search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
smbd: change flag name from UCF_CREATING_FILE to UCF_PREP_CREATEFILE
[Samba.git] / source3 / smbd / nttrans.c
blob15fa4b64776570c482f7af03097f57d2273d5e4c
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT transaction handling
4 Copyright (C) Jeremy Allison 1994-2007
5 Copyright (C) Stefan (metze) Metzmacher 2003
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/filesys.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "fake_file.h"
26 #include "../libcli/security/security.h"
27 #include "../librpc/gen_ndr/ndr_security.h"
28 #include "passdb/lookup_sid.h"
29 #include "auth.h"
30 #include "smbprofile.h"
31 #include "libsmb/libsmb.h"
32
33 extern const struct generic_mapping file_generic_mapping;
34
35 static char *nttrans_realloc(char **ptr, size_t size)
36 {
37 if (ptr==NULL) {
38 smb_panic("nttrans_realloc() called with NULL ptr");
39 }
40
41 *ptr = (char *)SMB_REALLOC(*ptr, size);
42 if(*ptr == NULL) {
43 return NULL;
44 }
45 memset(*ptr,'\0',size);
46 return *ptr;
47 }
48
49 /****************************************************************************
50 Send the required number of replies back.
51 We assume all fields other than the data fields are
52 set correctly for the type of call.
53 HACK ! Always assumes smb_setup field is zero.
54 ****************************************************************************/
55
56 static void send_nt_replies(connection_struct *conn,
57 struct smb_request *req, NTSTATUS nt_error,
58 char *params, int paramsize,
59 char *pdata, int datasize)
60 {
61 int data_to_send = datasize;
62 int params_to_send = paramsize;
63 int useable_space;
64 char *pp = params;
65 char *pd = pdata;
66 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
67 int alignment_offset = 1;
68 int data_alignment_offset = 0;
69 struct smbd_server_connection *sconn = req->sconn;
70 int max_send = sconn->smb1.sessions.max_send;
71
72 /*
73 * If there genuinely are no parameters or data to send just send
74 * the empty packet.
75 */
76
77 if(params_to_send == 0 && data_to_send == 0) {
78 reply_outbuf(req, 18, 0);
79 if (NT_STATUS_V(nt_error)) {
80 error_packet_set((char *)req->outbuf,
81 0, 0, nt_error,
82 __LINE__,__FILE__);
83 }
84 show_msg((char *)req->outbuf);
85 if (!srv_send_smb(sconn,
86 (char *)req->outbuf,
87 true, req->seqnum+1,
88 IS_CONN_ENCRYPTED(conn),
89 &req->pcd)) {
90 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
91 }
92 TALLOC_FREE(req->outbuf);
93 return;
94 }
95
96 /*
97 * When sending params and data ensure that both are nicely aligned.
98 * Only do this alignment when there is also data to send - else
99 * can cause NT redirector problems.
100 */
101
102 if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
103 data_alignment_offset = 4 - (params_to_send % 4);
104 }
105
106 /*
107 * Space is bufsize minus Netbios over TCP header minus SMB header.
108 * The alignment_offset is to align the param bytes on a four byte
109 * boundary (2 bytes for data len, one byte pad).
110 * NT needs this to work correctly.
111 */
112
113 useable_space = max_send - (smb_size
114 + 2 * 18 /* wct */
115 + alignment_offset
116 + data_alignment_offset);
117
118 if (useable_space < 0) {
119 char *msg = talloc_asprintf(
120 talloc_tos(),
121 "send_nt_replies failed sanity useable_space = %d!!!",
122 useable_space);
123 DEBUG(0, ("%s\n", msg));
124 exit_server_cleanly(msg);
125 }
126
127 while (params_to_send || data_to_send) {
128
129 /*
130 * Calculate whether we will totally or partially fill this packet.
131 */
132
133 total_sent_thistime = params_to_send + data_to_send;
134
135 /*
136 * We can never send more than useable_space.
137 */
138
139 total_sent_thistime = MIN(total_sent_thistime, useable_space);
140
141 reply_outbuf(req, 18,
142 total_sent_thistime + alignment_offset
143 + data_alignment_offset);
144
145 /*
146 * Set total params and data to be sent.
147 */
148
149 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
150 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
151
152 /*
153 * Calculate how many parameters and data we can fit into
154 * this packet. Parameters get precedence.
155 */
156
157 params_sent_thistime = MIN(params_to_send,useable_space);
158 data_sent_thistime = useable_space - params_sent_thistime;
159 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
160
161 SIVAL(req->outbuf, smb_ntr_ParameterCount,
162 params_sent_thistime);
163
164 if(params_sent_thistime == 0) {
165 SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
166 SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
167 } else {
168 /*
169 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
170 * parameter bytes, however the first 4 bytes of outbuf are
171 * the Netbios over TCP header. Thus use smb_base() to subtract
172 * them from the calculation.
173 */
174
175 SIVAL(req->outbuf,smb_ntr_ParameterOffset,
176 ((smb_buf(req->outbuf)+alignment_offset)
177 - smb_base(req->outbuf)));
178 /*
179 * Absolute displacement of param bytes sent in this packet.
180 */
181
182 SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
183 pp - params);
184 }
185
186 /*
187 * Deal with the data portion.
188 */
189
190 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
191
192 if(data_sent_thistime == 0) {
193 SIVAL(req->outbuf,smb_ntr_DataOffset,0);
194 SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
195 } else {
196 /*
197 * The offset of the data bytes is the offset of the
198 * parameter bytes plus the number of parameters being sent this time.
199 */
200
201 SIVAL(req->outbuf, smb_ntr_DataOffset,
202 ((smb_buf(req->outbuf)+alignment_offset) -
203 smb_base(req->outbuf))
204 + params_sent_thistime + data_alignment_offset);
205 SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
206 }
207
208 /*
209 * Copy the param bytes into the packet.
210 */
211
212 if(params_sent_thistime) {
213 if (alignment_offset != 0) {
214 memset(smb_buf(req->outbuf), 0,
215 alignment_offset);
216 }
217 memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
218 params_sent_thistime);
219 }
220
221 /*
222 * Copy in the data bytes
223 */
224
225 if(data_sent_thistime) {
226 if (data_alignment_offset != 0) {
227 memset((smb_buf(req->outbuf)+alignment_offset+
228 params_sent_thistime), 0,
229 data_alignment_offset);
230 }
231 memcpy(smb_buf(req->outbuf)+alignment_offset
232 +params_sent_thistime+data_alignment_offset,
233 pd,data_sent_thistime);
234 }
235
236 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
237 params_sent_thistime, data_sent_thistime, useable_space));
238 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
239 params_to_send, data_to_send, paramsize, datasize));
240
241 if (NT_STATUS_V(nt_error)) {
242 error_packet_set((char *)req->outbuf,
243 0, 0, nt_error,
244 __LINE__,__FILE__);
245 }
246
247 /* Send the packet */
248 show_msg((char *)req->outbuf);
249 if (!srv_send_smb(sconn,
250 (char *)req->outbuf,
251 true, req->seqnum+1,
252 IS_CONN_ENCRYPTED(conn),
253 &req->pcd)) {
254 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
255 }
256
257 TALLOC_FREE(req->outbuf);
258
259 pp += params_sent_thistime;
260 pd += data_sent_thistime;
261
262 params_to_send -= params_sent_thistime;
263 data_to_send -= data_sent_thistime;
264
265 /*
266 * Sanity check
267 */
268
269 if(params_to_send < 0 || data_to_send < 0) {
270 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
271 params_to_send, data_to_send));
272 exit_server_cleanly("send_nt_replies: internal error");
273 }
274 }
275 }
276
277 /****************************************************************************
278 Reply to an NT create and X call on a pipe
279 ****************************************************************************/
280
281 static void nt_open_pipe(char *fname, connection_struct *conn,
282 struct smb_request *req, uint16_t *ppnum)
283 {
284 files_struct *fsp;
285 NTSTATUS status;
286
287 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
288
289 /* Strip \\ off the name if present. */
290 while (fname[0] == '\\') {
291 fname++;
292 }
293
294 status = open_np_file(req, fname, &fsp);
295 if (!NT_STATUS_IS_OK(status)) {
296 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
297 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
298 ERRDOS, ERRbadpipe);
299 return;
300 }
301 reply_nterror(req, status);
302 return;
303 }
304
305 *ppnum = fsp->fnum;
306 return;
307 }
308
309 /****************************************************************************
310 Reply to an NT create and X call for pipes.
311 ****************************************************************************/
312
313 static void do_ntcreate_pipe_open(connection_struct *conn,
314 struct smb_request *req)
315 {
316 char *fname = NULL;
317 uint16_t pnum = FNUM_FIELD_INVALID;
318 char *p = NULL;
319 uint32 flags = IVAL(req->vwv+3, 1);
320 TALLOC_CTX *ctx = talloc_tos();
321
322 srvstr_pull_req_talloc(ctx, req, &fname, req->buf, STR_TERMINATE);
323
324 if (!fname) {
325 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
326 ERRDOS, ERRbadpipe);
327 return;
328 }
329 nt_open_pipe(fname, conn, req, &pnum);
330
331 if (req->outbuf) {
332 /* error reply */
333 return;
334 }
335
336 /*
337 * Deal with pipe return.
338 */
339
340 if (flags & EXTENDED_RESPONSE_REQUIRED) {
341 /* This is very strange. We
342 * return 50 words, but only set
343 * the wcnt to 42 ? It's definitely
344 * what happens on the wire....
345 */
346 reply_outbuf(req, 50, 0);
347 SCVAL(req->outbuf,smb_wct,42);
348 } else {
349 reply_outbuf(req, 34, 0);
350 }
351
352 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
353 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
354
355 p = (char *)req->outbuf + smb_vwv2;
356 p++;
357 SSVAL(p,0,pnum);
358 p += 2;
359 SIVAL(p,0,FILE_WAS_OPENED);
360 p += 4;
361 p += 32;
362 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
363 p += 20;
364 /* File type. */
365 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
366 /* Device state. */
367 SSVAL(p,2, 0x5FF); /* ? */
368 p += 4;
369
370 if (flags & EXTENDED_RESPONSE_REQUIRED) {
371 p += 25;
372 SIVAL(p,0,FILE_GENERIC_ALL);
373 /*
374 * For pipes W2K3 seems to return
375 * 0x12019B next.
376 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
377 */
378 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
379 }
380
381 DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
382 }
383
384 struct case_semantics_state {
385 connection_struct *conn;
386 bool case_sensitive;
387 bool case_preserve;
388 bool short_case_preserve;
389 };
390
391 /****************************************************************************
392 Restore case semantics.
393 ****************************************************************************/
394
395 static int restore_case_semantics(struct case_semantics_state *state)
396 {
397 state->conn->case_sensitive = state->case_sensitive;
398 state->conn->case_preserve = state->case_preserve;
399 state->conn->short_case_preserve = state->short_case_preserve;
400 return 0;
401 }
402
403 /****************************************************************************
404 Save case semantics.
405 ****************************************************************************/
406
407 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
408 connection_struct *conn)
409 {
410 struct case_semantics_state *result;
411
412 if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
413 return NULL;
414 }
415
416 result->conn = conn;
417 result->case_sensitive = conn->case_sensitive;
418 result->case_preserve = conn->case_preserve;
419 result->short_case_preserve = conn->short_case_preserve;
420
421 /* Set to POSIX. */
422 conn->case_sensitive = True;
423 conn->case_preserve = True;
424 conn->short_case_preserve = True;
425
426 talloc_set_destructor(result, restore_case_semantics);
427
428 return result;
429 }
430
431 /****************************************************************************
432 Reply to an NT create and X call.
433 ****************************************************************************/
434
435 void reply_ntcreate_and_X(struct smb_request *req)
436 {
437 connection_struct *conn = req->conn;
438 struct smb_filename *smb_fname = NULL;
439 char *fname = NULL;
440 uint32 flags;
441 uint32 access_mask;
442 uint32 file_attributes;
443 uint32 share_access;
444 uint32 create_disposition;
445 uint32 create_options;
446 uint16 root_dir_fid;
447 uint64_t allocation_size;
448 /* Breakout the oplock request bits so we can set the
449 reply bits separately. */
450 uint32 fattr=0;
451 off_t file_len = 0;
452 int info = 0;
453 files_struct *fsp = NULL;
454 char *p = NULL;
455 struct timespec create_timespec;
456 struct timespec c_timespec;
457 struct timespec a_timespec;
458 struct timespec m_timespec;
459 struct timespec write_time_ts;
460 NTSTATUS status;
461 int oplock_request;
462 uint8_t oplock_granted = NO_OPLOCK_RETURN;
463 struct case_semantics_state *case_state = NULL;
464 TALLOC_CTX *ctx = talloc_tos();
465
466 START_PROFILE(SMBntcreateX);
467
468 if (req->wct < 24) {
469 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
470 goto out;
471 }
472
473 flags = IVAL(req->vwv+3, 1);
474 access_mask = IVAL(req->vwv+7, 1);
475 file_attributes = IVAL(req->vwv+13, 1);
476 share_access = IVAL(req->vwv+15, 1);
477 create_disposition = IVAL(req->vwv+17, 1);
478 create_options = IVAL(req->vwv+19, 1);
479 root_dir_fid = (uint16)IVAL(req->vwv+5, 1);
480
481 allocation_size = BVAL(req->vwv+9, 1);
482
483 srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf,
484 STR_TERMINATE, &status);
485
486 if (!NT_STATUS_IS_OK(status)) {
487 reply_nterror(req, status);
488 goto out;
489 }
490
491 DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
492 "file_attributes = 0x%x, share_access = 0x%x, "
493 "create_disposition = 0x%x create_options = 0x%x "
494 "root_dir_fid = 0x%x, fname = %s\n",
495 (unsigned int)flags,
496 (unsigned int)access_mask,
497 (unsigned int)file_attributes,
498 (unsigned int)share_access,
499 (unsigned int)create_disposition,
500 (unsigned int)create_options,
501 (unsigned int)root_dir_fid,
502 fname));
503
504 /*
505 * we need to remove ignored bits when they come directly from the client
506 * because we reuse some of them for internal stuff
507 */
508 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
509
510 /*
511 * If it's an IPC, use the pipe handler.
512 */
513
514 if (IS_IPC(conn)) {
515 if (lp_nt_pipe_support()) {
516 do_ntcreate_pipe_open(conn, req);
517 goto out;
518 }
519 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
520 goto out;
521 }
522
523 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
524 if (oplock_request) {
525 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
526 ? BATCH_OPLOCK : 0;
527 }
528
529 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
530 case_state = set_posix_case_semantics(ctx, conn);
531 if (!case_state) {
532 reply_nterror(req, NT_STATUS_NO_MEMORY);
533 goto out;
534 }
535 }
536
537 status = filename_convert(ctx,
538 conn,
539 req->flags2 & FLAGS2_DFS_PATHNAMES,
540 fname,
541 (create_disposition == FILE_CREATE)
542 ? UCF_PREP_CREATEFILE : 0,
543 NULL,
544 &smb_fname);
545
546 TALLOC_FREE(case_state);
547
548 if (!NT_STATUS_IS_OK(status)) {
549 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
550 reply_botherror(req,
551 NT_STATUS_PATH_NOT_COVERED,
552 ERRSRV, ERRbadpath);
553 goto out;
554 }
555 reply_nterror(req, status);
556 goto out;
557 }
558
559 /*
560 * Bug #6898 - clients using Windows opens should
561 * never be able to set this attribute into the
562 * VFS.
563 */
564 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
565
566 status = SMB_VFS_CREATE_FILE(
567 conn, /* conn */
568 req, /* req */
569 root_dir_fid, /* root_dir_fid */
570 smb_fname, /* fname */
571 access_mask, /* access_mask */
572 share_access, /* share_access */
573 create_disposition, /* create_disposition*/
574 create_options, /* create_options */
575 file_attributes, /* file_attributes */
576 oplock_request, /* oplock_request */
577 allocation_size, /* allocation_size */
578 0, /* private_flags */
579 NULL, /* sd */
580 NULL, /* ea_list */
581 &fsp, /* result */
582 &info); /* pinfo */
583
584 if (!NT_STATUS_IS_OK(status)) {
585 if (open_was_deferred(req->sconn, req->mid)) {
586 /* We have re-scheduled this call, no error. */
587 goto out;
588 }
589 reply_openerror(req, status);
590 goto out;
591 }
592
593 /* Ensure we're pointing at the correct stat struct. */
594 TALLOC_FREE(smb_fname);
595 smb_fname = fsp->fsp_name;
596
597 /*
598 * If the caller set the extended oplock request bit
599 * and we granted one (by whatever means) - set the
600 * correct bit for extended oplock reply.
601 */
602
603 if (oplock_request &&
604 (lp_fake_oplocks(SNUM(conn))
605 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
606
607 /*
608 * Exclusive oplock granted
609 */
610
611 if (flags & REQUEST_BATCH_OPLOCK) {
612 oplock_granted = BATCH_OPLOCK_RETURN;
613 } else {
614 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
615 }
616 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
617 oplock_granted = LEVEL_II_OPLOCK_RETURN;
618 } else {
619 oplock_granted = NO_OPLOCK_RETURN;
620 }
621
622 file_len = smb_fname->st.st_ex_size;
623
624 if (flags & EXTENDED_RESPONSE_REQUIRED) {
625 /* This is very strange. We
626 * return 50 words, but only set
627 * the wcnt to 42 ? It's definitely
628 * what happens on the wire....
629 */
630 reply_outbuf(req, 50, 0);
631 SCVAL(req->outbuf,smb_wct,42);
632 } else {
633 reply_outbuf(req, 34, 0);
634 }
635
636 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
637 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
638
639 p = (char *)req->outbuf + smb_vwv2;
640
641 SCVAL(p, 0, oplock_granted);
642
643 p++;
644 SSVAL(p,0,fsp->fnum);
645 p += 2;
646 if ((create_disposition == FILE_SUPERSEDE)
647 && (info == FILE_WAS_OVERWRITTEN)) {
648 SIVAL(p,0,FILE_WAS_SUPERSEDED);
649 } else {
650 SIVAL(p,0,info);
651 }
652 p += 4;
653
654 fattr = dos_mode(conn, smb_fname);
655 if (fattr == 0) {
656 fattr = FILE_ATTRIBUTE_NORMAL;
657 }
658
659 /* Deal with other possible opens having a modified
660 write time. JRA. */
661 ZERO_STRUCT(write_time_ts);
662 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
663 if (!null_timespec(write_time_ts)) {
664 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
665 }
666
667 /* Create time. */
668 create_timespec = get_create_timespec(conn, fsp, smb_fname);
669 a_timespec = smb_fname->st.st_ex_atime;
670 m_timespec = smb_fname->st.st_ex_mtime;
671 c_timespec = get_change_timespec(conn, fsp, smb_fname);
672
673 if (lp_dos_filetime_resolution(SNUM(conn))) {
674 dos_filetime_timespec(&create_timespec);
675 dos_filetime_timespec(&a_timespec);
676 dos_filetime_timespec(&m_timespec);
677 dos_filetime_timespec(&c_timespec);
678 }
679
680 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
681 p += 8;
682 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
683 p += 8;
684 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
685 p += 8;
686 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
687 p += 8;
688 SIVAL(p,0,fattr); /* File Attributes. */
689 p += 4;
690 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn,fsp,&smb_fname->st));
691 p += 8;
692 SOFF_T(p,0,file_len);
693 p += 8;
694 if (flags & EXTENDED_RESPONSE_REQUIRED) {
695 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
696 size_t num_names = 0;
697 unsigned int num_streams = 0;
698 struct stream_struct *streams = NULL;
699
700 /* Do we have any EA's ? */
701 status = get_ea_names_from_file(ctx, conn, fsp,
702 smb_fname->base_name, NULL, &num_names);
703 if (NT_STATUS_IS_OK(status) && num_names) {
704 file_status &= ~NO_EAS;
705 }
706 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
707 &num_streams, &streams);
708 /* There is always one stream, ::$DATA. */
709 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
710 file_status &= ~NO_SUBSTREAMS;
711 }
712 TALLOC_FREE(streams);
713 SSVAL(p,2,file_status);
714 }
715 p += 4;
716 SCVAL(p,0,fsp->is_directory ? 1 : 0);
717
718 if (flags & EXTENDED_RESPONSE_REQUIRED) {
719 uint32 perms = 0;
720 p += 25;
721 if (fsp->is_directory ||
722 can_write_to_file(conn, smb_fname)) {
723 perms = FILE_GENERIC_ALL;
724 } else {
725 perms = FILE_GENERIC_READ|FILE_EXECUTE;
726 }
727 SIVAL(p,0,perms);
728 }
729
730 DEBUG(5,("reply_ntcreate_and_X: %s, open name = %s\n",
731 fsp_fnum_dbg(fsp), smb_fname_str_dbg(smb_fname)));
732
733 out:
734 END_PROFILE(SMBntcreateX);
735 return;
736 }
737
738 /****************************************************************************
739 Reply to a NT_TRANSACT_CREATE call to open a pipe.
740 ****************************************************************************/
741
742 static void do_nt_transact_create_pipe(connection_struct *conn,
743 struct smb_request *req,
744 uint16 **ppsetup, uint32 setup_count,
745 char **ppparams, uint32 parameter_count,
746 char **ppdata, uint32 data_count)
747 {
748 char *fname = NULL;
749 char *params = *ppparams;
750 uint16_t pnum = FNUM_FIELD_INVALID;
751 char *p = NULL;
752 NTSTATUS status;
753 size_t param_len;
754 uint32 flags;
755 TALLOC_CTX *ctx = talloc_tos();
756
757 /*
758 * Ensure minimum number of parameters sent.
759 */
760
761 if(parameter_count < 54) {
762 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
763 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
764 return;
765 }
766
767 flags = IVAL(params,0);
768
769 srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
770 parameter_count-53, STR_TERMINATE,
771 &status);
772 if (!NT_STATUS_IS_OK(status)) {
773 reply_nterror(req, status);
774 return;
775 }
776
777 nt_open_pipe(fname, conn, req, &pnum);
778
779 if (req->outbuf) {
780 /* Error return */
781 return;
782 }
783
784 /* Realloc the size of parameters and data we will return */
785 if (flags & EXTENDED_RESPONSE_REQUIRED) {
786 /* Extended response is 32 more byyes. */
787 param_len = 101;
788 } else {
789 param_len = 69;
790 }
791 params = nttrans_realloc(ppparams, param_len);
792 if(params == NULL) {
793 reply_nterror(req, NT_STATUS_NO_MEMORY);
794 return;
795 }
796
797 p = params;
798 SCVAL(p,0,NO_OPLOCK_RETURN);
799
800 p += 2;
801 SSVAL(p,0,pnum);
802 p += 2;
803 SIVAL(p,0,FILE_WAS_OPENED);
804 p += 8;
805
806 p += 32;
807 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
808 p += 20;
809 /* File type. */
810 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
811 /* Device state. */
812 SSVAL(p,2, 0x5FF); /* ? */
813 p += 4;
814
815 if (flags & EXTENDED_RESPONSE_REQUIRED) {
816 p += 25;
817 SIVAL(p,0,FILE_GENERIC_ALL);
818 /*
819 * For pipes W2K3 seems to return
820 * 0x12019B next.
821 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
822 */
823 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
824 }
825
826 DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
827
828 /* Send the required number of replies */
829 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
830
831 return;
832 }
833
834 /*********************************************************************
835 Windows seems to do canonicalization of inheritance bits. Do the
836 same.
837 *********************************************************************/
838
839 static void canonicalize_inheritance_bits(struct security_descriptor *psd)
840 {
841 bool set_auto_inherited = false;
842
843 /*
844 * We need to filter out the
845 * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
846 * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
847 * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
848 * when an ACE is inherited. Otherwise we zero these bits out.
849 * See:
850 *
851 * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
852 *
853 * for details.
854 */
855
856 if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
857 == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
858 set_auto_inherited = true;
859 }
860
861 psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
862 if (set_auto_inherited) {
863 psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
864 }
865 }
866
867 /****************************************************************************
868 Internal fn to set security descriptors.
869 ****************************************************************************/
870
871 NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
872 uint32_t security_info_sent)
873 {
874 NTSTATUS status;
875
876 if (!CAN_WRITE(fsp->conn)) {
877 return NT_STATUS_ACCESS_DENIED;
878 }
879
880 if (!lp_nt_acl_support(SNUM(fsp->conn))) {
881 return NT_STATUS_OK;
882 }
883
884 if (psd->owner_sid == NULL) {
885 security_info_sent &= ~SECINFO_OWNER;
886 }
887 if (psd->group_sid == NULL) {
888 security_info_sent &= ~SECINFO_GROUP;
889 }
890
891 /* Ensure we have at least one thing set. */
892 if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
893 /* Just like W2K3 */
894 return NT_STATUS_OK;
895 }
896
897 /* Ensure we have the rights to do this. */
898 if (security_info_sent & SECINFO_OWNER) {
899 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
900 return NT_STATUS_ACCESS_DENIED;
901 }
902 }
903
904 if (security_info_sent & SECINFO_GROUP) {
905 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
906 return NT_STATUS_ACCESS_DENIED;
907 }
908 }
909
910 if (security_info_sent & SECINFO_DACL) {
911 if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
912 return NT_STATUS_ACCESS_DENIED;
913 }
914 /* Convert all the generic bits. */
915 if (psd->dacl) {
916 security_acl_map_generic(psd->dacl, &file_generic_mapping);
917 }
918 }
919
920 if (security_info_sent & SECINFO_SACL) {
921 if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
922 return NT_STATUS_ACCESS_DENIED;
923 }
924 /* Convert all the generic bits. */
925 if (psd->sacl) {
926 security_acl_map_generic(psd->sacl, &file_generic_mapping);
927 }
928 }
929
930 canonicalize_inheritance_bits(psd);
931
932 if (DEBUGLEVEL >= 10) {
933 DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
934 NDR_PRINT_DEBUG(security_descriptor, psd);
935 }
936
937 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
938
939 TALLOC_FREE(psd);
940
941 return status;
942 }
943
944 /****************************************************************************
945 Internal fn to set security descriptors from a data blob.
946 ****************************************************************************/
947
948 NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
949 uint32_t security_info_sent)
950 {
951 struct security_descriptor *psd = NULL;
952 NTSTATUS status;
953
954 if (sd_len == 0) {
955 return NT_STATUS_INVALID_PARAMETER;
956 }
957
958 status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
959
960 if (!NT_STATUS_IS_OK(status)) {
961 return status;
962 }
963
964 return set_sd(fsp, psd, security_info_sent);
965 }
966
967 /****************************************************************************
968 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
969 ****************************************************************************/
970
971 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
972 {
973 struct ea_list *ea_list_head = NULL;
974 size_t offset = 0;
975
976 if (data_size < 4) {
977 return NULL;
978 }
979
980 while (offset + 4 <= data_size) {
981 size_t next_offset = IVAL(pdata,offset);
982 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
983
984 if (!eal) {
985 return NULL;
986 }
987
988 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
989 if (next_offset == 0) {
990 break;
991 }
992
993 /* Integer wrap protection for the increment. */
994 if (offset + next_offset < offset) {
995 break;
996 }
997
998 offset += next_offset;
999
1000 /* Integer wrap protection for while loop. */
1001 if (offset + 4 < offset) {
1002 break;
1003 }
1004
1005 }
1006
1007 return ea_list_head;
1008 }
1009
1010 /****************************************************************************
1011 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1012 ****************************************************************************/
1013
1014 static void call_nt_transact_create(connection_struct *conn,
1015 struct smb_request *req,
1016 uint16 **ppsetup, uint32 setup_count,
1017 char **ppparams, uint32 parameter_count,
1018 char **ppdata, uint32 data_count,
1019 uint32 max_data_count)
1020 {
1021 struct smb_filename *smb_fname = NULL;
1022 char *fname = NULL;
1023 char *params = *ppparams;
1024 char *data = *ppdata;
1025 /* Breakout the oplock request bits so we can set the reply bits separately. */
1026 uint32 fattr=0;
1027 off_t file_len = 0;
1028 int info = 0;
1029 files_struct *fsp = NULL;
1030 char *p = NULL;
1031 uint32 flags;
1032 uint32 access_mask;
1033 uint32 file_attributes;
1034 uint32 share_access;
1035 uint32 create_disposition;
1036 uint32 create_options;
1037 uint32 sd_len;
1038 struct security_descriptor *sd = NULL;
1039 uint32 ea_len;
1040 uint16 root_dir_fid;
1041 struct timespec create_timespec;
1042 struct timespec c_timespec;
1043 struct timespec a_timespec;
1044 struct timespec m_timespec;
1045 struct timespec write_time_ts;
1046 struct ea_list *ea_list = NULL;
1047 NTSTATUS status;
1048 size_t param_len;
1049 uint64_t allocation_size;
1050 int oplock_request;
1051 uint8_t oplock_granted;
1052 struct case_semantics_state *case_state = NULL;
1053 TALLOC_CTX *ctx = talloc_tos();
1054
1055 DEBUG(5,("call_nt_transact_create\n"));
1056
1057 /*
1058 * If it's an IPC, use the pipe handler.
1059 */
1060
1061 if (IS_IPC(conn)) {
1062 if (lp_nt_pipe_support()) {
1063 do_nt_transact_create_pipe(
1064 conn, req,
1065 ppsetup, setup_count,
1066 ppparams, parameter_count,
1067 ppdata, data_count);
1068 goto out;
1069 }
1070 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1071 goto out;
1072 }
1073
1074 /*
1075 * Ensure minimum number of parameters sent.
1076 */
1077
1078 if(parameter_count < 54) {
1079 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1080 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1081 goto out;
1082 }
1083
1084 flags = IVAL(params,0);
1085 access_mask = IVAL(params,8);
1086 file_attributes = IVAL(params,20);
1087 share_access = IVAL(params,24);
1088 create_disposition = IVAL(params,28);
1089 create_options = IVAL(params,32);
1090 sd_len = IVAL(params,36);
1091 ea_len = IVAL(params,40);
1092 root_dir_fid = (uint16)IVAL(params,4);
1093 allocation_size = BVAL(params,12);
1094
1095 /*
1096 * we need to remove ignored bits when they come directly from the client
1097 * because we reuse some of them for internal stuff
1098 */
1099 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
1100
1101 srvstr_get_path(ctx, params, req->flags2, &fname,
1102 params+53, parameter_count-53,
1103 STR_TERMINATE, &status);
1104 if (!NT_STATUS_IS_OK(status)) {
1105 reply_nterror(req, status);
1106 goto out;
1107 }
1108
1109 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1110 case_state = set_posix_case_semantics(ctx, conn);
1111 if (!case_state) {
1112 reply_nterror(req, NT_STATUS_NO_MEMORY);
1113 goto out;
1114 }
1115 }
1116
1117 status = filename_convert(ctx,
1118 conn,
1119 req->flags2 & FLAGS2_DFS_PATHNAMES,
1120 fname,
1121 (create_disposition == FILE_CREATE)
1122 ? UCF_PREP_CREATEFILE : 0,
1123 NULL,
1124 &smb_fname);
1125
1126 TALLOC_FREE(case_state);
1127
1128 if (!NT_STATUS_IS_OK(status)) {
1129 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1130 reply_botherror(req,
1131 NT_STATUS_PATH_NOT_COVERED,
1132 ERRSRV, ERRbadpath);
1133 goto out;
1134 }
1135 reply_nterror(req, status);
1136 goto out;
1137 }
1138
1139 /* Ensure the data_len is correct for the sd and ea values given. */
1140 if ((ea_len + sd_len > data_count)
1141 || (ea_len > data_count) || (sd_len > data_count)
1142 || (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1143 DEBUG(10, ("call_nt_transact_create - ea_len = %u, sd_len = "
1144 "%u, data_count = %u\n", (unsigned int)ea_len,
1145 (unsigned int)sd_len, (unsigned int)data_count));
1146 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1147 goto out;
1148 }
1149
1150 if (sd_len) {
1151 DEBUG(10, ("call_nt_transact_create - sd_len = %d\n",
1152 sd_len));
1153
1154 status = unmarshall_sec_desc(ctx, (uint8_t *)data, sd_len,
1155 &sd);
1156 if (!NT_STATUS_IS_OK(status)) {
1157 DEBUG(10, ("call_nt_transact_create: "
1158 "unmarshall_sec_desc failed: %s\n",
1159 nt_errstr(status)));
1160 reply_nterror(req, status);
1161 goto out;
1162 }
1163 }
1164
1165 if (ea_len) {
1166 if (!lp_ea_support(SNUM(conn))) {
1167 DEBUG(10, ("call_nt_transact_create - ea_len = %u but "
1168 "EA's not supported.\n",
1169 (unsigned int)ea_len));
1170 reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1171 goto out;
1172 }
1173
1174 if (ea_len < 10) {
1175 DEBUG(10,("call_nt_transact_create - ea_len = %u - "
1176 "too small (should be more than 10)\n",
1177 (unsigned int)ea_len ));
1178 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1179 goto out;
1180 }
1181
1182 /* We have already checked that ea_len <= data_count here. */
1183 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1184 ea_len);
1185 if (ea_list == NULL) {
1186 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1187 goto out;
1188 }
1189
1190 if (ea_list_has_invalid_name(ea_list)) {
1191 /* Realloc the size of parameters and data we will return */
1192 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1193 /* Extended response is 32 more byyes. */
1194 param_len = 101;
1195 } else {
1196 param_len = 69;
1197 }
1198 params = nttrans_realloc(ppparams, param_len);
1199 if(params == NULL) {
1200 reply_nterror(req, NT_STATUS_NO_MEMORY);
1201 goto out;
1202 }
1203
1204 memset(params, '\0', param_len);
1205 send_nt_replies(conn, req, STATUS_INVALID_EA_NAME,
1206 params, param_len, NULL, 0);
1207 goto out;
1208 }
1209 }
1210
1211 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1212 if (oplock_request) {
1213 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
1214 ? BATCH_OPLOCK : 0;
1215 }
1216
1217 /*
1218 * Bug #6898 - clients using Windows opens should
1219 * never be able to set this attribute into the
1220 * VFS.
1221 */
1222 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1223
1224 status = SMB_VFS_CREATE_FILE(
1225 conn, /* conn */
1226 req, /* req */
1227 root_dir_fid, /* root_dir_fid */
1228 smb_fname, /* fname */
1229 access_mask, /* access_mask */
1230 share_access, /* share_access */
1231 create_disposition, /* create_disposition*/
1232 create_options, /* create_options */
1233 file_attributes, /* file_attributes */
1234 oplock_request, /* oplock_request */
1235 allocation_size, /* allocation_size */
1236 0, /* private_flags */
1237 sd, /* sd */
1238 ea_list, /* ea_list */
1239 &fsp, /* result */
1240 &info); /* pinfo */
1241
1242 if(!NT_STATUS_IS_OK(status)) {
1243 if (open_was_deferred(req->sconn, req->mid)) {
1244 /* We have re-scheduled this call, no error. */
1245 return;
1246 }
1247 reply_openerror(req, status);
1248 goto out;
1249 }
1250
1251 /* Ensure we're pointing at the correct stat struct. */
1252 TALLOC_FREE(smb_fname);
1253 smb_fname = fsp->fsp_name;
1254
1255 /*
1256 * If the caller set the extended oplock request bit
1257 * and we granted one (by whatever means) - set the
1258 * correct bit for extended oplock reply.
1259 */
1260
1261 if (oplock_request &&
1262 (lp_fake_oplocks(SNUM(conn))
1263 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
1264
1265 /*
1266 * Exclusive oplock granted
1267 */
1268
1269 if (flags & REQUEST_BATCH_OPLOCK) {
1270 oplock_granted = BATCH_OPLOCK_RETURN;
1271 } else {
1272 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
1273 }
1274 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1275 oplock_granted = LEVEL_II_OPLOCK_RETURN;
1276 } else {
1277 oplock_granted = NO_OPLOCK_RETURN;
1278 }
1279
1280 file_len = smb_fname->st.st_ex_size;
1281
1282 /* Realloc the size of parameters and data we will return */
1283 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1284 /* Extended response is 32 more byyes. */
1285 param_len = 101;
1286 } else {
1287 param_len = 69;
1288 }
1289 params = nttrans_realloc(ppparams, param_len);
1290 if(params == NULL) {
1291 reply_nterror(req, NT_STATUS_NO_MEMORY);
1292 goto out;
1293 }
1294
1295 p = params;
1296 SCVAL(p, 0, oplock_granted);
1297
1298 p += 2;
1299 SSVAL(p,0,fsp->fnum);
1300 p += 2;
1301 if ((create_disposition == FILE_SUPERSEDE)
1302 && (info == FILE_WAS_OVERWRITTEN)) {
1303 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1304 } else {
1305 SIVAL(p,0,info);
1306 }
1307 p += 8;
1308
1309 fattr = dos_mode(conn, smb_fname);
1310 if (fattr == 0) {
1311 fattr = FILE_ATTRIBUTE_NORMAL;
1312 }
1313
1314 /* Deal with other possible opens having a modified
1315 write time. JRA. */
1316 ZERO_STRUCT(write_time_ts);
1317 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
1318 if (!null_timespec(write_time_ts)) {
1319 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
1320 }
1321
1322 /* Create time. */
1323 create_timespec = get_create_timespec(conn, fsp, smb_fname);
1324 a_timespec = smb_fname->st.st_ex_atime;
1325 m_timespec = smb_fname->st.st_ex_mtime;
1326 c_timespec = get_change_timespec(conn, fsp, smb_fname);
1327
1328 if (lp_dos_filetime_resolution(SNUM(conn))) {
1329 dos_filetime_timespec(&create_timespec);
1330 dos_filetime_timespec(&a_timespec);
1331 dos_filetime_timespec(&m_timespec);
1332 dos_filetime_timespec(&c_timespec);
1333 }
1334
1335 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
1336 p += 8;
1337 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
1338 p += 8;
1339 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
1340 p += 8;
1341 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
1342 p += 8;
1343 SIVAL(p,0,fattr); /* File Attributes. */
1344 p += 4;
1345 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn, fsp, &smb_fname->st));
1346 p += 8;
1347 SOFF_T(p,0,file_len);
1348 p += 8;
1349 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1350 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
1351 size_t num_names = 0;
1352 unsigned int num_streams = 0;
1353 struct stream_struct *streams = NULL;
1354
1355 /* Do we have any EA's ? */
1356 status = get_ea_names_from_file(ctx, conn, fsp,
1357 smb_fname->base_name, NULL, &num_names);
1358 if (NT_STATUS_IS_OK(status) && num_names) {
1359 file_status &= ~NO_EAS;
1360 }
1361 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
1362 &num_streams, &streams);
1363 /* There is always one stream, ::$DATA. */
1364 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
1365 file_status &= ~NO_SUBSTREAMS;
1366 }
1367 TALLOC_FREE(streams);
1368 SSVAL(p,2,file_status);
1369 }
1370 p += 4;
1371 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1372
1373 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1374 uint32 perms = 0;
1375 p += 25;
1376 if (fsp->is_directory ||
1377 can_write_to_file(conn, smb_fname)) {
1378 perms = FILE_GENERIC_ALL;
1379 } else {
1380 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1381 }
1382 SIVAL(p,0,perms);
1383 }
1384
1385 DEBUG(5,("call_nt_transact_create: open name = %s\n",
1386 smb_fname_str_dbg(smb_fname)));
1387
1388 /* Send the required number of replies */
1389 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1390 out:
1391 return;
1392 }
1393
1394 /****************************************************************************
1395 Reply to a NT CANCEL request.
1396 conn POINTER CAN BE NULL HERE !
1397 ****************************************************************************/
1398
1399 void reply_ntcancel(struct smb_request *req)
1400 {
1401 /*
1402 * Go through and cancel any pending change notifies.
1403 */
1404
1405 START_PROFILE(SMBntcancel);
1406 srv_cancel_sign_response(req->sconn);
1407 remove_pending_change_notify_requests_by_mid(req->sconn, req->mid);
1408 remove_pending_lock_requests_by_mid_smb1(req->sconn, req->mid);
1409
1410 DEBUG(3,("reply_ntcancel: cancel called on mid = %llu.\n",
1411 (unsigned long long)req->mid));
1412
1413 END_PROFILE(SMBntcancel);
1414 return;
1415 }
1416
1417 /****************************************************************************
1418 Copy a file.
1419 ****************************************************************************/
1420
1421 static NTSTATUS copy_internals(TALLOC_CTX *ctx,
1422 connection_struct *conn,
1423 struct smb_request *req,
1424 struct smb_filename *smb_fname_src,
1425 struct smb_filename *smb_fname_dst,
1426 uint32 attrs)
1427 {
1428 files_struct *fsp1,*fsp2;
1429 uint32 fattr;
1430 int info;
1431 off_t ret=-1;
1432 NTSTATUS status = NT_STATUS_OK;
1433 char *parent;
1434
1435 if (!CAN_WRITE(conn)) {
1436 status = NT_STATUS_MEDIA_WRITE_PROTECTED;
1437 goto out;
1438 }
1439
1440 /* Source must already exist. */
1441 if (!VALID_STAT(smb_fname_src->st)) {
1442 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
1443 goto out;
1444 }
1445
1446 /* Ensure attributes match. */
1447 fattr = dos_mode(conn, smb_fname_src);
1448 if ((fattr & ~attrs) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
1449 status = NT_STATUS_NO_SUCH_FILE;
1450 goto out;
1451 }
1452
1453 /* Disallow if dst file already exists. */
1454 if (VALID_STAT(smb_fname_dst->st)) {
1455 status = NT_STATUS_OBJECT_NAME_COLLISION;
1456 goto out;
1457 }
1458
1459 /* No links from a directory. */
1460 if (S_ISDIR(smb_fname_src->st.st_ex_mode)) {
1461 status = NT_STATUS_FILE_IS_A_DIRECTORY;
1462 goto out;
1463 }
1464
1465 DEBUG(10,("copy_internals: doing file copy %s to %s\n",
1466 smb_fname_str_dbg(smb_fname_src),
1467 smb_fname_str_dbg(smb_fname_dst)));
1468
1469 status = SMB_VFS_CREATE_FILE(
1470 conn, /* conn */
1471 req, /* req */
1472 0, /* root_dir_fid */
1473 smb_fname_src, /* fname */
1474 FILE_READ_DATA|FILE_READ_ATTRIBUTES|
1475 FILE_READ_EA, /* access_mask */
1476 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1477 FILE_SHARE_DELETE),
1478 FILE_OPEN, /* create_disposition*/
1479 0, /* create_options */
1480 FILE_ATTRIBUTE_NORMAL, /* file_attributes */
1481 NO_OPLOCK, /* oplock_request */
1482 0, /* allocation_size */
1483 0, /* private_flags */
1484 NULL, /* sd */
1485 NULL, /* ea_list */
1486 &fsp1, /* result */
1487 &info); /* pinfo */
1488
1489 if (!NT_STATUS_IS_OK(status)) {
1490 goto out;
1491 }
1492
1493 status = SMB_VFS_CREATE_FILE(
1494 conn, /* conn */
1495 req, /* req */
1496 0, /* root_dir_fid */
1497 smb_fname_dst, /* fname */
1498 FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|
1499 FILE_WRITE_EA, /* access_mask */
1500 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1501 FILE_SHARE_DELETE),
1502 FILE_CREATE, /* create_disposition*/
1503 0, /* create_options */
1504 fattr, /* file_attributes */
1505 NO_OPLOCK, /* oplock_request */
1506 0, /* allocation_size */
1507 0, /* private_flags */
1508 NULL, /* sd */
1509 NULL, /* ea_list */
1510 &fsp2, /* result */
1511 &info); /* pinfo */
1512
1513 if (!NT_STATUS_IS_OK(status)) {
1514 close_file(NULL, fsp1, ERROR_CLOSE);
1515 goto out;
1516 }
1517
1518 if (smb_fname_src->st.st_ex_size) {
1519 ret = vfs_transfer_file(fsp1, fsp2, smb_fname_src->st.st_ex_size);
1520 }
1521
1522 /*
1523 * As we are opening fsp1 read-only we only expect
1524 * an error on close on fsp2 if we are out of space.
1525 * Thus we don't look at the error return from the
1526 * close of fsp1.
1527 */
1528 close_file(NULL, fsp1, NORMAL_CLOSE);
1529
1530 /* Ensure the modtime is set correctly on the destination file. */
1531 set_close_write_time(fsp2, smb_fname_src->st.st_ex_mtime);
1532
1533 status = close_file(NULL, fsp2, NORMAL_CLOSE);
1534
1535 /* Grrr. We have to do this as open_file_ntcreate adds FILE_ATTRIBUTE_ARCHIVE when it
1536 creates the file. This isn't the correct thing to do in the copy
1537 case. JRA */
1538 if (!parent_dirname(talloc_tos(), smb_fname_dst->base_name, &parent,
1539 NULL)) {
1540 status = NT_STATUS_NO_MEMORY;
1541 goto out;
1542 }
1543 file_set_dosmode(conn, smb_fname_dst, fattr, parent, false);
1544 TALLOC_FREE(parent);
1545
1546 if (ret < (off_t)smb_fname_src->st.st_ex_size) {
1547 status = NT_STATUS_DISK_FULL;
1548 goto out;
1549 }
1550 out:
1551 if (!NT_STATUS_IS_OK(status)) {
1552 DEBUG(3,("copy_internals: Error %s copy file %s to %s\n",
1553 nt_errstr(status), smb_fname_str_dbg(smb_fname_src),
1554 smb_fname_str_dbg(smb_fname_dst)));
1555 }
1556
1557 return status;
1558 }
1559
1560 /****************************************************************************
1561 Reply to a NT rename request.
1562 ****************************************************************************/
1563
1564 void reply_ntrename(struct smb_request *req)
1565 {
1566 connection_struct *conn = req->conn;
1567 struct smb_filename *smb_fname_old = NULL;
1568 struct smb_filename *smb_fname_new = NULL;
1569 char *oldname = NULL;
1570 char *newname = NULL;
1571 const char *p;
1572 NTSTATUS status;
1573 bool src_has_wcard = False;
1574 bool dest_has_wcard = False;
1575 uint32 attrs;
1576 uint32_t ucf_flags_src = 0;
1577 uint32_t ucf_flags_dst = 0;
1578 uint16 rename_type;
1579 TALLOC_CTX *ctx = talloc_tos();
1580 bool stream_rename = false;
1581
1582 START_PROFILE(SMBntrename);
1583
1584 if (req->wct < 4) {
1585 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1586 goto out;
1587 }
1588
1589 attrs = SVAL(req->vwv+0, 0);
1590 rename_type = SVAL(req->vwv+1, 0);
1591
1592 p = (const char *)req->buf + 1;
1593 p += srvstr_get_path_req_wcard(ctx, req, &oldname, p, STR_TERMINATE,
1594 &status, &src_has_wcard);
1595 if (!NT_STATUS_IS_OK(status)) {
1596 reply_nterror(req, status);
1597 goto out;
1598 }
1599
1600 if (ms_has_wild(oldname)) {
1601 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
1602 goto out;
1603 }
1604
1605 p++;
1606 p += srvstr_get_path_req_wcard(ctx, req, &newname, p, STR_TERMINATE,
1607 &status, &dest_has_wcard);
1608 if (!NT_STATUS_IS_OK(status)) {
1609 reply_nterror(req, status);
1610 goto out;
1611 }
1612
1613 if (!lp_posix_pathnames()) {
1614 /* The newname must begin with a ':' if the
1615 oldname contains a ':'. */
1616 if (strchr_m(oldname, ':')) {
1617 if (newname[0] != ':') {
1618 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1619 goto out;
1620 }
1621 stream_rename = true;
1622 }
1623 }
1624
1625 /*
1626 * If this is a rename operation, allow wildcards and save the
1627 * destination's last component.
1628 */
1629 if (rename_type == RENAME_FLAG_RENAME) {
1630 ucf_flags_src = UCF_COND_ALLOW_WCARD_LCOMP;
1631 ucf_flags_dst = UCF_COND_ALLOW_WCARD_LCOMP | UCF_SAVE_LCOMP;
1632 }
1633
1634 /* rename_internals() calls unix_convert(), so don't call it here. */
1635 status = filename_convert(ctx, conn,
1636 req->flags2 & FLAGS2_DFS_PATHNAMES,
1637 oldname,
1638 ucf_flags_src,
1639 NULL,
1640 &smb_fname_old);
1641 if (!NT_STATUS_IS_OK(status)) {
1642 if (NT_STATUS_EQUAL(status,
1643 NT_STATUS_PATH_NOT_COVERED)) {
1644 reply_botherror(req,
1645 NT_STATUS_PATH_NOT_COVERED,
1646 ERRSRV, ERRbadpath);
1647 goto out;
1648 }
1649 reply_nterror(req, status);
1650 goto out;
1651 }
1652
1653 status = filename_convert(ctx, conn,
1654 req->flags2 & FLAGS2_DFS_PATHNAMES,
1655 newname,
1656 ucf_flags_dst,
1657 &dest_has_wcard,
1658 &smb_fname_new);
1659 if (!NT_STATUS_IS_OK(status)) {
1660 if (NT_STATUS_EQUAL(status,
1661 NT_STATUS_PATH_NOT_COVERED)) {
1662 reply_botherror(req,
1663 NT_STATUS_PATH_NOT_COVERED,
1664 ERRSRV, ERRbadpath);
1665 goto out;
1666 }
1667 reply_nterror(req, status);
1668 goto out;
1669 }
1670
1671 if (stream_rename) {
1672 /* smb_fname_new must be the same as smb_fname_old. */
1673 TALLOC_FREE(smb_fname_new->base_name);
1674 smb_fname_new->base_name = talloc_strdup(smb_fname_new,
1675 smb_fname_old->base_name);
1676 if (!smb_fname_new->base_name) {
1677 reply_nterror(req, NT_STATUS_NO_MEMORY);
1678 goto out;
1679 }
1680 }
1681
1682 DEBUG(3,("reply_ntrename: %s -> %s\n",
1683 smb_fname_str_dbg(smb_fname_old),
1684 smb_fname_str_dbg(smb_fname_new)));
1685
1686 switch(rename_type) {
1687 case RENAME_FLAG_RENAME:
1688 status = rename_internals(ctx, conn, req,
1689 smb_fname_old, smb_fname_new,
1690 attrs, False, src_has_wcard,
1691 dest_has_wcard,
1692 DELETE_ACCESS);
1693 break;
1694 case RENAME_FLAG_HARD_LINK:
1695 if (src_has_wcard || dest_has_wcard) {
1696 /* No wildcards. */
1697 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1698 } else {
1699 status = hardlink_internals(ctx, conn,
1700 req,
1701 false,
1702 smb_fname_old,
1703 smb_fname_new);
1704 }
1705 break;
1706 case RENAME_FLAG_COPY:
1707 if (src_has_wcard || dest_has_wcard) {
1708 /* No wildcards. */
1709 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1710 } else {
1711 status = copy_internals(ctx, conn, req,
1712 smb_fname_old,
1713 smb_fname_new,
1714 attrs);
1715 }
1716 break;
1717 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
1718 status = NT_STATUS_INVALID_PARAMETER;
1719 break;
1720 default:
1721 status = NT_STATUS_ACCESS_DENIED; /* Default error. */
1722 break;
1723 }
1724
1725 if (!NT_STATUS_IS_OK(status)) {
1726 if (open_was_deferred(req->sconn, req->mid)) {
1727 /* We have re-scheduled this call. */
1728 goto out;
1729 }
1730
1731 reply_nterror(req, status);
1732 goto out;
1733 }
1734
1735 reply_outbuf(req, 0, 0);
1736 out:
1737 END_PROFILE(SMBntrename);
1738 return;
1739 }
1740
1741 /****************************************************************************
1742 Reply to a notify change - queue the request and
1743 don't allow a directory to be opened.
1744 ****************************************************************************/
1745
1746 static void smbd_smb1_notify_reply(struct smb_request *req,
1747 NTSTATUS error_code,
1748 uint8_t *buf, size_t len)
1749 {
1750 send_nt_replies(req->conn, req, error_code, (char *)buf, len, NULL, 0);
1751 }
1752
1753 static void call_nt_transact_notify_change(connection_struct *conn,
1754 struct smb_request *req,
1755 uint16 **ppsetup,
1756 uint32 setup_count,
1757 char **ppparams,
1758 uint32 parameter_count,
1759 char **ppdata, uint32 data_count,
1760 uint32 max_data_count,
1761 uint32 max_param_count)
1762 {
1763 uint16 *setup = *ppsetup;
1764 files_struct *fsp;
1765 uint32 filter;
1766 NTSTATUS status;
1767 bool recursive;
1768
1769 if(setup_count < 6) {
1770 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1771 return;
1772 }
1773
1774 fsp = file_fsp(req, SVAL(setup,4));
1775 filter = IVAL(setup, 0);
1776 recursive = (SVAL(setup, 6) != 0) ? True : False;
1777
1778 DEBUG(3,("call_nt_transact_notify_change\n"));
1779
1780 if(!fsp) {
1781 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1782 return;
1783 }
1784
1785 {
1786 char *filter_string;
1787
1788 if (!(filter_string = notify_filter_string(NULL, filter))) {
1789 reply_nterror(req,NT_STATUS_NO_MEMORY);
1790 return;
1791 }
1792
1793 DEBUG(3,("call_nt_transact_notify_change: notify change "
1794 "called on %s, filter = %s, recursive = %d\n",
1795 fsp_str_dbg(fsp), filter_string, recursive));
1796
1797 TALLOC_FREE(filter_string);
1798 }
1799
1800 if((!fsp->is_directory) || (conn != fsp->conn)) {
1801 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1802 return;
1803 }
1804
1805 if (fsp->notify == NULL) {
1806
1807 status = change_notify_create(fsp, filter, recursive);
1808
1809 if (!NT_STATUS_IS_OK(status)) {
1810 DEBUG(10, ("change_notify_create returned %s\n",
1811 nt_errstr(status)));
1812 reply_nterror(req, status);
1813 return;
1814 }
1815 }
1816
1817 if (change_notify_fsp_has_changes(fsp)) {
1818
1819 /*
1820 * We've got changes pending, respond immediately
1821 */
1822
1823 /*
1824 * TODO: write a torture test to check the filtering behaviour
1825 * here.
1826 */
1827
1828 change_notify_reply(req,
1829 NT_STATUS_OK,
1830 max_param_count,
1831 fsp->notify,
1832 smbd_smb1_notify_reply);
1833
1834 /*
1835 * change_notify_reply() above has independently sent its
1836 * results
1837 */
1838 return;
1839 }
1840
1841 /*
1842 * No changes pending, queue the request
1843 */
1844
1845 status = change_notify_add_request(req,
1846 max_param_count,
1847 filter,
1848 recursive, fsp,
1849 smbd_smb1_notify_reply);
1850 if (!NT_STATUS_IS_OK(status)) {
1851 reply_nterror(req, status);
1852 }
1853 return;
1854 }
1855
1856 /****************************************************************************
1857 Reply to an NT transact rename command.
1858 ****************************************************************************/
1859
1860 static void call_nt_transact_rename(connection_struct *conn,
1861 struct smb_request *req,
1862 uint16 **ppsetup, uint32 setup_count,
1863 char **ppparams, uint32 parameter_count,
1864 char **ppdata, uint32 data_count,
1865 uint32 max_data_count)
1866 {
1867 char *params = *ppparams;
1868 char *new_name = NULL;
1869 files_struct *fsp = NULL;
1870 bool dest_has_wcard = False;
1871 NTSTATUS status;
1872 TALLOC_CTX *ctx = talloc_tos();
1873
1874 if(parameter_count < 5) {
1875 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1876 return;
1877 }
1878
1879 fsp = file_fsp(req, SVAL(params, 0));
1880 if (!check_fsp(conn, req, fsp)) {
1881 return;
1882 }
1883 srvstr_get_path_wcard(ctx, params, req->flags2, &new_name, params+4,
1884 parameter_count - 4,
1885 STR_TERMINATE, &status, &dest_has_wcard);
1886 if (!NT_STATUS_IS_OK(status)) {
1887 reply_nterror(req, status);
1888 return;
1889 }
1890
1891 /*
1892 * W2K3 ignores this request as the RAW-RENAME test
1893 * demonstrates, so we do.
1894 */
1895 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
1896
1897 DEBUG(3,("nt transact rename from = %s, to = %s ignored!\n",
1898 fsp_str_dbg(fsp), new_name));
1899
1900 return;
1901 }
1902
1903 /******************************************************************************
1904 Fake up a completely empty SD.
1905 *******************************************************************************/
1906
1907 static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, struct security_descriptor **ppsd)
1908 {
1909 size_t sd_size;
1910
1911 *ppsd = make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);
1912 if(!*ppsd) {
1913 DEBUG(0,("get_null_nt_acl: Unable to malloc space for security descriptor.\n"));
1914 return NT_STATUS_NO_MEMORY;
1915 }
1916
1917 return NT_STATUS_OK;
1918 }
1919
1920 /****************************************************************************
1921 Reply to query a security descriptor.
1922 Callable from SMB2 and SMB2.
1923 If it returns NT_STATUS_BUFFER_TOO_SMALL, pdata_size is initialized with
1924 the required size.
1925 ****************************************************************************/
1926
1927 NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
1928 TALLOC_CTX *mem_ctx,
1929 files_struct *fsp,
1930 uint32_t security_info_wanted,
1931 uint32_t max_data_count,
1932 uint8_t **ppmarshalled_sd,
1933 size_t *psd_size)
1934 {
1935 NTSTATUS status;
1936 struct security_descriptor *psd = NULL;
1937 TALLOC_CTX *frame = talloc_stackframe();
1938
1939 /*
1940 * Get the permissions to return.
1941 */
1942
1943 if ((security_info_wanted & SECINFO_SACL) &&
1944 !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
1945 DEBUG(10, ("Access to SACL denied.\n"));
1946 TALLOC_FREE(frame);
1947 return NT_STATUS_ACCESS_DENIED;
1948 }
1949
1950 if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
1951 !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
1952 DEBUG(10, ("Access to DACL, OWNER, or GROUP denied.\n"));
1953 TALLOC_FREE(frame);
1954 return NT_STATUS_ACCESS_DENIED;
1955 }
1956
1957 if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
1958 SECINFO_GROUP|SECINFO_SACL)) {
1959 /* Don't return SECINFO_LABEL if anything else was
1960 requested. See bug #8458. */
1961 security_info_wanted &= ~SECINFO_LABEL;
1962 }
1963
1964 if (!lp_nt_acl_support(SNUM(conn))) {
1965 status = get_null_nt_acl(frame, &psd);
1966 } else if (security_info_wanted & SECINFO_LABEL) {
1967 /* Like W2K3 return a null object. */
1968 status = get_null_nt_acl(frame, &psd);
1969 } else {
1970 status = SMB_VFS_FGET_NT_ACL(
1971 fsp, security_info_wanted, frame, &psd);
1972 }
1973 if (!NT_STATUS_IS_OK(status)) {
1974 TALLOC_FREE(frame);
1975 return status;
1976 }
1977
1978 if (!(security_info_wanted & SECINFO_OWNER)) {
1979 psd->owner_sid = NULL;
1980 }
1981 if (!(security_info_wanted & SECINFO_GROUP)) {
1982 psd->group_sid = NULL;
1983 }
1984 if (!(security_info_wanted & SECINFO_DACL)) {
1985 psd->type &= ~SEC_DESC_DACL_PRESENT;
1986 psd->dacl = NULL;
1987 }
1988 if (!(security_info_wanted & SECINFO_SACL)) {
1989 psd->type &= ~SEC_DESC_SACL_PRESENT;
1990 psd->sacl = NULL;
1991 }
1992
1993 /* If the SACL/DACL is NULL, but was requested, we mark that it is
1994 * present in the reply to match Windows behavior */
1995 if (psd->sacl == NULL &&
1996 security_info_wanted & SECINFO_SACL)
1997 psd->type |= SEC_DESC_SACL_PRESENT;
1998 if (psd->dacl == NULL &&
1999 security_info_wanted & SECINFO_DACL)
2000 psd->type |= SEC_DESC_DACL_PRESENT;
2001
2002 if (security_info_wanted & SECINFO_LABEL) {
2003 /* Like W2K3 return a null object. */
2004 psd->owner_sid = NULL;
2005 psd->group_sid = NULL;
2006 psd->dacl = NULL;
2007 psd->sacl = NULL;
2008 psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT);
2009 }
2010
2011 *psd_size = ndr_size_security_descriptor(psd, 0);
2012
2013 DEBUG(3,("smbd_do_query_security_desc: sd_size = %lu.\n",
2014 (unsigned long)*psd_size));
2015
2016 if (DEBUGLEVEL >= 10) {
2017 DEBUG(10,("smbd_do_query_security_desc for file %s\n",
2018 fsp_str_dbg(fsp)));
2019 NDR_PRINT_DEBUG(security_descriptor, psd);
2020 }
2021
2022 if (max_data_count < *psd_size) {
2023 TALLOC_FREE(frame);
2024 return NT_STATUS_BUFFER_TOO_SMALL;
2025 }
2026
2027 status = marshall_sec_desc(mem_ctx, psd,
2028 ppmarshalled_sd, psd_size);
2029
2030 if (!NT_STATUS_IS_OK(status)) {
2031 TALLOC_FREE(frame);
2032 return status;
2033 }
2034
2035 TALLOC_FREE(frame);
2036 return NT_STATUS_OK;
2037 }
2038
2039 /****************************************************************************
2040 SMB1 reply to query a security descriptor.
2041 ****************************************************************************/
2042
2043 static void call_nt_transact_query_security_desc(connection_struct *conn,
2044 struct smb_request *req,
2045 uint16 **ppsetup,
2046 uint32 setup_count,
2047 char **ppparams,
2048 uint32 parameter_count,
2049 char **ppdata,
2050 uint32 data_count,
2051 uint32 max_data_count)
2052 {
2053 char *params = *ppparams;
2054 char *data = *ppdata;
2055 size_t sd_size = 0;
2056 uint32 security_info_wanted;
2057 files_struct *fsp = NULL;
2058 NTSTATUS status;
2059 uint8_t *marshalled_sd = NULL;
2060
2061 if(parameter_count < 8) {
2062 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2063 return;
2064 }
2065
2066 fsp = file_fsp(req, SVAL(params,0));
2067 if(!fsp) {
2068 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2069 return;
2070 }
2071
2072 security_info_wanted = IVAL(params,4);
2073
2074 DEBUG(3,("call_nt_transact_query_security_desc: file = %s, "
2075 "info_wanted = 0x%x\n", fsp_str_dbg(fsp),
2076 (unsigned int)security_info_wanted));
2077
2078 params = nttrans_realloc(ppparams, 4);
2079 if(params == NULL) {
2080 reply_nterror(req, NT_STATUS_NO_MEMORY);
2081 return;
2082 }
2083
2084 /*
2085 * Get the permissions to return.
2086 */
2087
2088 status = smbd_do_query_security_desc(conn,
2089 talloc_tos(),
2090 fsp,
2091 security_info_wanted,
2092 max_data_count,
2093 &marshalled_sd,
2094 &sd_size);
2095
2096 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
2097 SIVAL(params,0,(uint32_t)sd_size);
2098 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2099 params, 4, NULL, 0);
2100 return;
2101 }
2102
2103 if (!NT_STATUS_IS_OK(status)) {
2104 reply_nterror(req, status);
2105 return;
2106 }
2107
2108 SMB_ASSERT(sd_size > 0);
2109
2110 SIVAL(params,0,(uint32_t)sd_size);
2111
2112 if (max_data_count < sd_size) {
2113 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2114 params, 4, NULL, 0);
2115 return;
2116 }
2117
2118 /*
2119 * Allocate the data we will return.
2120 */
2121
2122 data = nttrans_realloc(ppdata, sd_size);
2123 if(data == NULL) {
2124 reply_nterror(req, NT_STATUS_NO_MEMORY);
2125 return;
2126 }
2127
2128 memcpy(data, marshalled_sd, sd_size);
2129
2130 send_nt_replies(conn, req, NT_STATUS_OK, params, 4, data, (int)sd_size);
2131
2132 return;
2133 }
2134
2135 /****************************************************************************
2136 Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
2137 ****************************************************************************/
2138
2139 static void call_nt_transact_set_security_desc(connection_struct *conn,
2140 struct smb_request *req,
2141 uint16 **ppsetup,
2142 uint32 setup_count,
2143 char **ppparams,
2144 uint32 parameter_count,
2145 char **ppdata,
2146 uint32 data_count,
2147 uint32 max_data_count)
2148 {
2149 char *params= *ppparams;
2150 char *data = *ppdata;
2151 files_struct *fsp = NULL;
2152 uint32 security_info_sent = 0;
2153 NTSTATUS status;
2154
2155 if(parameter_count < 8) {
2156 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2157 return;
2158 }
2159
2160 if((fsp = file_fsp(req, SVAL(params,0))) == NULL) {
2161 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2162 return;
2163 }
2164
2165 if (!CAN_WRITE(fsp->conn)) {
2166 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2167 return;
2168 }
2169
2170 if(!lp_nt_acl_support(SNUM(conn))) {
2171 goto done;
2172 }
2173
2174 security_info_sent = IVAL(params,4);
2175
2176 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n",
2177 fsp_str_dbg(fsp), (unsigned int)security_info_sent));
2178
2179 if (data_count == 0) {
2180 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2181 return;
2182 }
2183
2184 status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent);
2185
2186 if (!NT_STATUS_IS_OK(status)) {
2187 reply_nterror(req, status);
2188 return;
2189 }
2190
2191 done:
2192 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
2193 return;
2194 }
2195
2196 /****************************************************************************
2197 Reply to NT IOCTL
2198 ****************************************************************************/
2199
2200 static void call_nt_transact_ioctl(connection_struct *conn,
2201 struct smb_request *req,
2202 uint16 **ppsetup, uint32 setup_count,
2203 char **ppparams, uint32 parameter_count,
2204 char **ppdata, uint32 data_count,
2205 uint32 max_data_count)
2206 {
2207 NTSTATUS status;
2208 uint32 function;
2209 uint16 fidnum;
2210 files_struct *fsp;
2211 uint8 isFSctl;
2212 uint8 compfilter;
2213 char *out_data = NULL;
2214 uint32 out_data_len = 0;
2215 char *pdata = *ppdata;
2216 TALLOC_CTX *ctx = talloc_tos();
2217
2218 if (setup_count != 8) {
2219 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
2220 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2221 return;
2222 }
2223
2224 function = IVAL(*ppsetup, 0);
2225 fidnum = SVAL(*ppsetup, 4);
2226 isFSctl = CVAL(*ppsetup, 6);
2227 compfilter = CVAL(*ppsetup, 7);
2228
2229 DEBUG(10, ("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n",
2230 function, fidnum, isFSctl, compfilter));
2231
2232 fsp=file_fsp(req, fidnum);
2233
2234 /*
2235 * We don't really implement IOCTLs, especially on files.
2236 */
2237 if (!isFSctl) {
2238 DEBUG(10, ("isFSctl: 0x%02X indicates IOCTL, not FSCTL!\n",
2239 isFSctl));
2240 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2241 return;
2242 }
2243
2244 /* Has to be for an open file! */
2245 if (!check_fsp_open(conn, req, fsp)) {
2246 return;
2247 }
2248
2249 SMB_PERFCOUNT_SET_IOCTL(&req->pcd, function);
2250
2251 /*
2252 * out_data might be allocated by the VFS module, but talloc should be
2253 * used, and should be cleaned up when the request ends.
2254 */
2255 status = SMB_VFS_FSCTL(fsp,
2256 ctx,
2257 function,
2258 req->flags2,
2259 (uint8_t *)pdata,
2260 data_count,
2261 (uint8_t **)&out_data,
2262 max_data_count,
2263 &out_data_len);
2264 if (!NT_STATUS_IS_OK(status)) {
2265 reply_nterror(req, status);
2266 } else {
2267 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, out_data, out_data_len);
2268 }
2269 }
2270
2271
2272 #ifdef HAVE_SYS_QUOTAS
2273 /****************************************************************************
2274 Reply to get user quota
2275 ****************************************************************************/
2276
2277 static void call_nt_transact_get_user_quota(connection_struct *conn,
2278 struct smb_request *req,
2279 uint16 **ppsetup,
2280 uint32 setup_count,
2281 char **ppparams,
2282 uint32 parameter_count,
2283 char **ppdata,
2284 uint32 data_count,
2285 uint32 max_data_count)
2286 {
2287 NTSTATUS nt_status = NT_STATUS_OK;
2288 char *params = *ppparams;
2289 char *pdata = *ppdata;
2290 char *entry;
2291 int data_len=0,param_len=0;
2292 int qt_len=0;
2293 int entry_len = 0;
2294 files_struct *fsp = NULL;
2295 uint16 level = 0;
2296 size_t sid_len;
2297 struct dom_sid sid;
2298 bool start_enum = True;
2299 SMB_NTQUOTA_STRUCT qt;
2300 SMB_NTQUOTA_LIST *tmp_list;
2301 SMB_NTQUOTA_HANDLE *qt_handle = NULL;
2302
2303 ZERO_STRUCT(qt);
2304
2305 /* access check */
2306 if (get_current_uid(conn) != 0) {
2307 DEBUG(1,("get_user_quota: access_denied service [%s] user "
2308 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2309 conn->session_info->unix_info->unix_name));
2310 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2311 return;
2312 }
2313
2314 /*
2315 * Ensure minimum number of parameters sent.
2316 */
2317
2318 if (parameter_count < 4) {
2319 DEBUG(0,("TRANSACT_GET_USER_QUOTA: requires %d >= 4 bytes parameters\n",parameter_count));
2320 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2321 return;
2322 }
2323
2324 /* maybe we can check the quota_fnum */
2325 fsp = file_fsp(req, SVAL(params,0));
2326 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2327 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2328 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2329 return;
2330 }
2331
2332 /* the NULL pointer checking for fsp->fake_file_handle->pd
2333 * is done by CHECK_NTQUOTA_HANDLE_OK()
2334 */
2335 qt_handle = (SMB_NTQUOTA_HANDLE *)fsp->fake_file_handle->private_data;
2336
2337 level = SVAL(params,2);
2338
2339 /* unknown 12 bytes leading in params */
2340
2341 switch (level) {
2342 case TRANSACT_GET_USER_QUOTA_LIST_CONTINUE:
2343 /* seems that we should continue with the enum here --metze */
2344
2345 if (qt_handle->quota_list!=NULL &&
2346 qt_handle->tmp_list==NULL) {
2347
2348 /* free the list */
2349 free_ntquota_list(&(qt_handle->quota_list));
2350
2351 /* Realloc the size of parameters and data we will return */
2352 param_len = 4;
2353 params = nttrans_realloc(ppparams, param_len);
2354 if(params == NULL) {
2355 reply_nterror(req, NT_STATUS_NO_MEMORY);
2356 return;
2357 }
2358
2359 data_len = 0;
2360 SIVAL(params,0,data_len);
2361
2362 break;
2363 }
2364
2365 start_enum = False;
2366
2367 case TRANSACT_GET_USER_QUOTA_LIST_START:
2368
2369 if (qt_handle->quota_list==NULL &&
2370 qt_handle->tmp_list==NULL) {
2371 start_enum = True;
2372 }
2373
2374 if (start_enum && vfs_get_user_ntquota_list(fsp,&(qt_handle->quota_list))!=0) {
2375 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2376 return;
2377 }
2378
2379 /* Realloc the size of parameters and data we will return */
2380 param_len = 4;
2381 params = nttrans_realloc(ppparams, param_len);
2382 if(params == NULL) {
2383 reply_nterror(req, NT_STATUS_NO_MEMORY);
2384 return;
2385 }
2386
2387 /* we should not trust the value in max_data_count*/
2388 max_data_count = MIN(max_data_count,2048);
2389
2390 pdata = nttrans_realloc(ppdata, max_data_count);/* should be max data count from client*/
2391 if(pdata == NULL) {
2392 reply_nterror(req, NT_STATUS_NO_MEMORY);
2393 return;
2394 }
2395
2396 entry = pdata;
2397
2398 /* set params Size of returned Quota Data 4 bytes*/
2399 /* but set it later when we know it */
2400
2401 /* for each entry push the data */
2402
2403 if (start_enum) {
2404 qt_handle->tmp_list = qt_handle->quota_list;
2405 }
2406
2407 tmp_list = qt_handle->tmp_list;
2408
2409 for (;((tmp_list!=NULL)&&((qt_len +40+SID_MAX_SIZE)<max_data_count));
2410 tmp_list=tmp_list->next,entry+=entry_len,qt_len+=entry_len) {
2411
2412 sid_len = ndr_size_dom_sid(
2413 &tmp_list->quotas->sid, 0);
2414 entry_len = 40 + sid_len;
2415
2416 /* nextoffset entry 4 bytes */
2417 SIVAL(entry,0,entry_len);
2418
2419 /* then the len of the SID 4 bytes */
2420 SIVAL(entry,4,sid_len);
2421
2422 /* unknown data 8 bytes uint64_t */
2423 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-metze*/
2424
2425 /* the used disk space 8 bytes uint64_t */
2426 SBIG_UINT(entry,16,tmp_list->quotas->usedspace);
2427
2428 /* the soft quotas 8 bytes uint64_t */
2429 SBIG_UINT(entry,24,tmp_list->quotas->softlim);
2430
2431 /* the hard quotas 8 bytes uint64_t */
2432 SBIG_UINT(entry,32,tmp_list->quotas->hardlim);
2433
2434 /* and now the SID */
2435 sid_linearize(entry+40, sid_len, &tmp_list->quotas->sid);
2436 }
2437
2438 qt_handle->tmp_list = tmp_list;
2439
2440 /* overwrite the offset of the last entry */
2441 SIVAL(entry-entry_len,0,0);
2442
2443 data_len = 4+qt_len;
2444 /* overwrite the params quota_data_len */
2445 SIVAL(params,0,data_len);
2446
2447 break;
2448
2449 case TRANSACT_GET_USER_QUOTA_FOR_SID:
2450
2451 /* unknown 4 bytes IVAL(pdata,0) */
2452
2453 if (data_count < 8) {
2454 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %d bytes data\n",data_count,8));
2455 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2456 return;
2457 }
2458
2459 sid_len = IVAL(pdata,4);
2460 /* Ensure this is less than 1mb. */
2461 if (sid_len > (1024*1024)) {
2462 reply_nterror(req, NT_STATUS_NO_MEMORY);
2463 return;
2464 }
2465
2466 if (data_count < 8+sid_len) {
2467 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len)));
2468 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2469 return;
2470 }
2471
2472 data_len = 4+40+sid_len;
2473
2474 if (max_data_count < data_len) {
2475 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: max_data_count(%d) < data_len(%d)\n",
2476 max_data_count, data_len));
2477 param_len = 4;
2478 SIVAL(params,0,data_len);
2479 data_len = 0;
2480 nt_status = NT_STATUS_BUFFER_TOO_SMALL;
2481 break;
2482 }
2483
2484 if (!sid_parse(pdata+8,sid_len,&sid)) {
2485 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2486 return;
2487 }
2488
2489 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2490 ZERO_STRUCT(qt);
2491 /*
2492 * we have to return zero's in all fields
2493 * instead of returning an error here
2494 * --metze
2495 */
2496 }
2497
2498 /* Realloc the size of parameters and data we will return */
2499 param_len = 4;
2500 params = nttrans_realloc(ppparams, param_len);
2501 if(params == NULL) {
2502 reply_nterror(req, NT_STATUS_NO_MEMORY);
2503 return;
2504 }
2505
2506 pdata = nttrans_realloc(ppdata, data_len);
2507 if(pdata == NULL) {
2508 reply_nterror(req, NT_STATUS_NO_MEMORY);
2509 return;
2510 }
2511
2512 entry = pdata;
2513
2514 /* set params Size of returned Quota Data 4 bytes*/
2515 SIVAL(params,0,data_len);
2516
2517 /* nextoffset entry 4 bytes */
2518 SIVAL(entry,0,0);
2519
2520 /* then the len of the SID 4 bytes */
2521 SIVAL(entry,4,sid_len);
2522
2523 /* unknown data 8 bytes uint64_t */
2524 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-mezte*/
2525
2526 /* the used disk space 8 bytes uint64_t */
2527 SBIG_UINT(entry,16,qt.usedspace);
2528
2529 /* the soft quotas 8 bytes uint64_t */
2530 SBIG_UINT(entry,24,qt.softlim);
2531
2532 /* the hard quotas 8 bytes uint64_t */
2533 SBIG_UINT(entry,32,qt.hardlim);
2534
2535 /* and now the SID */
2536 sid_linearize(entry+40, sid_len, &sid);
2537
2538 break;
2539
2540 default:
2541 DEBUG(0, ("do_nt_transact_get_user_quota: %s: unknown "
2542 "level 0x%04hX\n",
2543 fsp_fnum_dbg(fsp), level));
2544 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2545 return;
2546 break;
2547 }
2548
2549 send_nt_replies(conn, req, nt_status, params, param_len,
2550 pdata, data_len);
2551 }
2552
2553 /****************************************************************************
2554 Reply to set user quota
2555 ****************************************************************************/
2556
2557 static void call_nt_transact_set_user_quota(connection_struct *conn,
2558 struct smb_request *req,
2559 uint16 **ppsetup,
2560 uint32 setup_count,
2561 char **ppparams,
2562 uint32 parameter_count,
2563 char **ppdata,
2564 uint32 data_count,
2565 uint32 max_data_count)
2566 {
2567 char *params = *ppparams;
2568 char *pdata = *ppdata;
2569 int data_len=0,param_len=0;
2570 SMB_NTQUOTA_STRUCT qt;
2571 size_t sid_len;
2572 struct dom_sid sid;
2573 files_struct *fsp = NULL;
2574
2575 ZERO_STRUCT(qt);
2576
2577 /* access check */
2578 if (get_current_uid(conn) != 0) {
2579 DEBUG(1,("set_user_quota: access_denied service [%s] user "
2580 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2581 conn->session_info->unix_info->unix_name));
2582 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2583 return;
2584 }
2585
2586 /*
2587 * Ensure minimum number of parameters sent.
2588 */
2589
2590 if (parameter_count < 2) {
2591 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
2592 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2593 return;
2594 }
2595
2596 /* maybe we can check the quota_fnum */
2597 fsp = file_fsp(req, SVAL(params,0));
2598 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2599 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2600 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2601 return;
2602 }
2603
2604 if (data_count < 40) {
2605 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40));
2606 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2607 return;
2608 }
2609
2610 /* offset to next quota record.
2611 * 4 bytes IVAL(pdata,0)
2612 * unused here...
2613 */
2614
2615 /* sid len */
2616 sid_len = IVAL(pdata,4);
2617
2618 if (data_count < 40+sid_len || (40+sid_len < sid_len)) {
2619 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len));
2620 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2621 return;
2622 }
2623
2624 /* unknown 8 bytes in pdata
2625 * maybe its the change time in NTTIME
2626 */
2627
2628 /* the used space 8 bytes (uint64_t)*/
2629 qt.usedspace = BVAL(pdata,16);
2630
2631 /* the soft quotas 8 bytes (uint64_t)*/
2632 qt.softlim = BVAL(pdata,24);
2633
2634 /* the hard quotas 8 bytes (uint64_t)*/
2635 qt.hardlim = BVAL(pdata,32);
2636
2637 if (!sid_parse(pdata+40,sid_len,&sid)) {
2638 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2639 return;
2640 }
2641
2642 DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
2643
2644 /* 44 unknown bytes left... */
2645
2646 if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2647 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2648 return;
2649 }
2650
2651 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len,
2652 pdata, data_len);
2653 }
2654 #endif /* HAVE_SYS_QUOTAS */
2655
2656 static void handle_nttrans(connection_struct *conn,
2657 struct trans_state *state,
2658 struct smb_request *req)
2659 {
2660 if (get_Protocol() >= PROTOCOL_NT1) {
2661 req->flags2 |= 0x40; /* IS_LONG_NAME */
2662 SSVAL(discard_const_p(uint8_t, req->inbuf),smb_flg2,req->flags2);
2663 }
2664
2665
2666 SMB_PERFCOUNT_SET_SUBOP(&req->pcd, state->call);
2667
2668 /* Now we must call the relevant NT_TRANS function */
2669 switch(state->call) {
2670 case NT_TRANSACT_CREATE:
2671 {
2672 START_PROFILE(NT_transact_create);
2673 call_nt_transact_create(
2674 conn, req,
2675 &state->setup, state->setup_count,
2676 &state->param, state->total_param,
2677 &state->data, state->total_data,
2678 state->max_data_return);
2679 END_PROFILE(NT_transact_create);
2680 break;
2681 }
2682
2683 case NT_TRANSACT_IOCTL:
2684 {
2685 START_PROFILE(NT_transact_ioctl);
2686 call_nt_transact_ioctl(
2687 conn, req,
2688 &state->setup, state->setup_count,
2689 &state->param, state->total_param,
2690 &state->data, state->total_data,
2691 state->max_data_return);
2692 END_PROFILE(NT_transact_ioctl);
2693 break;
2694 }
2695
2696 case NT_TRANSACT_SET_SECURITY_DESC:
2697 {
2698 START_PROFILE(NT_transact_set_security_desc);
2699 call_nt_transact_set_security_desc(
2700 conn, req,
2701 &state->setup, state->setup_count,
2702 &state->param, state->total_param,
2703 &state->data, state->total_data,
2704 state->max_data_return);
2705 END_PROFILE(NT_transact_set_security_desc);
2706 break;
2707 }
2708
2709 case NT_TRANSACT_NOTIFY_CHANGE:
2710 {
2711 START_PROFILE(NT_transact_notify_change);
2712 call_nt_transact_notify_change(
2713 conn, req,
2714 &state->setup, state->setup_count,
2715 &state->param, state->total_param,
2716 &state->data, state->total_data,
2717 state->max_data_return,
2718 state->max_param_return);
2719 END_PROFILE(NT_transact_notify_change);
2720 break;
2721 }
2722
2723 case NT_TRANSACT_RENAME:
2724 {
2725 START_PROFILE(NT_transact_rename);
2726 call_nt_transact_rename(
2727 conn, req,
2728 &state->setup, state->setup_count,
2729 &state->param, state->total_param,
2730 &state->data, state->total_data,
2731 state->max_data_return);
2732 END_PROFILE(NT_transact_rename);
2733 break;
2734 }
2735
2736 case NT_TRANSACT_QUERY_SECURITY_DESC:
2737 {
2738 START_PROFILE(NT_transact_query_security_desc);
2739 call_nt_transact_query_security_desc(
2740 conn, req,
2741 &state->setup, state->setup_count,
2742 &state->param, state->total_param,
2743 &state->data, state->total_data,
2744 state->max_data_return);
2745 END_PROFILE(NT_transact_query_security_desc);
2746 break;
2747 }
2748
2749 #ifdef HAVE_SYS_QUOTAS
2750 case NT_TRANSACT_GET_USER_QUOTA:
2751 {
2752 START_PROFILE(NT_transact_get_user_quota);
2753 call_nt_transact_get_user_quota(
2754 conn, req,
2755 &state->setup, state->setup_count,
2756 &state->param, state->total_param,
2757 &state->data, state->total_data,
2758 state->max_data_return);
2759 END_PROFILE(NT_transact_get_user_quota);
2760 break;
2761 }
2762
2763 case NT_TRANSACT_SET_USER_QUOTA:
2764 {
2765 START_PROFILE(NT_transact_set_user_quota);
2766 call_nt_transact_set_user_quota(
2767 conn, req,
2768 &state->setup, state->setup_count,
2769 &state->param, state->total_param,
2770 &state->data, state->total_data,
2771 state->max_data_return);
2772 END_PROFILE(NT_transact_set_user_quota);
2773 break;
2774 }
2775 #endif /* HAVE_SYS_QUOTAS */
2776
2777 default:
2778 /* Error in request */
2779 DEBUG(0,("handle_nttrans: Unknown request %d in "
2780 "nttrans call\n", state->call));
2781 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2782 return;
2783 }
2784 return;
2785 }
2786
2787 /****************************************************************************
2788 Reply to a SMBNTtrans.
2789 ****************************************************************************/
2790
2791 void reply_nttrans(struct smb_request *req)
2792 {
2793 connection_struct *conn = req->conn;
2794 uint32_t pscnt;
2795 uint32_t psoff;
2796 uint32_t dscnt;
2797 uint32_t dsoff;
2798 uint16 function_code;
2799 NTSTATUS result;
2800 struct trans_state *state;
2801
2802 START_PROFILE(SMBnttrans);
2803
2804 if (req->wct < 19) {
2805 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2806 END_PROFILE(SMBnttrans);
2807 return;
2808 }
2809
2810 pscnt = IVAL(req->vwv+9, 1);
2811 psoff = IVAL(req->vwv+11, 1);
2812 dscnt = IVAL(req->vwv+13, 1);
2813 dsoff = IVAL(req->vwv+15, 1);
2814 function_code = SVAL(req->vwv+18, 0);
2815
2816 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
2817 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2818 END_PROFILE(SMBnttrans);
2819 return;
2820 }
2821
2822 result = allow_new_trans(conn->pending_trans, req->mid);
2823 if (!NT_STATUS_IS_OK(result)) {
2824 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
2825 reply_nterror(req, result);
2826 END_PROFILE(SMBnttrans);
2827 return;
2828 }
2829
2830 if ((state = talloc(conn, struct trans_state)) == NULL) {
2831 reply_nterror(req, NT_STATUS_NO_MEMORY);
2832 END_PROFILE(SMBnttrans);
2833 return;
2834 }
2835
2836 state->cmd = SMBnttrans;
2837
2838 state->mid = req->mid;
2839 state->vuid = req->vuid;
2840 state->total_data = IVAL(req->vwv+3, 1);
2841 state->data = NULL;
2842 state->total_param = IVAL(req->vwv+1, 1);
2843 state->param = NULL;
2844 state->max_data_return = IVAL(req->vwv+7, 1);
2845 state->max_param_return = IVAL(req->vwv+5, 1);
2846
2847 /* setup count is in *words* */
2848 state->setup_count = 2*CVAL(req->vwv+17, 1);
2849 state->setup = NULL;
2850 state->call = function_code;
2851
2852 DEBUG(10, ("num_setup=%u, "
2853 "param_total=%u, this_param=%u, max_param=%u, "
2854 "data_total=%u, this_data=%u, max_data=%u, "
2855 "param_offset=%u, data_offset=%u\n",
2856 (unsigned)state->setup_count,
2857 (unsigned)state->total_param, (unsigned)pscnt,
2858 (unsigned)state->max_param_return,
2859 (unsigned)state->total_data, (unsigned)dscnt,
2860 (unsigned)state->max_data_return,
2861 (unsigned)psoff, (unsigned)dsoff));
2862
2863 /*
2864 * All nttrans messages we handle have smb_wct == 19 +
2865 * state->setup_count. Ensure this is so as a sanity check.
2866 */
2867
2868 if(req->wct != 19 + (state->setup_count/2)) {
2869 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
2870 req->wct, 19 + (state->setup_count/2)));
2871 goto bad_param;
2872 }
2873
2874 /* Don't allow more than 128mb for each value. */
2875 if ((state->total_data > (1024*1024*128)) ||
2876 (state->total_param > (1024*1024*128))) {
2877 reply_nterror(req, NT_STATUS_NO_MEMORY);
2878 END_PROFILE(SMBnttrans);
2879 return;
2880 }
2881
2882 if ((dscnt > state->total_data) || (pscnt > state->total_param))
2883 goto bad_param;
2884
2885 if (state->total_data) {
2886
2887 if (trans_oob(state->total_data, 0, dscnt)
2888 || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) {
2889 goto bad_param;
2890 }
2891
2892 /* Can't use talloc here, the core routines do realloc on the
2893 * params and data. */
2894 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
2895 DEBUG(0,("reply_nttrans: data malloc fail for %u "
2896 "bytes !\n", (unsigned int)state->total_data));
2897 TALLOC_FREE(state);
2898 reply_nterror(req, NT_STATUS_NO_MEMORY);
2899 END_PROFILE(SMBnttrans);
2900 return;
2901 }
2902
2903 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
2904 }
2905
2906 if (state->total_param) {
2907
2908 if (trans_oob(state->total_param, 0, pscnt)
2909 || trans_oob(smb_len(req->inbuf), psoff, pscnt)) {
2910 goto bad_param;
2911 }
2912
2913 /* Can't use talloc here, the core routines do realloc on the
2914 * params and data. */
2915 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
2916 DEBUG(0,("reply_nttrans: param malloc fail for %u "
2917 "bytes !\n", (unsigned int)state->total_param));
2918 SAFE_FREE(state->data);
2919 TALLOC_FREE(state);
2920 reply_nterror(req, NT_STATUS_NO_MEMORY);
2921 END_PROFILE(SMBnttrans);
2922 return;
2923 }
2924
2925 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
2926 }
2927
2928 state->received_data = dscnt;
2929 state->received_param = pscnt;
2930
2931 if(state->setup_count > 0) {
2932 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
2933 state->setup_count));
2934
2935 /*
2936 * No overflow possible here, state->setup_count is an
2937 * unsigned int, being filled by a single byte from
2938 * CVAL(req->vwv+13, 0) above. The cast in the comparison
2939 * below is not necessary, it's here to clarify things. The
2940 * validity of req->vwv and req->wct has been checked in
2941 * init_smb_request already.
2942 */
2943 if ((state->setup_count/2) + 19 > (unsigned int)req->wct) {
2944 goto bad_param;
2945 }
2946
2947 state->setup = (uint16 *)TALLOC(state, state->setup_count);
2948 if (state->setup == NULL) {
2949 DEBUG(0,("reply_nttrans : Out of memory\n"));
2950 SAFE_FREE(state->data);
2951 SAFE_FREE(state->param);
2952 TALLOC_FREE(state);
2953 reply_nterror(req, NT_STATUS_NO_MEMORY);
2954 END_PROFILE(SMBnttrans);
2955 return;
2956 }
2957
2958 memcpy(state->setup, req->vwv+19, state->setup_count);
2959 dump_data(10, (uint8 *)state->setup, state->setup_count);
2960 }
2961
2962 if ((state->received_data == state->total_data) &&
2963 (state->received_param == state->total_param)) {
2964 handle_nttrans(conn, state, req);
2965 SAFE_FREE(state->param);
2966 SAFE_FREE(state->data);
2967 TALLOC_FREE(state);
2968 END_PROFILE(SMBnttrans);
2969 return;
2970 }
2971
2972 DLIST_ADD(conn->pending_trans, state);
2973
2974 /* We need to send an interim response then receive the rest
2975 of the parameter/data bytes */
2976 reply_outbuf(req, 0, 0);
2977 show_msg((char *)req->outbuf);
2978 END_PROFILE(SMBnttrans);
2979 return;
2980
2981 bad_param:
2982
2983 DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
2984 SAFE_FREE(state->data);
2985 SAFE_FREE(state->param);
2986 TALLOC_FREE(state);
2987 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2988 END_PROFILE(SMBnttrans);
2989 return;
2990 }
2991
2992 /****************************************************************************
2993 Reply to a SMBnttranss
2994 ****************************************************************************/
2995
2996 void reply_nttranss(struct smb_request *req)
2997 {
2998 connection_struct *conn = req->conn;
2999 uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
3000 struct trans_state *state;
3001
3002 START_PROFILE(SMBnttranss);
3003
3004 show_msg((const char *)req->inbuf);
3005
3006 /* Windows clients expect all replies to
3007 an NT transact secondary (SMBnttranss 0xA1)
3008 to have a command code of NT transact
3009 (SMBnttrans 0xA0). See bug #8989 for details. */
3010 req->cmd = SMBnttrans;
3011
3012 if (req->wct < 18) {
3013 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3014 END_PROFILE(SMBnttranss);
3015 return;
3016 }
3017
3018 for (state = conn->pending_trans; state != NULL;
3019 state = state->next) {
3020 if (state->mid == req->mid) {
3021 break;
3022 }
3023 }
3024
3025 if ((state == NULL) || (state->cmd != SMBnttrans)) {
3026 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3027 END_PROFILE(SMBnttranss);
3028 return;
3029 }
3030
3031 /* Revise state->total_param and state->total_data in case they have
3032 changed downwards */
3033 if (IVAL(req->vwv+1, 1) < state->total_param) {
3034 state->total_param = IVAL(req->vwv+1, 1);
3035 }
3036 if (IVAL(req->vwv+3, 1) < state->total_data) {
3037 state->total_data = IVAL(req->vwv+3, 1);
3038 }
3039
3040 pcnt = IVAL(req->vwv+5, 1);
3041 poff = IVAL(req->vwv+7, 1);
3042 pdisp = IVAL(req->vwv+9, 1);
3043
3044 dcnt = IVAL(req->vwv+11, 1);
3045 doff = IVAL(req->vwv+13, 1);
3046 ddisp = IVAL(req->vwv+15, 1);
3047
3048 state->received_param += pcnt;
3049 state->received_data += dcnt;
3050
3051 if ((state->received_data > state->total_data) ||
3052 (state->received_param > state->total_param))
3053 goto bad_param;
3054
3055 if (pcnt) {
3056 if (trans_oob(state->total_param, pdisp, pcnt)
3057 || trans_oob(smb_len(req->inbuf), poff, pcnt)) {
3058 goto bad_param;
3059 }
3060 memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,pcnt);
3061 }
3062
3063 if (dcnt) {
3064 if (trans_oob(state->total_data, ddisp, dcnt)
3065 || trans_oob(smb_len(req->inbuf), doff, dcnt)) {
3066 goto bad_param;
3067 }
3068 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt);
3069 }
3070
3071 if ((state->received_param < state->total_param) ||
3072 (state->received_data < state->total_data)) {
3073 END_PROFILE(SMBnttranss);
3074 return;
3075 }
3076
3077 handle_nttrans(conn, state, req);
3078
3079 DLIST_REMOVE(conn->pending_trans, state);
3080 SAFE_FREE(state->data);
3081 SAFE_FREE(state->param);
3082 TALLOC_FREE(state);
3083 END_PROFILE(SMBnttranss);
3084 return;
3085
3086 bad_param:
3087
3088 DEBUG(0,("reply_nttranss: invalid trans parameters\n"));
3089 DLIST_REMOVE(conn->pending_trans, state);
3090 SAFE_FREE(state->data);
3091 SAFE_FREE(state->param);
3092 TALLOC_FREE(state);
3093 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3094 END_PROFILE(SMBnttranss);
3095 return;
3096 }
Samba GIT mirror