search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Fix Coverity ID 986, BUFFER_SIZE_WARNING
[Samba.git] / source3 / rpc_server / srv_pipe.c
blob73a34866b20eab95b443af96418cf75c5f18ce9e
1 /*
2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Almost completely rewritten by (C) Jeremy Allison 2005 - 2010
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 3 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, see <http://www.gnu.org/licenses/>.
18 */
19
20 /* this module apparently provides an implementation of DCE/RPC over a
21 * named pipe (IPC$ connection using SMBtrans). details of DCE/RPC
22 * documentation are available (in on-line form) from the X-Open group.
23 *
24 * this module should provide a level of abstraction between SMB
25 * and DCE/RPC, while minimising the amount of mallocs, unnecessary
26 * data copies, and network traffic.
27 *
28 */
29
30 #include "includes.h"
31 #include "system/filesys.h"
32 #include "srv_pipe_internal.h"
33 #include "../librpc/gen_ndr/ndr_schannel.h"
34 #include "../libcli/auth/schannel.h"
35 #include "../libcli/auth/spnego.h"
36 #include "dcesrv_ntlmssp.h"
37 #include "dcesrv_gssapi.h"
38 #include "dcesrv_spnego.h"
39 #include "rpc_server.h"
40 #include "rpc_dce.h"
41 #include "smbd/smbd.h"
42 #include "auth.h"
43 #include "ntdomain.h"
44
45 #undef DBGC_CLASS
46 #define DBGC_CLASS DBGC_RPC_SRV
47
48 /**
49 * Dump everything from the start of the end up of the provided data
50 * into a file, but only at debug level >= 50
51 **/
52 static void dump_pdu_region(const char *name, int v,
53 DATA_BLOB *data, size_t start, size_t end)
54 {
55 int fd, i;
56 char *fname = NULL;
57 ssize_t sz;
58
59 if (DEBUGLEVEL < 50) return;
60
61 if (start > data->length || end > data->length || start > end) return;
62
63 for (i = 1; i < 100; i++) {
64 if (v != -1) {
65 fname = talloc_asprintf(talloc_tos(),
66 "/tmp/%s_%d.%d.prs",
67 name, v, i);
68 } else {
69 fname = talloc_asprintf(talloc_tos(),
70 "/tmp/%s_%d.prs",
71 name, i);
72 }
73 if (!fname) {
74 return;
75 }
76 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
77 if (fd != -1 || errno != EEXIST) break;
78 }
79 if (fd != -1) {
80 sz = write(fd, data->data + start, end - start);
81 i = close(fd);
82 if ((sz != end - start) || (i != 0) ) {
83 DEBUG(0, ("Error writing/closing %s: %ld!=%ld %d\n",
84 fname, (unsigned long)sz,
85 (unsigned long)end - start, i));
86 } else {
87 DEBUG(0,("created %s\n", fname));
88 }
89 }
90 TALLOC_FREE(fname);
91 }
92
93 static DATA_BLOB generic_session_key(void)
94 {
95 return data_blob_const("SystemLibraryDTC", 16);
96 }
97
98 /*******************************************************************
99 Generate the next PDU to be returned from the data.
100 ********************************************************************/
101
102 static NTSTATUS create_next_packet(TALLOC_CTX *mem_ctx,
103 struct pipe_auth_data *auth,
104 uint32_t call_id,
105 DATA_BLOB *rdata,
106 size_t data_sent_length,
107 DATA_BLOB *frag,
108 size_t *pdu_size)
109 {
110 union dcerpc_payload u;
111 uint8_t pfc_flags;
112 size_t data_left;
113 size_t data_to_send;
114 size_t frag_len;
115 size_t pad_len = 0;
116 size_t auth_len = 0;
117 NTSTATUS status;
118
119 ZERO_STRUCT(u.response);
120
121 /* Set up rpc packet pfc flags. */
122 if (data_sent_length == 0) {
123 pfc_flags = DCERPC_PFC_FLAG_FIRST;
124 } else {
125 pfc_flags = 0;
126 }
127
128 /* Work out how much we can fit in a single PDU. */
129 data_left = rdata->length - data_sent_length;
130
131 /* Ensure there really is data left to send. */
132 if (!data_left) {
133 DEBUG(0, ("No data left to send !\n"));
134 return NT_STATUS_BUFFER_TOO_SMALL;
135 }
136
137 status = dcerpc_guess_sizes(auth,
138 DCERPC_RESPONSE_LENGTH,
139 data_left,
140 RPC_MAX_PDU_FRAG_LEN,
141 SERVER_NDR_PADDING_SIZE,
142 &data_to_send, &frag_len,
143 &auth_len, &pad_len);
144 if (!NT_STATUS_IS_OK(status)) {
145 return status;
146 }
147
148 /* Set up the alloc hint. This should be the data left to send. */
149 u.response.alloc_hint = data_left;
150
151 /* Work out if this PDU will be the last. */
152 if (data_sent_length + data_to_send >= rdata->length) {
153 pfc_flags |= DCERPC_PFC_FLAG_LAST;
154 }
155
156 /* Prepare data to be NDR encoded. */
157 u.response.stub_and_verifier =
158 data_blob_const(rdata->data + data_sent_length, data_to_send);
159
160 /* Store the packet in the data stream. */
161 status = dcerpc_push_ncacn_packet(mem_ctx, DCERPC_PKT_RESPONSE,
162 pfc_flags, auth_len, call_id,
163 &u, frag);
164 if (!NT_STATUS_IS_OK(status)) {
165 DEBUG(0, ("Failed to marshall RPC Packet.\n"));
166 return status;
167 }
168
169 if (auth_len) {
170 /* Set the proper length on the pdu, including padding.
171 * Only needed if an auth trailer will be appended. */
172 dcerpc_set_frag_length(frag, frag->length
173 + pad_len
174 + DCERPC_AUTH_TRAILER_LENGTH
175 + auth_len);
176 }
177
178 if (auth_len) {
179 status = dcerpc_add_auth_footer(auth, pad_len, frag);
180 if (!NT_STATUS_IS_OK(status)) {
181 data_blob_free(frag);
182 return status;
183 }
184 }
185
186 *pdu_size = data_to_send;
187 return NT_STATUS_OK;
188 }
189
190 /*******************************************************************
191 Generate the next PDU to be returned from the data in p->rdata.
192 ********************************************************************/
193
194 bool create_next_pdu(struct pipes_struct *p)
195 {
196 size_t pdu_size = 0;
197 NTSTATUS status;
198
199 /*
200 * If we're in the fault state, keep returning fault PDU's until
201 * the pipe gets closed. JRA.
202 */
203 if (p->fault_state) {
204 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
205 return true;
206 }
207
208 status = create_next_packet(p->mem_ctx, &p->auth,
209 p->call_id, &p->out_data.rdata,
210 p->out_data.data_sent_length,
211 &p->out_data.frag, &pdu_size);
212 if (!NT_STATUS_IS_OK(status)) {
213 DEBUG(0, ("Failed to create packet with error %s, "
214 "(auth level %u / type %u)\n",
215 nt_errstr(status),
216 (unsigned int)p->auth.auth_level,
217 (unsigned int)p->auth.auth_type));
218 return false;
219 }
220
221 /* Setup the counts for this PDU. */
222 p->out_data.data_sent_length += pdu_size;
223 p->out_data.current_pdu_sent = 0;
224 return true;
225 }
226
227
228 static bool pipe_init_outgoing_data(struct pipes_struct *p);
229
230 /*******************************************************************
231 Marshall a bind_nak pdu.
232 *******************************************************************/
233
234 static bool setup_bind_nak(struct pipes_struct *p, struct ncacn_packet *pkt)
235 {
236 NTSTATUS status;
237 union dcerpc_payload u;
238
239 /* Free any memory in the current return data buffer. */
240 pipe_init_outgoing_data(p);
241
242 /*
243 * Initialize a bind_nak header.
244 */
245
246 ZERO_STRUCT(u);
247
248 u.bind_nak.reject_reason = 0;
249
250 /*
251 * Marshall directly into the outgoing PDU space. We
252 * must do this as we need to set to the bind response
253 * header and are never sending more than one PDU here.
254 */
255
256 status = dcerpc_push_ncacn_packet(p->mem_ctx,
257 DCERPC_PKT_BIND_NAK,
258 DCERPC_PFC_FLAG_FIRST |
259 DCERPC_PFC_FLAG_LAST,
260 0,
261 pkt->call_id,
262 &u,
263 &p->out_data.frag);
264 if (!NT_STATUS_IS_OK(status)) {
265 return False;
266 }
267
268 p->out_data.data_sent_length = 0;
269 p->out_data.current_pdu_sent = 0;
270
271 TALLOC_FREE(p->auth.auth_ctx);
272 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
273 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
274 p->pipe_bound = False;
275
276 return True;
277 }
278
279 /*******************************************************************
280 Marshall a fault pdu.
281 *******************************************************************/
282
283 bool setup_fault_pdu(struct pipes_struct *p, NTSTATUS fault_status)
284 {
285 NTSTATUS status;
286 union dcerpc_payload u;
287
288 /* Free any memory in the current return data buffer. */
289 pipe_init_outgoing_data(p);
290
291 /*
292 * Initialize a fault header.
293 */
294
295 ZERO_STRUCT(u);
296
297 u.fault.status = NT_STATUS_V(fault_status);
298 u.fault._pad = data_blob_talloc_zero(p->mem_ctx, 4);
299
300 /*
301 * Marshall directly into the outgoing PDU space. We
302 * must do this as we need to set to the bind response
303 * header and are never sending more than one PDU here.
304 */
305
306 status = dcerpc_push_ncacn_packet(p->mem_ctx,
307 DCERPC_PKT_FAULT,
308 DCERPC_PFC_FLAG_FIRST |
309 DCERPC_PFC_FLAG_LAST |
310 DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
311 0,
312 p->call_id,
313 &u,
314 &p->out_data.frag);
315 if (!NT_STATUS_IS_OK(status)) {
316 return False;
317 }
318
319 p->out_data.data_sent_length = 0;
320 p->out_data.current_pdu_sent = 0;
321
322 return True;
323 }
324
325 /*******************************************************************
326 Ensure a bind request has the correct abstract & transfer interface.
327 Used to reject unknown binds from Win2k.
328 *******************************************************************/
329
330 static bool check_bind_req(struct pipes_struct *p,
331 struct ndr_syntax_id* abstract,
332 struct ndr_syntax_id* transfer,
333 uint32 context_id)
334 {
335 struct pipe_rpc_fns *context_fns;
336
337 DEBUG(3,("check_bind_req for %s\n",
338 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
339
340 /* we have to check all now since win2k introduced a new UUID on the lsaprpc pipe */
341 if (rpc_srv_pipe_exists_by_id(abstract) &&
342 ndr_syntax_id_equal(transfer, &ndr_transfer_syntax)) {
343 DEBUG(3, ("check_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
344 rpc_srv_get_pipe_cli_name(abstract),
345 rpc_srv_get_pipe_srv_name(abstract)));
346 } else {
347 return false;
348 }
349
350 context_fns = SMB_MALLOC_P(struct pipe_rpc_fns);
351 if (context_fns == NULL) {
352 DEBUG(0,("check_bind_req: malloc() failed!\n"));
353 return False;
354 }
355
356 context_fns->next = context_fns->prev = NULL;
357 context_fns->n_cmds = rpc_srv_get_pipe_num_cmds(abstract);
358 context_fns->cmds = rpc_srv_get_pipe_cmds(abstract);
359 context_fns->context_id = context_id;
360
361 /* add to the list of open contexts */
362
363 DLIST_ADD( p->contexts, context_fns );
364
365 return True;
366 }
367
368 /**
369 * Is a named pipe known?
370 * @param[in] cli_filename The pipe name requested by the client
371 * @result Do we want to serve this?
372 */
373 bool is_known_pipename(const char *cli_filename, struct ndr_syntax_id *syntax)
374 {
375 const char *pipename = cli_filename;
376 NTSTATUS status;
377
378 if (strnequal(pipename, "\\PIPE\\", 6)) {
379 pipename += 5;
380 }
381
382 if (*pipename == '\\') {
383 pipename += 1;
384 }
385
386 if (lp_disable_spoolss() && strequal(pipename, "spoolss")) {
387 DEBUG(10, ("refusing spoolss access\n"));
388 return false;
389 }
390
391 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
392 return true;
393 }
394
395 status = smb_probe_module("rpc", pipename);
396 if (!NT_STATUS_IS_OK(status)) {
397 DEBUG(10, ("is_known_pipename: %s unknown\n", cli_filename));
398 return false;
399 }
400 DEBUG(10, ("is_known_pipename: %s loaded dynamically\n", pipename));
401
402 /*
403 * Scan the list again for the interface id
404 */
405 if (rpc_srv_get_pipe_interface_by_cli_name(pipename, syntax)) {
406 return true;
407 }
408
409 DEBUG(10, ("is_known_pipename: pipe %s did not register itself!\n",
410 pipename));
411
412 return false;
413 }
414
415 /*******************************************************************
416 Handle the first part of a SPNEGO bind auth.
417 *******************************************************************/
418
419 static bool pipe_spnego_auth_bind(struct pipes_struct *p,
420 TALLOC_CTX *mem_ctx,
421 struct dcerpc_auth *auth_info,
422 DATA_BLOB *response)
423 {
424 struct spnego_context *spnego_ctx;
425 NTSTATUS status;
426
427 status = spnego_server_auth_start(p,
428 (auth_info->auth_level ==
429 DCERPC_AUTH_LEVEL_INTEGRITY),
430 (auth_info->auth_level ==
431 DCERPC_AUTH_LEVEL_PRIVACY),
432 true,
433 &auth_info->credentials,
434 response,
435 &spnego_ctx);
436 if (!NT_STATUS_IS_OK(status)) {
437 DEBUG(0, ("Failed SPNEGO negotiate (%s)\n",
438 nt_errstr(status)));
439 return false;
440 }
441
442 /* Make sure data is bound to the memctx, to be freed the caller */
443 talloc_steal(mem_ctx, response->data);
444
445 p->auth.auth_ctx = spnego_ctx;
446 p->auth.auth_type = DCERPC_AUTH_TYPE_SPNEGO;
447
448 DEBUG(10, ("SPNEGO auth started\n"));
449
450 return true;
451 }
452
453 /*******************************************************************
454 Handle an schannel bind auth.
455 *******************************************************************/
456
457 static bool pipe_schannel_auth_bind(struct pipes_struct *p,
458 TALLOC_CTX *mem_ctx,
459 struct dcerpc_auth *auth_info,
460 DATA_BLOB *response)
461 {
462 struct NL_AUTH_MESSAGE neg;
463 struct NL_AUTH_MESSAGE reply;
464 bool ret;
465 NTSTATUS status;
466 struct netlogon_creds_CredentialState *creds;
467 enum ndr_err_code ndr_err;
468 struct schannel_state *schannel_auth;
469
470 ndr_err = ndr_pull_struct_blob(
471 &auth_info->credentials, mem_ctx, &neg,
472 (ndr_pull_flags_fn_t)ndr_pull_NL_AUTH_MESSAGE);
473 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
474 DEBUG(0,("pipe_schannel_auth_bind: Could not unmarshal SCHANNEL auth neg\n"));
475 return false;
476 }
477
478 if (DEBUGLEVEL >= 10) {
479 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &neg);
480 }
481
482 if (!(neg.Flags & NL_FLAG_OEM_NETBIOS_COMPUTER_NAME)) {
483 DEBUG(0,("pipe_schannel_auth_bind: Did not receive netbios computer name\n"));
484 return false;
485 }
486
487 /*
488 * The neg.oem_netbios_computer.a key here must match the remote computer name
489 * given in the DOM_CLNT_SRV.uni_comp_name used on all netlogon pipe
490 * operations that use credentials.
491 */
492
493 become_root();
494 status = schannel_get_creds_state(p, lp_private_dir(),
495 neg.oem_netbios_computer.a, &creds);
496 unbecome_root();
497
498 if (!NT_STATUS_IS_OK(status)) {
499 DEBUG(0, ("pipe_schannel_auth_bind: Attempt to bind using schannel without successful serverauth2\n"));
500 return False;
501 }
502
503 schannel_auth = talloc(p, struct schannel_state);
504 if (!schannel_auth) {
505 TALLOC_FREE(creds);
506 return False;
507 }
508
509 schannel_auth->state = SCHANNEL_STATE_START;
510 schannel_auth->seq_num = 0;
511 schannel_auth->initiator = false;
512 schannel_auth->creds = creds;
513
514 /*
515 * JRA. Should we also copy the schannel session key into the pipe session key p->session_key
516 * here ? We do that for NTLMSSP, but the session key is already set up from the vuser
517 * struct of the person who opened the pipe. I need to test this further. JRA.
518 *
519 * VL. As we are mapping this to guest set the generic key
520 * "SystemLibraryDTC" key here. It's a bit difficult to test against
521 * W2k3, as it does not allow schannel binds against SAMR and LSA
522 * anymore.
523 */
524
525 ret = session_info_set_session_key(p->session_info, generic_session_key());
526
527 if (!ret) {
528 DEBUG(0, ("session_info_set_session_key failed\n"));
529 return false;
530 }
531
532 /*** SCHANNEL verifier ***/
533
534 reply.MessageType = NL_NEGOTIATE_RESPONSE;
535 reply.Flags = 0;
536 reply.Buffer.dummy = 5; /* ??? actually I don't think
537 * this has any meaning
538 * here - gd */
539
540 ndr_err = ndr_push_struct_blob(response, mem_ctx, &reply,
541 (ndr_push_flags_fn_t)ndr_push_NL_AUTH_MESSAGE);
542 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
543 DEBUG(0,("Failed to marshall NL_AUTH_MESSAGE.\n"));
544 return false;
545 }
546
547 if (DEBUGLEVEL >= 10) {
548 NDR_PRINT_DEBUG(NL_AUTH_MESSAGE, &reply);
549 }
550
551 DEBUG(10,("pipe_schannel_auth_bind: schannel auth: domain [%s] myname [%s]\n",
552 neg.oem_netbios_domain.a, neg.oem_netbios_computer.a));
553
554 /* We're finished with this bind - no more packets. */
555 p->auth.auth_ctx = schannel_auth;
556 p->auth.auth_type = DCERPC_AUTH_TYPE_SCHANNEL;
557
558 p->pipe_bound = True;
559
560 return True;
561 }
562
563 /*******************************************************************
564 Handle an NTLMSSP bind auth.
565 *******************************************************************/
566
567 static bool pipe_ntlmssp_auth_bind(struct pipes_struct *p,
568 TALLOC_CTX *mem_ctx,
569 struct dcerpc_auth *auth_info,
570 DATA_BLOB *response)
571 {
572 struct auth_ntlmssp_state *ntlmssp_state = NULL;
573 NTSTATUS status;
574
575 if (strncmp((char *)auth_info->credentials.data, "NTLMSSP", 7) != 0) {
576 DEBUG(0, ("Failed to read NTLMSSP in blob\n"));
577 return false;
578 }
579
580 /* We have an NTLMSSP blob. */
581 status = ntlmssp_server_auth_start(p,
582 (auth_info->auth_level ==
583 DCERPC_AUTH_LEVEL_INTEGRITY),
584 (auth_info->auth_level ==
585 DCERPC_AUTH_LEVEL_PRIVACY),
586 true,
587 &auth_info->credentials,
588 response,
589 &ntlmssp_state);
590 if (!NT_STATUS_EQUAL(status, NT_STATUS_OK)) {
591 DEBUG(0, (__location__ ": auth_ntlmssp_start failed: %s\n",
592 nt_errstr(status)));
593 return false;
594 }
595
596 /* Make sure data is bound to the memctx, to be freed the caller */
597 talloc_steal(mem_ctx, response->data);
598
599 p->auth.auth_ctx = ntlmssp_state;
600 p->auth.auth_type = DCERPC_AUTH_TYPE_NTLMSSP;
601
602 DEBUG(10, (__location__ ": NTLMSSP auth started\n"));
603
604 return true;
605 }
606
607 /*******************************************************************
608 Process an NTLMSSP authentication response.
609 If this function succeeds, the user has been authenticated
610 and their domain, name and calling workstation stored in
611 the pipe struct.
612 *******************************************************************/
613
614 static bool pipe_ntlmssp_verify_final(TALLOC_CTX *mem_ctx,
615 struct auth_ntlmssp_state *ntlmssp_ctx,
616 enum dcerpc_AuthLevel auth_level,
617 struct client_address *client_id,
618 struct ndr_syntax_id *syntax,
619 struct auth_serversupplied_info **session_info)
620 {
621 NTSTATUS status;
622 bool ret;
623
624 DEBUG(5, (__location__ ": pipe %s checking user details\n",
625 get_pipe_name_from_syntax(talloc_tos(), syntax)));
626
627 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
628 ensure the underlying NTLMSSP flags are also set. If not we should
629 refuse the bind. */
630
631 status = ntlmssp_server_check_flags(ntlmssp_ctx,
632 (auth_level ==
633 DCERPC_AUTH_LEVEL_INTEGRITY),
634 (auth_level ==
635 DCERPC_AUTH_LEVEL_PRIVACY));
636 if (!NT_STATUS_IS_OK(status)) {
637 DEBUG(0, (__location__ ": Client failed to negotatie proper "
638 "security for pipe %s\n",
639 get_pipe_name_from_syntax(talloc_tos(), syntax)));
640 return false;
641 }
642
643 TALLOC_FREE(*session_info);
644
645 status = ntlmssp_server_get_user_info(ntlmssp_ctx,
646 mem_ctx, session_info);
647 if (!NT_STATUS_IS_OK(status)) {
648 DEBUG(0, (__location__ ": failed to obtain the server info "
649 "for authenticated user: %s\n", nt_errstr(status)));
650 return false;
651 }
652
653 if ((*session_info)->security_token == NULL) {
654 DEBUG(1, ("Auth module failed to provide nt_user_token\n"));
655 return false;
656 }
657
658 /*
659 * We're an authenticated bind over smb, so the session key needs to
660 * be set to "SystemLibraryDTC". Weird, but this is what Windows
661 * does. See the RPC-SAMBA3SESSIONKEY.
662 */
663
664 ret = session_info_set_session_key((*session_info), generic_session_key());
665 if (!ret) {
666 DEBUG(0, ("Failed to set session key!\n"));
667 return false;
668 }
669
670 return true;
671 }
672
673 /*******************************************************************
674 Handle a GSSAPI bind auth.
675 *******************************************************************/
676
677 static bool pipe_gssapi_auth_bind(struct pipes_struct *p,
678 TALLOC_CTX *mem_ctx,
679 struct dcerpc_auth *auth_info,
680 DATA_BLOB *response)
681 {
682 NTSTATUS status;
683 struct gse_context *gse_ctx = NULL;
684
685 status = gssapi_server_auth_start(p,
686 (auth_info->auth_level ==
687 DCERPC_AUTH_LEVEL_INTEGRITY),
688 (auth_info->auth_level ==
689 DCERPC_AUTH_LEVEL_PRIVACY),
690 true,
691 &auth_info->credentials,
692 response,
693 &gse_ctx);
694 if (!NT_STATUS_IS_OK(status)) {
695 DEBUG(0, ("Failed to init dcerpc gssapi server (%s)\n",
696 nt_errstr(status)));
697 goto err;
698 }
699
700 /* Make sure data is bound to the memctx, to be freed the caller */
701 talloc_steal(mem_ctx, response->data);
702
703 p->auth.auth_ctx = gse_ctx;
704 p->auth.auth_type = DCERPC_AUTH_TYPE_KRB5;
705
706 DEBUG(10, ("KRB5 auth started\n"));
707
708 return true;
709
710 err:
711 TALLOC_FREE(gse_ctx);
712 return false;
713 }
714
715 static NTSTATUS pipe_gssapi_verify_final(TALLOC_CTX *mem_ctx,
716 struct gse_context *gse_ctx,
717 struct client_address *client_id,
718 struct auth_serversupplied_info **session_info)
719 {
720 NTSTATUS status;
721 bool bret;
722
723 /* Finally - if the pipe negotiated integrity (sign) or privacy (seal)
724 ensure the underlying flags are also set. If not we should
725 refuse the bind. */
726
727 status = gssapi_server_check_flags(gse_ctx);
728 if (!NT_STATUS_IS_OK(status)) {
729 DEBUG(0, ("Requested Security Layers not honored!\n"));
730 return status;
731 }
732
733 status = gssapi_server_get_user_info(gse_ctx, mem_ctx,
734 client_id, session_info);
735 if (!NT_STATUS_IS_OK(status)) {
736 DEBUG(0, (__location__ ": failed to obtain the server info "
737 "for authenticated user: %s\n", nt_errstr(status)));
738 return status;
739 }
740
741 if ((*session_info)->security_token == NULL) {
742 status = create_local_token(*session_info);
743 if (!NT_STATUS_IS_OK(status)) {
744 DEBUG(1, ("Failed to create local user token (%s)\n",
745 nt_errstr(status)));
746 status = NT_STATUS_ACCESS_DENIED;
747 return status;
748 }
749 }
750
751 /* TODO: this is what the ntlmssp code does with the session_key, check
752 * it is ok with gssapi too */
753 /*
754 * We're an authenticated bind over smb, so the session key needs to
755 * be set to "SystemLibraryDTC". Weird, but this is what Windows
756 * does. See the RPC-SAMBA3SESSIONKEY.
757 */
758
759 bret = session_info_set_session_key((*session_info), generic_session_key());
760 if (!bret) {
761 return NT_STATUS_ACCESS_DENIED;
762 }
763
764 return NT_STATUS_OK;
765 }
766
767 static NTSTATUS pipe_auth_verify_final(struct pipes_struct *p)
768 {
769 enum spnego_mech auth_type;
770 struct auth_ntlmssp_state *ntlmssp_ctx;
771 struct spnego_context *spnego_ctx;
772 struct gse_context *gse_ctx;
773 void *mech_ctx;
774 NTSTATUS status;
775
776 switch (p->auth.auth_type) {
777 case DCERPC_AUTH_TYPE_NTLMSSP:
778 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
779 struct auth_ntlmssp_state);
780 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
781 p->auth.auth_level,
782 p->client_id, &p->syntax,
783 &p->session_info)) {
784 return NT_STATUS_ACCESS_DENIED;
785 }
786 break;
787 case DCERPC_AUTH_TYPE_KRB5:
788 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
789 struct gse_context);
790 status = pipe_gssapi_verify_final(p, gse_ctx,
791 p->client_id,
792 &p->session_info);
793 if (!NT_STATUS_IS_OK(status)) {
794 DEBUG(1, ("gssapi bind failed with: %s",
795 nt_errstr(status)));
796 return status;
797 }
798 break;
799 case DCERPC_AUTH_TYPE_SPNEGO:
800 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
801 struct spnego_context);
802 status = spnego_get_negotiated_mech(spnego_ctx,
803 &auth_type, &mech_ctx);
804 if (!NT_STATUS_IS_OK(status)) {
805 DEBUG(0, ("Bad SPNEGO state (%s)\n",
806 nt_errstr(status)));
807 return status;
808 }
809 switch(auth_type) {
810 case SPNEGO_KRB5:
811 gse_ctx = talloc_get_type_abort(mech_ctx,
812 struct gse_context);
813 status = pipe_gssapi_verify_final(p, gse_ctx,
814 p->client_id,
815 &p->session_info);
816 if (!NT_STATUS_IS_OK(status)) {
817 DEBUG(1, ("gssapi bind failed with: %s",
818 nt_errstr(status)));
819 return status;
820 }
821 break;
822 case SPNEGO_NTLMSSP:
823 ntlmssp_ctx = talloc_get_type_abort(mech_ctx,
824 struct auth_ntlmssp_state);
825 if (!pipe_ntlmssp_verify_final(p, ntlmssp_ctx,
826 p->auth.auth_level,
827 p->client_id,
828 &p->syntax,
829 &p->session_info)) {
830 return NT_STATUS_ACCESS_DENIED;
831 }
832 break;
833 default:
834 DEBUG(0, (__location__ ": incorrect spnego type "
835 "(%d).\n", auth_type));
836 return NT_STATUS_ACCESS_DENIED;
837 }
838 break;
839 default:
840 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
841 (unsigned int)p->auth.auth_type));
842 return NT_STATUS_ACCESS_DENIED;
843 }
844
845 p->pipe_bound = true;
846
847 return NT_STATUS_OK;
848 }
849
850 /*******************************************************************
851 Respond to a pipe bind request.
852 *******************************************************************/
853
854 static bool api_pipe_bind_req(struct pipes_struct *p,
855 struct ncacn_packet *pkt)
856 {
857 struct dcerpc_auth auth_info;
858 uint16 assoc_gid;
859 unsigned int auth_type = DCERPC_AUTH_TYPE_NONE;
860 NTSTATUS status;
861 struct ndr_syntax_id id;
862 union dcerpc_payload u;
863 struct dcerpc_ack_ctx bind_ack_ctx;
864 DATA_BLOB auth_resp = data_blob_null;
865 DATA_BLOB auth_blob = data_blob_null;
866
867 /* No rebinds on a bound pipe - use alter context. */
868 if (p->pipe_bound) {
869 DEBUG(2,("api_pipe_bind_req: rejecting bind request on bound "
870 "pipe %s.\n",
871 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
872 return setup_bind_nak(p, pkt);
873 }
874
875 if (pkt->u.bind.num_contexts == 0) {
876 DEBUG(0, ("api_pipe_bind_req: no rpc contexts around\n"));
877 goto err_exit;
878 }
879
880 /*
881 * Try and find the correct pipe name to ensure
882 * that this is a pipe name we support.
883 */
884 id = pkt->u.bind.ctx_list[0].abstract_syntax;
885 if (rpc_srv_pipe_exists_by_id(&id)) {
886 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
887 rpc_srv_get_pipe_cli_name(&id),
888 rpc_srv_get_pipe_srv_name(&id)));
889 } else {
890 status = smb_probe_module(
891 "rpc", get_pipe_name_from_syntax(
892 talloc_tos(),
893 &pkt->u.bind.ctx_list[0].abstract_syntax));
894
895 if (NT_STATUS_IS_ERR(status)) {
896 DEBUG(3,("api_pipe_bind_req: Unknown pipe name %s in bind request.\n",
897 get_pipe_name_from_syntax(
898 talloc_tos(),
899 &pkt->u.bind.ctx_list[0].abstract_syntax)));
900
901 return setup_bind_nak(p, pkt);
902 }
903
904 if (rpc_srv_get_pipe_interface_by_cli_name(
905 get_pipe_name_from_syntax(talloc_tos(),
906 &p->syntax),
907 &id)) {
908 DEBUG(3, ("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
909 rpc_srv_get_pipe_cli_name(&id),
910 rpc_srv_get_pipe_srv_name(&id)));
911 } else {
912 DEBUG(0, ("module %s doesn't provide functions for "
913 "pipe %s!\n",
914 get_pipe_name_from_syntax(talloc_tos(),
915 &p->syntax),
916 get_pipe_name_from_syntax(talloc_tos(),
917 &p->syntax)));
918 return setup_bind_nak(p, pkt);
919 }
920 }
921
922 DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
923
924 if (pkt->u.bind.assoc_group_id != 0) {
925 assoc_gid = pkt->u.bind.assoc_group_id;
926 } else {
927 assoc_gid = 0x53f0;
928 }
929
930 /*
931 * Create the bind response struct.
932 */
933
934 /* If the requested abstract synt uuid doesn't match our client pipe,
935 reject the bind_ack & set the transfer interface synt to all 0's,
936 ver 0 (observed when NT5 attempts to bind to abstract interfaces
937 unknown to NT4)
938 Needed when adding entries to a DACL from NT5 - SK */
939
940 if (check_bind_req(p,
941 &pkt->u.bind.ctx_list[0].abstract_syntax,
942 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
943 pkt->u.bind.ctx_list[0].context_id)) {
944
945 bind_ack_ctx.result = 0;
946 bind_ack_ctx.reason = 0;
947 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
948 } else {
949 p->pipe_bound = False;
950 /* Rejection reason: abstract syntax not supported */
951 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
952 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
953 bind_ack_ctx.syntax = null_ndr_syntax_id;
954 }
955
956 /*
957 * Check if this is an authenticated bind request.
958 */
959 if (pkt->auth_length) {
960 /* Quick length check. Won't catch a bad auth footer,
961 * prevents overrun. */
962
963 if (pkt->frag_length < RPC_HEADER_LEN +
964 DCERPC_AUTH_TRAILER_LENGTH +
965 pkt->auth_length) {
966 DEBUG(0,("api_pipe_bind_req: auth_len (%u) "
967 "too long for fragment %u.\n",
968 (unsigned int)pkt->auth_length,
969 (unsigned int)pkt->frag_length));
970 goto err_exit;
971 }
972
973 /*
974 * Decode the authentication verifier.
975 */
976 status = dcerpc_pull_dcerpc_auth(pkt,
977 &pkt->u.bind.auth_info,
978 &auth_info, p->endian);
979 if (!NT_STATUS_IS_OK(status)) {
980 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
981 goto err_exit;
982 }
983
984 auth_type = auth_info.auth_type;
985
986 /* Work out if we have to sign or seal etc. */
987 switch (auth_info.auth_level) {
988 case DCERPC_AUTH_LEVEL_INTEGRITY:
989 p->auth.auth_level = DCERPC_AUTH_LEVEL_INTEGRITY;
990 break;
991 case DCERPC_AUTH_LEVEL_PRIVACY:
992 p->auth.auth_level = DCERPC_AUTH_LEVEL_PRIVACY;
993 break;
994 case DCERPC_AUTH_LEVEL_CONNECT:
995 p->auth.auth_level = DCERPC_AUTH_LEVEL_CONNECT;
996 break;
997 default:
998 DEBUG(0, ("Unexpected auth level (%u).\n",
999 (unsigned int)auth_info.auth_level ));
1000 goto err_exit;
1001 }
1002
1003 switch (auth_type) {
1004 case DCERPC_AUTH_TYPE_NTLMSSP:
1005 if (!pipe_ntlmssp_auth_bind(p, pkt,
1006 &auth_info, &auth_resp)) {
1007 goto err_exit;
1008 }
1009 assoc_gid = 0x7a77;
1010 break;
1011
1012 case DCERPC_AUTH_TYPE_SCHANNEL:
1013 if (!pipe_schannel_auth_bind(p, pkt,
1014 &auth_info, &auth_resp)) {
1015 goto err_exit;
1016 }
1017 break;
1018
1019 case DCERPC_AUTH_TYPE_SPNEGO:
1020 if (!pipe_spnego_auth_bind(p, pkt,
1021 &auth_info, &auth_resp)) {
1022 goto err_exit;
1023 }
1024 break;
1025
1026 case DCERPC_AUTH_TYPE_KRB5:
1027 if (!pipe_gssapi_auth_bind(p, pkt,
1028 &auth_info, &auth_resp)) {
1029 goto err_exit;
1030 }
1031 break;
1032
1033 case DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM:
1034 if (p->transport == NCALRPC && p->ncalrpc_as_system) {
1035 TALLOC_FREE(p->session_info);
1036
1037 status = make_session_info_system(p,
1038 &p->session_info);
1039 if (!NT_STATUS_IS_OK(status)) {
1040 goto err_exit;
1041 }
1042
1043 auth_resp = data_blob_talloc(pkt,
1044 "NCALRPC_AUTH_OK",
1045 15);
1046
1047 p->auth.auth_type = DCERPC_AUTH_TYPE_NCALRPC_AS_SYSTEM;
1048 p->pipe_bound = true;
1049 } else {
1050 goto err_exit;
1051 }
1052 break;
1053
1054 case DCERPC_AUTH_TYPE_NONE:
1055 break;
1056
1057 default:
1058 DEBUG(0, ("Unknown auth type %x requested.\n", auth_type));
1059 goto err_exit;
1060 }
1061 }
1062
1063 if (auth_type == DCERPC_AUTH_TYPE_NONE) {
1064 /* Unauthenticated bind request. */
1065 /* We're finished - no more packets. */
1066 p->auth.auth_type = DCERPC_AUTH_TYPE_NONE;
1067 /* We must set the pipe auth_level here also. */
1068 p->auth.auth_level = DCERPC_AUTH_LEVEL_NONE;
1069 p->pipe_bound = True;
1070 /* The session key was initialized from the SMB
1071 * session in make_internal_rpc_pipe_p */
1072 }
1073
1074 ZERO_STRUCT(u.bind_ack);
1075 u.bind_ack.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1076 u.bind_ack.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1077 u.bind_ack.assoc_group_id = assoc_gid;
1078
1079 /* name has to be \PIPE\xxxxx */
1080 u.bind_ack.secondary_address =
1081 talloc_asprintf(pkt, "\\PIPE\\%s",
1082 rpc_srv_get_pipe_srv_name(&id));
1083 if (!u.bind_ack.secondary_address) {
1084 DEBUG(0, ("Out of memory!\n"));
1085 goto err_exit;
1086 }
1087 u.bind_ack.secondary_address_size =
1088 strlen(u.bind_ack.secondary_address) + 1;
1089
1090 u.bind_ack.num_results = 1;
1091 u.bind_ack.ctx_list = &bind_ack_ctx;
1092
1093 /* NOTE: We leave the auth_info empty so we can calculate the padding
1094 * later and then append the auth_info --simo */
1095
1096 /*
1097 * Marshall directly into the outgoing PDU space. We
1098 * must do this as we need to set to the bind response
1099 * header and are never sending more than one PDU here.
1100 */
1101
1102 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1103 DCERPC_PKT_BIND_ACK,
1104 DCERPC_PFC_FLAG_FIRST |
1105 DCERPC_PFC_FLAG_LAST,
1106 auth_resp.length,
1107 pkt->call_id,
1108 &u,
1109 &p->out_data.frag);
1110 if (!NT_STATUS_IS_OK(status)) {
1111 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1112 nt_errstr(status)));
1113 }
1114
1115 if (auth_resp.length) {
1116
1117 status = dcerpc_push_dcerpc_auth(pkt,
1118 auth_type,
1119 auth_info.auth_level,
1120 0,
1121 1, /* auth_context_id */
1122 &auth_resp,
1123 &auth_blob);
1124 if (!NT_STATUS_IS_OK(status)) {
1125 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1126 goto err_exit;
1127 }
1128 }
1129
1130 /* Now that we have the auth len store it into the right place in
1131 * the dcerpc header */
1132 dcerpc_set_frag_length(&p->out_data.frag,
1133 p->out_data.frag.length + auth_blob.length);
1134
1135 if (auth_blob.length) {
1136
1137 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1138 auth_blob.data, auth_blob.length)) {
1139 DEBUG(0, ("Append of auth info failed.\n"));
1140 goto err_exit;
1141 }
1142 }
1143
1144 /*
1145 * Setup the lengths for the initial reply.
1146 */
1147
1148 p->out_data.data_sent_length = 0;
1149 p->out_data.current_pdu_sent = 0;
1150
1151 TALLOC_FREE(auth_blob.data);
1152 return True;
1153
1154 err_exit:
1155
1156 data_blob_free(&p->out_data.frag);
1157 TALLOC_FREE(auth_blob.data);
1158 return setup_bind_nak(p, pkt);
1159 }
1160
1161 /*******************************************************************
1162 This is the "stage3" response after a bind request and reply.
1163 *******************************************************************/
1164
1165 bool api_pipe_bind_auth3(struct pipes_struct *p, struct ncacn_packet *pkt)
1166 {
1167 struct dcerpc_auth auth_info;
1168 DATA_BLOB response = data_blob_null;
1169 struct auth_ntlmssp_state *ntlmssp_ctx;
1170 struct spnego_context *spnego_ctx;
1171 struct gse_context *gse_ctx;
1172 NTSTATUS status;
1173
1174 DEBUG(5, ("api_pipe_bind_auth3: decode request. %d\n", __LINE__));
1175
1176 if (pkt->auth_length == 0) {
1177 DEBUG(0, ("No auth field sent for bind request!\n"));
1178 goto err;
1179 }
1180
1181 /* Ensure there's enough data for an authenticated request. */
1182 if (pkt->frag_length < RPC_HEADER_LEN
1183 + DCERPC_AUTH_TRAILER_LENGTH
1184 + pkt->auth_length) {
1185 DEBUG(0,("api_pipe_ntlmssp_auth_process: auth_len "
1186 "%u is too large.\n",
1187 (unsigned int)pkt->auth_length));
1188 goto err;
1189 }
1190
1191 /*
1192 * Decode the authentication verifier response.
1193 */
1194
1195 status = dcerpc_pull_dcerpc_auth(pkt,
1196 &pkt->u.auth3.auth_info,
1197 &auth_info, p->endian);
1198 if (!NT_STATUS_IS_OK(status)) {
1199 DEBUG(0, ("Failed to unmarshall dcerpc_auth.\n"));
1200 goto err;
1201 }
1202
1203 /* We must NEVER look at auth_info->auth_pad_len here,
1204 * as old Samba client code gets it wrong and sends it
1205 * as zero. JRA.
1206 */
1207
1208 if (auth_info.auth_type != p->auth.auth_type) {
1209 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1210 "but auth was started as type %d!\n",
1211 auth_info.auth_type, p->auth.auth_type));
1212 goto err;
1213 }
1214
1215 switch (auth_info.auth_type) {
1216 case DCERPC_AUTH_TYPE_NTLMSSP:
1217 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1218 struct auth_ntlmssp_state);
1219 status = ntlmssp_server_step(ntlmssp_ctx,
1220 pkt, &auth_info.credentials,
1221 &response);
1222 break;
1223 case DCERPC_AUTH_TYPE_KRB5:
1224 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1225 struct gse_context);
1226 status = gssapi_server_step(gse_ctx,
1227 pkt, &auth_info.credentials,
1228 &response);
1229 break;
1230 case DCERPC_AUTH_TYPE_SPNEGO:
1231 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1232 struct spnego_context);
1233 status = spnego_server_step(spnego_ctx,
1234 pkt, &auth_info.credentials,
1235 &response);
1236 break;
1237 default:
1238 DEBUG(0, (__location__ ": incorrect auth type (%u).\n",
1239 (unsigned int)auth_info.auth_type));
1240 return false;
1241 }
1242
1243 if (NT_STATUS_EQUAL(status,
1244 NT_STATUS_MORE_PROCESSING_REQUIRED) ||
1245 response.length) {
1246 DEBUG(0, (__location__ ": This was supposed to be the final "
1247 "leg, but crypto machinery claims a response is "
1248 "needed, aborting auth!\n"));
1249 data_blob_free(&response);
1250 goto err;
1251 }
1252 if (!NT_STATUS_IS_OK(status)) {
1253 DEBUG(0, ("Auth failed (%s)\n", nt_errstr(status)));
1254 goto err;
1255 }
1256
1257 /* Now verify auth was indeed successful and extract server info */
1258 status = pipe_auth_verify_final(p);
1259 if (!NT_STATUS_IS_OK(status)) {
1260 DEBUG(0, ("Auth Verify failed (%s)\n", nt_errstr(status)));
1261 goto err;
1262 }
1263
1264 return true;
1265
1266 err:
1267
1268 TALLOC_FREE(p->auth.auth_ctx);
1269 return false;
1270 }
1271
1272 /****************************************************************************
1273 Deal with an alter context call. Can be third part of 3 leg auth request for
1274 SPNEGO calls.
1275 ****************************************************************************/
1276
1277 static bool api_pipe_alter_context(struct pipes_struct *p,
1278 struct ncacn_packet *pkt)
1279 {
1280 struct dcerpc_auth auth_info;
1281 uint16 assoc_gid;
1282 NTSTATUS status;
1283 union dcerpc_payload u;
1284 struct dcerpc_ack_ctx bind_ack_ctx;
1285 DATA_BLOB auth_resp = data_blob_null;
1286 DATA_BLOB auth_blob = data_blob_null;
1287 int pad_len = 0;
1288 struct auth_ntlmssp_state *ntlmssp_ctx;
1289 struct spnego_context *spnego_ctx;
1290 struct gse_context *gse_ctx;
1291
1292 DEBUG(5,("api_pipe_alter_context: make response. %d\n", __LINE__));
1293
1294 if (pkt->u.bind.assoc_group_id != 0) {
1295 assoc_gid = pkt->u.bind.assoc_group_id;
1296 } else {
1297 assoc_gid = 0x53f0;
1298 }
1299
1300 /*
1301 * Create the bind response struct.
1302 */
1303
1304 /* If the requested abstract synt uuid doesn't match our client pipe,
1305 reject the bind_ack & set the transfer interface synt to all 0's,
1306 ver 0 (observed when NT5 attempts to bind to abstract interfaces
1307 unknown to NT4)
1308 Needed when adding entries to a DACL from NT5 - SK */
1309
1310 if (check_bind_req(p,
1311 &pkt->u.bind.ctx_list[0].abstract_syntax,
1312 &pkt->u.bind.ctx_list[0].transfer_syntaxes[0],
1313 pkt->u.bind.ctx_list[0].context_id)) {
1314
1315 bind_ack_ctx.result = 0;
1316 bind_ack_ctx.reason = 0;
1317 bind_ack_ctx.syntax = pkt->u.bind.ctx_list[0].transfer_syntaxes[0];
1318 } else {
1319 p->pipe_bound = False;
1320 /* Rejection reason: abstract syntax not supported */
1321 bind_ack_ctx.result = DCERPC_BIND_PROVIDER_REJECT;
1322 bind_ack_ctx.reason = DCERPC_BIND_REASON_ASYNTAX;
1323 bind_ack_ctx.syntax = null_ndr_syntax_id;
1324 }
1325
1326 /*
1327 * Check if this is an authenticated alter context request.
1328 */
1329 if (pkt->auth_length) {
1330 /* Quick length check. Won't catch a bad auth footer,
1331 * prevents overrun. */
1332
1333 if (pkt->frag_length < RPC_HEADER_LEN +
1334 DCERPC_AUTH_TRAILER_LENGTH +
1335 pkt->auth_length) {
1336 DEBUG(0,("api_pipe_alter_context: auth_len (%u) "
1337 "too long for fragment %u.\n",
1338 (unsigned int)pkt->auth_length,
1339 (unsigned int)pkt->frag_length ));
1340 goto err_exit;
1341 }
1342
1343 status = dcerpc_pull_dcerpc_auth(pkt,
1344 &pkt->u.bind.auth_info,
1345 &auth_info, p->endian);
1346 if (!NT_STATUS_IS_OK(status)) {
1347 DEBUG(0, ("Unable to unmarshall dcerpc_auth.\n"));
1348 goto err_exit;
1349 }
1350
1351 /* We can only finish if the pipe is unbound for now */
1352 if (p->pipe_bound) {
1353 DEBUG(0, (__location__ ": Pipe already bound, "
1354 "Altering Context not yet supported!\n"));
1355 goto err_exit;
1356 }
1357
1358 if (auth_info.auth_type != p->auth.auth_type) {
1359 DEBUG(0, ("Auth type mismatch! Client sent %d, "
1360 "but auth was started as type %d!\n",
1361 auth_info.auth_type, p->auth.auth_type));
1362 goto err_exit;
1363 }
1364
1365
1366 switch (auth_info.auth_type) {
1367 case DCERPC_AUTH_TYPE_SPNEGO:
1368 spnego_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1369 struct spnego_context);
1370 status = spnego_server_step(spnego_ctx,
1371 pkt,
1372 &auth_info.credentials,
1373 &auth_resp);
1374 break;
1375
1376 case DCERPC_AUTH_TYPE_KRB5:
1377 gse_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1378 struct gse_context);
1379 status = gssapi_server_step(gse_ctx,
1380 pkt,
1381 &auth_info.credentials,
1382 &auth_resp);
1383 break;
1384 case DCERPC_AUTH_TYPE_NTLMSSP:
1385 ntlmssp_ctx = talloc_get_type_abort(p->auth.auth_ctx,
1386 struct auth_ntlmssp_state);
1387 status = ntlmssp_server_step(ntlmssp_ctx,
1388 pkt,
1389 &auth_info.credentials,
1390 &auth_resp);
1391 break;
1392
1393 default:
1394 DEBUG(3, (__location__ ": Usupported auth type (%d) "
1395 "in alter-context call\n",
1396 auth_info.auth_type));
1397 goto err_exit;
1398 }
1399
1400 if (NT_STATUS_IS_OK(status)) {
1401 /* third leg of auth, verify auth info */
1402 status = pipe_auth_verify_final(p);
1403 if (!NT_STATUS_IS_OK(status)) {
1404 DEBUG(0, ("Auth Verify failed (%s)\n",
1405 nt_errstr(status)));
1406 goto err_exit;
1407 }
1408 } else if (NT_STATUS_EQUAL(status,
1409 NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1410 DEBUG(10, ("More auth legs required.\n"));
1411 } else {
1412 DEBUG(0, ("Auth step returned an error (%s)\n",
1413 nt_errstr(status)));
1414 goto err_exit;
1415 }
1416 }
1417
1418 ZERO_STRUCT(u.alter_resp);
1419 u.alter_resp.max_xmit_frag = RPC_MAX_PDU_FRAG_LEN;
1420 u.alter_resp.max_recv_frag = RPC_MAX_PDU_FRAG_LEN;
1421 u.alter_resp.assoc_group_id = assoc_gid;
1422
1423 /* secondary address CAN be NULL
1424 * as the specs say it's ignored.
1425 * It MUST be NULL to have the spoolss working.
1426 */
1427 u.alter_resp.secondary_address = "";
1428 u.alter_resp.secondary_address_size = 1;
1429
1430 u.alter_resp.num_results = 1;
1431 u.alter_resp.ctx_list = &bind_ack_ctx;
1432
1433 /* NOTE: We leave the auth_info empty so we can calculate the padding
1434 * later and then append the auth_info --simo */
1435
1436 /*
1437 * Marshall directly into the outgoing PDU space. We
1438 * must do this as we need to set to the bind response
1439 * header and are never sending more than one PDU here.
1440 */
1441
1442 status = dcerpc_push_ncacn_packet(p->mem_ctx,
1443 DCERPC_PKT_ALTER_RESP,
1444 DCERPC_PFC_FLAG_FIRST |
1445 DCERPC_PFC_FLAG_LAST,
1446 auth_resp.length,
1447 pkt->call_id,
1448 &u,
1449 &p->out_data.frag);
1450 if (!NT_STATUS_IS_OK(status)) {
1451 DEBUG(0, ("Failed to marshall bind_ack packet. (%s)\n",
1452 nt_errstr(status)));
1453 }
1454
1455 if (auth_resp.length) {
1456
1457 /* Work out any padding needed before the auth footer. */
1458 pad_len = p->out_data.frag.length % SERVER_NDR_PADDING_SIZE;
1459 if (pad_len) {
1460 pad_len = SERVER_NDR_PADDING_SIZE - pad_len;
1461 DEBUG(10, ("auth pad_len = %u\n",
1462 (unsigned int)pad_len));
1463 }
1464
1465 status = dcerpc_push_dcerpc_auth(pkt,
1466 auth_info.auth_type,
1467 auth_info.auth_level,
1468 pad_len,
1469 1, /* auth_context_id */
1470 &auth_resp,
1471 &auth_blob);
1472 if (!NT_STATUS_IS_OK(status)) {
1473 DEBUG(0, ("Marshalling of dcerpc_auth failed.\n"));
1474 goto err_exit;
1475 }
1476 }
1477
1478 /* Now that we have the auth len store it into the right place in
1479 * the dcerpc header */
1480 dcerpc_set_frag_length(&p->out_data.frag,
1481 p->out_data.frag.length +
1482 pad_len + auth_blob.length);
1483
1484 if (auth_resp.length) {
1485 if (pad_len) {
1486 char pad[SERVER_NDR_PADDING_SIZE];
1487 memset(pad, '\0', SERVER_NDR_PADDING_SIZE);
1488 if (!data_blob_append(p->mem_ctx,
1489 &p->out_data.frag,
1490 pad, pad_len)) {
1491 DEBUG(0, ("api_pipe_bind_req: failed to add "
1492 "%u bytes of pad data.\n",
1493 (unsigned int)pad_len));
1494 goto err_exit;
1495 }
1496 }
1497
1498 if (!data_blob_append(p->mem_ctx, &p->out_data.frag,
1499 auth_blob.data, auth_blob.length)) {
1500 DEBUG(0, ("Append of auth info failed.\n"));
1501 goto err_exit;
1502 }
1503 }
1504
1505 /*
1506 * Setup the lengths for the initial reply.
1507 */
1508
1509 p->out_data.data_sent_length = 0;
1510 p->out_data.current_pdu_sent = 0;
1511
1512 TALLOC_FREE(auth_blob.data);
1513 return True;
1514
1515 err_exit:
1516
1517 data_blob_free(&p->out_data.frag);
1518 TALLOC_FREE(auth_blob.data);
1519 return setup_bind_nak(p, pkt);
1520 }
1521
1522 /****************************************************************************
1523 Find the set of RPC functions associated with this context_id
1524 ****************************************************************************/
1525
1526 static PIPE_RPC_FNS* find_pipe_fns_by_context( PIPE_RPC_FNS *list, uint32 context_id )
1527 {
1528 PIPE_RPC_FNS *fns = NULL;
1529
1530 if ( !list ) {
1531 DEBUG(0,("find_pipe_fns_by_context: ERROR! No context list for pipe!\n"));
1532 return NULL;
1533 }
1534
1535 for (fns=list; fns; fns=fns->next ) {
1536 if ( fns->context_id == context_id )
1537 return fns;
1538 }
1539 return NULL;
1540 }
1541
1542 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1543 const struct api_struct *api_rpc_cmds, int n_cmds);
1544
1545 /****************************************************************************
1546 Find the correct RPC function to call for this request.
1547 If the pipe is authenticated then become the correct UNIX user
1548 before doing the call.
1549 ****************************************************************************/
1550
1551 static bool api_pipe_request(struct pipes_struct *p,
1552 struct ncacn_packet *pkt)
1553 {
1554 bool ret = False;
1555 bool changed_user = False;
1556 PIPE_RPC_FNS *pipe_fns;
1557
1558 if (p->pipe_bound &&
1559 ((p->auth.auth_type == DCERPC_AUTH_TYPE_NTLMSSP) ||
1560 (p->auth.auth_type == DCERPC_AUTH_TYPE_KRB5) ||
1561 (p->auth.auth_type == DCERPC_AUTH_TYPE_SPNEGO))) {
1562 if(!become_authenticated_pipe_user(p)) {
1563 data_blob_free(&p->out_data.rdata);
1564 return False;
1565 }
1566 changed_user = True;
1567 }
1568
1569 DEBUG(5, ("Requested \\PIPE\\%s\n",
1570 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1571
1572 /* get the set of RPC functions for this context */
1573
1574 pipe_fns = find_pipe_fns_by_context(p->contexts,
1575 pkt->u.request.context_id);
1576
1577 if ( pipe_fns ) {
1578 TALLOC_CTX *frame = talloc_stackframe();
1579 ret = api_rpcTNP(p, pkt, pipe_fns->cmds, pipe_fns->n_cmds);
1580 TALLOC_FREE(frame);
1581 }
1582 else {
1583 DEBUG(0, ("No rpc function table associated with context "
1584 "[%d] on pipe [%s]\n",
1585 pkt->u.request.context_id,
1586 get_pipe_name_from_syntax(talloc_tos(),
1587 &p->syntax)));
1588 }
1589
1590 if (changed_user) {
1591 unbecome_authenticated_pipe_user();
1592 }
1593
1594 return ret;
1595 }
1596
1597 /*******************************************************************
1598 Calls the underlying RPC function for a named pipe.
1599 ********************************************************************/
1600
1601 static bool api_rpcTNP(struct pipes_struct *p, struct ncacn_packet *pkt,
1602 const struct api_struct *api_rpc_cmds, int n_cmds)
1603 {
1604 int fn_num;
1605 uint32_t offset1;
1606
1607 /* interpret the command */
1608 DEBUG(4,("api_rpcTNP: %s op 0x%x - ",
1609 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1610 pkt->u.request.opnum));
1611
1612 if (DEBUGLEVEL >= 50) {
1613 fstring name;
1614 slprintf(name, sizeof(name)-1, "in_%s",
1615 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1616 dump_pdu_region(name, pkt->u.request.opnum,
1617 &p->in_data.data, 0,
1618 p->in_data.data.length);
1619 }
1620
1621 for (fn_num = 0; fn_num < n_cmds; fn_num++) {
1622 if (api_rpc_cmds[fn_num].opnum == pkt->u.request.opnum &&
1623 api_rpc_cmds[fn_num].fn != NULL) {
1624 DEBUG(3, ("api_rpcTNP: rpc command: %s\n",
1625 api_rpc_cmds[fn_num].name));
1626 break;
1627 }
1628 }
1629
1630 if (fn_num == n_cmds) {
1631 /*
1632 * For an unknown RPC just return a fault PDU but
1633 * return True to allow RPC's on the pipe to continue
1634 * and not put the pipe into fault state. JRA.
1635 */
1636 DEBUG(4, ("unknown\n"));
1637 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1638 return True;
1639 }
1640
1641 offset1 = p->out_data.rdata.length;
1642
1643 DEBUG(6, ("api_rpc_cmds[%d].fn == %p\n",
1644 fn_num, api_rpc_cmds[fn_num].fn));
1645 /* do the actual command */
1646 if(!api_rpc_cmds[fn_num].fn(p)) {
1647 DEBUG(0,("api_rpcTNP: %s: %s failed.\n",
1648 get_pipe_name_from_syntax(talloc_tos(), &p->syntax),
1649 api_rpc_cmds[fn_num].name));
1650 data_blob_free(&p->out_data.rdata);
1651 return False;
1652 }
1653
1654 if (p->bad_handle_fault_state) {
1655 DEBUG(4,("api_rpcTNP: bad handle fault return.\n"));
1656 p->bad_handle_fault_state = False;
1657 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_CONTEXT_MISMATCH));
1658 return True;
1659 }
1660
1661 if (p->rng_fault_state) {
1662 DEBUG(4, ("api_rpcTNP: rng fault return\n"));
1663 p->rng_fault_state = False;
1664 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
1665 return True;
1666 }
1667
1668 if (DEBUGLEVEL >= 50) {
1669 fstring name;
1670 slprintf(name, sizeof(name)-1, "out_%s",
1671 get_pipe_name_from_syntax(talloc_tos(), &p->syntax));
1672 dump_pdu_region(name, pkt->u.request.opnum,
1673 &p->out_data.rdata, offset1,
1674 p->out_data.rdata.length);
1675 }
1676
1677 DEBUG(5,("api_rpcTNP: called %s successfully\n",
1678 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1679
1680 /* Check for buffer underflow in rpc parsing */
1681 if ((DEBUGLEVEL >= 10) &&
1682 (pkt->frag_length < p->in_data.data.length)) {
1683 DEBUG(10, ("api_rpcTNP: rpc input buffer underflow (parse error?)\n"));
1684 dump_data(10, p->in_data.data.data + pkt->frag_length,
1685 p->in_data.data.length - pkt->frag_length);
1686 }
1687
1688 return True;
1689 }
1690
1691 /****************************************************************************
1692 Initialise an outgoing packet.
1693 ****************************************************************************/
1694
1695 static bool pipe_init_outgoing_data(struct pipes_struct *p)
1696 {
1697 output_data *o_data = &p->out_data;
1698
1699 /* Reset the offset counters. */
1700 o_data->data_sent_length = 0;
1701 o_data->current_pdu_sent = 0;
1702
1703 data_blob_free(&o_data->frag);
1704
1705 /* Free any memory in the current return data buffer. */
1706 data_blob_free(&o_data->rdata);
1707
1708 return True;
1709 }
1710
1711 /****************************************************************************
1712 Sets the fault state on incoming packets.
1713 ****************************************************************************/
1714
1715 void set_incoming_fault(struct pipes_struct *p)
1716 {
1717 data_blob_free(&p->in_data.data);
1718 p->in_data.pdu_needed_len = 0;
1719 p->in_data.pdu.length = 0;
1720 p->fault_state = True;
1721 DEBUG(10, ("set_incoming_fault: Setting fault state on pipe %s\n",
1722 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1723 }
1724
1725 static NTSTATUS dcesrv_auth_request(struct pipe_auth_data *auth,
1726 struct ncacn_packet *pkt,
1727 DATA_BLOB *raw_pkt)
1728 {
1729 NTSTATUS status;
1730 size_t hdr_size = DCERPC_REQUEST_LENGTH;
1731 size_t pad_len;
1732
1733 DEBUG(10, ("Checking request auth.\n"));
1734
1735 if (pkt->pfc_flags & DCERPC_PFC_FLAG_OBJECT_UUID) {
1736 hdr_size += 16;
1737 }
1738
1739 /* in case of sealing this function will unseal the data in place */
1740 status = dcerpc_check_auth(auth, pkt,
1741 &pkt->u.request.stub_and_verifier,
1742 hdr_size, raw_pkt,
1743 &pad_len);
1744 if (!NT_STATUS_IS_OK(status)) {
1745 return status;
1746 }
1747
1748
1749 /* remove padding and auth trailer,
1750 * this way the caller will get just the data */
1751 if (pkt->auth_length) {
1752 size_t trail_len = pad_len
1753 + DCERPC_AUTH_TRAILER_LENGTH
1754 + pkt->auth_length;
1755 if (pkt->u.request.stub_and_verifier.length < trail_len) {
1756 return NT_STATUS_INFO_LENGTH_MISMATCH;
1757 }
1758 pkt->u.request.stub_and_verifier.length -= trail_len;
1759 }
1760
1761 return NT_STATUS_OK;
1762 }
1763
1764 /****************************************************************************
1765 Processes a request pdu. This will do auth processing if needed, and
1766 appends the data into the complete stream if the LAST flag is not set.
1767 ****************************************************************************/
1768
1769 static bool process_request_pdu(struct pipes_struct *p, struct ncacn_packet *pkt)
1770 {
1771 NTSTATUS status;
1772 DATA_BLOB data;
1773
1774 if (!p->pipe_bound) {
1775 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
1776 set_incoming_fault(p);
1777 return False;
1778 }
1779
1780 /* Store the opnum */
1781 p->opnum = pkt->u.request.opnum;
1782
1783 status = dcesrv_auth_request(&p->auth, pkt, &p->in_data.pdu);
1784 if (!NT_STATUS_IS_OK(status)) {
1785 DEBUG(0, ("Failed to check packet auth. (%s)\n",
1786 nt_errstr(status)));
1787 set_incoming_fault(p);
1788 return false;
1789 }
1790
1791 data = pkt->u.request.stub_and_verifier;
1792
1793 /*
1794 * Check the data length doesn't go over the 15Mb limit.
1795 * increased after observing a bug in the Windows NT 4.0 SP6a
1796 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
1797 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
1798 */
1799
1800 if (p->in_data.data.length + data.length > MAX_RPC_DATA_SIZE) {
1801 DEBUG(0, ("process_request_pdu: "
1802 "rpc data buffer too large (%u) + (%u)\n",
1803 (unsigned int)p->in_data.data.length,
1804 (unsigned int)data.length));
1805 set_incoming_fault(p);
1806 return False;
1807 }
1808
1809 /*
1810 * Append the data portion into the buffer and return.
1811 */
1812
1813 if (data.length) {
1814 if (!data_blob_append(p->mem_ctx, &p->in_data.data,
1815 data.data, data.length)) {
1816 DEBUG(0, ("Unable to append data size %u "
1817 "to parse buffer of size %u.\n",
1818 (unsigned int)data.length,
1819 (unsigned int)p->in_data.data.length));
1820 set_incoming_fault(p);
1821 return False;
1822 }
1823 }
1824
1825 if (pkt->pfc_flags & DCERPC_PFC_FLAG_LAST) {
1826 bool ret = False;
1827 /*
1828 * Ok - we finally have a complete RPC stream.
1829 * Call the rpc command to process it.
1830 */
1831
1832 /*
1833 * Process the complete data stream here.
1834 */
1835 if (pipe_init_outgoing_data(p)) {
1836 ret = api_pipe_request(p, pkt);
1837 }
1838
1839 return ret;
1840 }
1841
1842 return True;
1843 }
1844
1845 /****************************************************************************
1846 Processes a finished PDU stored in p->in_data.pdu.
1847 ****************************************************************************/
1848
1849 void process_complete_pdu(struct pipes_struct *p)
1850 {
1851 struct ncacn_packet *pkt = NULL;
1852 NTSTATUS status;
1853 bool reply = False;
1854
1855 if(p->fault_state) {
1856 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
1857 get_pipe_name_from_syntax(talloc_tos(), &p->syntax)));
1858 goto done;
1859 }
1860
1861 pkt = talloc(p->mem_ctx, struct ncacn_packet);
1862 if (!pkt) {
1863 DEBUG(0, ("Out of memory!\n"));
1864 goto done;
1865 }
1866
1867 /*
1868 * Ensure we're using the corrent endianness for both the
1869 * RPC header flags and the raw data we will be reading from.
1870 */
1871 if (dcerpc_get_endian_flag(&p->in_data.pdu) & DCERPC_DREP_LE) {
1872 p->endian = RPC_LITTLE_ENDIAN;
1873 } else {
1874 p->endian = RPC_BIG_ENDIAN;
1875 }
1876 DEBUG(10, ("PDU is in %s Endian format!\n", p->endian?"Big":"Little"));
1877
1878 status = dcerpc_pull_ncacn_packet(pkt, &p->in_data.pdu,
1879 pkt, p->endian);
1880 if (!NT_STATUS_IS_OK(status)) {
1881 DEBUG(0, ("Failed to unmarshal rpc packet: %s!\n",
1882 nt_errstr(status)));
1883 goto done;
1884 }
1885
1886 /* Store the call_id */
1887 p->call_id = pkt->call_id;
1888
1889 DEBUG(10, ("Processing packet type %d\n", (int)pkt->ptype));
1890
1891 switch (pkt->ptype) {
1892 case DCERPC_PKT_REQUEST:
1893 reply = process_request_pdu(p, pkt);
1894 break;
1895
1896 case DCERPC_PKT_PING: /* CL request - ignore... */
1897 DEBUG(0, ("process_complete_pdu: Error. "
1898 "Connectionless packet type %d received on "
1899 "pipe %s.\n", (int)pkt->ptype,
1900 get_pipe_name_from_syntax(talloc_tos(),
1901 &p->syntax)));
1902 break;
1903
1904 case DCERPC_PKT_RESPONSE: /* No responses here. */
1905 DEBUG(0, ("process_complete_pdu: Error. "
1906 "DCERPC_PKT_RESPONSE received from client "
1907 "on pipe %s.\n",
1908 get_pipe_name_from_syntax(talloc_tos(),
1909 &p->syntax)));
1910 break;
1911
1912 case DCERPC_PKT_FAULT:
1913 case DCERPC_PKT_WORKING:
1914 /* CL request - reply to a ping when a call in process. */
1915 case DCERPC_PKT_NOCALL:
1916 /* CL - server reply to a ping call. */
1917 case DCERPC_PKT_REJECT:
1918 case DCERPC_PKT_ACK:
1919 case DCERPC_PKT_CL_CANCEL:
1920 case DCERPC_PKT_FACK:
1921 case DCERPC_PKT_CANCEL_ACK:
1922 DEBUG(0, ("process_complete_pdu: Error. "
1923 "Connectionless packet type %u received on "
1924 "pipe %s.\n", (unsigned int)pkt->ptype,
1925 get_pipe_name_from_syntax(talloc_tos(),
1926 &p->syntax)));
1927 break;
1928
1929 case DCERPC_PKT_BIND:
1930 /*
1931 * We assume that a pipe bind is only in one pdu.
1932 */
1933 if (pipe_init_outgoing_data(p)) {
1934 reply = api_pipe_bind_req(p, pkt);
1935 }
1936 break;
1937
1938 case DCERPC_PKT_BIND_ACK:
1939 case DCERPC_PKT_BIND_NAK:
1940 DEBUG(0, ("process_complete_pdu: Error. "
1941 "DCERPC_PKT_BINDACK/DCERPC_PKT_BINDNACK "
1942 "packet type %u received on pipe %s.\n",
1943 (unsigned int)pkt->ptype,
1944 get_pipe_name_from_syntax(talloc_tos(),
1945 &p->syntax)));
1946 break;
1947
1948
1949 case DCERPC_PKT_ALTER:
1950 /*
1951 * We assume that a pipe bind is only in one pdu.
1952 */
1953 if (pipe_init_outgoing_data(p)) {
1954 reply = api_pipe_alter_context(p, pkt);
1955 }
1956 break;
1957
1958 case DCERPC_PKT_ALTER_RESP:
1959 DEBUG(0, ("process_complete_pdu: Error. "
1960 "DCERPC_PKT_ALTER_RESP on pipe %s: "
1961 "Should only be server -> client.\n",
1962 get_pipe_name_from_syntax(talloc_tos(),
1963 &p->syntax)));
1964 break;
1965
1966 case DCERPC_PKT_AUTH3:
1967 /*
1968 * The third packet in an auth exchange.
1969 */
1970 if (pipe_init_outgoing_data(p)) {
1971 reply = api_pipe_bind_auth3(p, pkt);
1972 }
1973 break;
1974
1975 case DCERPC_PKT_SHUTDOWN:
1976 DEBUG(0, ("process_complete_pdu: Error. "
1977 "DCERPC_PKT_SHUTDOWN on pipe %s: "
1978 "Should only be server -> client.\n",
1979 get_pipe_name_from_syntax(talloc_tos(),
1980 &p->syntax)));
1981 break;
1982
1983 case DCERPC_PKT_CO_CANCEL:
1984 /* For now just free all client data and continue
1985 * processing. */
1986 DEBUG(3,("process_complete_pdu: DCERPC_PKT_CO_CANCEL."
1987 " Abandoning rpc call.\n"));
1988 /* As we never do asynchronous RPC serving, we can
1989 * never cancel a call (as far as I know).
1990 * If we ever did we'd have to send a cancel_ack reply.
1991 * For now, just free all client data and continue
1992 * processing. */
1993 reply = True;
1994 break;
1995
1996 #if 0
1997 /* Enable this if we're doing async rpc. */
1998 /* We must check the outstanding callid matches. */
1999 if (pipe_init_outgoing_data(p)) {
2000 /* Send a cancel_ack PDU reply. */
2001 /* We should probably check the auth-verifier here. */
2002 reply = setup_cancel_ack_reply(p, pkt);
2003 }
2004 break;
2005 #endif
2006
2007 case DCERPC_PKT_ORPHANED:
2008 /* We should probably check the auth-verifier here.
2009 * For now just free all client data and continue
2010 * processing. */
2011 DEBUG(3, ("process_complete_pdu: DCERPC_PKT_ORPHANED."
2012 " Abandoning rpc call.\n"));
2013 reply = True;
2014 break;
2015
2016 default:
2017 DEBUG(0, ("process_complete_pdu: "
2018 "Unknown rpc type = %u received.\n",
2019 (unsigned int)pkt->ptype));
2020 break;
2021 }
2022
2023 done:
2024 if (!reply) {
2025 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on "
2026 "pipe %s\n", get_pipe_name_from_syntax(talloc_tos(),
2027 &p->syntax)));
2028 set_incoming_fault(p);
2029 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
2030 TALLOC_FREE(pkt);
2031 } else {
2032 /*
2033 * Reset the lengths. We're ready for a new pdu.
2034 */
2035 TALLOC_FREE(p->in_data.pdu.data);
2036 p->in_data.pdu_needed_len = 0;
2037 p->in_data.pdu.length = 0;
2038 }
2039
2040 TALLOC_FREE(pkt);
2041 }
2042
Samba GIT mirror