search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:NBT-WINSREPLICATION: test replication with names including scopes
[Samba/fernandojvsilva.git] / source3 / smbd / process.c
blob65bb25db5961d298fe5c95347a8e3c6eb3b28ea8
1 /*
2 Unix SMB/CIFS implementation.
3 process incoming packets - main loop
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Volker Lendecke 2005-2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23 #include "../librpc/gen_ndr/srv_dfs.h"
24 #include "../librpc/gen_ndr/srv_dssetup.h"
25 #include "../librpc/gen_ndr/srv_echo.h"
26 #include "../librpc/gen_ndr/srv_eventlog.h"
27 #include "../librpc/gen_ndr/srv_initshutdown.h"
28 #include "../librpc/gen_ndr/srv_lsa.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_ntsvcs.h"
31 #include "../librpc/gen_ndr/srv_samr.h"
32 #include "../librpc/gen_ndr/srv_spoolss.h"
33 #include "../librpc/gen_ndr/srv_srvsvc.h"
34 #include "../librpc/gen_ndr/srv_svcctl.h"
35 #include "../librpc/gen_ndr/srv_winreg.h"
36 #include "../librpc/gen_ndr/srv_wkssvc.h"
37
38 extern bool global_machine_password_needs_changing;
39
40 static void construct_reply_common(struct smb_request *req, const char *inbuf,
41 char *outbuf);
42
43 /* Accessor function for smb_read_error for smbd functions. */
44
45 /****************************************************************************
46 Send an smb to a fd.
47 ****************************************************************************/
48
49 bool srv_send_smb(int fd, char *buffer,
50 bool do_signing, uint32_t seqnum,
51 bool do_encrypt,
52 struct smb_perfcount_data *pcd)
53 {
54 size_t len = 0;
55 size_t nwritten=0;
56 ssize_t ret;
57 char *buf_out = buffer;
58
59 if (do_signing) {
60 /* Sign the outgoing packet if required. */
61 srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
62 }
63
64 if (do_encrypt) {
65 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
66 if (!NT_STATUS_IS_OK(status)) {
67 DEBUG(0, ("send_smb: SMB encryption failed "
68 "on outgoing packet! Error %s\n",
69 nt_errstr(status) ));
70 goto out;
71 }
72 }
73
74 len = smb_len(buf_out) + 4;
75
76 ret = write_data(fd,buf_out+nwritten,len - nwritten);
77 if (ret <= 0) {
78 DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
79 (int)len,(int)ret, strerror(errno) ));
80 srv_free_enc_buffer(buf_out);
81 goto out;
82 }
83
84 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
85 srv_free_enc_buffer(buf_out);
86 out:
87 SMB_PERFCOUNT_END(pcd);
88 return true;
89 }
90
91 /*******************************************************************
92 Setup the word count and byte count for a smb message.
93 ********************************************************************/
94
95 int srv_set_message(char *buf,
96 int num_words,
97 int num_bytes,
98 bool zero)
99 {
100 if (zero && (num_words || num_bytes)) {
101 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
102 }
103 SCVAL(buf,smb_wct,num_words);
104 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
105 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
106 return (smb_size + num_words*2 + num_bytes);
107 }
108
109 static bool valid_smb_header(const uint8_t *inbuf)
110 {
111 if (is_encrypted_packet(inbuf)) {
112 return true;
113 }
114 /*
115 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
116 * but it just looks weird to call strncmp for this one.
117 */
118 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
119 }
120
121 /* Socket functions for smbd packet processing. */
122
123 static bool valid_packet_size(size_t len)
124 {
125 /*
126 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
127 * of header. Don't print the error if this fits.... JRA.
128 */
129
130 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
131 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
132 (unsigned long)len));
133 return false;
134 }
135 return true;
136 }
137
138 static NTSTATUS read_packet_remainder(int fd, char *buffer,
139 unsigned int timeout, ssize_t len)
140 {
141 if (len <= 0) {
142 return NT_STATUS_OK;
143 }
144
145 return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
146 }
147
148 /****************************************************************************
149 Attempt a zerocopy writeX read. We know here that len > smb_size-4
150 ****************************************************************************/
151
152 /*
153 * Unfortunately, earlier versions of smbclient/libsmbclient
154 * don't send this "standard" writeX header. I've fixed this
155 * for 3.2 but we'll use the old method with earlier versions.
156 * Windows and CIFSFS at least use this standard size. Not
157 * sure about MacOSX.
158 */
159
160 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
161 (2*14) + /* word count (including bcc) */ \
162 1 /* pad byte */)
163
164 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
165 const char lenbuf[4],
166 int fd, char **buffer,
167 unsigned int timeout,
168 size_t *p_unread,
169 size_t *len_ret)
170 {
171 /* Size of a WRITEX call (+4 byte len). */
172 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
173 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
174 ssize_t toread;
175 NTSTATUS status;
176
177 memcpy(writeX_header, lenbuf, 4);
178
179 status = read_fd_with_timeout(
180 fd, writeX_header + 4,
181 STANDARD_WRITE_AND_X_HEADER_SIZE,
182 STANDARD_WRITE_AND_X_HEADER_SIZE,
183 timeout, NULL);
184
185 if (!NT_STATUS_IS_OK(status)) {
186 return status;
187 }
188
189 /*
190 * Ok - now try and see if this is a possible
191 * valid writeX call.
192 */
193
194 if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
195 /*
196 * If the data offset is beyond what
197 * we've read, drain the extra bytes.
198 */
199 uint16_t doff = SVAL(writeX_header,smb_vwv11);
200 ssize_t newlen;
201
202 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
203 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
204 if (drain_socket(smbd_server_fd(), drain) != drain) {
205 smb_panic("receive_smb_raw_talloc_partial_read:"
206 " failed to drain pending bytes");
207 }
208 } else {
209 doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
210 }
211
212 /* Spoof down the length and null out the bcc. */
213 set_message_bcc(writeX_header, 0);
214 newlen = smb_len(writeX_header);
215
216 /* Copy the header we've written. */
217
218 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
219 writeX_header,
220 sizeof(writeX_header));
221
222 if (*buffer == NULL) {
223 DEBUG(0, ("Could not allocate inbuf of length %d\n",
224 (int)sizeof(writeX_header)));
225 return NT_STATUS_NO_MEMORY;
226 }
227
228 /* Work out the remaining bytes. */
229 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
230 *len_ret = newlen + 4;
231 return NT_STATUS_OK;
232 }
233
234 if (!valid_packet_size(len)) {
235 return NT_STATUS_INVALID_PARAMETER;
236 }
237
238 /*
239 * Not a valid writeX call. Just do the standard
240 * talloc and return.
241 */
242
243 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
244
245 if (*buffer == NULL) {
246 DEBUG(0, ("Could not allocate inbuf of length %d\n",
247 (int)len+4));
248 return NT_STATUS_NO_MEMORY;
249 }
250
251 /* Copy in what we already read. */
252 memcpy(*buffer,
253 writeX_header,
254 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
255 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
256
257 if(toread > 0) {
258 status = read_packet_remainder(
259 fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
260 timeout, toread);
261
262 if (!NT_STATUS_IS_OK(status)) {
263 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
264 nt_errstr(status)));
265 return status;
266 }
267 }
268
269 *len_ret = len + 4;
270 return NT_STATUS_OK;
271 }
272
273 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
274 char **buffer, unsigned int timeout,
275 size_t *p_unread, size_t *plen)
276 {
277 char lenbuf[4];
278 size_t len;
279 int min_recv_size = lp_min_receive_file_size();
280 NTSTATUS status;
281
282 *p_unread = 0;
283
284 status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
285 if (!NT_STATUS_IS_OK(status)) {
286 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
287 return status;
288 }
289
290 if (CVAL(lenbuf,0) == 0 && min_recv_size &&
291 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
292 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
293 !srv_is_signing_active(smbd_server_conn)) {
294
295 return receive_smb_raw_talloc_partial_read(
296 mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
297 }
298
299 if (!valid_packet_size(len)) {
300 return NT_STATUS_INVALID_PARAMETER;
301 }
302
303 /*
304 * The +4 here can't wrap, we've checked the length above already.
305 */
306
307 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
308
309 if (*buffer == NULL) {
310 DEBUG(0, ("Could not allocate inbuf of length %d\n",
311 (int)len+4));
312 return NT_STATUS_NO_MEMORY;
313 }
314
315 memcpy(*buffer, lenbuf, sizeof(lenbuf));
316
317 status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
318 if (!NT_STATUS_IS_OK(status)) {
319 return status;
320 }
321
322 *plen = len + 4;
323 return NT_STATUS_OK;
324 }
325
326 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
327 char **buffer, unsigned int timeout,
328 size_t *p_unread, bool *p_encrypted,
329 size_t *p_len,
330 uint32_t *seqnum)
331 {
332 size_t len = 0;
333 NTSTATUS status;
334
335 *p_encrypted = false;
336
337 status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
338 p_unread, &len);
339 if (!NT_STATUS_IS_OK(status)) {
340 return status;
341 }
342
343 if (is_encrypted_packet((uint8_t *)*buffer)) {
344 status = srv_decrypt_buffer(*buffer);
345 if (!NT_STATUS_IS_OK(status)) {
346 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
347 "incoming packet! Error %s\n",
348 nt_errstr(status) ));
349 return status;
350 }
351 *p_encrypted = true;
352 }
353
354 /* Check the incoming SMB signature. */
355 if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
356 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
357 "incoming packet!\n"));
358 return NT_STATUS_INVALID_NETWORK_RESPONSE;
359 }
360
361 *p_len = len;
362 return NT_STATUS_OK;
363 }
364
365 /*
366 * Initialize a struct smb_request from an inbuf
367 */
368
369 static void init_smb_request(struct smb_request *req, const uint8 *inbuf,
370 size_t unread_bytes, bool encrypted,
371 uint32_t seqnum)
372 {
373 struct smbd_server_connection *sconn = smbd_server_conn;
374 size_t req_size = smb_len(inbuf) + 4;
375 /* Ensure we have at least smb_size bytes. */
376 if (req_size < smb_size) {
377 DEBUG(0,("init_smb_request: invalid request size %u\n",
378 (unsigned int)req_size ));
379 exit_server_cleanly("Invalid SMB request");
380 }
381 req->cmd = CVAL(inbuf, smb_com);
382 req->flags2 = SVAL(inbuf, smb_flg2);
383 req->smbpid = SVAL(inbuf, smb_pid);
384 req->mid = SVAL(inbuf, smb_mid);
385 req->seqnum = seqnum;
386 req->vuid = SVAL(inbuf, smb_uid);
387 req->tid = SVAL(inbuf, smb_tid);
388 req->wct = CVAL(inbuf, smb_wct);
389 req->vwv = (uint16_t *)(inbuf+smb_vwv);
390 req->buflen = smb_buflen(inbuf);
391 req->buf = (const uint8_t *)smb_buf(inbuf);
392 req->unread_bytes = unread_bytes;
393 req->encrypted = encrypted;
394 req->conn = conn_find(sconn,req->tid);
395 req->chain_fsp = NULL;
396 req->chain_outbuf = NULL;
397 req->done = false;
398 smb_init_perfcount_data(&req->pcd);
399
400 /* Ensure we have at least wct words and 2 bytes of bcc. */
401 if (smb_size + req->wct*2 > req_size) {
402 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
403 (unsigned int)req->wct,
404 (unsigned int)req_size));
405 exit_server_cleanly("Invalid SMB request");
406 }
407 /* Ensure bcc is correct. */
408 if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
409 DEBUG(0,("init_smb_request: invalid bcc number %u "
410 "(wct = %u, size %u)\n",
411 (unsigned int)req->buflen,
412 (unsigned int)req->wct,
413 (unsigned int)req_size));
414 exit_server_cleanly("Invalid SMB request");
415 }
416
417 req->outbuf = NULL;
418 }
419
420 static void process_smb(struct smbd_server_connection *conn,
421 uint8_t *inbuf, size_t nread, size_t unread_bytes,
422 uint32_t seqnum, bool encrypted,
423 struct smb_perfcount_data *deferred_pcd);
424
425 static void smbd_deferred_open_timer(struct event_context *ev,
426 struct timed_event *te,
427 struct timeval _tval,
428 void *private_data)
429 {
430 struct pending_message_list *msg = talloc_get_type(private_data,
431 struct pending_message_list);
432 TALLOC_CTX *mem_ctx = talloc_tos();
433 uint16_t mid = SVAL(msg->buf.data,smb_mid);
434 uint8_t *inbuf;
435
436 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
437 msg->buf.length);
438 if (inbuf == NULL) {
439 exit_server("smbd_deferred_open_timer: talloc failed\n");
440 return;
441 }
442
443 /* We leave this message on the queue so the open code can
444 know this is a retry. */
445 DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
446 (unsigned int)mid ));
447
448 /* Mark the message as processed so this is not
449 * re-processed in error. */
450 msg->processed = true;
451
452 process_smb(smbd_server_conn, inbuf,
453 msg->buf.length, 0,
454 msg->seqnum, msg->encrypted, &msg->pcd);
455
456 /* If it's still there and was processed, remove it. */
457 msg = get_open_deferred_message(mid);
458 if (msg && msg->processed) {
459 remove_deferred_open_smb_message(mid);
460 }
461 }
462
463 /****************************************************************************
464 Function to push a message onto the tail of a linked list of smb messages ready
465 for processing.
466 ****************************************************************************/
467
468 static bool push_queued_message(struct smb_request *req,
469 struct timeval request_time,
470 struct timeval end_time,
471 char *private_data, size_t private_len)
472 {
473 int msg_len = smb_len(req->inbuf) + 4;
474 struct pending_message_list *msg;
475
476 msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
477
478 if(msg == NULL) {
479 DEBUG(0,("push_message: malloc fail (1)\n"));
480 return False;
481 }
482
483 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
484 if(msg->buf.data == NULL) {
485 DEBUG(0,("push_message: malloc fail (2)\n"));
486 TALLOC_FREE(msg);
487 return False;
488 }
489
490 msg->request_time = request_time;
491 msg->seqnum = req->seqnum;
492 msg->encrypted = req->encrypted;
493 msg->processed = false;
494 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
495
496 if (private_data) {
497 msg->private_data = data_blob_talloc(msg, private_data,
498 private_len);
499 if (msg->private_data.data == NULL) {
500 DEBUG(0,("push_message: malloc fail (3)\n"));
501 TALLOC_FREE(msg);
502 return False;
503 }
504 }
505
506 msg->te = event_add_timed(smbd_event_context(),
507 msg,
508 end_time,
509 smbd_deferred_open_timer,
510 msg);
511 if (!msg->te) {
512 DEBUG(0,("push_message: event_add_timed failed\n"));
513 TALLOC_FREE(msg);
514 return false;
515 }
516
517 DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
518
519 DEBUG(10,("push_message: pushed message length %u on "
520 "deferred_open_queue\n", (unsigned int)msg_len));
521
522 return True;
523 }
524
525 /****************************************************************************
526 Function to delete a sharing violation open message by mid.
527 ****************************************************************************/
528
529 void remove_deferred_open_smb_message(uint16 mid)
530 {
531 struct pending_message_list *pml;
532
533 for (pml = deferred_open_queue; pml; pml = pml->next) {
534 if (mid == SVAL(pml->buf.data,smb_mid)) {
535 DEBUG(10,("remove_deferred_open_smb_message: "
536 "deleting mid %u len %u\n",
537 (unsigned int)mid,
538 (unsigned int)pml->buf.length ));
539 DLIST_REMOVE(deferred_open_queue, pml);
540 TALLOC_FREE(pml);
541 return;
542 }
543 }
544 }
545
546 /****************************************************************************
547 Move a sharing violation open retry message to the front of the list and
548 schedule it for immediate processing.
549 ****************************************************************************/
550
551 void schedule_deferred_open_smb_message(uint16 mid)
552 {
553 struct pending_message_list *pml;
554 int i = 0;
555
556 for (pml = deferred_open_queue; pml; pml = pml->next) {
557 uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
558
559 DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
560 (unsigned int)msg_mid ));
561
562 if (mid == msg_mid) {
563 struct timed_event *te;
564
565 if (pml->processed) {
566 /* A processed message should not be
567 * rescheduled. */
568 DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
569 "message mid %u was already processed\n",
570 msg_mid ));
571 continue;
572 }
573
574 DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
575 mid ));
576
577 te = event_add_timed(smbd_event_context(),
578 pml,
579 timeval_zero(),
580 smbd_deferred_open_timer,
581 pml);
582 if (!te) {
583 DEBUG(10,("schedule_deferred_open_smb_message: "
584 "event_add_timed() failed, skipping mid %u\n",
585 mid ));
586 }
587
588 TALLOC_FREE(pml->te);
589 pml->te = te;
590 DLIST_PROMOTE(deferred_open_queue, pml);
591 return;
592 }
593 }
594
595 DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
596 mid ));
597 }
598
599 /****************************************************************************
600 Return true if this mid is on the deferred queue and was not yet processed.
601 ****************************************************************************/
602
603 bool open_was_deferred(uint16 mid)
604 {
605 struct pending_message_list *pml;
606
607 for (pml = deferred_open_queue; pml; pml = pml->next) {
608 if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
609 return True;
610 }
611 }
612 return False;
613 }
614
615 /****************************************************************************
616 Return the message queued by this mid.
617 ****************************************************************************/
618
619 struct pending_message_list *get_open_deferred_message(uint16 mid)
620 {
621 struct pending_message_list *pml;
622
623 for (pml = deferred_open_queue; pml; pml = pml->next) {
624 if (SVAL(pml->buf.data,smb_mid) == mid) {
625 return pml;
626 }
627 }
628 return NULL;
629 }
630
631 /****************************************************************************
632 Function to push a deferred open smb message onto a linked list of local smb
633 messages ready for processing.
634 ****************************************************************************/
635
636 bool push_deferred_smb_message(struct smb_request *req,
637 struct timeval request_time,
638 struct timeval timeout,
639 char *private_data, size_t priv_len)
640 {
641 struct timeval end_time;
642
643 if (req->unread_bytes) {
644 DEBUG(0,("push_deferred_smb_message: logic error ! "
645 "unread_bytes = %u\n",
646 (unsigned int)req->unread_bytes ));
647 smb_panic("push_deferred_smb_message: "
648 "logic error unread_bytes != 0" );
649 }
650
651 end_time = timeval_sum(&request_time, &timeout);
652
653 DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
654 "timeout time [%u.%06u]\n",
655 (unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
656 (unsigned int)end_time.tv_sec,
657 (unsigned int)end_time.tv_usec));
658
659 return push_queued_message(req, request_time, end_time,
660 private_data, priv_len);
661 }
662
663 struct idle_event {
664 struct timed_event *te;
665 struct timeval interval;
666 char *name;
667 bool (*handler)(const struct timeval *now, void *private_data);
668 void *private_data;
669 };
670
671 static void smbd_idle_event_handler(struct event_context *ctx,
672 struct timed_event *te,
673 struct timeval now,
674 void *private_data)
675 {
676 struct idle_event *event =
677 talloc_get_type_abort(private_data, struct idle_event);
678
679 TALLOC_FREE(event->te);
680
681 DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
682 event->name, event->te));
683
684 if (!event->handler(&now, event->private_data)) {
685 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
686 event->name, event->te));
687 /* Don't repeat, delete ourselves */
688 TALLOC_FREE(event);
689 return;
690 }
691
692 DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
693 event->name, event->te));
694
695 event->te = event_add_timed(ctx, event,
696 timeval_sum(&now, &event->interval),
697 smbd_idle_event_handler, event);
698
699 /* We can't do much but fail here. */
700 SMB_ASSERT(event->te != NULL);
701 }
702
703 struct idle_event *event_add_idle(struct event_context *event_ctx,
704 TALLOC_CTX *mem_ctx,
705 struct timeval interval,
706 const char *name,
707 bool (*handler)(const struct timeval *now,
708 void *private_data),
709 void *private_data)
710 {
711 struct idle_event *result;
712 struct timeval now = timeval_current();
713
714 result = TALLOC_P(mem_ctx, struct idle_event);
715 if (result == NULL) {
716 DEBUG(0, ("talloc failed\n"));
717 return NULL;
718 }
719
720 result->interval = interval;
721 result->handler = handler;
722 result->private_data = private_data;
723
724 if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
725 DEBUG(0, ("talloc failed\n"));
726 TALLOC_FREE(result);
727 return NULL;
728 }
729
730 result->te = event_add_timed(event_ctx, result,
731 timeval_sum(&now, &interval),
732 smbd_idle_event_handler, result);
733 if (result->te == NULL) {
734 DEBUG(0, ("event_add_timed failed\n"));
735 TALLOC_FREE(result);
736 return NULL;
737 }
738
739 DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
740 return result;
741 }
742
743 static void smbd_sig_term_handler(struct tevent_context *ev,
744 struct tevent_signal *se,
745 int signum,
746 int count,
747 void *siginfo,
748 void *private_data)
749 {
750 exit_server_cleanly("termination signal");
751 }
752
753 void smbd_setup_sig_term_handler(void)
754 {
755 struct tevent_signal *se;
756
757 se = tevent_add_signal(smbd_event_context(),
758 smbd_event_context(),
759 SIGTERM, 0,
760 smbd_sig_term_handler,
761 NULL);
762 if (!se) {
763 exit_server("failed to setup SIGTERM handler");
764 }
765 }
766
767 static void smbd_sig_hup_handler(struct tevent_context *ev,
768 struct tevent_signal *se,
769 int signum,
770 int count,
771 void *siginfo,
772 void *private_data)
773 {
774 change_to_root_user();
775 DEBUG(1,("Reloading services after SIGHUP\n"));
776 reload_services(False);
777 }
778
779 void smbd_setup_sig_hup_handler(void)
780 {
781 struct tevent_signal *se;
782
783 se = tevent_add_signal(smbd_event_context(),
784 smbd_event_context(),
785 SIGHUP, 0,
786 smbd_sig_hup_handler,
787 NULL);
788 if (!se) {
789 exit_server("failed to setup SIGHUP handler");
790 }
791 }
792
793 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
794 {
795 fd_set r_fds, w_fds;
796 int selrtn;
797 struct timeval to;
798 int maxfd = 0;
799
800 to.tv_sec = SMBD_SELECT_TIMEOUT;
801 to.tv_usec = 0;
802
803 /*
804 * Setup the select fd sets.
805 */
806
807 FD_ZERO(&r_fds);
808 FD_ZERO(&w_fds);
809
810 /*
811 * Are there any timed events waiting ? If so, ensure we don't
812 * select for longer than it would take to wait for them.
813 */
814
815 {
816 struct timeval now;
817 GetTimeOfDay(&now);
818
819 event_add_to_select_args(smbd_event_context(), &now,
820 &r_fds, &w_fds, &to, &maxfd);
821 }
822
823 /* Process a signal and timed events now... */
824 if (run_events(smbd_event_context(), 0, NULL, NULL)) {
825 return NT_STATUS_RETRY;
826 }
827
828 {
829 int sav;
830 START_PROFILE(smbd_idle);
831
832 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
833 sav = errno;
834
835 END_PROFILE(smbd_idle);
836 errno = sav;
837 }
838
839 if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
840 return NT_STATUS_RETRY;
841 }
842
843 /* Check if error */
844 if (selrtn == -1) {
845 /* something is wrong. Maybe the socket is dead? */
846 return map_nt_error_from_unix(errno);
847 }
848
849 /* Did we timeout ? */
850 if (selrtn == 0) {
851 return NT_STATUS_RETRY;
852 }
853
854 /* should not be reached */
855 return NT_STATUS_INTERNAL_ERROR;
856 }
857
858 /*
859 * Only allow 5 outstanding trans requests. We're allocating memory, so
860 * prevent a DoS.
861 */
862
863 NTSTATUS allow_new_trans(struct trans_state *list, int mid)
864 {
865 int count = 0;
866 for (; list != NULL; list = list->next) {
867
868 if (list->mid == mid) {
869 return NT_STATUS_INVALID_PARAMETER;
870 }
871
872 count += 1;
873 }
874 if (count > 5) {
875 return NT_STATUS_INSUFFICIENT_RESOURCES;
876 }
877
878 return NT_STATUS_OK;
879 }
880
881 /*
882 These flags determine some of the permissions required to do an operation
883
884 Note that I don't set NEED_WRITE on some write operations because they
885 are used by some brain-dead clients when printing, and I don't want to
886 force write permissions on print services.
887 */
888 #define AS_USER (1<<0)
889 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
890 #define TIME_INIT (1<<2)
891 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
892 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
893 #define DO_CHDIR (1<<6)
894
895 /*
896 define a list of possible SMB messages and their corresponding
897 functions. Any message that has a NULL function is unimplemented -
898 please feel free to contribute implementations!
899 */
900 static const struct smb_message_struct {
901 const char *name;
902 void (*fn)(struct smb_request *req);
903 int flags;
904 } smb_messages[256] = {
905
906 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
907 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
908 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
909 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
910 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
911 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
912 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
913 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
914 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
915 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
916 /* 0x0a */ { "SMBread",reply_read,AS_USER},
917 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
918 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
919 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
920 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
921 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
922 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
923 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
924 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
925 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
926 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
927 /* 0x15 */ { NULL, NULL, 0 },
928 /* 0x16 */ { NULL, NULL, 0 },
929 /* 0x17 */ { NULL, NULL, 0 },
930 /* 0x18 */ { NULL, NULL, 0 },
931 /* 0x19 */ { NULL, NULL, 0 },
932 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
933 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
934 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
935 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
936 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
937 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
938 /* 0x20 */ { "SMBwritec", NULL,0},
939 /* 0x21 */ { NULL, NULL, 0 },
940 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
941 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
942 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
943 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
944 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
945 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
946 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
947 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
948 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
949 /* 0x2b */ { "SMBecho",reply_echo,0},
950 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
951 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
952 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
953 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
954 /* 0x30 */ { NULL, NULL, 0 },
955 /* 0x31 */ { NULL, NULL, 0 },
956 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
957 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
958 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
959 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
960 /* 0x36 */ { NULL, NULL, 0 },
961 /* 0x37 */ { NULL, NULL, 0 },
962 /* 0x38 */ { NULL, NULL, 0 },
963 /* 0x39 */ { NULL, NULL, 0 },
964 /* 0x3a */ { NULL, NULL, 0 },
965 /* 0x3b */ { NULL, NULL, 0 },
966 /* 0x3c */ { NULL, NULL, 0 },
967 /* 0x3d */ { NULL, NULL, 0 },
968 /* 0x3e */ { NULL, NULL, 0 },
969 /* 0x3f */ { NULL, NULL, 0 },
970 /* 0x40 */ { NULL, NULL, 0 },
971 /* 0x41 */ { NULL, NULL, 0 },
972 /* 0x42 */ { NULL, NULL, 0 },
973 /* 0x43 */ { NULL, NULL, 0 },
974 /* 0x44 */ { NULL, NULL, 0 },
975 /* 0x45 */ { NULL, NULL, 0 },
976 /* 0x46 */ { NULL, NULL, 0 },
977 /* 0x47 */ { NULL, NULL, 0 },
978 /* 0x48 */ { NULL, NULL, 0 },
979 /* 0x49 */ { NULL, NULL, 0 },
980 /* 0x4a */ { NULL, NULL, 0 },
981 /* 0x4b */ { NULL, NULL, 0 },
982 /* 0x4c */ { NULL, NULL, 0 },
983 /* 0x4d */ { NULL, NULL, 0 },
984 /* 0x4e */ { NULL, NULL, 0 },
985 /* 0x4f */ { NULL, NULL, 0 },
986 /* 0x50 */ { NULL, NULL, 0 },
987 /* 0x51 */ { NULL, NULL, 0 },
988 /* 0x52 */ { NULL, NULL, 0 },
989 /* 0x53 */ { NULL, NULL, 0 },
990 /* 0x54 */ { NULL, NULL, 0 },
991 /* 0x55 */ { NULL, NULL, 0 },
992 /* 0x56 */ { NULL, NULL, 0 },
993 /* 0x57 */ { NULL, NULL, 0 },
994 /* 0x58 */ { NULL, NULL, 0 },
995 /* 0x59 */ { NULL, NULL, 0 },
996 /* 0x5a */ { NULL, NULL, 0 },
997 /* 0x5b */ { NULL, NULL, 0 },
998 /* 0x5c */ { NULL, NULL, 0 },
999 /* 0x5d */ { NULL, NULL, 0 },
1000 /* 0x5e */ { NULL, NULL, 0 },
1001 /* 0x5f */ { NULL, NULL, 0 },
1002 /* 0x60 */ { NULL, NULL, 0 },
1003 /* 0x61 */ { NULL, NULL, 0 },
1004 /* 0x62 */ { NULL, NULL, 0 },
1005 /* 0x63 */ { NULL, NULL, 0 },
1006 /* 0x64 */ { NULL, NULL, 0 },
1007 /* 0x65 */ { NULL, NULL, 0 },
1008 /* 0x66 */ { NULL, NULL, 0 },
1009 /* 0x67 */ { NULL, NULL, 0 },
1010 /* 0x68 */ { NULL, NULL, 0 },
1011 /* 0x69 */ { NULL, NULL, 0 },
1012 /* 0x6a */ { NULL, NULL, 0 },
1013 /* 0x6b */ { NULL, NULL, 0 },
1014 /* 0x6c */ { NULL, NULL, 0 },
1015 /* 0x6d */ { NULL, NULL, 0 },
1016 /* 0x6e */ { NULL, NULL, 0 },
1017 /* 0x6f */ { NULL, NULL, 0 },
1018 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1019 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1020 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1021 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1022 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1023 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1024 /* 0x76 */ { NULL, NULL, 0 },
1025 /* 0x77 */ { NULL, NULL, 0 },
1026 /* 0x78 */ { NULL, NULL, 0 },
1027 /* 0x79 */ { NULL, NULL, 0 },
1028 /* 0x7a */ { NULL, NULL, 0 },
1029 /* 0x7b */ { NULL, NULL, 0 },
1030 /* 0x7c */ { NULL, NULL, 0 },
1031 /* 0x7d */ { NULL, NULL, 0 },
1032 /* 0x7e */ { NULL, NULL, 0 },
1033 /* 0x7f */ { NULL, NULL, 0 },
1034 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1035 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1036 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1037 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1038 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1039 /* 0x85 */ { NULL, NULL, 0 },
1040 /* 0x86 */ { NULL, NULL, 0 },
1041 /* 0x87 */ { NULL, NULL, 0 },
1042 /* 0x88 */ { NULL, NULL, 0 },
1043 /* 0x89 */ { NULL, NULL, 0 },
1044 /* 0x8a */ { NULL, NULL, 0 },
1045 /* 0x8b */ { NULL, NULL, 0 },
1046 /* 0x8c */ { NULL, NULL, 0 },
1047 /* 0x8d */ { NULL, NULL, 0 },
1048 /* 0x8e */ { NULL, NULL, 0 },
1049 /* 0x8f */ { NULL, NULL, 0 },
1050 /* 0x90 */ { NULL, NULL, 0 },
1051 /* 0x91 */ { NULL, NULL, 0 },
1052 /* 0x92 */ { NULL, NULL, 0 },
1053 /* 0x93 */ { NULL, NULL, 0 },
1054 /* 0x94 */ { NULL, NULL, 0 },
1055 /* 0x95 */ { NULL, NULL, 0 },
1056 /* 0x96 */ { NULL, NULL, 0 },
1057 /* 0x97 */ { NULL, NULL, 0 },
1058 /* 0x98 */ { NULL, NULL, 0 },
1059 /* 0x99 */ { NULL, NULL, 0 },
1060 /* 0x9a */ { NULL, NULL, 0 },
1061 /* 0x9b */ { NULL, NULL, 0 },
1062 /* 0x9c */ { NULL, NULL, 0 },
1063 /* 0x9d */ { NULL, NULL, 0 },
1064 /* 0x9e */ { NULL, NULL, 0 },
1065 /* 0x9f */ { NULL, NULL, 0 },
1066 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1067 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1068 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1069 /* 0xa3 */ { NULL, NULL, 0 },
1070 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1071 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1072 /* 0xa6 */ { NULL, NULL, 0 },
1073 /* 0xa7 */ { NULL, NULL, 0 },
1074 /* 0xa8 */ { NULL, NULL, 0 },
1075 /* 0xa9 */ { NULL, NULL, 0 },
1076 /* 0xaa */ { NULL, NULL, 0 },
1077 /* 0xab */ { NULL, NULL, 0 },
1078 /* 0xac */ { NULL, NULL, 0 },
1079 /* 0xad */ { NULL, NULL, 0 },
1080 /* 0xae */ { NULL, NULL, 0 },
1081 /* 0xaf */ { NULL, NULL, 0 },
1082 /* 0xb0 */ { NULL, NULL, 0 },
1083 /* 0xb1 */ { NULL, NULL, 0 },
1084 /* 0xb2 */ { NULL, NULL, 0 },
1085 /* 0xb3 */ { NULL, NULL, 0 },
1086 /* 0xb4 */ { NULL, NULL, 0 },
1087 /* 0xb5 */ { NULL, NULL, 0 },
1088 /* 0xb6 */ { NULL, NULL, 0 },
1089 /* 0xb7 */ { NULL, NULL, 0 },
1090 /* 0xb8 */ { NULL, NULL, 0 },
1091 /* 0xb9 */ { NULL, NULL, 0 },
1092 /* 0xba */ { NULL, NULL, 0 },
1093 /* 0xbb */ { NULL, NULL, 0 },
1094 /* 0xbc */ { NULL, NULL, 0 },
1095 /* 0xbd */ { NULL, NULL, 0 },
1096 /* 0xbe */ { NULL, NULL, 0 },
1097 /* 0xbf */ { NULL, NULL, 0 },
1098 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1099 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1100 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1101 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1102 /* 0xc4 */ { NULL, NULL, 0 },
1103 /* 0xc5 */ { NULL, NULL, 0 },
1104 /* 0xc6 */ { NULL, NULL, 0 },
1105 /* 0xc7 */ { NULL, NULL, 0 },
1106 /* 0xc8 */ { NULL, NULL, 0 },
1107 /* 0xc9 */ { NULL, NULL, 0 },
1108 /* 0xca */ { NULL, NULL, 0 },
1109 /* 0xcb */ { NULL, NULL, 0 },
1110 /* 0xcc */ { NULL, NULL, 0 },
1111 /* 0xcd */ { NULL, NULL, 0 },
1112 /* 0xce */ { NULL, NULL, 0 },
1113 /* 0xcf */ { NULL, NULL, 0 },
1114 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1115 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1116 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1117 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1118 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1119 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1120 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1121 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1122 /* 0xd8 */ { NULL, NULL, 0 },
1123 /* 0xd9 */ { NULL, NULL, 0 },
1124 /* 0xda */ { NULL, NULL, 0 },
1125 /* 0xdb */ { NULL, NULL, 0 },
1126 /* 0xdc */ { NULL, NULL, 0 },
1127 /* 0xdd */ { NULL, NULL, 0 },
1128 /* 0xde */ { NULL, NULL, 0 },
1129 /* 0xdf */ { NULL, NULL, 0 },
1130 /* 0xe0 */ { NULL, NULL, 0 },
1131 /* 0xe1 */ { NULL, NULL, 0 },
1132 /* 0xe2 */ { NULL, NULL, 0 },
1133 /* 0xe3 */ { NULL, NULL, 0 },
1134 /* 0xe4 */ { NULL, NULL, 0 },
1135 /* 0xe5 */ { NULL, NULL, 0 },
1136 /* 0xe6 */ { NULL, NULL, 0 },
1137 /* 0xe7 */ { NULL, NULL, 0 },
1138 /* 0xe8 */ { NULL, NULL, 0 },
1139 /* 0xe9 */ { NULL, NULL, 0 },
1140 /* 0xea */ { NULL, NULL, 0 },
1141 /* 0xeb */ { NULL, NULL, 0 },
1142 /* 0xec */ { NULL, NULL, 0 },
1143 /* 0xed */ { NULL, NULL, 0 },
1144 /* 0xee */ { NULL, NULL, 0 },
1145 /* 0xef */ { NULL, NULL, 0 },
1146 /* 0xf0 */ { NULL, NULL, 0 },
1147 /* 0xf1 */ { NULL, NULL, 0 },
1148 /* 0xf2 */ { NULL, NULL, 0 },
1149 /* 0xf3 */ { NULL, NULL, 0 },
1150 /* 0xf4 */ { NULL, NULL, 0 },
1151 /* 0xf5 */ { NULL, NULL, 0 },
1152 /* 0xf6 */ { NULL, NULL, 0 },
1153 /* 0xf7 */ { NULL, NULL, 0 },
1154 /* 0xf8 */ { NULL, NULL, 0 },
1155 /* 0xf9 */ { NULL, NULL, 0 },
1156 /* 0xfa */ { NULL, NULL, 0 },
1157 /* 0xfb */ { NULL, NULL, 0 },
1158 /* 0xfc */ { NULL, NULL, 0 },
1159 /* 0xfd */ { NULL, NULL, 0 },
1160 /* 0xfe */ { NULL, NULL, 0 },
1161 /* 0xff */ { NULL, NULL, 0 }
1162
1163 };
1164
1165 /*******************************************************************
1166 allocate and initialize a reply packet
1167 ********************************************************************/
1168
1169 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1170 const char *inbuf, char **outbuf, uint8_t num_words,
1171 uint32_t num_bytes)
1172 {
1173 /*
1174 * Protect against integer wrap
1175 */
1176 if ((num_bytes > 0xffffff)
1177 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1178 char *msg;
1179 if (asprintf(&msg, "num_bytes too large: %u",
1180 (unsigned)num_bytes) == -1) {
1181 msg = CONST_DISCARD(char *, "num_bytes too large");
1182 }
1183 smb_panic(msg);
1184 }
1185
1186 *outbuf = TALLOC_ARRAY(mem_ctx, char,
1187 smb_size + num_words*2 + num_bytes);
1188 if (*outbuf == NULL) {
1189 return false;
1190 }
1191
1192 construct_reply_common(req, inbuf, *outbuf);
1193 srv_set_message(*outbuf, num_words, num_bytes, false);
1194 /*
1195 * Zero out the word area, the caller has to take care of the bcc area
1196 * himself
1197 */
1198 if (num_words != 0) {
1199 memset(*outbuf + smb_vwv0, 0, num_words*2);
1200 }
1201
1202 return true;
1203 }
1204
1205 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1206 {
1207 char *outbuf;
1208 if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1209 num_bytes)) {
1210 smb_panic("could not allocate output buffer\n");
1211 }
1212 req->outbuf = (uint8_t *)outbuf;
1213 }
1214
1215
1216 /*******************************************************************
1217 Dump a packet to a file.
1218 ********************************************************************/
1219
1220 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1221 {
1222 int fd, i;
1223 char *fname = NULL;
1224 if (DEBUGLEVEL < 50) {
1225 return;
1226 }
1227
1228 if (len < 4) len = smb_len(data)+4;
1229 for (i=1;i<100;i++) {
1230 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1231 type ? "req" : "resp") == -1) {
1232 return;
1233 }
1234 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1235 if (fd != -1 || errno != EEXIST) break;
1236 }
1237 if (fd != -1) {
1238 ssize_t ret = write(fd, data, len);
1239 if (ret != len)
1240 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1241 close(fd);
1242 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1243 }
1244 SAFE_FREE(fname);
1245 }
1246
1247 /****************************************************************************
1248 Prepare everything for calling the actual request function, and potentially
1249 call the request function via the "new" interface.
1250
1251 Return False if the "legacy" function needs to be called, everything is
1252 prepared.
1253
1254 Return True if we're done.
1255
1256 I know this API sucks, but it is the one with the least code change I could
1257 find.
1258 ****************************************************************************/
1259
1260 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1261 {
1262 int flags;
1263 uint16 session_tag;
1264 connection_struct *conn = NULL;
1265 struct smbd_server_connection *sconn = smbd_server_conn;
1266
1267 errno = 0;
1268
1269 /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1270 * so subtract 4 from it. */
1271 if (!valid_smb_header(req->inbuf)
1272 || (size < (smb_size - 4))) {
1273 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1274 smb_len(req->inbuf)));
1275 exit_server_cleanly("Non-SMB packet");
1276 }
1277
1278 if (smb_messages[type].fn == NULL) {
1279 DEBUG(0,("Unknown message type %d!\n",type));
1280 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1281 reply_unknown_new(req, type);
1282 return NULL;
1283 }
1284
1285 flags = smb_messages[type].flags;
1286
1287 /* In share mode security we must ignore the vuid. */
1288 session_tag = (lp_security() == SEC_SHARE)
1289 ? UID_FIELD_INVALID : req->vuid;
1290 conn = req->conn;
1291
1292 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1293 (int)sys_getpid(), (unsigned long)conn));
1294
1295 smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1296
1297 /* Ensure this value is replaced in the incoming packet. */
1298 SSVAL(req->inbuf,smb_uid,session_tag);
1299
1300 /*
1301 * Ensure the correct username is in current_user_info. This is a
1302 * really ugly bugfix for problems with multiple session_setup_and_X's
1303 * being done and allowing %U and %G substitutions to work correctly.
1304 * There is a reason this code is done here, don't move it unless you
1305 * know what you're doing... :-).
1306 * JRA.
1307 */
1308
1309 if (session_tag != sconn->smb1.sessions.last_session_tag) {
1310 user_struct *vuser = NULL;
1311
1312 sconn->smb1.sessions.last_session_tag = session_tag;
1313 if(session_tag != UID_FIELD_INVALID) {
1314 vuser = get_valid_user_struct(sconn, session_tag);
1315 if (vuser) {
1316 set_current_user_info(
1317 vuser->server_info->sanitized_username,
1318 vuser->server_info->unix_name,
1319 pdb_get_domain(vuser->server_info
1320 ->sam_account));
1321 }
1322 }
1323 }
1324
1325 /* Does this call need to be run as the connected user? */
1326 if (flags & AS_USER) {
1327
1328 /* Does this call need a valid tree connection? */
1329 if (!conn) {
1330 /*
1331 * Amazingly, the error code depends on the command
1332 * (from Samba4).
1333 */
1334 if (type == SMBntcreateX) {
1335 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1336 } else {
1337 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1338 }
1339 return NULL;
1340 }
1341
1342 if (!change_to_user(conn,session_tag)) {
1343 DEBUG(0, ("Error: Could not change to user. Removing "
1344 "deferred open, mid=%d.\n", req->mid));
1345 reply_force_doserror(req, ERRSRV, ERRbaduid);
1346 return conn;
1347 }
1348
1349 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1350
1351 /* Does it need write permission? */
1352 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1353 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1354 return conn;
1355 }
1356
1357 /* IPC services are limited */
1358 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1359 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1360 return conn;
1361 }
1362 } else {
1363 /* This call needs to be run as root */
1364 change_to_root_user();
1365 }
1366
1367 /* load service specific parameters */
1368 if (conn) {
1369 if (req->encrypted) {
1370 conn->encrypted_tid = true;
1371 /* encrypted required from now on. */
1372 conn->encrypt_level = Required;
1373 } else if (ENCRYPTION_REQUIRED(conn)) {
1374 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1375 exit_server_cleanly("encryption required "
1376 "on connection");
1377 return conn;
1378 }
1379 }
1380
1381 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1382 (flags & (AS_USER|DO_CHDIR)
1383 ?True:False))) {
1384 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1385 return conn;
1386 }
1387 conn->num_smb_operations++;
1388 }
1389
1390 /* does this protocol need to be run as guest? */
1391 if ((flags & AS_GUEST)
1392 && (!change_to_guest() ||
1393 !check_access(smbd_server_fd(), lp_hostsallow(-1),
1394 lp_hostsdeny(-1)))) {
1395 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1396 return conn;
1397 }
1398
1399 smb_messages[type].fn(req);
1400 return req->conn;
1401 }
1402
1403 /****************************************************************************
1404 Construct a reply to the incoming packet.
1405 ****************************************************************************/
1406
1407 static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1408 uint32_t seqnum, bool encrypted,
1409 struct smb_perfcount_data *deferred_pcd)
1410 {
1411 connection_struct *conn;
1412 struct smb_request *req;
1413
1414 if (!(req = talloc(talloc_tos(), struct smb_request))) {
1415 smb_panic("could not allocate smb_request");
1416 }
1417
1418 init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted, seqnum);
1419 req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1420
1421 /* we popped this message off the queue - keep original perf data */
1422 if (deferred_pcd)
1423 req->pcd = *deferred_pcd;
1424 else {
1425 SMB_PERFCOUNT_START(&req->pcd);
1426 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1427 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1428 }
1429
1430 conn = switch_message(req->cmd, req, size);
1431
1432 if (req->unread_bytes) {
1433 /* writeX failed. drain socket. */
1434 if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1435 req->unread_bytes) {
1436 smb_panic("failed to drain pending bytes");
1437 }
1438 req->unread_bytes = 0;
1439 }
1440
1441 if (req->done) {
1442 TALLOC_FREE(req);
1443 return;
1444 }
1445
1446 if (req->outbuf == NULL) {
1447 return;
1448 }
1449
1450 if (CVAL(req->outbuf,0) == 0) {
1451 show_msg((char *)req->outbuf);
1452 }
1453
1454 if (!srv_send_smb(smbd_server_fd(),
1455 (char *)req->outbuf,
1456 true, req->seqnum+1,
1457 IS_CONN_ENCRYPTED(conn)||req->encrypted,
1458 &req->pcd)) {
1459 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1460 }
1461
1462 TALLOC_FREE(req);
1463
1464 return;
1465 }
1466
1467 /****************************************************************************
1468 Process an smb from the client
1469 ****************************************************************************/
1470 static void process_smb(struct smbd_server_connection *conn,
1471 uint8_t *inbuf, size_t nread, size_t unread_bytes,
1472 uint32_t seqnum, bool encrypted,
1473 struct smb_perfcount_data *deferred_pcd)
1474 {
1475 int msg_type = CVAL(inbuf,0);
1476
1477 DO_PROFILE_INC(smb_count);
1478
1479 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1480 smb_len(inbuf) ) );
1481 DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1482 (int)nread,
1483 (unsigned int)unread_bytes ));
1484
1485 if (msg_type != 0) {
1486 /*
1487 * NetBIOS session request, keepalive, etc.
1488 */
1489 reply_special((char *)inbuf);
1490 goto done;
1491 }
1492
1493 if (smbd_server_conn->allow_smb2) {
1494 if (smbd_is_smb2_header(inbuf, nread)) {
1495 smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1496 return;
1497 }
1498 smbd_server_conn->allow_smb2 = false;
1499 }
1500
1501 show_msg((char *)inbuf);
1502
1503 construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1504 trans_num++;
1505
1506 done:
1507 conn->smb1.num_requests++;
1508
1509 /* The timeout_processing function isn't run nearly
1510 often enough to implement 'max log size' without
1511 overrunning the size of the file by many megabytes.
1512 This is especially true if we are running at debug
1513 level 10. Checking every 50 SMBs is a nice
1514 tradeoff of performance vs log file size overrun. */
1515
1516 if ((conn->smb1.num_requests % 50) == 0 &&
1517 need_to_check_log_size()) {
1518 change_to_root_user();
1519 check_log_size();
1520 }
1521 }
1522
1523 /****************************************************************************
1524 Return a string containing the function name of a SMB command.
1525 ****************************************************************************/
1526
1527 const char *smb_fn_name(int type)
1528 {
1529 const char *unknown_name = "SMBunknown";
1530
1531 if (smb_messages[type].name == NULL)
1532 return(unknown_name);
1533
1534 return(smb_messages[type].name);
1535 }
1536
1537 /****************************************************************************
1538 Helper functions for contruct_reply.
1539 ****************************************************************************/
1540
1541 void add_to_common_flags2(uint32 v)
1542 {
1543 common_flags2 |= v;
1544 }
1545
1546 void remove_from_common_flags2(uint32 v)
1547 {
1548 common_flags2 &= ~v;
1549 }
1550
1551 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1552 char *outbuf)
1553 {
1554 srv_set_message(outbuf,0,0,false);
1555
1556 SCVAL(outbuf, smb_com, req->cmd);
1557 SIVAL(outbuf,smb_rcls,0);
1558 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1559 SSVAL(outbuf,smb_flg2,
1560 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1561 common_flags2);
1562 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1563
1564 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1565 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1566 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1567 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1568 }
1569
1570 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1571 {
1572 construct_reply_common(req, (char *)req->inbuf, outbuf);
1573 }
1574
1575 /*
1576 * How many bytes have we already accumulated up to the current wct field
1577 * offset?
1578 */
1579
1580 size_t req_wct_ofs(struct smb_request *req)
1581 {
1582 size_t buf_size;
1583
1584 if (req->chain_outbuf == NULL) {
1585 return smb_wct - 4;
1586 }
1587 buf_size = talloc_get_size(req->chain_outbuf);
1588 if ((buf_size % 4) != 0) {
1589 buf_size += (4 - (buf_size % 4));
1590 }
1591 return buf_size - 4;
1592 }
1593
1594 /*
1595 * Hack around reply_nterror & friends not being aware of chained requests,
1596 * generating illegal (i.e. wct==0) chain replies.
1597 */
1598
1599 static void fixup_chain_error_packet(struct smb_request *req)
1600 {
1601 uint8_t *outbuf = req->outbuf;
1602 req->outbuf = NULL;
1603 reply_outbuf(req, 2, 0);
1604 memcpy(req->outbuf, outbuf, smb_wct);
1605 TALLOC_FREE(outbuf);
1606 SCVAL(req->outbuf, smb_vwv0, 0xff);
1607 }
1608
1609 /**
1610 * @brief Find the smb_cmd offset of the last command pushed
1611 * @param[in] buf The buffer we're building up
1612 * @retval Where can we put our next andx cmd?
1613 *
1614 * While chaining requests, the "next" request we're looking at needs to put
1615 * its SMB_Command before the data the previous request already built up added
1616 * to the chain. Find the offset to the place where we have to put our cmd.
1617 */
1618
1619 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1620 {
1621 uint8_t cmd;
1622 size_t ofs;
1623
1624 cmd = CVAL(buf, smb_com);
1625
1626 SMB_ASSERT(is_andx_req(cmd));
1627
1628 ofs = smb_vwv0;
1629
1630 while (CVAL(buf, ofs) != 0xff) {
1631
1632 if (!is_andx_req(CVAL(buf, ofs))) {
1633 return false;
1634 }
1635
1636 /*
1637 * ofs is from start of smb header, so add the 4 length
1638 * bytes. The next cmd is right after the wct field.
1639 */
1640 ofs = SVAL(buf, ofs+2) + 4 + 1;
1641
1642 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1643 }
1644
1645 *pofs = ofs;
1646 return true;
1647 }
1648
1649 /**
1650 * @brief Do the smb chaining at a buffer level
1651 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1652 * @param[in] smb_command The command that we want to issue
1653 * @param[in] wct How many words?
1654 * @param[in] vwv The words, already in network order
1655 * @param[in] bytes_alignment How shall we align "bytes"?
1656 * @param[in] num_bytes How many bytes?
1657 * @param[in] bytes The data the request ships
1658 *
1659 * smb_splice_chain() adds the vwv and bytes to the request already present in
1660 * *poutbuf.
1661 */
1662
1663 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1664 uint8_t wct, const uint16_t *vwv,
1665 size_t bytes_alignment,
1666 uint32_t num_bytes, const uint8_t *bytes)
1667 {
1668 uint8_t *outbuf;
1669 size_t old_size, new_size;
1670 size_t ofs;
1671 size_t chain_padding = 0;
1672 size_t bytes_padding = 0;
1673 bool first_request;
1674
1675 old_size = talloc_get_size(*poutbuf);
1676
1677 /*
1678 * old_size == smb_wct means we're pushing the first request in for
1679 * libsmb/
1680 */
1681
1682 first_request = (old_size == smb_wct);
1683
1684 if (!first_request && ((old_size % 4) != 0)) {
1685 /*
1686 * Align the wct field of subsequent requests to a 4-byte
1687 * boundary
1688 */
1689 chain_padding = 4 - (old_size % 4);
1690 }
1691
1692 /*
1693 * After the old request comes the new wct field (1 byte), the vwv's
1694 * and the num_bytes field. After at we might need to align the bytes
1695 * given to us to "bytes_alignment", increasing the num_bytes value.
1696 */
1697
1698 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1699
1700 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1701 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1702 }
1703
1704 new_size += bytes_padding + num_bytes;
1705
1706 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1707 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1708 (unsigned)new_size));
1709 return false;
1710 }
1711
1712 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1713 if (outbuf == NULL) {
1714 DEBUG(0, ("talloc failed\n"));
1715 return false;
1716 }
1717 *poutbuf = outbuf;
1718
1719 if (first_request) {
1720 SCVAL(outbuf, smb_com, smb_command);
1721 } else {
1722 size_t andx_cmd_ofs;
1723
1724 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1725 DEBUG(1, ("invalid command chain\n"));
1726 *poutbuf = TALLOC_REALLOC_ARRAY(
1727 NULL, *poutbuf, uint8_t, old_size);
1728 return false;
1729 }
1730
1731 if (chain_padding != 0) {
1732 memset(outbuf + old_size, 0, chain_padding);
1733 old_size += chain_padding;
1734 }
1735
1736 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1737 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1738 }
1739
1740 ofs = old_size;
1741
1742 /*
1743 * Push the chained request:
1744 *
1745 * wct field
1746 */
1747
1748 SCVAL(outbuf, ofs, wct);
1749 ofs += 1;
1750
1751 /*
1752 * vwv array
1753 */
1754
1755 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1756 ofs += sizeof(uint16_t) * wct;
1757
1758 /*
1759 * bcc (byte count)
1760 */
1761
1762 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1763 ofs += sizeof(uint16_t);
1764
1765 /*
1766 * padding
1767 */
1768
1769 if (bytes_padding != 0) {
1770 memset(outbuf + ofs, 0, bytes_padding);
1771 ofs += bytes_padding;
1772 }
1773
1774 /*
1775 * The bytes field
1776 */
1777
1778 memcpy(outbuf + ofs, bytes, num_bytes);
1779
1780 return true;
1781 }
1782
1783 /****************************************************************************
1784 Construct a chained reply and add it to the already made reply
1785 ****************************************************************************/
1786
1787 void chain_reply(struct smb_request *req)
1788 {
1789 size_t smblen = smb_len(req->inbuf);
1790 size_t already_used, length_needed;
1791 uint8_t chain_cmd;
1792 uint32_t chain_offset; /* uint32_t to avoid overflow */
1793
1794 uint8_t wct;
1795 uint16_t *vwv;
1796 uint16_t buflen;
1797 uint8_t *buf;
1798
1799 if (IVAL(req->outbuf, smb_rcls) != 0) {
1800 fixup_chain_error_packet(req);
1801 }
1802
1803 /*
1804 * Any of the AndX requests and replies have at least a wct of
1805 * 2. vwv[0] is the next command, vwv[1] is the offset from the
1806 * beginning of the SMB header to the next wct field.
1807 *
1808 * None of the AndX requests put anything valuable in vwv[0] and [1],
1809 * so we can overwrite it here to form the chain.
1810 */
1811
1812 if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1813 goto error;
1814 }
1815
1816 /*
1817 * Here we assume that this is the end of the chain. For that we need
1818 * to set "next command" to 0xff and the offset to 0. If we later find
1819 * more commands in the chain, this will be overwritten again.
1820 */
1821
1822 SCVAL(req->outbuf, smb_vwv0, 0xff);
1823 SCVAL(req->outbuf, smb_vwv0+1, 0);
1824 SSVAL(req->outbuf, smb_vwv1, 0);
1825
1826 if (req->chain_outbuf == NULL) {
1827 /*
1828 * In req->chain_outbuf we collect all the replies. Start the
1829 * chain by copying in the first reply.
1830 *
1831 * We do the realloc because later on we depend on
1832 * talloc_get_size to determine the length of
1833 * chain_outbuf. The reply_xxx routines might have
1834 * over-allocated (reply_pipe_read_and_X used to be such an
1835 * example).
1836 */
1837 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1838 req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1839 if (req->chain_outbuf == NULL) {
1840 goto error;
1841 }
1842 req->outbuf = NULL;
1843 } else {
1844 /*
1845 * Update smb headers where subsequent chained commands
1846 * may have updated them.
1847 */
1848 SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
1849 SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
1850
1851 if (!smb_splice_chain(&req->chain_outbuf,
1852 CVAL(req->outbuf, smb_com),
1853 CVAL(req->outbuf, smb_wct),
1854 (uint16_t *)(req->outbuf + smb_vwv),
1855 0, smb_buflen(req->outbuf),
1856 (uint8_t *)smb_buf(req->outbuf))) {
1857 goto error;
1858 }
1859 TALLOC_FREE(req->outbuf);
1860 }
1861
1862 /*
1863 * We use the old request's vwv field to grab the next chained command
1864 * and offset into the chained fields.
1865 */
1866
1867 chain_cmd = CVAL(req->vwv+0, 0);
1868 chain_offset = SVAL(req->vwv+1, 0);
1869
1870 if (chain_cmd == 0xff) {
1871 /*
1872 * End of chain, no more requests from the client. So ship the
1873 * replies.
1874 */
1875 smb_setlen((char *)(req->chain_outbuf),
1876 talloc_get_size(req->chain_outbuf) - 4);
1877
1878 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1879 true, req->seqnum+1,
1880 IS_CONN_ENCRYPTED(req->conn)
1881 ||req->encrypted,
1882 &req->pcd)) {
1883 exit_server_cleanly("chain_reply: srv_send_smb "
1884 "failed.");
1885 }
1886 TALLOC_FREE(req->chain_outbuf);
1887 req->done = true;
1888 return;
1889 }
1890
1891 /* add a new perfcounter for this element of chain */
1892 SMB_PERFCOUNT_ADD(&req->pcd);
1893 SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1894 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1895
1896 /*
1897 * Check if the client tries to fool us. The request so far uses the
1898 * space to the end of the byte buffer in the request just
1899 * processed. The chain_offset can't point into that area. If that was
1900 * the case, we could end up with an endless processing of the chain,
1901 * we would always handle the same request.
1902 */
1903
1904 already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
1905 if (chain_offset < already_used) {
1906 goto error;
1907 }
1908
1909 /*
1910 * Next check: Make sure the chain offset does not point beyond the
1911 * overall smb request length.
1912 */
1913
1914 length_needed = chain_offset+1; /* wct */
1915 if (length_needed > smblen) {
1916 goto error;
1917 }
1918
1919 /*
1920 * Now comes the pointer magic. Goal here is to set up req->vwv and
1921 * req->buf correctly again to be able to call the subsequent
1922 * switch_message(). The chain offset (the former vwv[1]) points at
1923 * the new wct field.
1924 */
1925
1926 wct = CVAL(smb_base(req->inbuf), chain_offset);
1927
1928 /*
1929 * Next consistency check: Make the new vwv array fits in the overall
1930 * smb request.
1931 */
1932
1933 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
1934 if (length_needed > smblen) {
1935 goto error;
1936 }
1937 vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1938
1939 /*
1940 * Now grab the new byte buffer....
1941 */
1942
1943 buflen = SVAL(vwv+wct, 0);
1944
1945 /*
1946 * .. and check that it fits.
1947 */
1948
1949 length_needed += buflen;
1950 if (length_needed > smblen) {
1951 goto error;
1952 }
1953 buf = (uint8_t *)(vwv+wct+1);
1954
1955 req->cmd = chain_cmd;
1956 req->wct = wct;
1957 req->vwv = vwv;
1958 req->buflen = buflen;
1959 req->buf = buf;
1960
1961 switch_message(chain_cmd, req, smblen);
1962
1963 if (req->outbuf == NULL) {
1964 /*
1965 * This happens if the chained command has suspended itself or
1966 * if it has called srv_send_smb() itself.
1967 */
1968 return;
1969 }
1970
1971 /*
1972 * We end up here if the chained command was not itself chained or
1973 * suspended, but for example a close() command. We now need to splice
1974 * the chained commands' outbuf into the already built up chain_outbuf
1975 * and ship the result.
1976 */
1977 goto done;
1978
1979 error:
1980 /*
1981 * We end up here if there's any error in the chain syntax. Report a
1982 * DOS error, just like Windows does.
1983 */
1984 reply_force_doserror(req, ERRSRV, ERRerror);
1985 fixup_chain_error_packet(req);
1986
1987 done:
1988 /*
1989 * This scary statement intends to set the
1990 * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
1991 * to the value req->outbuf carries
1992 */
1993 SSVAL(req->chain_outbuf, smb_flg2,
1994 (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1995 | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1996
1997 /*
1998 * Transfer the error codes from the subrequest to the main one
1999 */
2000 SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2001 SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2002
2003 if (!smb_splice_chain(&req->chain_outbuf,
2004 CVAL(req->outbuf, smb_com),
2005 CVAL(req->outbuf, smb_wct),
2006 (uint16_t *)(req->outbuf + smb_vwv),
2007 0, smb_buflen(req->outbuf),
2008 (uint8_t *)smb_buf(req->outbuf))) {
2009 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2010 }
2011 TALLOC_FREE(req->outbuf);
2012
2013 smb_setlen((char *)(req->chain_outbuf),
2014 talloc_get_size(req->chain_outbuf) - 4);
2015
2016 show_msg((char *)(req->chain_outbuf));
2017
2018 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2019 true, req->seqnum+1,
2020 IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2021 &req->pcd)) {
2022 exit_server_cleanly("construct_reply: srv_send_smb failed.");
2023 }
2024 TALLOC_FREE(req->chain_outbuf);
2025 req->done = true;
2026 }
2027
2028 /****************************************************************************
2029 Check if services need reloading.
2030 ****************************************************************************/
2031
2032 void check_reload(time_t t)
2033 {
2034 time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2035
2036 if(last_smb_conf_reload_time == 0) {
2037 last_smb_conf_reload_time = t;
2038 /* Our printing subsystem might not be ready at smbd start up.
2039 Then no printer is available till the first printers check
2040 is performed. A lower initial interval circumvents this. */
2041 if ( printcap_cache_time > 60 )
2042 last_printer_reload_time = t - printcap_cache_time + 60;
2043 else
2044 last_printer_reload_time = t;
2045 }
2046
2047 if (mypid != getpid()) { /* First time or fork happened meanwhile */
2048 /* randomize over 60 second the printcap reload to avoid all
2049 * process hitting cupsd at the same time */
2050 int time_range = 60;
2051
2052 last_printer_reload_time += random() % time_range;
2053 mypid = getpid();
2054 }
2055
2056 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2057 reload_services(True);
2058 last_smb_conf_reload_time = t;
2059 }
2060
2061 /* 'printcap cache time = 0' disable the feature */
2062
2063 if ( printcap_cache_time != 0 )
2064 {
2065 /* see if it's time to reload or if the clock has been set back */
2066
2067 if ( (t >= last_printer_reload_time+printcap_cache_time)
2068 || (t-last_printer_reload_time < 0) )
2069 {
2070 DEBUG( 3,( "Printcap cache time expired.\n"));
2071 reload_printers();
2072 last_printer_reload_time = t;
2073 }
2074 }
2075 }
2076
2077 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2078 {
2079 /* TODO: make write nonblocking */
2080 }
2081
2082 static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
2083 {
2084 uint8_t *inbuf = NULL;
2085 size_t inbuf_len = 0;
2086 size_t unread_bytes = 0;
2087 bool encrypted = false;
2088 TALLOC_CTX *mem_ctx = talloc_tos();
2089 NTSTATUS status;
2090 uint32_t seqnum;
2091
2092 /* TODO: make this completely nonblocking */
2093
2094 status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
2095 (char **)(void *)&inbuf,
2096 0, /* timeout */
2097 &unread_bytes,
2098 &encrypted,
2099 &inbuf_len, &seqnum);
2100 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2101 goto process;
2102 }
2103 if (NT_STATUS_IS_ERR(status)) {
2104 exit_server_cleanly("failed to receive smb request");
2105 }
2106 if (!NT_STATUS_IS_OK(status)) {
2107 return;
2108 }
2109
2110 process:
2111 process_smb(conn, inbuf, inbuf_len, unread_bytes,
2112 seqnum, encrypted, NULL);
2113 }
2114
2115 static void smbd_server_connection_handler(struct event_context *ev,
2116 struct fd_event *fde,
2117 uint16_t flags,
2118 void *private_data)
2119 {
2120 struct smbd_server_connection *conn = talloc_get_type(private_data,
2121 struct smbd_server_connection);
2122
2123 if (flags & EVENT_FD_WRITE) {
2124 smbd_server_connection_write_handler(conn);
2125 } else if (flags & EVENT_FD_READ) {
2126 smbd_server_connection_read_handler(conn);
2127 }
2128 }
2129
2130
2131 /****************************************************************************
2132 received when we should release a specific IP
2133 ****************************************************************************/
2134 static void release_ip(const char *ip, void *priv)
2135 {
2136 char addr[INET6_ADDRSTRLEN];
2137 char *p = addr;
2138
2139 client_socket_addr(get_client_fd(),addr,sizeof(addr));
2140
2141 if (strncmp("::ffff:", addr, 7) == 0) {
2142 p = addr + 7;
2143 }
2144
2145 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2146 /* we can't afford to do a clean exit - that involves
2147 database writes, which would potentially mean we
2148 are still running after the failover has finished -
2149 we have to get rid of this process ID straight
2150 away */
2151 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2152 ip));
2153 /* note we must exit with non-zero status so the unclean handler gets
2154 called in the parent, so that the brl database is tickled */
2155 _exit(1);
2156 }
2157 }
2158
2159 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2160 uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2161 {
2162 release_ip((char *)data->data, NULL);
2163 }
2164
2165 #ifdef CLUSTER_SUPPORT
2166 static int client_get_tcp_info(struct sockaddr_storage *server,
2167 struct sockaddr_storage *client)
2168 {
2169 socklen_t length;
2170 if (server_fd == -1) {
2171 return -1;
2172 }
2173 length = sizeof(*server);
2174 if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2175 return -1;
2176 }
2177 length = sizeof(*client);
2178 if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2179 return -1;
2180 }
2181 return 0;
2182 }
2183 #endif
2184
2185 /*
2186 * Send keepalive packets to our client
2187 */
2188 static bool keepalive_fn(const struct timeval *now, void *private_data)
2189 {
2190 if (!send_keepalive(smbd_server_fd())) {
2191 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2192 return False;
2193 }
2194 return True;
2195 }
2196
2197 /*
2198 * Do the recurring check if we're idle
2199 */
2200 static bool deadtime_fn(const struct timeval *now, void *private_data)
2201 {
2202 struct smbd_server_connection *sconn = smbd_server_conn;
2203 if ((conn_num_open(sconn) == 0)
2204 || (conn_idle_all(sconn, now->tv_sec))) {
2205 DEBUG( 2, ( "Closing idle connection\n" ) );
2206 messaging_send(smbd_messaging_context(), procid_self(),
2207 MSG_SHUTDOWN, &data_blob_null);
2208 return False;
2209 }
2210
2211 return True;
2212 }
2213
2214 /*
2215 * Do the recurring log file and smb.conf reload checks.
2216 */
2217
2218 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2219 {
2220 change_to_root_user();
2221
2222 /* update printer queue caches if necessary */
2223 update_monitored_printq_cache();
2224
2225 /* check if we need to reload services */
2226 check_reload(time(NULL));
2227
2228 /* Change machine password if neccessary. */
2229 attempt_machine_password_change();
2230
2231 /*
2232 * Force a log file check.
2233 */
2234 force_check_log_size();
2235 check_log_size();
2236 return true;
2237 }
2238
2239 /****************************************************************************
2240 Process commands from the client
2241 ****************************************************************************/
2242
2243 void smbd_process(void)
2244 {
2245 TALLOC_CTX *frame = talloc_stackframe();
2246 char remaddr[INET6_ADDRSTRLEN];
2247
2248 if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2249 lp_security() != SEC_SHARE) {
2250 smbd_server_conn->allow_smb2 = true;
2251 }
2252
2253 /* Ensure child is set to blocking mode */
2254 set_blocking(smbd_server_fd(),True);
2255
2256 set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2257 set_socket_options(smbd_server_fd(), lp_socket_options());
2258
2259 /* this is needed so that we get decent entries
2260 in smbstatus for port 445 connects */
2261 set_remote_machine_name(get_peer_addr(smbd_server_fd(),
2262 remaddr,
2263 sizeof(remaddr)),
2264 false);
2265 reload_services(true);
2266
2267 /*
2268 * Before the first packet, check the global hosts allow/ hosts deny
2269 * parameters before doing any parsing of packets passed to us by the
2270 * client. This prevents attacks on our parsing code from hosts not in
2271 * the hosts allow list.
2272 */
2273
2274 if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2275 lp_hostsdeny(-1))) {
2276 char addr[INET6_ADDRSTRLEN];
2277
2278 /*
2279 * send a negative session response "not listening on calling
2280 * name"
2281 */
2282 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2283 DEBUG( 1, ("Connection denied from %s\n",
2284 client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2285 (void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2286 0, false, NULL);
2287 exit_server_cleanly("connection denied");
2288 }
2289
2290 static_init_rpc;
2291
2292 init_modules();
2293
2294 smb_perfcount_init();
2295
2296 if (!init_account_policy()) {
2297 exit_server("Could not open account policy tdb.\n");
2298 }
2299
2300 if (*lp_rootdir()) {
2301 if (chroot(lp_rootdir()) != 0) {
2302 DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2303 exit_server("Failed to chroot()");
2304 }
2305 if (chdir("/") == -1) {
2306 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2307 exit_server("Failed to chroot()");
2308 }
2309 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2310 }
2311
2312 if (!srv_init_signing(smbd_server_conn)) {
2313 exit_server("Failed to init smb_signing");
2314 }
2315
2316 /* Setup oplocks */
2317 if (!init_oplocks(smbd_messaging_context()))
2318 exit_server("Failed to init oplocks");
2319
2320 /* Setup aio signal handler. */
2321 initialize_async_io_handler();
2322
2323 /* register our message handlers */
2324 messaging_register(smbd_messaging_context(), NULL,
2325 MSG_SMB_FORCE_TDIS, msg_force_tdis);
2326 messaging_register(smbd_messaging_context(), NULL,
2327 MSG_SMB_RELEASE_IP, msg_release_ip);
2328 messaging_register(smbd_messaging_context(), NULL,
2329 MSG_SMB_CLOSE_FILE, msg_close_file);
2330
2331 /*
2332 * Use the default MSG_DEBUG handler to avoid rebroadcasting
2333 * MSGs to all child processes
2334 */
2335 messaging_deregister(smbd_messaging_context(),
2336 MSG_DEBUG, NULL);
2337 messaging_register(smbd_messaging_context(), NULL,
2338 MSG_DEBUG, debug_message);
2339
2340 if ((lp_keepalive() != 0)
2341 && !(event_add_idle(smbd_event_context(), NULL,
2342 timeval_set(lp_keepalive(), 0),
2343 "keepalive", keepalive_fn,
2344 NULL))) {
2345 DEBUG(0, ("Could not add keepalive event\n"));
2346 exit(1);
2347 }
2348
2349 if (!(event_add_idle(smbd_event_context(), NULL,
2350 timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2351 "deadtime", deadtime_fn, NULL))) {
2352 DEBUG(0, ("Could not add deadtime event\n"));
2353 exit(1);
2354 }
2355
2356 if (!(event_add_idle(smbd_event_context(), NULL,
2357 timeval_set(SMBD_SELECT_TIMEOUT, 0),
2358 "housekeeping", housekeeping_fn, NULL))) {
2359 DEBUG(0, ("Could not add housekeeping event\n"));
2360 exit(1);
2361 }
2362
2363 #ifdef CLUSTER_SUPPORT
2364
2365 if (lp_clustering()) {
2366 /*
2367 * We need to tell ctdb about our client's TCP
2368 * connection, so that for failover ctdbd can send
2369 * tickle acks, triggering a reconnection by the
2370 * client.
2371 */
2372
2373 struct sockaddr_storage srv, clnt;
2374
2375 if (client_get_tcp_info(&srv, &clnt) == 0) {
2376
2377 NTSTATUS status;
2378
2379 status = ctdbd_register_ips(
2380 messaging_ctdbd_connection(),
2381 &srv, &clnt, release_ip, NULL);
2382
2383 if (!NT_STATUS_IS_OK(status)) {
2384 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2385 nt_errstr(status)));
2386 }
2387 } else
2388 {
2389 DEBUG(0,("Unable to get tcp info for "
2390 "CTDB_CONTROL_TCP_CLIENT: %s\n",
2391 strerror(errno)));
2392 }
2393 }
2394
2395 #endif
2396
2397 smbd_server_conn->nbt.got_session = false;
2398
2399 smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2400
2401 smbd_server_conn->smb1.sessions.done_sesssetup = false;
2402 smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
2403 smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
2404 /* users from session setup */
2405 smbd_server_conn->smb1.sessions.session_userlist = NULL;
2406 /* workgroup from session setup. */
2407 smbd_server_conn->smb1.sessions.session_workgroup = NULL;
2408 /* this holds info on user ids that are already validated for this VC */
2409 smbd_server_conn->smb1.sessions.validated_users = NULL;
2410 smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
2411 smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
2412 #ifdef HAVE_NETGROUP
2413 smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
2414 #endif
2415
2416 conn_init(smbd_server_conn);
2417 if (!init_dptrs(smbd_server_conn)) {
2418 exit_server("init_dptrs() failed");
2419 }
2420
2421 smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
2422 smbd_server_conn,
2423 smbd_server_fd(),
2424 EVENT_FD_READ,
2425 smbd_server_connection_handler,
2426 smbd_server_conn);
2427 if (!smbd_server_conn->smb1.fde) {
2428 exit_server("failed to create smbd_server_connection fde");
2429 }
2430
2431 TALLOC_FREE(frame);
2432
2433 while (True) {
2434 NTSTATUS status;
2435
2436 frame = talloc_stackframe_pool(8192);
2437
2438 errno = 0;
2439
2440 status = smbd_server_connection_loop_once(smbd_server_conn);
2441 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2442 !NT_STATUS_IS_OK(status)) {
2443 DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2444 " exiting\n", nt_errstr(status)));
2445 break;
2446 }
2447
2448 TALLOC_FREE(frame);
2449 }
2450
2451 exit_server_cleanly(NULL);
2452 }
2453
2454 bool req_is_in_chain(struct smb_request *req)
2455 {
2456 if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2457 /*
2458 * We're right now handling a subsequent request, so we must
2459 * be in a chain
2460 */
2461 return true;
2462 }
2463
2464 if (!is_andx_req(req->cmd)) {
2465 return false;
2466 }
2467
2468 if (req->wct < 2) {
2469 /*
2470 * Okay, an illegal request, but definitely not chained :-)
2471 */
2472 return false;
2473 }
2474
2475 return (CVAL(req->vwv+0, 0) != 0xFF);
2476 }
fernandojvsilva's samba4 branch