search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Fix a winbind race leading to 100% CPU
[Samba.git] / source3 / smbd / smb2_negprot.c
blobf639503ad4cc418d6728d5ae7937b786ddfe106a
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25
26 /*
27 * this is the entry point if SMB2 is selected via
28 * the SMB negprot
29 */
30 void reply_smb2002(struct smb_request *req, uint16_t choice)
31 {
32 uint8_t *smb2_inbuf;
33 uint8_t *smb2_hdr;
34 uint8_t *smb2_body;
35 uint8_t *smb2_dyn;
36 size_t len = 4 + SMB2_HDR_BODY + 0x24 + 2;
37
38 smb2_inbuf = talloc_zero_array(talloc_tos(), uint8_t, len);
39 if (smb2_inbuf == NULL) {
40 DEBUG(0, ("Could not push spnego blob\n"));
41 reply_nterror(req, NT_STATUS_NO_MEMORY);
42 return;
43 }
44 smb2_hdr = smb2_inbuf + 4;
45 smb2_body = smb2_hdr + SMB2_HDR_BODY;
46 smb2_dyn = smb2_body + 0x24;
47
48 SIVAL(smb2_hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
49 SIVAL(smb2_hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
50
51 SSVAL(smb2_body, 0x00, 0x0024); /* struct size */
52 SSVAL(smb2_body, 0x02, 0x0001); /* dialect count */
53
54 SSVAL(smb2_dyn, 0x00, 0x0202); /* dialect 2.002 */
55
56 req->outbuf = NULL;
57
58 smbd_smb2_first_negprot(req->sconn, smb2_inbuf, len);
59 return;
60 }
61
62 NTSTATUS smbd_smb2_request_process_negprot(struct smbd_smb2_request *req)
63 {
64 const uint8_t *inbody;
65 const uint8_t *indyn = NULL;
66 int i = req->current_idx;
67 DATA_BLOB outbody;
68 DATA_BLOB outdyn;
69 DATA_BLOB negprot_spnego_blob;
70 uint16_t security_offset;
71 DATA_BLOB security_buffer;
72 size_t expected_body_size = 0x24;
73 size_t body_size;
74 size_t expected_dyn_size = 0;
75 size_t c;
76 uint16_t security_mode;
77 uint16_t dialect_count;
78 uint16_t dialect = 0;
79 uint32_t capabilities;
80
81 /* TODO: drop the connection with INVALID_PARAMETER */
82
83 if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
84 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
85 }
86
87 inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
88
89 body_size = SVAL(inbody, 0x00);
90 if (body_size != expected_body_size) {
91 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
92 }
93
94 dialect_count = SVAL(inbody, 0x02);
95 if (dialect_count == 0) {
96 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
97 }
98
99 expected_dyn_size = dialect_count * 2;
100 if (req->in.vector[i+2].iov_len < expected_dyn_size) {
101 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
102 }
103 indyn = (const uint8_t *)req->in.vector[i+2].iov_base;
104
105 for (c=0; c < dialect_count; c++) {
106 dialect = SVAL(indyn, c*2);
107 if (dialect == SMB2_DIALECT_REVISION_202) {
108 break;
109 }
110 }
111
112 if (dialect != SMB2_DIALECT_REVISION_202) {
113 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
114 }
115
116 set_Protocol(PROTOCOL_SMB2);
117
118 if (get_remote_arch() != RA_SAMBA) {
119 set_remote_arch(RA_VISTA);
120 }
121
122 /* negprot_spnego() returns a the server guid in the first 16 bytes */
123 negprot_spnego_blob = negprot_spnego(req, req->sconn);
124 if (negprot_spnego_blob.data == NULL) {
125 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
126 }
127
128 if (negprot_spnego_blob.length < 16) {
129 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
130 }
131
132 security_mode = SMB2_NEGOTIATE_SIGNING_ENABLED;
133 if (lp_server_signing() == Required) {
134 security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
135 }
136
137 capabilities = 0;
138 if (lp_host_msdfs()) {
139 capabilities |= SMB2_CAP_DFS;
140 }
141
142 security_offset = SMB2_HDR_BODY + 0x40;
143
144 #if 1
145 /* Try SPNEGO auth... */
146 security_buffer = data_blob_const(negprot_spnego_blob.data + 16,
147 negprot_spnego_blob.length - 16);
148 #else
149 /* for now we want raw NTLMSSP */
150 security_buffer = data_blob_const(NULL, 0);
151 #endif
152
153 outbody = data_blob_talloc(req->out.vector, NULL, 0x40);
154 if (outbody.data == NULL) {
155 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
156 }
157
158 SSVAL(outbody.data, 0x00, 0x40 + 1); /* struct size */
159 SSVAL(outbody.data, 0x02,
160 security_mode); /* security mode */
161 SSVAL(outbody.data, 0x04, dialect); /* dialect revision */
162 SSVAL(outbody.data, 0x06, 0); /* reserved */
163 memcpy(outbody.data + 0x08,
164 negprot_spnego_blob.data, 16); /* server guid */
165 SIVAL(outbody.data, 0x18,
166 capabilities); /* capabilities */
167 SIVAL(outbody.data, 0x1C, lp_smb2_max_trans()); /* max transact size */
168 SIVAL(outbody.data, 0x20, lp_smb2_max_read()); /* max read size */
169 SIVAL(outbody.data, 0x24, lp_smb2_max_write()); /* max write size */
170 SBVAL(outbody.data, 0x28, 0); /* system time */
171 SBVAL(outbody.data, 0x30, 0); /* server start time */
172 SSVAL(outbody.data, 0x38,
173 security_offset); /* security buffer offset */
174 SSVAL(outbody.data, 0x3A,
175 security_buffer.length); /* security buffer length */
176 SIVAL(outbody.data, 0x3C, 0); /* reserved */
177
178 outdyn = security_buffer;
179
180 req->sconn->using_smb2 = true;
181
182 return smbd_smb2_request_done(req, outbody, &outdyn);
183 }
Samba GIT mirror