS_ERR(status)) {
2309 exit_server_cleanly("failed to receive smb request");
2310 }
2311 if (!NT_STATUS_IS_OK(status)) {
2312 return;
2313 }
2314
2315 process:
2316 process_smb(conn, inbuf, inbuf_len, unread_bytes,
2317 seqnum, encrypted, NULL);
2318 }
2319
2320 static void smbd_server_connection_handler(struct event_context *ev,
2321 struct fd_event *fde,
2322 uint16_t flags,
2323 void *private_data)
2324 {
2325 struct smbd_server_connection *conn = talloc_get_type(private_data,
2326 struct smbd_server_connection);
2327
2328 if (flags & EVENT_FD_WRITE) {
2329 smbd_server_connection_write_handler(conn);
2330 return;
2331 }
2332 if (flags & EVENT_FD_READ) {
2333 smbd_server_connection_read_handler(conn, conn->sock);
2334 return;
2335 }
2336 }
2337
2338 static void smbd_server_echo_handler(struct event_context *ev,
2339 struct fd_event *fde,
2340 uint16_t flags,
2341 void *private_data)
2342 {
2343 struct smbd_server_connection *conn = talloc_get_type(private_data,
2344 struct smbd_server_connection);
2345
2346 if (flags & EVENT_FD_WRITE) {
2347 smbd_server_connection_write_handler(conn);
2348 return;
2349 }
2350 if (flags & EVENT_FD_READ) {
2351 smbd_server_connection_read_handler(
2352 conn, conn->smb1.echo_handler.trusted_fd);
2353 return;
2354 }
2355 }
2356
2357 /****************************************************************************
2358 received when we should release a specific IP
2359 ****************************************************************************/
2360 static void release_ip(const char *ip, void *priv)
2361 {
2362 const char *addr = (const char *)priv;
2363 const char *p = addr;
2364
2365 if (strncmp("::ffff:", addr, 7) == 0) {
2366 p = addr + 7;
2367 }
2368
2369 DEBUG(10, ("Got release IP message for %s, "
2370 "our address is %s\n", ip, p));
2371
2372 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2373 /* we can't afford to do a clean exit - that involves
2374 database writes, which would potentially mean we
2375 are still running after the failover has finished -
2376 we have to get rid of this process ID straight
2377 away */
2378 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2379 ip));
2380 /* note we must exit with non-zero status so the unclean handler gets
2381 called in the parent, so that the brl database is tickled */
2382 _exit(1);
2383 }
2384 }
2385
2386 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2387 uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2388 {
2389 struct smbd_server_connection *sconn = talloc_get_type_abort(
2390 private_data, struct smbd_server_connection);
2391
2392 release_ip((char *)data->data, sconn->client_id.addr);
2393 }
2394
2395 #ifdef CLUSTER_SUPPORT
2396 static int client_get_tcp_info(int sock, struct sockaddr_storage *server,
2397 struct sockaddr_storage *client)
2398 {
2399 socklen_t length;
2400 length = sizeof(*server);
2401 if (getsockname(sock, (struct sockaddr *)server, &length) != 0) {
2402 return -1;
2403 }
2404 length = sizeof(*client);
2405 if (getpeername(sock, (struct sockaddr *)client, &length) != 0) {
2406 return -1;
2407 }
2408 return 0;
2409 }
2410 #endif
2411
2412 /*
2413 * Send keepalive packets to our client
2414 */
2415 static bool keepalive_fn(const struct timeval *now, void *private_data)
2416 {
2417 struct smbd_server_connection *sconn = smbd_server_conn;
2418 bool ret;
2419
2420 if (sconn->using_smb2) {
2421 /* Don't do keepalives on an SMB2 connection. */
2422 return false;
2423 }
2424
2425 smbd_lock_socket(smbd_server_conn);
2426 ret = send_keepalive(sconn->sock);
2427 smbd_unlock_socket(smbd_server_conn);
2428
2429 if (!ret) {
2430 char addr[INET6_ADDRSTRLEN];
2431 /*
2432 * Try and give an error message saying what
2433 * client failed.
2434 */
2435 DEBUG(0, ("send_keepalive failed for client %s. "
2436 "Error %s - exiting\n",
2437 get_peer_addr(sconn->sock, addr, sizeof(addr)),
2438 strerror(errno)));
2439 return False;
2440 }
2441 return True;
2442 }
2443
2444 /*
2445 * Do the recurring check if we're idle
2446 */
2447 static bool deadtime_fn(const struct timeval *now, void *private_data)
2448 {
2449 struct smbd_server_connection *sconn =
2450 (struct smbd_server_connection *)private_data;
2451
2452 if ((conn_num_open(sconn) == 0)
2453 || (conn_idle_all(sconn, now->tv_sec))) {
2454 DEBUG( 2, ( "Closing idle connection\n" ) );
2455 messaging_send(sconn->msg_ctx,
2456 messaging_server_id(sconn->msg_ctx),
2457 MSG_SHUTDOWN, &data_blob_null);
2458 return False;
2459 }
2460
2461 return True;
2462 }
2463
2464 /*
2465 * Do the recurring log file and smb.conf reload checks.
2466 */
2467
2468 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2469 {
2470 struct smbd_server_connection *sconn = talloc_get_type_abort(
2471 private_data, struct smbd_server_connection);
2472
2473 DEBUG(5, ("housekeeping\n"));
2474
2475 change_to_root_user();
2476
2477 /* update printer queue caches if necessary */
2478 update_monitored_printq_cache(sconn->msg_ctx);
2479
2480 /* check if we need to reload services */
2481 check_reload(sconn, time_mono(NULL));
2482
2483 /* Change machine password if neccessary. */
2484 attempt_machine_password_change();
2485
2486 /*
2487 * Force a log file check.
2488 */
2489 force_check_log_size();
2490 check_log_size();
2491 return true;
2492 }
2493
2494 static int create_unlink_tmp(const char *dir)
2495 {
2496 char *fname;
2497 int fd;
2498
2499 fname = talloc_asprintf(talloc_tos(), "%s/listenerlock_XXXXXX", dir);
2500 if (fname == NULL) {
2501 errno = ENOMEM;
2502 return -1;
2503 }
2504 fd = mkstemp(fname);
2505 if (fd == -1) {
2506 TALLOC_FREE(fname);
2507 return -1;
2508 }
2509 if (unlink(fname) == -1) {
2510 int sys_errno = errno;
2511 close(fd);
2512 TALLOC_FREE(fname);
2513 errno = sys_errno;
2514 return -1;
2515 }
2516 TALLOC_FREE(fname);
2517 return fd;
2518 }
2519
2520 struct smbd_echo_state {
2521 struct tevent_context *ev;
2522 struct iovec *pending;
2523 struct smbd_server_connection *sconn;
2524 int parent_pipe;
2525
2526 struct tevent_fd *parent_fde;
2527
2528 struct tevent_fd *read_fde;
2529 struct tevent_req *write_req;
2530 };
2531
2532 static void smbd_echo_writer_done(struct tevent_req *req);
2533
2534 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2535 {
2536 int num_pending;
2537
2538 if (state->write_req != NULL) {
2539 return;
2540 }
2541
2542 num_pending = talloc_array_length(state->pending);
2543 if (num_pending == 0) {
2544 return;
2545 }
2546
2547 state->write_req = writev_send(state, state->ev, NULL,
2548 state->parent_pipe, false,
2549 state->pending, num_pending);
2550 if (state->write_req == NULL) {
2551 DEBUG(1, ("writev_send failed\n"));
2552 exit(1);
2553 }
2554
2555 talloc_steal(state->write_req, state->pending);
2556 state->pending = NULL;
2557
2558 tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2559 state);
2560 }
2561
2562 static void smbd_echo_writer_done(struct tevent_req *req)
2563 {
2564 struct smbd_echo_state *state = tevent_req_callback_data(
2565 req, struct smbd_echo_state);
2566 ssize_t written;
2567 int err;
2568
2569 written = writev_recv(req, &err);
2570 TALLOC_FREE(req);
2571 state->write_req = NULL;
2572 if (written == -1) {
2573 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2574 exit(1);
2575 }
2576 DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)sys_getpid()));
2577 smbd_echo_activate_writer(state);
2578 }
2579
2580 static bool smbd_echo_reply(uint8_t *inbuf, size_t inbuf_len,
2581 uint32_t seqnum)
2582 {
2583 struct smb_request req;
2584 uint16_t num_replies;
2585 size_t out_len;
2586 char *outbuf;
2587 bool ok;
2588
2589 if ((inbuf_len == 4) && (CVAL(inbuf, 0) == SMBkeepalive)) {
2590 DEBUG(10, ("Got netbios keepalive\n"));
2591 /*
2592 * Just swallow it
2593 */
2594 return true;
2595 }
2596
2597 if (inbuf_len < smb_size) {
2598 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2599 return false;
2600 }
2601 if (!valid_smb_header(inbuf)) {
2602 DEBUG(10, ("Got invalid SMB header\n"));
2603 return false;
2604 }
2605
2606 if (!init_smb_request(&req, smbd_server_conn, inbuf, 0, false,
2607 seqnum)) {
2608 return false;
2609 }
2610 req.inbuf = inbuf;
2611
2612 DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2613 smb_messages[req.cmd].name
2614 ? smb_messages[req.cmd].name : "unknown"));
2615
2616 if (req.cmd != SMBecho) {
2617 return false;
2618 }
2619 if (req.wct < 1) {
2620 return false;
2621 }
2622
2623 num_replies = SVAL(req.vwv+0, 0);
2624 if (num_replies != 1) {
2625 /* Not a Windows "Hey, you're still there?" request */
2626 return false;
2627 }
2628
2629 if (!create_outbuf(talloc_tos(), &req, (char *)req.inbuf, &outbuf,
2630 1, req.buflen)) {
2631 DEBUG(10, ("create_outbuf failed\n"));
2632 return false;
2633 }
2634 req.outbuf = (uint8_t *)outbuf;
2635
2636 SSVAL(req.outbuf, smb_vwv0, num_replies);
2637
2638 if (req.buflen > 0) {
2639 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2640 }
2641
2642 out_len = smb_len(req.outbuf) + 4;
2643
2644 ok = srv_send_smb(req.sconn,
2645 (char *)outbuf,
2646 true, seqnum+1,
2647 false, &req.pcd);
2648 TALLOC_FREE(outbuf);
2649 if (!ok) {
2650 exit(1);
2651 }
2652
2653 return true;
2654 }
2655
2656 static void smbd_echo_exit(struct tevent_context *ev,
2657 struct tevent_fd *fde, uint16_t flags,
2658 void *private_data)
2659 {
2660 DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2661 exit(0);
2662 }
2663
2664 static void smbd_echo_reader(struct tevent_context *ev,
2665 struct tevent_fd *fde, uint16_t flags,
2666 void *private_data)
2667 {
2668 struct smbd_echo_state *state = talloc_get_type_abort(
2669 private_data, struct smbd_echo_state);
2670 struct smbd_server_connection *sconn = state->sconn;
2671 size_t unread, num_pending;
2672 NTSTATUS status;
2673 struct iovec *tmp;
2674 size_t iov_len;
2675 uint32_t seqnum = 0;
2676 bool reply;
2677 bool ok;
2678 bool encrypted = false;
2679
2680 smb_msleep(1000);
2681
2682 ok = smbd_lock_socket_internal(sconn);
2683 if (!ok) {
2684 DEBUG(0, ("%s: failed to lock socket\n",
2685 __location__));
2686 exit(1);
2687 }
2688
2689 if (!fd_is_readable(sconn->sock)) {
2690 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2691 (int)sys_getpid()));
2692 ok = smbd_unlock_socket_internal(sconn);
2693 if (!ok) {
2694 DEBUG(1, ("%s: failed to unlock socket in\n",
2695 __location__));
2696 exit(1);
2697 }
2698 return;
2699 }
2700
2701 num_pending = talloc_array_length(state->pending);
2702 tmp = talloc_realloc(state, state->pending, struct iovec,
2703 num_pending+1);
2704 if (tmp == NULL) {
2705 DEBUG(1, ("talloc_realloc failed\n"));
2706 exit(1);
2707 }
2708 state->pending = tmp;
2709
2710 DEBUG(10,("echo_handler[%d]: reading pdu\n", (int)sys_getpid()));
2711
2712 status = receive_smb_talloc(state->pending, sconn, sconn->sock,
2713 (char **)(void *)&state->pending[num_pending].iov_base,
2714 0 /* timeout */,
2715 &unread,
2716 &encrypted,
2717 &iov_len,
2718 &seqnum,
2719 false /* trusted_channel*/);
2720 if (!NT_STATUS_IS_OK(status)) {
2721 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2722 (int)sys_getpid(), nt_errstr(status)));
2723 exit(1);
2724 }
2725 state->pending[num_pending].iov_len = iov_len;
2726
2727 ok = smbd_unlock_socket_internal(sconn);
2728 if (!ok) {
2729 DEBUG(1, ("%s: failed to unlock socket in\n",
2730 __location__));
2731 exit(1);
2732 }
2733
2734 reply = smbd_echo_reply((uint8_t *)state->pending[num_pending].iov_base,
2735 state->pending[num_pending].iov_len,
2736 seqnum);
2737 if (reply) {
2738 DEBUG(10,("echo_handler[%d]: replied to client\n", (int)sys_getpid()));
2739 /* no check, shrinking by some bytes does not fail */
2740 state->pending = talloc_realloc(state, state->pending,
2741 struct iovec,
2742 num_pending);
2743 return;
2744 }
2745
2746 if (state->pending[num_pending].iov_len >= smb_size) {
2747 /*
2748 * place the seqnum in the packet so that the main process
2749 * can reply with signing
2750 */
2751 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2752 smb_ss_field, seqnum);
2753 SIVAL((uint8_t *)state->pending[num_pending].iov_base,
2754 smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2755 }
2756
2757 DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
2758 smbd_echo_activate_writer(state);
2759 }
2760
2761 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2762 int parent_pipe)
2763 {
2764 struct smbd_echo_state *state;
2765
2766 state = talloc_zero(sconn, struct smbd_echo_state);
2767 if (state == NULL) {
2768 DEBUG(1, ("talloc failed\n"));
2769 return;
2770 }
2771 state->sconn = sconn;
2772 state->parent_pipe = parent_pipe;
2773 state->ev = s3_tevent_context_init(state);
2774 if (state->ev == NULL) {
2775 DEBUG(1, ("tevent_context_init failed\n"));
2776 TALLOC_FREE(state);
2777 return;
2778 }
2779 state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2780 TEVENT_FD_READ, smbd_echo_exit,
2781 state);
2782 if (state->parent_fde == NULL) {
2783 DEBUG(1, ("tevent_add_fd failed\n"));
2784 TALLOC_FREE(state);
2785 return;
2786 }
2787 state->read_fde = tevent_add_fd(state->ev, state, sconn->sock,
2788 TEVENT_FD_READ, smbd_echo_reader,
2789 state);
2790 if (state->read_fde == NULL) {
2791 DEBUG(1, ("tevent_add_fd failed\n"));
2792 TALLOC_FREE(state);
2793 return;
2794 }
2795
2796 while (true) {
2797 if (tevent_loop_once(state->ev) == -1) {
2798 DEBUG(1, ("tevent_loop_once failed: %s\n",
2799 strerror(errno)));
2800 break;
2801 }
2802 }
2803 TALLOC_FREE(state);
2804 }
2805
2806 /*
2807 * Handle SMBecho requests in a forked child process
2808 */
2809 static bool fork_echo_handler(struct smbd_server_connection *sconn)
2810 {
2811 int listener_pipe[2];
2812 int res;
2813 pid_t child;
2814
2815 res = pipe(listener_pipe);
2816 if (res == -1) {
2817 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2818 return false;
2819 }
2820 sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2821 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2822 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2823 goto fail;
2824 }
2825
2826 child = sys_fork();
2827 if (child == 0) {
2828 NTSTATUS status;
2829
2830 close(listener_pipe[0]);
2831 set_blocking(listener_pipe[1], false);
2832
2833 status = reinit_after_fork(sconn->msg_ctx,
2834 smbd_event_context(),
2835 procid_self(), false);
2836 if (!NT_STATUS_IS_OK(status)) {
2837 DEBUG(1, ("reinit_after_fork failed: %s\n",
2838 nt_errstr(status)));
2839 exit(1);
2840 }
2841 smbd_echo_loop(sconn, listener_pipe[1]);
2842 exit(0);
2843 }
2844 close(listener_pipe[1]);
2845 listener_pipe[1] = -1;
2846 sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
2847
2848 DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)sys_getpid(), child));
2849
2850 /*
2851 * Without smb signing this is the same as the normal smbd
2852 * listener. This needs to change once signing comes in.
2853 */
2854 sconn->smb1.echo_handler.trusted_fde = event_add_fd(smbd_event_context(),
2855 sconn,
2856 sconn->smb1.echo_handler.trusted_fd,
2857 EVENT_FD_READ,
2858 smbd_server_echo_handler,
2859 sconn);
2860 if (sconn->smb1.echo_handler.trusted_fde == NULL) {
2861 DEBUG(1, ("event_add_fd failed\n"));
2862 goto fail;
2863 }
2864
2865 return true;
2866
2867 fail:
2868 if (listener_pipe[0] != -1) {
2869 close(listener_pipe[0]);
2870 }
2871 if (listener_pipe[1] != -1) {
2872 close(listener_pipe[1]);
2873 }
2874 sconn->smb1.echo_handler.trusted_fd = -1;
2875 if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
2876 close(sconn->smb1.echo_handler.socket_lock_fd);
2877 }
2878 sconn->smb1.echo_handler.trusted_fd = -1;
2879 sconn->smb1.echo_handler.socket_lock_fd = -1;
2880 return false;
2881 }
2882
2883 #if CLUSTER_SUPPORT
2884
2885 static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
2886 struct sockaddr_storage *srv,
2887 struct sockaddr_storage *clnt)
2888 {
2889 struct ctdbd_connection *cconn;
2890 char tmp_addr[INET6_ADDRSTRLEN];
2891 char *addr;
2892
2893 cconn = messaging_ctdbd_connection();
2894 if (cconn == NULL) {
2895 return NT_STATUS_NO_MEMORY;
2896 }
2897
2898 client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr));
2899 addr = talloc_strdup(cconn, tmp_addr);
2900 if (addr == NULL) {
2901 return NT_STATUS_NO_MEMORY;
2902 }
2903 return ctdbd_register_ips(cconn, srv, clnt, release_ip, addr);
2904 }
2905
2906 #endif
2907
2908 /****************************************************************************
2909 Process commands from the client
2910 ****************************************************************************/
2911
2912 void smbd_process(struct smbd_server_connection *sconn)
2913 {
2914 TALLOC_CTX *frame = talloc_stackframe();
2915 struct sockaddr_storage ss;
2916 struct sockaddr *sa = NULL;
2917 socklen_t sa_socklen;
2918 struct tsocket_address *local_address = NULL;
2919 struct tsocket_address *remote_address = NULL;
2920 const char *remaddr = NULL;
2921 int ret;
2922
2923 if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2924 !lp_async_smb_echo_handler()) {
2925 /*
2926 * We're not making the decision here,
2927 * we're just allowing the client
2928 * to decide between SMB1 and SMB2
2929 * with the first negprot
2930 * packet.
2931 */
2932 sconn->using_smb2 = true;
2933 }
2934
2935 /* Ensure child is set to blocking mode */
2936 set_blocking(sconn->sock,True);
2937
2938 set_socket_options(sconn->sock, "SO_KEEPALIVE");
2939 set_socket_options(sconn->sock, lp_socket_options());
2940
2941 sa = (struct sockaddr *)(void *)&ss;
2942 sa_socklen = sizeof(ss);
2943 ret = getpeername(sconn->sock, sa, &sa_socklen);
2944 if (ret != 0) {
2945 int level = (errno == ENOTCONN)?2:0;
2946 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
2947 exit_server_cleanly("getpeername() failed.\n");
2948 }
2949 ret = tsocket_address_bsd_from_sockaddr(sconn,
2950 sa, sa_socklen,
2951 &remote_address);
2952 if (ret != 0) {
2953 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2954 __location__, strerror(errno)));
2955 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2956 }
2957
2958 sa = (struct sockaddr *)(void *)&ss;
2959 sa_socklen = sizeof(ss);
2960 ret = getsockname(sconn->sock, sa, &sa_socklen);
2961 if (ret != 0) {
2962 int level = (errno == ENOTCONN)?2:0;
2963 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
2964 exit_server_cleanly("getsockname() failed.\n");
2965 }
2966 ret = tsocket_address_bsd_from_sockaddr(sconn,
2967 sa, sa_socklen,
2968 &local_address);
2969 if (ret != 0) {
2970 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2971 __location__, strerror(errno)));
2972 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
2973 }
2974
2975 sconn->local_address = local_address;
2976 sconn->remote_address = remote_address;
2977
2978 if (tsocket_address_is_inet(remote_address, "ip")) {
2979 remaddr = tsocket_address_inet_addr_string(
2980 sconn->remote_address,
2981 talloc_tos());
2982 if (remaddr == NULL) {
2983
2984 }
2985 } else {
2986 remaddr = "0.0.0.0";
2987 }
2988
2989 /* this is needed so that we get decent entries
2990 in smbstatus for port 445 connects */
2991 set_remote_machine_name(remaddr, false);
2992 reload_services(sconn->msg_ctx, sconn->sock, true);
2993
2994 /*
2995 * Before the first packet, check the global hosts allow/ hosts deny
2996 * parameters before doing any parsing of packets passed to us by the
2997 * client. This prevents attacks on our parsing code from hosts not in
2998 * the hosts allow list.
2999 */
3000
3001 if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
3002 sconn->client_id.name,
3003 sconn->client_id.addr)) {
3004 /*
3005 * send a negative session response "not listening on calling
3006 * name"
3007 */
3008 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
3009 DEBUG( 1, ("Connection denied from %s to %s\n",
3010 tsocket_address_string(remote_address, talloc_tos()),
3011 tsocket_address_string(local_address, talloc_tos())));
3012 (void)srv_send_smb(sconn,(char *)buf, false,
3013 0, false, NULL);
3014 exit_server_cleanly("connection denied");
3015 }
3016
3017 DEBUG(10, ("Connection allowed from %s to %s\n",
3018 tsocket_address_string(remote_address, talloc_tos()),
3019 tsocket_address_string(local_address, talloc_tos())));
3020
3021 init_modules();
3022
3023 smb_perfcount_init();
3024
3025 if (!init_account_policy()) {
3026 exit_server("Could not open account policy tdb.\n");
3027 }
3028
3029 if (*lp_rootdir()) {
3030 if (chroot(lp_rootdir()) != 0) {
3031 DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
3032 exit_server("Failed to chroot()");
3033 }
3034 if (chdir("/") == -1) {
3035 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
3036 exit_server("Failed to chroot()");
3037 }
3038 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
3039 }
3040
3041 if (!srv_init_signing(sconn)) {
3042 exit_server("Failed to init smb_signing");
3043 }
3044
3045 if (lp_async_smb_echo_handler() && !fork_echo_handler(sconn)) {
3046 exit_server("Failed to fork echo handler");
3047 }
3048
3049 /* Setup oplocks */
3050 if (!init_oplocks(sconn->msg_ctx))
3051 exit_server("Failed to init oplocks");
3052
3053 /* register our message handlers */
3054 messaging_register(sconn->msg_ctx, NULL,
3055 MSG_SMB_FORCE_TDIS, msg_force_tdis);
3056 messaging_register(sconn->msg_ctx, sconn,
3057 MSG_SMB_RELEASE_IP, msg_release_ip);
3058 messaging_register(sconn->msg_ctx, NULL,
3059 MSG_SMB_CLOSE_FILE, msg_close_file);
3060
3061 /*
3062 * Use the default MSG_DEBUG handler to avoid rebroadcasting
3063 * MSGs to all child processes
3064 */
3065 messaging_deregister(sconn->msg_ctx,
3066 MSG_DEBUG, NULL);
3067 messaging_register(sconn->msg_ctx, NULL,
3068 MSG_DEBUG, debug_message);
3069
3070 if ((lp_keepalive() != 0)
3071 && !(event_add_idle(smbd_event_context(), NULL,
3072 timeval_set(lp_keepalive(), 0),
3073 "keepalive", keepalive_fn,
3074 NULL))) {
3075 DEBUG(0, ("Could not add keepalive event\n"));
3076 exit(1);
3077 }
3078
3079 if (!(event_add_idle(smbd_event_context(), NULL,
3080 timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3081 "deadtime", deadtime_fn, sconn))) {
3082 DEBUG(0, ("Could not add deadtime event\n"));
3083 exit(1);
3084 }
3085
3086 if (!(event_add_idle(smbd_event_context(), NULL,
3087 timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
3088 "housekeeping", housekeeping_fn, sconn))) {
3089 DEBUG(0, ("Could not add housekeeping event\n"));
3090 exit(1);
3091 }
3092
3093 #ifdef CLUSTER_SUPPORT
3094
3095 if (lp_clustering()) {
3096 /*
3097 * We need to tell ctdb about our client's TCP
3098 * connection, so that for failover ctdbd can send
3099 * tickle acks, triggering a reconnection by the
3100 * client.
3101 */
3102
3103 struct sockaddr_storage srv, clnt;
3104
3105 if (client_get_tcp_info(sconn->sock, &srv, &clnt) == 0) {
3106 NTSTATUS status;
3107 status = smbd_register_ips(sconn, &srv, &clnt);
3108 if (!NT_STATUS_IS_OK(status)) {
3109 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3110 nt_errstr(status)));
3111 }
3112 } else
3113 {
3114 DEBUG(0,("Unable to get tcp info for "
3115 "CTDB_CONTROL_TCP_CLIENT: %s\n",
3116 strerror(errno)));
3117 }
3118 }
3119
3120 #endif
3121
3122 sconn->nbt.got_session = false;
3123
3124 sconn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
3125
3126 sconn->smb1.sessions.done_sesssetup = false;
3127 sconn->smb1.sessions.max_send = BUFFER_SIZE;
3128 sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3129 /* users from session setup */
3130 sconn->smb1.sessions.session_userlist = NULL;
3131 /* workgroup from session setup. */
3132 sconn->smb1.sessions.session_workgroup = NULL;
3133 /* this holds info on user ids that are already validated for this VC */
3134 sconn->smb1.sessions.validated_users = NULL;
3135 sconn->smb1.sessions.next_vuid = VUID_OFFSET;
3136 sconn->smb1.sessions.num_validated_vuids = 0;
3137
3138 conn_init(sconn);
3139 if (!init_dptrs(sconn)) {
3140 exit_server("init_dptrs() failed");
3141 }
3142
3143 sconn->smb1.fde = event_add_fd(smbd_event_context(),
3144 sconn,
3145 sconn->sock,
3146 EVENT_FD_READ,
3147 smbd_server_connection_handler,
3148 sconn);
3149 if (!sconn->smb1.fde) {
3150 exit_server("failed to create smbd_server_connection fde");
3151 }
3152
3153 TALLOC_FREE(frame);
3154
3155 while (True) {
3156 NTSTATUS status;
3157
3158 frame = talloc_stackframe_pool(8192);
3159
3160 errno = 0;
3161
3162 status = smbd_server_connection_loop_once(sconn);
3163 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
3164 !NT_STATUS_IS_OK(status)) {
3165 DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
3166 " exiting\n", nt_errstr(status)));
3167 break;
3168 }
3169
3170 TALLOC_FREE(frame);
3171 }
3172
3173 exit_server_cleanly(NULL);
3174 }
3175
3176 bool req_is_in_chain(struct smb_request *req)
3177 {
3178 if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
3179 /*
3180 * We're right now handling a subsequent request, so we must
3181 * be in a chain
3182 */
3183 return true;
3184 }
3185
3186 if (!is_andx_req(req->cmd)) {
3187 return false;
3188 }
3189
3190 if (req->wct < 2) {
3191 /*
3192 * Okay, an illegal request, but definitely not chained :-)
3193 */
3194 return false;
3195 }
3196
3197 return (CVAL(req->vwv+0, 0) != 0xFF);
3198 }
Samba GIT mirror