search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
CVE-2017-2619: s3: smbd: Move the reference counting and destructor setup to just...
[Samba.git] / lib / dbwrap / dbwrap_rbt.c
blob3b5e5895cd5a48b671bf5c8af6858823280d7244
1 /*
2 Unix SMB/CIFS implementation.
3 Database interface wrapper around red-black trees
4 Copyright (C) Volker Lendecke 2007, 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "dbwrap/dbwrap.h"
22 #include "dbwrap/dbwrap_private.h"
23 #include "dbwrap/dbwrap_rbt.h"
24 #include "../lib/util/rbtree.h"
25 #include "../lib/util/dlinklist.h"
26
27 #define DBWRAP_RBT_ALIGN(_size_) (((_size_)+15)&~15)
28
29 struct db_rbt_ctx {
30 struct rb_root tree;
31 struct db_rbt_node *nodes;
32 size_t traverse_read;
33 struct db_rbt_node **traverse_nextp;
34 };
35
36 struct db_rbt_rec {
37 struct db_rbt_node *node;
38 };
39
40 /* The structure that ends up in the tree */
41
42 struct db_rbt_node {
43 struct rb_node rb_node;
44 size_t keysize, valuesize;
45 struct db_rbt_node *prev, *next;
46 };
47
48 /*
49 * Hide the ugly pointer calculations in a function
50 */
51
52 static struct db_rbt_node *db_rbt2node(struct rb_node *node)
53 {
54 return (struct db_rbt_node *)
55 ((char *)node - offsetof(struct db_rbt_node, rb_node));
56 }
57
58 /*
59 * Compare two keys
60 */
61
62 static int db_rbt_compare(TDB_DATA a, TDB_DATA b)
63 {
64 int res;
65
66 res = memcmp(a.dptr, b.dptr, MIN(a.dsize, b.dsize));
67
68 if ((res < 0) || ((res == 0) && (a.dsize < b.dsize))) {
69 return -1;
70 }
71 if ((res > 0) || ((res == 0) && (a.dsize > b.dsize))) {
72 return 1;
73 }
74 return 0;
75 }
76
77 /*
78 * dissect a db_rbt_node into its implicit key and value parts
79 */
80
81 static void db_rbt_parse_node(struct db_rbt_node *node,
82 TDB_DATA *key, TDB_DATA *value)
83 {
84 size_t key_offset, value_offset;
85
86 key_offset = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node));
87 key->dptr = ((uint8_t *)node) + key_offset;
88 key->dsize = node->keysize;
89
90 value_offset = DBWRAP_RBT_ALIGN(node->keysize);
91 value->dptr = key->dptr + value_offset;
92 value->dsize = node->valuesize;
93 }
94
95 static ssize_t db_rbt_reclen(size_t keylen, size_t valuelen)
96 {
97 size_t len, tmp;
98
99 len = DBWRAP_RBT_ALIGN(sizeof(struct db_rbt_node));
100
101 tmp = DBWRAP_RBT_ALIGN(keylen);
102 if (tmp < keylen) {
103 goto overflow;
104 }
105
106 len += tmp;
107 if (len < tmp) {
108 goto overflow;
109 }
110
111 len += valuelen;
112 if (len < valuelen) {
113 goto overflow;
114 }
115
116 return len;
117 overflow:
118 return -1;
119 }
120
121 static NTSTATUS db_rbt_store(struct db_record *rec, TDB_DATA data, int flag)
122 {
123 struct db_rbt_ctx *db_ctx = talloc_get_type_abort(
124 rec->db->private_data, struct db_rbt_ctx);
125 struct db_rbt_rec *rec_priv = (struct db_rbt_rec *)rec->private_data;
126 struct db_rbt_node *node;
127
128 struct rb_node ** p;
129 struct rb_node *parent = NULL;
130 struct db_rbt_node *parent_node = NULL;
131
132 ssize_t reclen;
133 TDB_DATA this_key, this_val;
134
135 if (db_ctx->traverse_read > 0) {
136 return NT_STATUS_MEDIA_WRITE_PROTECTED;
137 }
138
139 if (rec_priv->node != NULL) {
140
141 /*
142 * The record was around previously
143 */
144
145 db_rbt_parse_node(rec_priv->node, &this_key, &this_val);
146
147 SMB_ASSERT(this_key.dsize == rec->key.dsize);
148 SMB_ASSERT(memcmp(this_key.dptr, rec->key.dptr,
149 this_key.dsize) == 0);
150
151 if (this_val.dsize >= data.dsize) {
152 /*
153 * The new value fits into the old space
154 */
155 memcpy(this_val.dptr, data.dptr, data.dsize);
156 rec_priv->node->valuesize = data.dsize;
157 return NT_STATUS_OK;
158 }
159 }
160
161 reclen = db_rbt_reclen(rec->key.dsize, data.dsize);
162 if (reclen == -1) {
163 return NT_STATUS_INSUFFICIENT_RESOURCES;
164 }
165
166 node = talloc_zero_size(db_ctx, reclen);
167 if (node == NULL) {
168 return NT_STATUS_NO_MEMORY;
169 }
170
171 if (rec_priv->node != NULL) {
172 if (db_ctx->traverse_nextp != NULL) {
173 if (*db_ctx->traverse_nextp == rec_priv->node) {
174 *db_ctx->traverse_nextp = node;
175 }
176 }
177
178 /*
179 * We need to delete the key from the tree and start fresh,
180 * there's not enough space in the existing record
181 */
182
183 rb_erase(&rec_priv->node->rb_node, &db_ctx->tree);
184 DLIST_REMOVE(db_ctx->nodes, rec_priv->node);
185
186 /*
187 * Keep the existing node around for a while: If the record
188 * existed before, we reference the key data in there.
189 */
190 }
191
192 node->keysize = rec->key.dsize;
193 node->valuesize = data.dsize;
194
195 db_rbt_parse_node(node, &this_key, &this_val);
196
197 memcpy(this_key.dptr, rec->key.dptr, node->keysize);
198 TALLOC_FREE(rec_priv->node);
199 rec_priv->node = node;
200
201 memcpy(this_val.dptr, data.dptr, node->valuesize);
202
203 parent = NULL;
204 p = &db_ctx->tree.rb_node;
205
206 while (*p) {
207 struct db_rbt_node *r;
208 TDB_DATA search_key, search_val;
209 int res;
210
211 r = db_rbt2node(*p);
212
213 parent = (*p);
214 parent_node = r;
215
216 db_rbt_parse_node(r, &search_key, &search_val);
217
218 res = db_rbt_compare(this_key, search_key);
219
220 if (res == -1) {
221 p = &(*p)->rb_left;
222 }
223 else if (res == 1) {
224 p = &(*p)->rb_right;
225 }
226 else {
227 smb_panic("someone messed with the tree");
228 }
229 }
230
231 rb_link_node(&node->rb_node, parent, p);
232 DLIST_ADD_AFTER(db_ctx->nodes, node, parent_node);
233 rb_insert_color(&node->rb_node, &db_ctx->tree);
234
235 return NT_STATUS_OK;
236 }
237
238 static NTSTATUS db_rbt_delete(struct db_record *rec)
239 {
240 struct db_rbt_ctx *db_ctx = talloc_get_type_abort(
241 rec->db->private_data, struct db_rbt_ctx);
242 struct db_rbt_rec *rec_priv = (struct db_rbt_rec *)rec->private_data;
243
244 if (db_ctx->traverse_read > 0) {
245 return NT_STATUS_MEDIA_WRITE_PROTECTED;
246 }
247
248 if (rec_priv->node == NULL) {
249 return NT_STATUS_OK;
250 }
251
252 if (db_ctx->traverse_nextp != NULL) {
253 if (*db_ctx->traverse_nextp == rec_priv->node) {
254 *db_ctx->traverse_nextp = rec_priv->node->next;
255 }
256 }
257
258 rb_erase(&rec_priv->node->rb_node, &db_ctx->tree);
259 DLIST_REMOVE(db_ctx->nodes, rec_priv->node);
260 TALLOC_FREE(rec_priv->node);
261
262 return NT_STATUS_OK;
263 }
264
265 struct db_rbt_search_result {
266 TDB_DATA key;
267 TDB_DATA val;
268 struct db_rbt_node* node;
269 };
270
271 static bool db_rbt_search_internal(struct db_context *db, TDB_DATA key,
272 struct db_rbt_search_result *result)
273 {
274 struct db_rbt_ctx *ctx = talloc_get_type_abort(
275 db->private_data, struct db_rbt_ctx);
276
277 struct rb_node *n;
278 bool found = false;
279 struct db_rbt_node *r = NULL;
280 TDB_DATA search_key, search_val;
281
282 n = ctx->tree.rb_node;
283
284 while (n != NULL) {
285 int res;
286
287 r = db_rbt2node(n);
288
289 db_rbt_parse_node(r, &search_key, &search_val);
290
291 res = db_rbt_compare(key, search_key);
292
293 if (res == -1) {
294 n = n->rb_left;
295 }
296 else if (res == 1) {
297 n = n->rb_right;
298 }
299 else {
300 found = true;
301 break;
302 }
303 }
304 if (result != NULL) {
305 if (found) {
306 result->key = search_key;
307 result->val = search_val;
308 result->node = r;
309 } else {
310 ZERO_STRUCT(*result);
311 }
312 }
313 return found;
314 }
315
316 static struct db_record *db_rbt_fetch_locked(struct db_context *db_ctx,
317 TALLOC_CTX *mem_ctx,
318 TDB_DATA key)
319 {
320 struct db_rbt_rec *rec_priv;
321 struct db_record *result;
322 size_t size;
323 bool found;
324 struct db_rbt_search_result res;
325
326 found = db_rbt_search_internal(db_ctx, key, &res);
327
328 /*
329 * In this low-level routine, play tricks to reduce the number of
330 * tallocs to one. Not recommened for general use, but here it pays
331 * off.
332 */
333
334 size = DBWRAP_RBT_ALIGN(sizeof(struct db_record))
335 + sizeof(struct db_rbt_rec);
336
337 if (!found) {
338 /*
339 * We need to keep the key around for later store
340 */
341 size += key.dsize;
342 }
343
344 result = (struct db_record *)talloc_size(mem_ctx, size);
345 if (result == NULL) {
346 return NULL;
347 }
348
349 rec_priv = (struct db_rbt_rec *)
350 ((char *)result + DBWRAP_RBT_ALIGN(sizeof(struct db_record)));
351
352 result->store = db_rbt_store;
353 result->delete_rec = db_rbt_delete;
354 result->private_data = rec_priv;
355
356 rec_priv->node = res.node;
357 result->value = res.val;
358
359 if (found) {
360 result->key = res.key;
361 }
362 else {
363 result->key.dptr = (uint8_t *)
364 ((char *)rec_priv + sizeof(*rec_priv));
365 result->key.dsize = key.dsize;
366 memcpy(result->key.dptr, key.dptr, key.dsize);
367 }
368
369 return result;
370 }
371
372 static int db_rbt_exists(struct db_context *db, TDB_DATA key)
373 {
374 return db_rbt_search_internal(db, key, NULL);
375 }
376
377 static int db_rbt_wipe(struct db_context *db)
378 {
379 struct db_rbt_ctx *old_ctx = talloc_get_type_abort(
380 db->private_data, struct db_rbt_ctx);
381 struct db_rbt_ctx *new_ctx = talloc_zero(db, struct db_rbt_ctx);
382 if (new_ctx == NULL) {
383 return -1;
384 }
385 db->private_data = new_ctx;
386 talloc_free(old_ctx);
387 return 0;
388 }
389
390 static NTSTATUS db_rbt_parse_record(struct db_context *db, TDB_DATA key,
391 void (*parser)(TDB_DATA key, TDB_DATA data,
392 void *private_data),
393 void *private_data)
394 {
395 struct db_rbt_search_result res;
396 bool found = db_rbt_search_internal(db, key, &res);
397
398 if (!found) {
399 return NT_STATUS_NOT_FOUND;
400 }
401 parser(res.key, res.val, private_data);
402 return NT_STATUS_OK;
403 }
404
405 static int db_rbt_traverse_internal(struct db_context *db,
406 int (*f)(struct db_record *db,
407 void *private_data),
408 void *private_data, uint32_t* count,
409 bool rw)
410 {
411 struct db_rbt_ctx *ctx = talloc_get_type_abort(
412 db->private_data, struct db_rbt_ctx);
413 struct db_rbt_node *cur = NULL;
414 struct db_rbt_node *next = NULL;
415 int ret;
416
417 for (cur = ctx->nodes; cur != NULL; cur = next) {
418 struct db_record rec;
419 struct db_rbt_rec rec_priv;
420
421 rec_priv.node = cur;
422 next = rec_priv.node->next;
423
424 ZERO_STRUCT(rec);
425 rec.db = db;
426 rec.private_data = &rec_priv;
427 rec.store = db_rbt_store;
428 rec.delete_rec = db_rbt_delete;
429 db_rbt_parse_node(rec_priv.node, &rec.key, &rec.value);
430
431 if (rw) {
432 ctx->traverse_nextp = &next;
433 }
434 ret = f(&rec, private_data);
435 (*count) ++;
436 if (rw) {
437 ctx->traverse_nextp = NULL;
438 }
439 if (ret != 0) {
440 return ret;
441 }
442 if (rec_priv.node != NULL) {
443 next = rec_priv.node->next;
444 }
445 }
446
447 return 0;
448 }
449
450 static int db_rbt_traverse_read(struct db_context *db,
451 int (*f)(struct db_record *db,
452 void *private_data),
453 void *private_data)
454 {
455 struct db_rbt_ctx *ctx = talloc_get_type_abort(
456 db->private_data, struct db_rbt_ctx);
457 uint32_t count = 0;
458 int ret;
459
460 ctx->traverse_read++;
461 ret = db_rbt_traverse_internal(db,
462 f, private_data, &count,
463 false /* rw */);
464 ctx->traverse_read--;
465 if (ret != 0) {
466 return -1;
467 }
468 if (count > INT_MAX) {
469 return -1;
470 }
471 return count;
472 }
473
474 static int db_rbt_traverse(struct db_context *db,
475 int (*f)(struct db_record *db,
476 void *private_data),
477 void *private_data)
478 {
479 struct db_rbt_ctx *ctx = talloc_get_type_abort(
480 db->private_data, struct db_rbt_ctx);
481 uint32_t count = 0;
482 int ret;
483
484 if (ctx->traverse_nextp != NULL) {
485 return -1;
486 };
487
488 if (ctx->traverse_read > 0) {
489 return db_rbt_traverse_read(db, f, private_data);
490 }
491
492 ret = db_rbt_traverse_internal(db,
493 f, private_data, &count,
494 true /* rw */);
495 if (ret != 0) {
496 return -1;
497 }
498 if (count > INT_MAX) {
499 return -1;
500 }
501 return count;
502 }
503
504 static int db_rbt_get_seqnum(struct db_context *db)
505 {
506 return 0;
507 }
508
509 static int db_rbt_trans_dummy(struct db_context *db)
510 {
511 /*
512 * Transactions are pretty pointless in-memory, just return success.
513 */
514 return 0;
515 }
516
517 static size_t db_rbt_id(struct db_context *db, uint8_t *id, size_t idlen)
518 {
519 if (idlen >= sizeof(struct db_context *)) {
520 memcpy(id, &db, sizeof(struct db_context *));
521 }
522 return sizeof(struct db_context *);
523 }
524
525 struct db_context *db_open_rbt(TALLOC_CTX *mem_ctx)
526 {
527 struct db_context *result;
528
529 result = talloc_zero(mem_ctx, struct db_context);
530
531 if (result == NULL) {
532 return NULL;
533 }
534
535 result->private_data = talloc_zero(result, struct db_rbt_ctx);
536
537 if (result->private_data == NULL) {
538 TALLOC_FREE(result);
539 return NULL;
540 }
541
542 result->fetch_locked = db_rbt_fetch_locked;
543 result->traverse = db_rbt_traverse;
544 result->traverse_read = db_rbt_traverse_read;
545 result->get_seqnum = db_rbt_get_seqnum;
546 result->transaction_start = db_rbt_trans_dummy;
547 result->transaction_commit = db_rbt_trans_dummy;
548 result->transaction_cancel = db_rbt_trans_dummy;
549 result->exists = db_rbt_exists;
550 result->wipe = db_rbt_wipe;
551 result->parse_record = db_rbt_parse_record;
552 result->id = db_rbt_id;
553 result->name = "dbwrap rbt";
554
555 return result;
556 }
Samba GIT mirror