search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:smbXsrv_open: add smbXsrv_open_global_traverse()
[Samba/gbeck.git] / source3 / smbd / nttrans.c
blobf5e5877d0937d45829b5bd59413cb78c0944a789
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT transaction handling
4 Copyright (C) Jeremy Allison 1994-2007
5 Copyright (C) Stefan (metze) Metzmacher 2003
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "system/filesys.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "fake_file.h"
26 #include "../libcli/security/security.h"
27 #include "../librpc/gen_ndr/ndr_security.h"
28 #include "passdb/lookup_sid.h"
29 #include "auth.h"
30 #include "smbprofile.h"
31 #include "libsmb/libsmb.h"
32
33 extern const struct generic_mapping file_generic_mapping;
34
35 static char *nttrans_realloc(char **ptr, size_t size)
36 {
37 if (ptr==NULL) {
38 smb_panic("nttrans_realloc() called with NULL ptr");
39 }
40
41 *ptr = (char *)SMB_REALLOC(*ptr, size);
42 if(*ptr == NULL) {
43 return NULL;
44 }
45 memset(*ptr,'\0',size);
46 return *ptr;
47 }
48
49 /****************************************************************************
50 Send the required number of replies back.
51 We assume all fields other than the data fields are
52 set correctly for the type of call.
53 HACK ! Always assumes smb_setup field is zero.
54 ****************************************************************************/
55
56 static void send_nt_replies(connection_struct *conn,
57 struct smb_request *req, NTSTATUS nt_error,
58 char *params, int paramsize,
59 char *pdata, int datasize)
60 {
61 int data_to_send = datasize;
62 int params_to_send = paramsize;
63 int useable_space;
64 char *pp = params;
65 char *pd = pdata;
66 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
67 int alignment_offset = 1;
68 int data_alignment_offset = 0;
69 struct smbd_server_connection *sconn = req->sconn;
70 int max_send = sconn->smb1.sessions.max_send;
71
72 /*
73 * If there genuinely are no parameters or data to send just send
74 * the empty packet.
75 */
76
77 if(params_to_send == 0 && data_to_send == 0) {
78 reply_outbuf(req, 18, 0);
79 if (NT_STATUS_V(nt_error)) {
80 error_packet_set((char *)req->outbuf,
81 0, 0, nt_error,
82 __LINE__,__FILE__);
83 }
84 show_msg((char *)req->outbuf);
85 if (!srv_send_smb(sconn,
86 (char *)req->outbuf,
87 true, req->seqnum+1,
88 IS_CONN_ENCRYPTED(conn),
89 &req->pcd)) {
90 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
91 }
92 TALLOC_FREE(req->outbuf);
93 return;
94 }
95
96 /*
97 * When sending params and data ensure that both are nicely aligned.
98 * Only do this alignment when there is also data to send - else
99 * can cause NT redirector problems.
100 */
101
102 if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
103 data_alignment_offset = 4 - (params_to_send % 4);
104 }
105
106 /*
107 * Space is bufsize minus Netbios over TCP header minus SMB header.
108 * The alignment_offset is to align the param bytes on a four byte
109 * boundary (2 bytes for data len, one byte pad).
110 * NT needs this to work correctly.
111 */
112
113 useable_space = max_send - (smb_size
114 + 2 * 18 /* wct */
115 + alignment_offset
116 + data_alignment_offset);
117
118 if (useable_space < 0) {
119 char *msg = talloc_asprintf(
120 talloc_tos(),
121 "send_nt_replies failed sanity useable_space = %d!!!",
122 useable_space);
123 DEBUG(0, ("%s\n", msg));
124 exit_server_cleanly(msg);
125 }
126
127 while (params_to_send || data_to_send) {
128
129 /*
130 * Calculate whether we will totally or partially fill this packet.
131 */
132
133 total_sent_thistime = params_to_send + data_to_send;
134
135 /*
136 * We can never send more than useable_space.
137 */
138
139 total_sent_thistime = MIN(total_sent_thistime, useable_space);
140
141 reply_outbuf(req, 18,
142 total_sent_thistime + alignment_offset
143 + data_alignment_offset);
144
145 /*
146 * Set total params and data to be sent.
147 */
148
149 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
150 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
151
152 /*
153 * Calculate how many parameters and data we can fit into
154 * this packet. Parameters get precedence.
155 */
156
157 params_sent_thistime = MIN(params_to_send,useable_space);
158 data_sent_thistime = useable_space - params_sent_thistime;
159 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
160
161 SIVAL(req->outbuf, smb_ntr_ParameterCount,
162 params_sent_thistime);
163
164 if(params_sent_thistime == 0) {
165 SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
166 SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
167 } else {
168 /*
169 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
170 * parameter bytes, however the first 4 bytes of outbuf are
171 * the Netbios over TCP header. Thus use smb_base() to subtract
172 * them from the calculation.
173 */
174
175 SIVAL(req->outbuf,smb_ntr_ParameterOffset,
176 ((smb_buf(req->outbuf)+alignment_offset)
177 - smb_base(req->outbuf)));
178 /*
179 * Absolute displacement of param bytes sent in this packet.
180 */
181
182 SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
183 pp - params);
184 }
185
186 /*
187 * Deal with the data portion.
188 */
189
190 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
191
192 if(data_sent_thistime == 0) {
193 SIVAL(req->outbuf,smb_ntr_DataOffset,0);
194 SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
195 } else {
196 /*
197 * The offset of the data bytes is the offset of the
198 * parameter bytes plus the number of parameters being sent this time.
199 */
200
201 SIVAL(req->outbuf, smb_ntr_DataOffset,
202 ((smb_buf(req->outbuf)+alignment_offset) -
203 smb_base(req->outbuf))
204 + params_sent_thistime + data_alignment_offset);
205 SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
206 }
207
208 /*
209 * Copy the param bytes into the packet.
210 */
211
212 if(params_sent_thistime) {
213 if (alignment_offset != 0) {
214 memset(smb_buf(req->outbuf), 0,
215 alignment_offset);
216 }
217 memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
218 params_sent_thistime);
219 }
220
221 /*
222 * Copy in the data bytes
223 */
224
225 if(data_sent_thistime) {
226 if (data_alignment_offset != 0) {
227 memset((smb_buf(req->outbuf)+alignment_offset+
228 params_sent_thistime), 0,
229 data_alignment_offset);
230 }
231 memcpy(smb_buf(req->outbuf)+alignment_offset
232 +params_sent_thistime+data_alignment_offset,
233 pd,data_sent_thistime);
234 }
235
236 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
237 params_sent_thistime, data_sent_thistime, useable_space));
238 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
239 params_to_send, data_to_send, paramsize, datasize));
240
241 if (NT_STATUS_V(nt_error)) {
242 error_packet_set((char *)req->outbuf,
243 0, 0, nt_error,
244 __LINE__,__FILE__);
245 }
246
247 /* Send the packet */
248 show_msg((char *)req->outbuf);
249 if (!srv_send_smb(sconn,
250 (char *)req->outbuf,
251 true, req->seqnum+1,
252 IS_CONN_ENCRYPTED(conn),
253 &req->pcd)) {
254 exit_server_cleanly("send_nt_replies: srv_send_smb failed.");
255 }
256
257 TALLOC_FREE(req->outbuf);
258
259 pp += params_sent_thistime;
260 pd += data_sent_thistime;
261
262 params_to_send -= params_sent_thistime;
263 data_to_send -= data_sent_thistime;
264
265 /*
266 * Sanity check
267 */
268
269 if(params_to_send < 0 || data_to_send < 0) {
270 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
271 params_to_send, data_to_send));
272 exit_server_cleanly("send_nt_replies: internal error");
273 }
274 }
275 }
276
277 /****************************************************************************
278 Reply to an NT create and X call on a pipe
279 ****************************************************************************/
280
281 static void nt_open_pipe(char *fname, connection_struct *conn,
282 struct smb_request *req, uint16_t *ppnum)
283 {
284 files_struct *fsp;
285 NTSTATUS status;
286
287 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
288
289 /* Strip \\ off the name if present. */
290 while (fname[0] == '\\') {
291 fname++;
292 }
293
294 status = open_np_file(req, fname, &fsp);
295 if (!NT_STATUS_IS_OK(status)) {
296 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
297 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
298 ERRDOS, ERRbadpipe);
299 return;
300 }
301 reply_nterror(req, status);
302 return;
303 }
304
305 *ppnum = fsp->fnum;
306 return;
307 }
308
309 /****************************************************************************
310 Reply to an NT create and X call for pipes.
311 ****************************************************************************/
312
313 static void do_ntcreate_pipe_open(connection_struct *conn,
314 struct smb_request *req)
315 {
316 char *fname = NULL;
317 uint16_t pnum = FNUM_FIELD_INVALID;
318 char *p = NULL;
319 uint32 flags = IVAL(req->vwv+3, 1);
320 TALLOC_CTX *ctx = talloc_tos();
321
322 srvstr_pull_req_talloc(ctx, req, &fname, req->buf, STR_TERMINATE);
323
324 if (!fname) {
325 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
326 ERRDOS, ERRbadpipe);
327 return;
328 }
329 nt_open_pipe(fname, conn, req, &pnum);
330
331 if (req->outbuf) {
332 /* error reply */
333 return;
334 }
335
336 /*
337 * Deal with pipe return.
338 */
339
340 if (flags & EXTENDED_RESPONSE_REQUIRED) {
341 /* This is very strange. We
342 * return 50 words, but only set
343 * the wcnt to 42 ? It's definitely
344 * what happens on the wire....
345 */
346 reply_outbuf(req, 50, 0);
347 SCVAL(req->outbuf,smb_wct,42);
348 } else {
349 reply_outbuf(req, 34, 0);
350 }
351
352 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
353 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
354
355 p = (char *)req->outbuf + smb_vwv2;
356 p++;
357 SSVAL(p,0,pnum);
358 p += 2;
359 SIVAL(p,0,FILE_WAS_OPENED);
360 p += 4;
361 p += 32;
362 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
363 p += 20;
364 /* File type. */
365 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
366 /* Device state. */
367 SSVAL(p,2, 0x5FF); /* ? */
368 p += 4;
369
370 if (flags & EXTENDED_RESPONSE_REQUIRED) {
371 p += 25;
372 SIVAL(p,0,FILE_GENERIC_ALL);
373 /*
374 * For pipes W2K3 seems to return
375 * 0x12019B next.
376 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
377 */
378 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
379 }
380
381 DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
382 }
383
384 struct case_semantics_state {
385 connection_struct *conn;
386 bool case_sensitive;
387 bool case_preserve;
388 bool short_case_preserve;
389 };
390
391 /****************************************************************************
392 Restore case semantics.
393 ****************************************************************************/
394
395 static int restore_case_semantics(struct case_semantics_state *state)
396 {
397 state->conn->case_sensitive = state->case_sensitive;
398 state->conn->case_preserve = state->case_preserve;
399 state->conn->short_case_preserve = state->short_case_preserve;
400 return 0;
401 }
402
403 /****************************************************************************
404 Save case semantics.
405 ****************************************************************************/
406
407 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
408 connection_struct *conn)
409 {
410 struct case_semantics_state *result;
411
412 if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
413 return NULL;
414 }
415
416 result->conn = conn;
417 result->case_sensitive = conn->case_sensitive;
418 result->case_preserve = conn->case_preserve;
419 result->short_case_preserve = conn->short_case_preserve;
420
421 /* Set to POSIX. */
422 conn->case_sensitive = True;
423 conn->case_preserve = True;
424 conn->short_case_preserve = True;
425
426 talloc_set_destructor(result, restore_case_semantics);
427
428 return result;
429 }
430
431 /****************************************************************************
432 Reply to an NT create and X call.
433 ****************************************************************************/
434
435 void reply_ntcreate_and_X(struct smb_request *req)
436 {
437 connection_struct *conn = req->conn;
438 struct smb_filename *smb_fname = NULL;
439 char *fname = NULL;
440 uint32 flags;
441 uint32 access_mask;
442 uint32 file_attributes;
443 uint32 share_access;
444 uint32 create_disposition;
445 uint32 create_options;
446 uint16 root_dir_fid;
447 uint64_t allocation_size;
448 /* Breakout the oplock request bits so we can set the
449 reply bits separately. */
450 uint32 fattr=0;
451 off_t file_len = 0;
452 int info = 0;
453 files_struct *fsp = NULL;
454 char *p = NULL;
455 struct timespec create_timespec;
456 struct timespec c_timespec;
457 struct timespec a_timespec;
458 struct timespec m_timespec;
459 struct timespec write_time_ts;
460 NTSTATUS status;
461 int oplock_request;
462 uint8_t oplock_granted = NO_OPLOCK_RETURN;
463 struct case_semantics_state *case_state = NULL;
464 TALLOC_CTX *ctx = talloc_tos();
465
466 START_PROFILE(SMBntcreateX);
467
468 if (req->wct < 24) {
469 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
470 goto out;
471 }
472
473 flags = IVAL(req->vwv+3, 1);
474 access_mask = IVAL(req->vwv+7, 1);
475 file_attributes = IVAL(req->vwv+13, 1);
476 share_access = IVAL(req->vwv+15, 1);
477 create_disposition = IVAL(req->vwv+17, 1);
478 create_options = IVAL(req->vwv+19, 1);
479 root_dir_fid = (uint16)IVAL(req->vwv+5, 1);
480
481 allocation_size = BVAL(req->vwv+9, 1);
482
483 srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf,
484 STR_TERMINATE, &status);
485
486 if (!NT_STATUS_IS_OK(status)) {
487 reply_nterror(req, status);
488 goto out;
489 }
490
491 DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
492 "file_attributes = 0x%x, share_access = 0x%x, "
493 "create_disposition = 0x%x create_options = 0x%x "
494 "root_dir_fid = 0x%x, fname = %s\n",
495 (unsigned int)flags,
496 (unsigned int)access_mask,
497 (unsigned int)file_attributes,
498 (unsigned int)share_access,
499 (unsigned int)create_disposition,
500 (unsigned int)create_options,
501 (unsigned int)root_dir_fid,
502 fname));
503
504 /*
505 * we need to remove ignored bits when they come directly from the client
506 * because we reuse some of them for internal stuff
507 */
508 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
509
510 /*
511 * If it's an IPC, use the pipe handler.
512 */
513
514 if (IS_IPC(conn)) {
515 if (lp_nt_pipe_support()) {
516 do_ntcreate_pipe_open(conn, req);
517 goto out;
518 }
519 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
520 goto out;
521 }
522
523 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
524 if (oplock_request) {
525 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
526 ? BATCH_OPLOCK : 0;
527 }
528
529 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
530 case_state = set_posix_case_semantics(ctx, conn);
531 if (!case_state) {
532 reply_nterror(req, NT_STATUS_NO_MEMORY);
533 goto out;
534 }
535 }
536
537 status = filename_convert(ctx,
538 conn,
539 req->flags2 & FLAGS2_DFS_PATHNAMES,
540 fname,
541 0,
542 NULL,
543 &smb_fname);
544
545 TALLOC_FREE(case_state);
546
547 if (!NT_STATUS_IS_OK(status)) {
548 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
549 reply_botherror(req,
550 NT_STATUS_PATH_NOT_COVERED,
551 ERRSRV, ERRbadpath);
552 goto out;
553 }
554 reply_nterror(req, status);
555 goto out;
556 }
557
558 /*
559 * Bug #6898 - clients using Windows opens should
560 * never be able to set this attribute into the
561 * VFS.
562 */
563 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
564
565 status = SMB_VFS_CREATE_FILE(
566 conn, /* conn */
567 req, /* req */
568 root_dir_fid, /* root_dir_fid */
569 smb_fname, /* fname */
570 access_mask, /* access_mask */
571 share_access, /* share_access */
572 create_disposition, /* create_disposition*/
573 create_options, /* create_options */
574 file_attributes, /* file_attributes */
575 oplock_request, /* oplock_request */
576 allocation_size, /* allocation_size */
577 0, /* private_flags */
578 NULL, /* sd */
579 NULL, /* ea_list */
580 &fsp, /* result */
581 &info); /* pinfo */
582
583 if (!NT_STATUS_IS_OK(status)) {
584 if (open_was_deferred(req->sconn, req->mid)) {
585 /* We have re-scheduled this call, no error. */
586 goto out;
587 }
588 reply_openerror(req, status);
589 goto out;
590 }
591
592 /* Ensure we're pointing at the correct stat struct. */
593 TALLOC_FREE(smb_fname);
594 smb_fname = fsp->fsp_name;
595
596 /*
597 * If the caller set the extended oplock request bit
598 * and we granted one (by whatever means) - set the
599 * correct bit for extended oplock reply.
600 */
601
602 if (oplock_request &&
603 (lp_fake_oplocks(SNUM(conn))
604 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
605
606 /*
607 * Exclusive oplock granted
608 */
609
610 if (flags & REQUEST_BATCH_OPLOCK) {
611 oplock_granted = BATCH_OPLOCK_RETURN;
612 } else {
613 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
614 }
615 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
616 oplock_granted = LEVEL_II_OPLOCK_RETURN;
617 } else {
618 oplock_granted = NO_OPLOCK_RETURN;
619 }
620
621 file_len = smb_fname->st.st_ex_size;
622
623 if (flags & EXTENDED_RESPONSE_REQUIRED) {
624 /* This is very strange. We
625 * return 50 words, but only set
626 * the wcnt to 42 ? It's definitely
627 * what happens on the wire....
628 */
629 reply_outbuf(req, 50, 0);
630 SCVAL(req->outbuf,smb_wct,42);
631 } else {
632 reply_outbuf(req, 34, 0);
633 }
634
635 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
636 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
637
638 p = (char *)req->outbuf + smb_vwv2;
639
640 SCVAL(p, 0, oplock_granted);
641
642 p++;
643 SSVAL(p,0,fsp->fnum);
644 p += 2;
645 if ((create_disposition == FILE_SUPERSEDE)
646 && (info == FILE_WAS_OVERWRITTEN)) {
647 SIVAL(p,0,FILE_WAS_SUPERSEDED);
648 } else {
649 SIVAL(p,0,info);
650 }
651 p += 4;
652
653 fattr = dos_mode(conn, smb_fname);
654 if (fattr == 0) {
655 fattr = FILE_ATTRIBUTE_NORMAL;
656 }
657
658 /* Deal with other possible opens having a modified
659 write time. JRA. */
660 ZERO_STRUCT(write_time_ts);
661 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
662 if (!null_timespec(write_time_ts)) {
663 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
664 }
665
666 /* Create time. */
667 create_timespec = get_create_timespec(conn, fsp, smb_fname);
668 a_timespec = smb_fname->st.st_ex_atime;
669 m_timespec = smb_fname->st.st_ex_mtime;
670 c_timespec = get_change_timespec(conn, fsp, smb_fname);
671
672 if (lp_dos_filetime_resolution(SNUM(conn))) {
673 dos_filetime_timespec(&create_timespec);
674 dos_filetime_timespec(&a_timespec);
675 dos_filetime_timespec(&m_timespec);
676 dos_filetime_timespec(&c_timespec);
677 }
678
679 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
680 p += 8;
681 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
682 p += 8;
683 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
684 p += 8;
685 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
686 p += 8;
687 SIVAL(p,0,fattr); /* File Attributes. */
688 p += 4;
689 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn,fsp,&smb_fname->st));
690 p += 8;
691 SOFF_T(p,0,file_len);
692 p += 8;
693 if (flags & EXTENDED_RESPONSE_REQUIRED) {
694 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
695 size_t num_names = 0;
696 unsigned int num_streams = 0;
697 struct stream_struct *streams = NULL;
698
699 /* Do we have any EA's ? */
700 status = get_ea_names_from_file(ctx, conn, fsp,
701 smb_fname->base_name, NULL, &num_names);
702 if (NT_STATUS_IS_OK(status) && num_names) {
703 file_status &= ~NO_EAS;
704 }
705 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
706 &num_streams, &streams);
707 /* There is always one stream, ::$DATA. */
708 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
709 file_status &= ~NO_SUBSTREAMS;
710 }
711 TALLOC_FREE(streams);
712 SSVAL(p,2,file_status);
713 }
714 p += 4;
715 SCVAL(p,0,fsp->is_directory ? 1 : 0);
716
717 if (flags & EXTENDED_RESPONSE_REQUIRED) {
718 uint32 perms = 0;
719 p += 25;
720 if (fsp->is_directory ||
721 fsp->can_write ||
722 can_write_to_file(conn, smb_fname)) {
723 perms = FILE_GENERIC_ALL;
724 } else {
725 perms = FILE_GENERIC_READ|FILE_EXECUTE;
726 }
727 SIVAL(p,0,perms);
728 }
729
730 DEBUG(5,("reply_ntcreate_and_X: %s, open name = %s\n",
731 fsp_fnum_dbg(fsp), smb_fname_str_dbg(smb_fname)));
732
733 out:
734 END_PROFILE(SMBntcreateX);
735 return;
736 }
737
738 /****************************************************************************
739 Reply to a NT_TRANSACT_CREATE call to open a pipe.
740 ****************************************************************************/
741
742 static void do_nt_transact_create_pipe(connection_struct *conn,
743 struct smb_request *req,
744 uint16 **ppsetup, uint32 setup_count,
745 char **ppparams, uint32 parameter_count,
746 char **ppdata, uint32 data_count)
747 {
748 char *fname = NULL;
749 char *params = *ppparams;
750 uint16_t pnum = FNUM_FIELD_INVALID;
751 char *p = NULL;
752 NTSTATUS status;
753 size_t param_len;
754 uint32 flags;
755 TALLOC_CTX *ctx = talloc_tos();
756
757 /*
758 * Ensure minimum number of parameters sent.
759 */
760
761 if(parameter_count < 54) {
762 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
763 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
764 return;
765 }
766
767 flags = IVAL(params,0);
768
769 srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
770 parameter_count-53, STR_TERMINATE,
771 &status);
772 if (!NT_STATUS_IS_OK(status)) {
773 reply_nterror(req, status);
774 return;
775 }
776
777 nt_open_pipe(fname, conn, req, &pnum);
778
779 if (req->outbuf) {
780 /* Error return */
781 return;
782 }
783
784 /* Realloc the size of parameters and data we will return */
785 if (flags & EXTENDED_RESPONSE_REQUIRED) {
786 /* Extended response is 32 more byyes. */
787 param_len = 101;
788 } else {
789 param_len = 69;
790 }
791 params = nttrans_realloc(ppparams, param_len);
792 if(params == NULL) {
793 reply_nterror(req, NT_STATUS_NO_MEMORY);
794 return;
795 }
796
797 p = params;
798 SCVAL(p,0,NO_OPLOCK_RETURN);
799
800 p += 2;
801 SSVAL(p,0,pnum);
802 p += 2;
803 SIVAL(p,0,FILE_WAS_OPENED);
804 p += 8;
805
806 p += 32;
807 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
808 p += 20;
809 /* File type. */
810 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
811 /* Device state. */
812 SSVAL(p,2, 0x5FF); /* ? */
813 p += 4;
814
815 if (flags & EXTENDED_RESPONSE_REQUIRED) {
816 p += 25;
817 SIVAL(p,0,FILE_GENERIC_ALL);
818 /*
819 * For pipes W2K3 seems to return
820 * 0x12019B next.
821 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
822 */
823 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
824 }
825
826 DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
827
828 /* Send the required number of replies */
829 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
830
831 return;
832 }
833
834 /*********************************************************************
835 Windows seems to do canonicalization of inheritance bits. Do the
836 same.
837 *********************************************************************/
838
839 static void canonicalize_inheritance_bits(struct security_descriptor *psd)
840 {
841 bool set_auto_inherited = false;
842
843 /*
844 * We need to filter out the
845 * SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ
846 * bits. If both are set we store SEC_DESC_DACL_AUTO_INHERITED
847 * as this alters whether SEC_ACE_FLAG_INHERITED_ACE is set
848 * when an ACE is inherited. Otherwise we zero these bits out.
849 * See:
850 *
851 * http://social.msdn.microsoft.com/Forums/eu/os_fileservices/thread/11f77b68-731e-407d-b1b3-064750716531
852 *
853 * for details.
854 */
855
856 if ((psd->type & (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ))
857 == (SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ)) {
858 set_auto_inherited = true;
859 }
860
861 psd->type &= ~(SEC_DESC_DACL_AUTO_INHERITED|SEC_DESC_DACL_AUTO_INHERIT_REQ);
862 if (set_auto_inherited) {
863 psd->type |= SEC_DESC_DACL_AUTO_INHERITED;
864 }
865 }
866
867 /****************************************************************************
868 Internal fn to set security descriptors.
869 ****************************************************************************/
870
871 NTSTATUS set_sd(files_struct *fsp, struct security_descriptor *psd,
872 uint32_t security_info_sent)
873 {
874 NTSTATUS status;
875
876 if (!CAN_WRITE(fsp->conn)) {
877 return NT_STATUS_ACCESS_DENIED;
878 }
879
880 if (!lp_nt_acl_support(SNUM(fsp->conn))) {
881 return NT_STATUS_OK;
882 }
883
884 if (psd->owner_sid == NULL) {
885 security_info_sent &= ~SECINFO_OWNER;
886 }
887 if (psd->group_sid == NULL) {
888 security_info_sent &= ~SECINFO_GROUP;
889 }
890
891 /* Ensure we have at least one thing set. */
892 if ((security_info_sent & (SECINFO_OWNER|SECINFO_GROUP|SECINFO_DACL|SECINFO_SACL)) == 0) {
893 if (security_info_sent & SECINFO_LABEL) {
894 /* Only consider SECINFO_LABEL if no other
895 bits are set. Just like W2K3 we don't
896 store this. */
897 return NT_STATUS_OK;
898 }
899 return NT_STATUS_INVALID_PARAMETER;
900 }
901
902 /* Ensure we have the rights to do this. */
903 if (security_info_sent & SECINFO_OWNER) {
904 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
905 return NT_STATUS_ACCESS_DENIED;
906 }
907 }
908
909 if (security_info_sent & SECINFO_GROUP) {
910 if (!(fsp->access_mask & SEC_STD_WRITE_OWNER)) {
911 return NT_STATUS_ACCESS_DENIED;
912 }
913 }
914
915 if (security_info_sent & SECINFO_DACL) {
916 if (!(fsp->access_mask & SEC_STD_WRITE_DAC)) {
917 return NT_STATUS_ACCESS_DENIED;
918 }
919 /* Convert all the generic bits. */
920 if (psd->dacl) {
921 security_acl_map_generic(psd->dacl, &file_generic_mapping);
922 }
923 }
924
925 if (security_info_sent & SECINFO_SACL) {
926 if (!(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
927 return NT_STATUS_ACCESS_DENIED;
928 }
929 /* Convert all the generic bits. */
930 if (psd->sacl) {
931 security_acl_map_generic(psd->sacl, &file_generic_mapping);
932 }
933 }
934
935 canonicalize_inheritance_bits(psd);
936
937 if (DEBUGLEVEL >= 10) {
938 DEBUG(10,("set_sd for file %s\n", fsp_str_dbg(fsp)));
939 NDR_PRINT_DEBUG(security_descriptor, psd);
940 }
941
942 status = SMB_VFS_FSET_NT_ACL(fsp, security_info_sent, psd);
943
944 TALLOC_FREE(psd);
945
946 return status;
947 }
948
949 /****************************************************************************
950 Internal fn to set security descriptors from a data blob.
951 ****************************************************************************/
952
953 NTSTATUS set_sd_blob(files_struct *fsp, uint8_t *data, uint32_t sd_len,
954 uint32_t security_info_sent)
955 {
956 struct security_descriptor *psd = NULL;
957 NTSTATUS status;
958
959 if (sd_len == 0) {
960 return NT_STATUS_INVALID_PARAMETER;
961 }
962
963 status = unmarshall_sec_desc(talloc_tos(), data, sd_len, &psd);
964
965 if (!NT_STATUS_IS_OK(status)) {
966 return status;
967 }
968
969 return set_sd(fsp, psd, security_info_sent);
970 }
971
972 /****************************************************************************
973 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
974 ****************************************************************************/
975
976 struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
977 {
978 struct ea_list *ea_list_head = NULL;
979 size_t offset = 0;
980
981 if (data_size < 4) {
982 return NULL;
983 }
984
985 while (offset + 4 <= data_size) {
986 size_t next_offset = IVAL(pdata,offset);
987 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
988
989 if (!eal) {
990 return NULL;
991 }
992
993 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
994 if (next_offset == 0) {
995 break;
996 }
997 offset += next_offset;
998 }
999
1000 return ea_list_head;
1001 }
1002
1003 /****************************************************************************
1004 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1005 ****************************************************************************/
1006
1007 static void call_nt_transact_create(connection_struct *conn,
1008 struct smb_request *req,
1009 uint16 **ppsetup, uint32 setup_count,
1010 char **ppparams, uint32 parameter_count,
1011 char **ppdata, uint32 data_count,
1012 uint32 max_data_count)
1013 {
1014 struct smb_filename *smb_fname = NULL;
1015 char *fname = NULL;
1016 char *params = *ppparams;
1017 char *data = *ppdata;
1018 /* Breakout the oplock request bits so we can set the reply bits separately. */
1019 uint32 fattr=0;
1020 off_t file_len = 0;
1021 int info = 0;
1022 files_struct *fsp = NULL;
1023 char *p = NULL;
1024 uint32 flags;
1025 uint32 access_mask;
1026 uint32 file_attributes;
1027 uint32 share_access;
1028 uint32 create_disposition;
1029 uint32 create_options;
1030 uint32 sd_len;
1031 struct security_descriptor *sd = NULL;
1032 uint32 ea_len;
1033 uint16 root_dir_fid;
1034 struct timespec create_timespec;
1035 struct timespec c_timespec;
1036 struct timespec a_timespec;
1037 struct timespec m_timespec;
1038 struct timespec write_time_ts;
1039 struct ea_list *ea_list = NULL;
1040 NTSTATUS status;
1041 size_t param_len;
1042 uint64_t allocation_size;
1043 int oplock_request;
1044 uint8_t oplock_granted;
1045 struct case_semantics_state *case_state = NULL;
1046 TALLOC_CTX *ctx = talloc_tos();
1047
1048 DEBUG(5,("call_nt_transact_create\n"));
1049
1050 /*
1051 * If it's an IPC, use the pipe handler.
1052 */
1053
1054 if (IS_IPC(conn)) {
1055 if (lp_nt_pipe_support()) {
1056 do_nt_transact_create_pipe(
1057 conn, req,
1058 ppsetup, setup_count,
1059 ppparams, parameter_count,
1060 ppdata, data_count);
1061 goto out;
1062 }
1063 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1064 goto out;
1065 }
1066
1067 /*
1068 * Ensure minimum number of parameters sent.
1069 */
1070
1071 if(parameter_count < 54) {
1072 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1073 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1074 goto out;
1075 }
1076
1077 flags = IVAL(params,0);
1078 access_mask = IVAL(params,8);
1079 file_attributes = IVAL(params,20);
1080 share_access = IVAL(params,24);
1081 create_disposition = IVAL(params,28);
1082 create_options = IVAL(params,32);
1083 sd_len = IVAL(params,36);
1084 ea_len = IVAL(params,40);
1085 root_dir_fid = (uint16)IVAL(params,4);
1086 allocation_size = BVAL(params,12);
1087
1088 /*
1089 * we need to remove ignored bits when they come directly from the client
1090 * because we reuse some of them for internal stuff
1091 */
1092 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
1093
1094 /* Ensure the data_len is correct for the sd and ea values given. */
1095 if ((ea_len + sd_len > data_count)
1096 || (ea_len > data_count) || (sd_len > data_count)
1097 || (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1098 DEBUG(10, ("call_nt_transact_create - ea_len = %u, sd_len = "
1099 "%u, data_count = %u\n", (unsigned int)ea_len,
1100 (unsigned int)sd_len, (unsigned int)data_count));
1101 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1102 goto out;
1103 }
1104
1105 if (sd_len) {
1106 DEBUG(10, ("call_nt_transact_create - sd_len = %d\n",
1107 sd_len));
1108
1109 status = unmarshall_sec_desc(ctx, (uint8_t *)data, sd_len,
1110 &sd);
1111 if (!NT_STATUS_IS_OK(status)) {
1112 DEBUG(10, ("call_nt_transact_create: "
1113 "unmarshall_sec_desc failed: %s\n",
1114 nt_errstr(status)));
1115 reply_nterror(req, status);
1116 goto out;
1117 }
1118 }
1119
1120 if (ea_len) {
1121 if (!lp_ea_support(SNUM(conn))) {
1122 DEBUG(10, ("call_nt_transact_create - ea_len = %u but "
1123 "EA's not supported.\n",
1124 (unsigned int)ea_len));
1125 reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1126 goto out;
1127 }
1128
1129 if (ea_len < 10) {
1130 DEBUG(10,("call_nt_transact_create - ea_len = %u - "
1131 "too small (should be more than 10)\n",
1132 (unsigned int)ea_len ));
1133 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1134 goto out;
1135 }
1136
1137 /* We have already checked that ea_len <= data_count here. */
1138 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1139 ea_len);
1140 if (ea_list == NULL) {
1141 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1142 goto out;
1143 }
1144 }
1145
1146 srvstr_get_path(ctx, params, req->flags2, &fname,
1147 params+53, parameter_count-53,
1148 STR_TERMINATE, &status);
1149 if (!NT_STATUS_IS_OK(status)) {
1150 reply_nterror(req, status);
1151 goto out;
1152 }
1153
1154 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1155 case_state = set_posix_case_semantics(ctx, conn);
1156 if (!case_state) {
1157 reply_nterror(req, NT_STATUS_NO_MEMORY);
1158 goto out;
1159 }
1160 }
1161
1162 status = filename_convert(ctx,
1163 conn,
1164 req->flags2 & FLAGS2_DFS_PATHNAMES,
1165 fname,
1166 0,
1167 NULL,
1168 &smb_fname);
1169
1170 TALLOC_FREE(case_state);
1171
1172 if (!NT_STATUS_IS_OK(status)) {
1173 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1174 reply_botherror(req,
1175 NT_STATUS_PATH_NOT_COVERED,
1176 ERRSRV, ERRbadpath);
1177 goto out;
1178 }
1179 reply_nterror(req, status);
1180 goto out;
1181 }
1182
1183 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1184 if (oplock_request) {
1185 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
1186 ? BATCH_OPLOCK : 0;
1187 }
1188
1189 /*
1190 * Bug #6898 - clients using Windows opens should
1191 * never be able to set this attribute into the
1192 * VFS.
1193 */
1194 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1195
1196 status = SMB_VFS_CREATE_FILE(
1197 conn, /* conn */
1198 req, /* req */
1199 root_dir_fid, /* root_dir_fid */
1200 smb_fname, /* fname */
1201 access_mask, /* access_mask */
1202 share_access, /* share_access */
1203 create_disposition, /* create_disposition*/
1204 create_options, /* create_options */
1205 file_attributes, /* file_attributes */
1206 oplock_request, /* oplock_request */
1207 allocation_size, /* allocation_size */
1208 0, /* private_flags */
1209 sd, /* sd */
1210 ea_list, /* ea_list */
1211 &fsp, /* result */
1212 &info); /* pinfo */
1213
1214 if(!NT_STATUS_IS_OK(status)) {
1215 if (open_was_deferred(req->sconn, req->mid)) {
1216 /* We have re-scheduled this call, no error. */
1217 return;
1218 }
1219 reply_openerror(req, status);
1220 goto out;
1221 }
1222
1223 /* Ensure we're pointing at the correct stat struct. */
1224 TALLOC_FREE(smb_fname);
1225 smb_fname = fsp->fsp_name;
1226
1227 /*
1228 * If the caller set the extended oplock request bit
1229 * and we granted one (by whatever means) - set the
1230 * correct bit for extended oplock reply.
1231 */
1232
1233 if (oplock_request &&
1234 (lp_fake_oplocks(SNUM(conn))
1235 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
1236
1237 /*
1238 * Exclusive oplock granted
1239 */
1240
1241 if (flags & REQUEST_BATCH_OPLOCK) {
1242 oplock_granted = BATCH_OPLOCK_RETURN;
1243 } else {
1244 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
1245 }
1246 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1247 oplock_granted = LEVEL_II_OPLOCK_RETURN;
1248 } else {
1249 oplock_granted = NO_OPLOCK_RETURN;
1250 }
1251
1252 file_len = smb_fname->st.st_ex_size;
1253
1254 /* Realloc the size of parameters and data we will return */
1255 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1256 /* Extended response is 32 more byyes. */
1257 param_len = 101;
1258 } else {
1259 param_len = 69;
1260 }
1261 params = nttrans_realloc(ppparams, param_len);
1262 if(params == NULL) {
1263 reply_nterror(req, NT_STATUS_NO_MEMORY);
1264 goto out;
1265 }
1266
1267 p = params;
1268 SCVAL(p, 0, oplock_granted);
1269
1270 p += 2;
1271 SSVAL(p,0,fsp->fnum);
1272 p += 2;
1273 if ((create_disposition == FILE_SUPERSEDE)
1274 && (info == FILE_WAS_OVERWRITTEN)) {
1275 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1276 } else {
1277 SIVAL(p,0,info);
1278 }
1279 p += 8;
1280
1281 fattr = dos_mode(conn, smb_fname);
1282 if (fattr == 0) {
1283 fattr = FILE_ATTRIBUTE_NORMAL;
1284 }
1285
1286 /* Deal with other possible opens having a modified
1287 write time. JRA. */
1288 ZERO_STRUCT(write_time_ts);
1289 get_file_infos(fsp->file_id, 0, NULL, &write_time_ts);
1290 if (!null_timespec(write_time_ts)) {
1291 update_stat_ex_mtime(&smb_fname->st, write_time_ts);
1292 }
1293
1294 /* Create time. */
1295 create_timespec = get_create_timespec(conn, fsp, smb_fname);
1296 a_timespec = smb_fname->st.st_ex_atime;
1297 m_timespec = smb_fname->st.st_ex_mtime;
1298 c_timespec = get_change_timespec(conn, fsp, smb_fname);
1299
1300 if (lp_dos_filetime_resolution(SNUM(conn))) {
1301 dos_filetime_timespec(&create_timespec);
1302 dos_filetime_timespec(&a_timespec);
1303 dos_filetime_timespec(&m_timespec);
1304 dos_filetime_timespec(&c_timespec);
1305 }
1306
1307 put_long_date_timespec(conn->ts_res, p, create_timespec); /* create time. */
1308 p += 8;
1309 put_long_date_timespec(conn->ts_res, p, a_timespec); /* access time */
1310 p += 8;
1311 put_long_date_timespec(conn->ts_res, p, m_timespec); /* write time */
1312 p += 8;
1313 put_long_date_timespec(conn->ts_res, p, c_timespec); /* change time */
1314 p += 8;
1315 SIVAL(p,0,fattr); /* File Attributes. */
1316 p += 4;
1317 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn, fsp, &smb_fname->st));
1318 p += 8;
1319 SOFF_T(p,0,file_len);
1320 p += 8;
1321 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1322 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
1323 size_t num_names = 0;
1324 unsigned int num_streams = 0;
1325 struct stream_struct *streams = NULL;
1326
1327 /* Do we have any EA's ? */
1328 status = get_ea_names_from_file(ctx, conn, fsp,
1329 smb_fname->base_name, NULL, &num_names);
1330 if (NT_STATUS_IS_OK(status) && num_names) {
1331 file_status &= ~NO_EAS;
1332 }
1333 status = vfs_streaminfo(conn, NULL, smb_fname->base_name, ctx,
1334 &num_streams, &streams);
1335 /* There is always one stream, ::$DATA. */
1336 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
1337 file_status &= ~NO_SUBSTREAMS;
1338 }
1339 TALLOC_FREE(streams);
1340 SSVAL(p,2,file_status);
1341 }
1342 p += 4;
1343 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1344
1345 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1346 uint32 perms = 0;
1347 p += 25;
1348 if (fsp->is_directory ||
1349 fsp->can_write ||
1350 can_write_to_file(conn, smb_fname)) {
1351 perms = FILE_GENERIC_ALL;
1352 } else {
1353 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1354 }
1355 SIVAL(p,0,perms);
1356 }
1357
1358 DEBUG(5,("call_nt_transact_create: open name = %s\n",
1359 smb_fname_str_dbg(smb_fname)));
1360
1361 /* Send the required number of replies */
1362 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1363 out:
1364 return;
1365 }
1366
1367 /****************************************************************************
1368 Reply to a NT CANCEL request.
1369 conn POINTER CAN BE NULL HERE !
1370 ****************************************************************************/
1371
1372 void reply_ntcancel(struct smb_request *req)
1373 {
1374 /*
1375 * Go through and cancel any pending change notifies.
1376 */
1377
1378 START_PROFILE(SMBntcancel);
1379 srv_cancel_sign_response(req->sconn);
1380 remove_pending_change_notify_requests_by_mid(req->sconn, req->mid);
1381 remove_pending_lock_requests_by_mid_smb1(req->sconn, req->mid);
1382
1383 DEBUG(3,("reply_ntcancel: cancel called on mid = %llu.\n",
1384 (unsigned long long)req->mid));
1385
1386 END_PROFILE(SMBntcancel);
1387 return;
1388 }
1389
1390 /****************************************************************************
1391 Copy a file.
1392 ****************************************************************************/
1393
1394 static NTSTATUS copy_internals(TALLOC_CTX *ctx,
1395 connection_struct *conn,
1396 struct smb_request *req,
1397 struct smb_filename *smb_fname_src,
1398 struct smb_filename *smb_fname_dst,
1399 uint32 attrs)
1400 {
1401 files_struct *fsp1,*fsp2;
1402 uint32 fattr;
1403 int info;
1404 off_t ret=-1;
1405 NTSTATUS status = NT_STATUS_OK;
1406 char *parent;
1407
1408 if (!CAN_WRITE(conn)) {
1409 status = NT_STATUS_MEDIA_WRITE_PROTECTED;
1410 goto out;
1411 }
1412
1413 /* Source must already exist. */
1414 if (!VALID_STAT(smb_fname_src->st)) {
1415 status = NT_STATUS_OBJECT_NAME_NOT_FOUND;
1416 goto out;
1417 }
1418
1419 /* Ensure attributes match. */
1420 fattr = dos_mode(conn, smb_fname_src);
1421 if ((fattr & ~attrs) & (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
1422 status = NT_STATUS_NO_SUCH_FILE;
1423 goto out;
1424 }
1425
1426 /* Disallow if dst file already exists. */
1427 if (VALID_STAT(smb_fname_dst->st)) {
1428 status = NT_STATUS_OBJECT_NAME_COLLISION;
1429 goto out;
1430 }
1431
1432 /* No links from a directory. */
1433 if (S_ISDIR(smb_fname_src->st.st_ex_mode)) {
1434 status = NT_STATUS_FILE_IS_A_DIRECTORY;
1435 goto out;
1436 }
1437
1438 DEBUG(10,("copy_internals: doing file copy %s to %s\n",
1439 smb_fname_str_dbg(smb_fname_src),
1440 smb_fname_str_dbg(smb_fname_dst)));
1441
1442 status = SMB_VFS_CREATE_FILE(
1443 conn, /* conn */
1444 req, /* req */
1445 0, /* root_dir_fid */
1446 smb_fname_src, /* fname */
1447 FILE_READ_DATA|FILE_READ_ATTRIBUTES|
1448 FILE_READ_EA, /* access_mask */
1449 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1450 FILE_SHARE_DELETE),
1451 FILE_OPEN, /* create_disposition*/
1452 0, /* create_options */
1453 FILE_ATTRIBUTE_NORMAL, /* file_attributes */
1454 NO_OPLOCK, /* oplock_request */
1455 0, /* allocation_size */
1456 0, /* private_flags */
1457 NULL, /* sd */
1458 NULL, /* ea_list */
1459 &fsp1, /* result */
1460 &info); /* pinfo */
1461
1462 if (!NT_STATUS_IS_OK(status)) {
1463 goto out;
1464 }
1465
1466 status = SMB_VFS_CREATE_FILE(
1467 conn, /* conn */
1468 req, /* req */
1469 0, /* root_dir_fid */
1470 smb_fname_dst, /* fname */
1471 FILE_WRITE_DATA|FILE_WRITE_ATTRIBUTES|
1472 FILE_WRITE_EA, /* access_mask */
1473 (FILE_SHARE_READ | FILE_SHARE_WRITE | /* share_access */
1474 FILE_SHARE_DELETE),
1475 FILE_CREATE, /* create_disposition*/
1476 0, /* create_options */
1477 fattr, /* file_attributes */
1478 NO_OPLOCK, /* oplock_request */
1479 0, /* allocation_size */
1480 0, /* private_flags */
1481 NULL, /* sd */
1482 NULL, /* ea_list */
1483 &fsp2, /* result */
1484 &info); /* pinfo */
1485
1486 if (!NT_STATUS_IS_OK(status)) {
1487 close_file(NULL, fsp1, ERROR_CLOSE);
1488 goto out;
1489 }
1490
1491 if (smb_fname_src->st.st_ex_size) {
1492 ret = vfs_transfer_file(fsp1, fsp2, smb_fname_src->st.st_ex_size);
1493 }
1494
1495 /*
1496 * As we are opening fsp1 read-only we only expect
1497 * an error on close on fsp2 if we are out of space.
1498 * Thus we don't look at the error return from the
1499 * close of fsp1.
1500 */
1501 close_file(NULL, fsp1, NORMAL_CLOSE);
1502
1503 /* Ensure the modtime is set correctly on the destination file. */
1504 set_close_write_time(fsp2, smb_fname_src->st.st_ex_mtime);
1505
1506 status = close_file(NULL, fsp2, NORMAL_CLOSE);
1507
1508 /* Grrr. We have to do this as open_file_ntcreate adds FILE_ATTRIBUTE_ARCHIVE when it
1509 creates the file. This isn't the correct thing to do in the copy
1510 case. JRA */
1511 if (!parent_dirname(talloc_tos(), smb_fname_dst->base_name, &parent,
1512 NULL)) {
1513 status = NT_STATUS_NO_MEMORY;
1514 goto out;
1515 }
1516 file_set_dosmode(conn, smb_fname_dst, fattr, parent, false);
1517 TALLOC_FREE(parent);
1518
1519 if (ret < (off_t)smb_fname_src->st.st_ex_size) {
1520 status = NT_STATUS_DISK_FULL;
1521 goto out;
1522 }
1523 out:
1524 if (!NT_STATUS_IS_OK(status)) {
1525 DEBUG(3,("copy_internals: Error %s copy file %s to %s\n",
1526 nt_errstr(status), smb_fname_str_dbg(smb_fname_src),
1527 smb_fname_str_dbg(smb_fname_dst)));
1528 }
1529
1530 return status;
1531 }
1532
1533 /****************************************************************************
1534 Reply to a NT rename request.
1535 ****************************************************************************/
1536
1537 void reply_ntrename(struct smb_request *req)
1538 {
1539 connection_struct *conn = req->conn;
1540 struct smb_filename *smb_fname_old = NULL;
1541 struct smb_filename *smb_fname_new = NULL;
1542 char *oldname = NULL;
1543 char *newname = NULL;
1544 const char *p;
1545 NTSTATUS status;
1546 bool src_has_wcard = False;
1547 bool dest_has_wcard = False;
1548 uint32 attrs;
1549 uint32_t ucf_flags_src = 0;
1550 uint32_t ucf_flags_dst = 0;
1551 uint16 rename_type;
1552 TALLOC_CTX *ctx = talloc_tos();
1553 bool stream_rename = false;
1554
1555 START_PROFILE(SMBntrename);
1556
1557 if (req->wct < 4) {
1558 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1559 goto out;
1560 }
1561
1562 attrs = SVAL(req->vwv+0, 0);
1563 rename_type = SVAL(req->vwv+1, 0);
1564
1565 p = (const char *)req->buf + 1;
1566 p += srvstr_get_path_req_wcard(ctx, req, &oldname, p, STR_TERMINATE,
1567 &status, &src_has_wcard);
1568 if (!NT_STATUS_IS_OK(status)) {
1569 reply_nterror(req, status);
1570 goto out;
1571 }
1572
1573 if (ms_has_wild(oldname)) {
1574 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
1575 goto out;
1576 }
1577
1578 p++;
1579 p += srvstr_get_path_req_wcard(ctx, req, &newname, p, STR_TERMINATE,
1580 &status, &dest_has_wcard);
1581 if (!NT_STATUS_IS_OK(status)) {
1582 reply_nterror(req, status);
1583 goto out;
1584 }
1585
1586 if (!lp_posix_pathnames()) {
1587 /* The newname must begin with a ':' if the
1588 oldname contains a ':'. */
1589 if (strchr_m(oldname, ':')) {
1590 if (newname[0] != ':') {
1591 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1592 goto out;
1593 }
1594 stream_rename = true;
1595 }
1596 }
1597
1598 /*
1599 * If this is a rename operation, allow wildcards and save the
1600 * destination's last component.
1601 */
1602 if (rename_type == RENAME_FLAG_RENAME) {
1603 ucf_flags_src = UCF_COND_ALLOW_WCARD_LCOMP;
1604 ucf_flags_dst = UCF_COND_ALLOW_WCARD_LCOMP | UCF_SAVE_LCOMP;
1605 }
1606
1607 /* rename_internals() calls unix_convert(), so don't call it here. */
1608 status = filename_convert(ctx, conn,
1609 req->flags2 & FLAGS2_DFS_PATHNAMES,
1610 oldname,
1611 ucf_flags_src,
1612 NULL,
1613 &smb_fname_old);
1614 if (!NT_STATUS_IS_OK(status)) {
1615 if (NT_STATUS_EQUAL(status,
1616 NT_STATUS_PATH_NOT_COVERED)) {
1617 reply_botherror(req,
1618 NT_STATUS_PATH_NOT_COVERED,
1619 ERRSRV, ERRbadpath);
1620 goto out;
1621 }
1622 reply_nterror(req, status);
1623 goto out;
1624 }
1625
1626 status = filename_convert(ctx, conn,
1627 req->flags2 & FLAGS2_DFS_PATHNAMES,
1628 newname,
1629 ucf_flags_dst,
1630 &dest_has_wcard,
1631 &smb_fname_new);
1632 if (!NT_STATUS_IS_OK(status)) {
1633 if (NT_STATUS_EQUAL(status,
1634 NT_STATUS_PATH_NOT_COVERED)) {
1635 reply_botherror(req,
1636 NT_STATUS_PATH_NOT_COVERED,
1637 ERRSRV, ERRbadpath);
1638 goto out;
1639 }
1640 reply_nterror(req, status);
1641 goto out;
1642 }
1643
1644 if (stream_rename) {
1645 /* smb_fname_new must be the same as smb_fname_old. */
1646 TALLOC_FREE(smb_fname_new->base_name);
1647 smb_fname_new->base_name = talloc_strdup(smb_fname_new,
1648 smb_fname_old->base_name);
1649 if (!smb_fname_new->base_name) {
1650 reply_nterror(req, NT_STATUS_NO_MEMORY);
1651 goto out;
1652 }
1653 }
1654
1655 DEBUG(3,("reply_ntrename: %s -> %s\n",
1656 smb_fname_str_dbg(smb_fname_old),
1657 smb_fname_str_dbg(smb_fname_new)));
1658
1659 switch(rename_type) {
1660 case RENAME_FLAG_RENAME:
1661 status = rename_internals(ctx, conn, req,
1662 smb_fname_old, smb_fname_new,
1663 attrs, False, src_has_wcard,
1664 dest_has_wcard,
1665 DELETE_ACCESS);
1666 break;
1667 case RENAME_FLAG_HARD_LINK:
1668 if (src_has_wcard || dest_has_wcard) {
1669 /* No wildcards. */
1670 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1671 } else {
1672 status = hardlink_internals(ctx, conn,
1673 req,
1674 false,
1675 smb_fname_old,
1676 smb_fname_new);
1677 }
1678 break;
1679 case RENAME_FLAG_COPY:
1680 if (src_has_wcard || dest_has_wcard) {
1681 /* No wildcards. */
1682 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
1683 } else {
1684 status = copy_internals(ctx, conn, req,
1685 smb_fname_old,
1686 smb_fname_new,
1687 attrs);
1688 }
1689 break;
1690 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
1691 status = NT_STATUS_INVALID_PARAMETER;
1692 break;
1693 default:
1694 status = NT_STATUS_ACCESS_DENIED; /* Default error. */
1695 break;
1696 }
1697
1698 if (!NT_STATUS_IS_OK(status)) {
1699 if (open_was_deferred(req->sconn, req->mid)) {
1700 /* We have re-scheduled this call. */
1701 goto out;
1702 }
1703
1704 reply_nterror(req, status);
1705 goto out;
1706 }
1707
1708 reply_outbuf(req, 0, 0);
1709 out:
1710 END_PROFILE(SMBntrename);
1711 return;
1712 }
1713
1714 /****************************************************************************
1715 Reply to a notify change - queue the request and
1716 don't allow a directory to be opened.
1717 ****************************************************************************/
1718
1719 static void smbd_smb1_notify_reply(struct smb_request *req,
1720 NTSTATUS error_code,
1721 uint8_t *buf, size_t len)
1722 {
1723 send_nt_replies(req->conn, req, error_code, (char *)buf, len, NULL, 0);
1724 }
1725
1726 static void call_nt_transact_notify_change(connection_struct *conn,
1727 struct smb_request *req,
1728 uint16 **ppsetup,
1729 uint32 setup_count,
1730 char **ppparams,
1731 uint32 parameter_count,
1732 char **ppdata, uint32 data_count,
1733 uint32 max_data_count,
1734 uint32 max_param_count)
1735 {
1736 uint16 *setup = *ppsetup;
1737 files_struct *fsp;
1738 uint32 filter;
1739 NTSTATUS status;
1740 bool recursive;
1741
1742 if(setup_count < 6) {
1743 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1744 return;
1745 }
1746
1747 fsp = file_fsp(req, SVAL(setup,4));
1748 filter = IVAL(setup, 0);
1749 recursive = (SVAL(setup, 6) != 0) ? True : False;
1750
1751 DEBUG(3,("call_nt_transact_notify_change\n"));
1752
1753 if(!fsp) {
1754 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1755 return;
1756 }
1757
1758 {
1759 char *filter_string;
1760
1761 if (!(filter_string = notify_filter_string(NULL, filter))) {
1762 reply_nterror(req,NT_STATUS_NO_MEMORY);
1763 return;
1764 }
1765
1766 DEBUG(3,("call_nt_transact_notify_change: notify change "
1767 "called on %s, filter = %s, recursive = %d\n",
1768 fsp_str_dbg(fsp), filter_string, recursive));
1769
1770 TALLOC_FREE(filter_string);
1771 }
1772
1773 if((!fsp->is_directory) || (conn != fsp->conn)) {
1774 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1775 return;
1776 }
1777
1778 if (fsp->notify == NULL) {
1779
1780 status = change_notify_create(fsp, filter, recursive);
1781
1782 if (!NT_STATUS_IS_OK(status)) {
1783 DEBUG(10, ("change_notify_create returned %s\n",
1784 nt_errstr(status)));
1785 reply_nterror(req, status);
1786 return;
1787 }
1788 }
1789
1790 if (change_notify_fsp_has_changes(fsp)) {
1791
1792 /*
1793 * We've got changes pending, respond immediately
1794 */
1795
1796 /*
1797 * TODO: write a torture test to check the filtering behaviour
1798 * here.
1799 */
1800
1801 change_notify_reply(req,
1802 NT_STATUS_OK,
1803 max_param_count,
1804 fsp->notify,
1805 smbd_smb1_notify_reply);
1806
1807 /*
1808 * change_notify_reply() above has independently sent its
1809 * results
1810 */
1811 return;
1812 }
1813
1814 /*
1815 * No changes pending, queue the request
1816 */
1817
1818 status = change_notify_add_request(req,
1819 max_param_count,
1820 filter,
1821 recursive, fsp,
1822 smbd_smb1_notify_reply);
1823 if (!NT_STATUS_IS_OK(status)) {
1824 reply_nterror(req, status);
1825 }
1826 return;
1827 }
1828
1829 /****************************************************************************
1830 Reply to an NT transact rename command.
1831 ****************************************************************************/
1832
1833 static void call_nt_transact_rename(connection_struct *conn,
1834 struct smb_request *req,
1835 uint16 **ppsetup, uint32 setup_count,
1836 char **ppparams, uint32 parameter_count,
1837 char **ppdata, uint32 data_count,
1838 uint32 max_data_count)
1839 {
1840 char *params = *ppparams;
1841 char *new_name = NULL;
1842 files_struct *fsp = NULL;
1843 bool dest_has_wcard = False;
1844 NTSTATUS status;
1845 TALLOC_CTX *ctx = talloc_tos();
1846
1847 if(parameter_count < 5) {
1848 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1849 return;
1850 }
1851
1852 fsp = file_fsp(req, SVAL(params, 0));
1853 if (!check_fsp(conn, req, fsp)) {
1854 return;
1855 }
1856 srvstr_get_path_wcard(ctx, params, req->flags2, &new_name, params+4,
1857 parameter_count - 4,
1858 STR_TERMINATE, &status, &dest_has_wcard);
1859 if (!NT_STATUS_IS_OK(status)) {
1860 reply_nterror(req, status);
1861 return;
1862 }
1863
1864 /*
1865 * W2K3 ignores this request as the RAW-RENAME test
1866 * demonstrates, so we do.
1867 */
1868 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
1869
1870 DEBUG(3,("nt transact rename from = %s, to = %s ignored!\n",
1871 fsp_str_dbg(fsp), new_name));
1872
1873 return;
1874 }
1875
1876 /******************************************************************************
1877 Fake up a completely empty SD.
1878 *******************************************************************************/
1879
1880 static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, struct security_descriptor **ppsd)
1881 {
1882 size_t sd_size;
1883
1884 *ppsd = make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);
1885 if(!*ppsd) {
1886 DEBUG(0,("get_null_nt_acl: Unable to malloc space for security descriptor.\n"));
1887 return NT_STATUS_NO_MEMORY;
1888 }
1889
1890 return NT_STATUS_OK;
1891 }
1892
1893 /****************************************************************************
1894 Reply to query a security descriptor.
1895 Callable from SMB2 and SMB2.
1896 If it returns NT_STATUS_BUFFER_TOO_SMALL, pdata_size is initialized with
1897 the required size.
1898 ****************************************************************************/
1899
1900 NTSTATUS smbd_do_query_security_desc(connection_struct *conn,
1901 TALLOC_CTX *mem_ctx,
1902 files_struct *fsp,
1903 uint32_t security_info_wanted,
1904 uint32_t max_data_count,
1905 uint8_t **ppmarshalled_sd,
1906 size_t *psd_size)
1907 {
1908 NTSTATUS status;
1909 struct security_descriptor *psd = NULL;
1910 TALLOC_CTX *frame = talloc_stackframe();
1911
1912 /*
1913 * Get the permissions to return.
1914 */
1915
1916 if ((security_info_wanted & SECINFO_SACL) &&
1917 !(fsp->access_mask & SEC_FLAG_SYSTEM_SECURITY)) {
1918 DEBUG(10, ("Access to SACL denied.\n"));
1919 TALLOC_FREE(frame);
1920 return NT_STATUS_ACCESS_DENIED;
1921 }
1922
1923 if ((security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|SECINFO_GROUP)) &&
1924 !(fsp->access_mask & SEC_STD_READ_CONTROL)) {
1925 DEBUG(10, ("Access to DACL, OWNER, or GROUP denied.\n"));
1926 TALLOC_FREE(frame);
1927 return NT_STATUS_ACCESS_DENIED;
1928 }
1929
1930 if (security_info_wanted & (SECINFO_DACL|SECINFO_OWNER|
1931 SECINFO_GROUP|SECINFO_SACL)) {
1932 /* Don't return SECINFO_LABEL if anything else was
1933 requested. See bug #8458. */
1934 security_info_wanted &= ~SECINFO_LABEL;
1935 }
1936
1937 if (!lp_nt_acl_support(SNUM(conn))) {
1938 status = get_null_nt_acl(frame, &psd);
1939 } else if (security_info_wanted & SECINFO_LABEL) {
1940 /* Like W2K3 return a null object. */
1941 status = get_null_nt_acl(frame, &psd);
1942 } else {
1943 status = SMB_VFS_FGET_NT_ACL(
1944 fsp, security_info_wanted, frame, &psd);
1945 }
1946 if (!NT_STATUS_IS_OK(status)) {
1947 TALLOC_FREE(frame);
1948 return status;
1949 }
1950
1951 if (!(security_info_wanted & SECINFO_OWNER)) {
1952 psd->owner_sid = NULL;
1953 }
1954 if (!(security_info_wanted & SECINFO_GROUP)) {
1955 psd->group_sid = NULL;
1956 }
1957 if (!(security_info_wanted & SECINFO_DACL)) {
1958 psd->type &= ~SEC_DESC_DACL_PRESENT;
1959 psd->dacl = NULL;
1960 }
1961 if (!(security_info_wanted & SECINFO_SACL)) {
1962 psd->type &= ~SEC_DESC_SACL_PRESENT;
1963 psd->sacl = NULL;
1964 }
1965
1966 /* If the SACL/DACL is NULL, but was requested, we mark that it is
1967 * present in the reply to match Windows behavior */
1968 if (psd->sacl == NULL &&
1969 security_info_wanted & SECINFO_SACL)
1970 psd->type |= SEC_DESC_SACL_PRESENT;
1971 if (psd->dacl == NULL &&
1972 security_info_wanted & SECINFO_DACL)
1973 psd->type |= SEC_DESC_DACL_PRESENT;
1974
1975 if (security_info_wanted & SECINFO_LABEL) {
1976 /* Like W2K3 return a null object. */
1977 psd->owner_sid = NULL;
1978 psd->group_sid = NULL;
1979 psd->dacl = NULL;
1980 psd->sacl = NULL;
1981 psd->type &= ~(SEC_DESC_DACL_PRESENT|SEC_DESC_SACL_PRESENT);
1982 }
1983
1984 *psd_size = ndr_size_security_descriptor(psd, 0);
1985
1986 DEBUG(3,("smbd_do_query_security_desc: sd_size = %lu.\n",
1987 (unsigned long)*psd_size));
1988
1989 if (DEBUGLEVEL >= 10) {
1990 DEBUG(10,("smbd_do_query_security_desc for file %s\n",
1991 fsp_str_dbg(fsp)));
1992 NDR_PRINT_DEBUG(security_descriptor, psd);
1993 }
1994
1995 if (max_data_count < *psd_size) {
1996 TALLOC_FREE(frame);
1997 return NT_STATUS_BUFFER_TOO_SMALL;
1998 }
1999
2000 status = marshall_sec_desc(mem_ctx, psd,
2001 ppmarshalled_sd, psd_size);
2002
2003 if (!NT_STATUS_IS_OK(status)) {
2004 TALLOC_FREE(frame);
2005 return status;
2006 }
2007
2008 TALLOC_FREE(frame);
2009 return NT_STATUS_OK;
2010 }
2011
2012 /****************************************************************************
2013 SMB1 reply to query a security descriptor.
2014 ****************************************************************************/
2015
2016 static void call_nt_transact_query_security_desc(connection_struct *conn,
2017 struct smb_request *req,
2018 uint16 **ppsetup,
2019 uint32 setup_count,
2020 char **ppparams,
2021 uint32 parameter_count,
2022 char **ppdata,
2023 uint32 data_count,
2024 uint32 max_data_count)
2025 {
2026 char *params = *ppparams;
2027 char *data = *ppdata;
2028 size_t sd_size = 0;
2029 uint32 security_info_wanted;
2030 files_struct *fsp = NULL;
2031 NTSTATUS status;
2032 uint8_t *marshalled_sd = NULL;
2033
2034 if(parameter_count < 8) {
2035 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2036 return;
2037 }
2038
2039 fsp = file_fsp(req, SVAL(params,0));
2040 if(!fsp) {
2041 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2042 return;
2043 }
2044
2045 security_info_wanted = IVAL(params,4);
2046
2047 DEBUG(3,("call_nt_transact_query_security_desc: file = %s, "
2048 "info_wanted = 0x%x\n", fsp_str_dbg(fsp),
2049 (unsigned int)security_info_wanted));
2050
2051 params = nttrans_realloc(ppparams, 4);
2052 if(params == NULL) {
2053 reply_nterror(req, NT_STATUS_NO_MEMORY);
2054 return;
2055 }
2056
2057 /*
2058 * Get the permissions to return.
2059 */
2060
2061 status = smbd_do_query_security_desc(conn,
2062 talloc_tos(),
2063 fsp,
2064 security_info_wanted,
2065 max_data_count,
2066 &marshalled_sd,
2067 &sd_size);
2068
2069 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
2070 SIVAL(params,0,(uint32_t)sd_size);
2071 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2072 params, 4, NULL, 0);
2073 return;
2074 }
2075
2076 if (!NT_STATUS_IS_OK(status)) {
2077 reply_nterror(req, status);
2078 return;
2079 }
2080
2081 SMB_ASSERT(sd_size > 0);
2082
2083 SIVAL(params,0,(uint32_t)sd_size);
2084
2085 if (max_data_count < sd_size) {
2086 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
2087 params, 4, NULL, 0);
2088 return;
2089 }
2090
2091 /*
2092 * Allocate the data we will return.
2093 */
2094
2095 data = nttrans_realloc(ppdata, sd_size);
2096 if(data == NULL) {
2097 reply_nterror(req, NT_STATUS_NO_MEMORY);
2098 return;
2099 }
2100
2101 memcpy(data, marshalled_sd, sd_size);
2102
2103 send_nt_replies(conn, req, NT_STATUS_OK, params, 4, data, (int)sd_size);
2104
2105 return;
2106 }
2107
2108 /****************************************************************************
2109 Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
2110 ****************************************************************************/
2111
2112 static void call_nt_transact_set_security_desc(connection_struct *conn,
2113 struct smb_request *req,
2114 uint16 **ppsetup,
2115 uint32 setup_count,
2116 char **ppparams,
2117 uint32 parameter_count,
2118 char **ppdata,
2119 uint32 data_count,
2120 uint32 max_data_count)
2121 {
2122 char *params= *ppparams;
2123 char *data = *ppdata;
2124 files_struct *fsp = NULL;
2125 uint32 security_info_sent = 0;
2126 NTSTATUS status;
2127
2128 if(parameter_count < 8) {
2129 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2130 return;
2131 }
2132
2133 if((fsp = file_fsp(req, SVAL(params,0))) == NULL) {
2134 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2135 return;
2136 }
2137
2138 if (!CAN_WRITE(fsp->conn)) {
2139 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2140 return;
2141 }
2142
2143 if(!lp_nt_acl_support(SNUM(conn))) {
2144 goto done;
2145 }
2146
2147 security_info_sent = IVAL(params,4);
2148
2149 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n",
2150 fsp_str_dbg(fsp), (unsigned int)security_info_sent));
2151
2152 if (data_count == 0) {
2153 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2154 return;
2155 }
2156
2157 status = set_sd_blob(fsp, (uint8 *)data, data_count, security_info_sent);
2158
2159 if (!NT_STATUS_IS_OK(status)) {
2160 reply_nterror(req, status);
2161 return;
2162 }
2163
2164 done:
2165 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
2166 return;
2167 }
2168
2169 /****************************************************************************
2170 Reply to NT IOCTL
2171 ****************************************************************************/
2172
2173 static void call_nt_transact_ioctl(connection_struct *conn,
2174 struct smb_request *req,
2175 uint16 **ppsetup, uint32 setup_count,
2176 char **ppparams, uint32 parameter_count,
2177 char **ppdata, uint32 data_count,
2178 uint32 max_data_count)
2179 {
2180 NTSTATUS status;
2181 uint32 function;
2182 uint16 fidnum;
2183 files_struct *fsp;
2184 uint8 isFSctl;
2185 uint8 compfilter;
2186 char *out_data = NULL;
2187 uint32 out_data_len = 0;
2188 char *pdata = *ppdata;
2189 TALLOC_CTX *ctx = talloc_tos();
2190
2191 if (setup_count != 8) {
2192 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
2193 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2194 return;
2195 }
2196
2197 function = IVAL(*ppsetup, 0);
2198 fidnum = SVAL(*ppsetup, 4);
2199 isFSctl = CVAL(*ppsetup, 6);
2200 compfilter = CVAL(*ppsetup, 7);
2201
2202 DEBUG(10, ("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n",
2203 function, fidnum, isFSctl, compfilter));
2204
2205 fsp=file_fsp(req, fidnum);
2206
2207 /*
2208 * We don't really implement IOCTLs, especially on files.
2209 */
2210 if (!isFSctl) {
2211 DEBUG(10, ("isFSctl: 0x%02X indicates IOCTL, not FSCTL!\n",
2212 isFSctl));
2213 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2214 return;
2215 }
2216
2217 /* Has to be for an open file! */
2218 if (!check_fsp_open(conn, req, fsp)) {
2219 return;
2220 }
2221
2222 SMB_PERFCOUNT_SET_IOCTL(&req->pcd, function);
2223
2224 /*
2225 * out_data might be allocated by the VFS module, but talloc should be
2226 * used, and should be cleaned up when the request ends.
2227 */
2228 status = SMB_VFS_FSCTL(fsp,
2229 ctx,
2230 function,
2231 req->flags2,
2232 (uint8_t *)pdata,
2233 data_count,
2234 (uint8_t **)&out_data,
2235 max_data_count,
2236 &out_data_len);
2237 if (!NT_STATUS_IS_OK(status)) {
2238 reply_nterror(req, status);
2239 } else {
2240 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, out_data, out_data_len);
2241 }
2242 }
2243
2244
2245 #ifdef HAVE_SYS_QUOTAS
2246 /****************************************************************************
2247 Reply to get user quota
2248 ****************************************************************************/
2249
2250 static void call_nt_transact_get_user_quota(connection_struct *conn,
2251 struct smb_request *req,
2252 uint16 **ppsetup,
2253 uint32 setup_count,
2254 char **ppparams,
2255 uint32 parameter_count,
2256 char **ppdata,
2257 uint32 data_count,
2258 uint32 max_data_count)
2259 {
2260 NTSTATUS nt_status = NT_STATUS_OK;
2261 char *params = *ppparams;
2262 char *pdata = *ppdata;
2263 char *entry;
2264 int data_len=0,param_len=0;
2265 int qt_len=0;
2266 int entry_len = 0;
2267 files_struct *fsp = NULL;
2268 uint16 level = 0;
2269 size_t sid_len;
2270 struct dom_sid sid;
2271 bool start_enum = True;
2272 SMB_NTQUOTA_STRUCT qt;
2273 SMB_NTQUOTA_LIST *tmp_list;
2274 SMB_NTQUOTA_HANDLE *qt_handle = NULL;
2275
2276 ZERO_STRUCT(qt);
2277
2278 /* access check */
2279 if (get_current_uid(conn) != 0) {
2280 DEBUG(1,("get_user_quota: access_denied service [%s] user "
2281 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2282 conn->session_info->unix_info->unix_name));
2283 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2284 return;
2285 }
2286
2287 /*
2288 * Ensure minimum number of parameters sent.
2289 */
2290
2291 if (parameter_count < 4) {
2292 DEBUG(0,("TRANSACT_GET_USER_QUOTA: requires %d >= 4 bytes parameters\n",parameter_count));
2293 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2294 return;
2295 }
2296
2297 /* maybe we can check the quota_fnum */
2298 fsp = file_fsp(req, SVAL(params,0));
2299 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2300 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2301 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2302 return;
2303 }
2304
2305 /* the NULL pointer checking for fsp->fake_file_handle->pd
2306 * is done by CHECK_NTQUOTA_HANDLE_OK()
2307 */
2308 qt_handle = (SMB_NTQUOTA_HANDLE *)fsp->fake_file_handle->private_data;
2309
2310 level = SVAL(params,2);
2311
2312 /* unknown 12 bytes leading in params */
2313
2314 switch (level) {
2315 case TRANSACT_GET_USER_QUOTA_LIST_CONTINUE:
2316 /* seems that we should continue with the enum here --metze */
2317
2318 if (qt_handle->quota_list!=NULL &&
2319 qt_handle->tmp_list==NULL) {
2320
2321 /* free the list */
2322 free_ntquota_list(&(qt_handle->quota_list));
2323
2324 /* Realloc the size of parameters and data we will return */
2325 param_len = 4;
2326 params = nttrans_realloc(ppparams, param_len);
2327 if(params == NULL) {
2328 reply_nterror(req, NT_STATUS_NO_MEMORY);
2329 return;
2330 }
2331
2332 data_len = 0;
2333 SIVAL(params,0,data_len);
2334
2335 break;
2336 }
2337
2338 start_enum = False;
2339
2340 case TRANSACT_GET_USER_QUOTA_LIST_START:
2341
2342 if (qt_handle->quota_list==NULL &&
2343 qt_handle->tmp_list==NULL) {
2344 start_enum = True;
2345 }
2346
2347 if (start_enum && vfs_get_user_ntquota_list(fsp,&(qt_handle->quota_list))!=0) {
2348 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2349 return;
2350 }
2351
2352 /* Realloc the size of parameters and data we will return */
2353 param_len = 4;
2354 params = nttrans_realloc(ppparams, param_len);
2355 if(params == NULL) {
2356 reply_nterror(req, NT_STATUS_NO_MEMORY);
2357 return;
2358 }
2359
2360 /* we should not trust the value in max_data_count*/
2361 max_data_count = MIN(max_data_count,2048);
2362
2363 pdata = nttrans_realloc(ppdata, max_data_count);/* should be max data count from client*/
2364 if(pdata == NULL) {
2365 reply_nterror(req, NT_STATUS_NO_MEMORY);
2366 return;
2367 }
2368
2369 entry = pdata;
2370
2371 /* set params Size of returned Quota Data 4 bytes*/
2372 /* but set it later when we know it */
2373
2374 /* for each entry push the data */
2375
2376 if (start_enum) {
2377 qt_handle->tmp_list = qt_handle->quota_list;
2378 }
2379
2380 tmp_list = qt_handle->tmp_list;
2381
2382 for (;((tmp_list!=NULL)&&((qt_len +40+SID_MAX_SIZE)<max_data_count));
2383 tmp_list=tmp_list->next,entry+=entry_len,qt_len+=entry_len) {
2384
2385 sid_len = ndr_size_dom_sid(
2386 &tmp_list->quotas->sid, 0);
2387 entry_len = 40 + sid_len;
2388
2389 /* nextoffset entry 4 bytes */
2390 SIVAL(entry,0,entry_len);
2391
2392 /* then the len of the SID 4 bytes */
2393 SIVAL(entry,4,sid_len);
2394
2395 /* unknown data 8 bytes uint64_t */
2396 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-metze*/
2397
2398 /* the used disk space 8 bytes uint64_t */
2399 SBIG_UINT(entry,16,tmp_list->quotas->usedspace);
2400
2401 /* the soft quotas 8 bytes uint64_t */
2402 SBIG_UINT(entry,24,tmp_list->quotas->softlim);
2403
2404 /* the hard quotas 8 bytes uint64_t */
2405 SBIG_UINT(entry,32,tmp_list->quotas->hardlim);
2406
2407 /* and now the SID */
2408 sid_linearize(entry+40, sid_len, &tmp_list->quotas->sid);
2409 }
2410
2411 qt_handle->tmp_list = tmp_list;
2412
2413 /* overwrite the offset of the last entry */
2414 SIVAL(entry-entry_len,0,0);
2415
2416 data_len = 4+qt_len;
2417 /* overwrite the params quota_data_len */
2418 SIVAL(params,0,data_len);
2419
2420 break;
2421
2422 case TRANSACT_GET_USER_QUOTA_FOR_SID:
2423
2424 /* unknown 4 bytes IVAL(pdata,0) */
2425
2426 if (data_count < 8) {
2427 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %d bytes data\n",data_count,8));
2428 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2429 return;
2430 }
2431
2432 sid_len = IVAL(pdata,4);
2433 /* Ensure this is less than 1mb. */
2434 if (sid_len > (1024*1024)) {
2435 reply_nterror(req, NT_STATUS_NO_MEMORY);
2436 return;
2437 }
2438
2439 if (data_count < 8+sid_len) {
2440 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len)));
2441 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2442 return;
2443 }
2444
2445 data_len = 4+40+sid_len;
2446
2447 if (max_data_count < data_len) {
2448 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: max_data_count(%d) < data_len(%d)\n",
2449 max_data_count, data_len));
2450 param_len = 4;
2451 SIVAL(params,0,data_len);
2452 data_len = 0;
2453 nt_status = NT_STATUS_BUFFER_TOO_SMALL;
2454 break;
2455 }
2456
2457 if (!sid_parse(pdata+8,sid_len,&sid)) {
2458 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2459 return;
2460 }
2461
2462 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2463 ZERO_STRUCT(qt);
2464 /*
2465 * we have to return zero's in all fields
2466 * instead of returning an error here
2467 * --metze
2468 */
2469 }
2470
2471 /* Realloc the size of parameters and data we will return */
2472 param_len = 4;
2473 params = nttrans_realloc(ppparams, param_len);
2474 if(params == NULL) {
2475 reply_nterror(req, NT_STATUS_NO_MEMORY);
2476 return;
2477 }
2478
2479 pdata = nttrans_realloc(ppdata, data_len);
2480 if(pdata == NULL) {
2481 reply_nterror(req, NT_STATUS_NO_MEMORY);
2482 return;
2483 }
2484
2485 entry = pdata;
2486
2487 /* set params Size of returned Quota Data 4 bytes*/
2488 SIVAL(params,0,data_len);
2489
2490 /* nextoffset entry 4 bytes */
2491 SIVAL(entry,0,0);
2492
2493 /* then the len of the SID 4 bytes */
2494 SIVAL(entry,4,sid_len);
2495
2496 /* unknown data 8 bytes uint64_t */
2497 SBIG_UINT(entry,8,(uint64_t)0); /* this is not 0 in windows...-mezte*/
2498
2499 /* the used disk space 8 bytes uint64_t */
2500 SBIG_UINT(entry,16,qt.usedspace);
2501
2502 /* the soft quotas 8 bytes uint64_t */
2503 SBIG_UINT(entry,24,qt.softlim);
2504
2505 /* the hard quotas 8 bytes uint64_t */
2506 SBIG_UINT(entry,32,qt.hardlim);
2507
2508 /* and now the SID */
2509 sid_linearize(entry+40, sid_len, &sid);
2510
2511 break;
2512
2513 default:
2514 DEBUG(0, ("do_nt_transact_get_user_quota: %s: unknown "
2515 "level 0x%04hX\n",
2516 fsp_fnum_dbg(fsp), level));
2517 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2518 return;
2519 break;
2520 }
2521
2522 send_nt_replies(conn, req, nt_status, params, param_len,
2523 pdata, data_len);
2524 }
2525
2526 /****************************************************************************
2527 Reply to set user quota
2528 ****************************************************************************/
2529
2530 static void call_nt_transact_set_user_quota(connection_struct *conn,
2531 struct smb_request *req,
2532 uint16 **ppsetup,
2533 uint32 setup_count,
2534 char **ppparams,
2535 uint32 parameter_count,
2536 char **ppdata,
2537 uint32 data_count,
2538 uint32 max_data_count)
2539 {
2540 char *params = *ppparams;
2541 char *pdata = *ppdata;
2542 int data_len=0,param_len=0;
2543 SMB_NTQUOTA_STRUCT qt;
2544 size_t sid_len;
2545 struct dom_sid sid;
2546 files_struct *fsp = NULL;
2547
2548 ZERO_STRUCT(qt);
2549
2550 /* access check */
2551 if (get_current_uid(conn) != 0) {
2552 DEBUG(1,("set_user_quota: access_denied service [%s] user "
2553 "[%s]\n", lp_servicename(talloc_tos(), SNUM(conn)),
2554 conn->session_info->unix_info->unix_name));
2555 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2556 return;
2557 }
2558
2559 /*
2560 * Ensure minimum number of parameters sent.
2561 */
2562
2563 if (parameter_count < 2) {
2564 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
2565 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2566 return;
2567 }
2568
2569 /* maybe we can check the quota_fnum */
2570 fsp = file_fsp(req, SVAL(params,0));
2571 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2572 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2573 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2574 return;
2575 }
2576
2577 if (data_count < 40) {
2578 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40));
2579 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2580 return;
2581 }
2582
2583 /* offset to next quota record.
2584 * 4 bytes IVAL(pdata,0)
2585 * unused here...
2586 */
2587
2588 /* sid len */
2589 sid_len = IVAL(pdata,4);
2590
2591 if (data_count < 40+sid_len || (40+sid_len < sid_len)) {
2592 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len));
2593 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2594 return;
2595 }
2596
2597 /* unknown 8 bytes in pdata
2598 * maybe its the change time in NTTIME
2599 */
2600
2601 /* the used space 8 bytes (uint64_t)*/
2602 qt.usedspace = BVAL(pdata,16);
2603
2604 /* the soft quotas 8 bytes (uint64_t)*/
2605 qt.softlim = BVAL(pdata,24);
2606
2607 /* the hard quotas 8 bytes (uint64_t)*/
2608 qt.hardlim = BVAL(pdata,32);
2609
2610 if (!sid_parse(pdata+40,sid_len,&sid)) {
2611 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2612 return;
2613 }
2614
2615 DEBUGADD(8,("SID: %s\n", sid_string_dbg(&sid)));
2616
2617 /* 44 unknown bytes left... */
2618
2619 if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2620 reply_nterror(req, NT_STATUS_INTERNAL_ERROR);
2621 return;
2622 }
2623
2624 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len,
2625 pdata, data_len);
2626 }
2627 #endif /* HAVE_SYS_QUOTAS */
2628
2629 static void handle_nttrans(connection_struct *conn,
2630 struct trans_state *state,
2631 struct smb_request *req)
2632 {
2633 if (get_Protocol() >= PROTOCOL_NT1) {
2634 req->flags2 |= 0x40; /* IS_LONG_NAME */
2635 SSVAL(discard_const_p(uint8_t, req->inbuf),smb_flg2,req->flags2);
2636 }
2637
2638
2639 SMB_PERFCOUNT_SET_SUBOP(&req->pcd, state->call);
2640
2641 /* Now we must call the relevant NT_TRANS function */
2642 switch(state->call) {
2643 case NT_TRANSACT_CREATE:
2644 {
2645 START_PROFILE(NT_transact_create);
2646 call_nt_transact_create(
2647 conn, req,
2648 &state->setup, state->setup_count,
2649 &state->param, state->total_param,
2650 &state->data, state->total_data,
2651 state->max_data_return);
2652 END_PROFILE(NT_transact_create);
2653 break;
2654 }
2655
2656 case NT_TRANSACT_IOCTL:
2657 {
2658 START_PROFILE(NT_transact_ioctl);
2659 call_nt_transact_ioctl(
2660 conn, req,
2661 &state->setup, state->setup_count,
2662 &state->param, state->total_param,
2663 &state->data, state->total_data,
2664 state->max_data_return);
2665 END_PROFILE(NT_transact_ioctl);
2666 break;
2667 }
2668
2669 case NT_TRANSACT_SET_SECURITY_DESC:
2670 {
2671 START_PROFILE(NT_transact_set_security_desc);
2672 call_nt_transact_set_security_desc(
2673 conn, req,
2674 &state->setup, state->setup_count,
2675 &state->param, state->total_param,
2676 &state->data, state->total_data,
2677 state->max_data_return);
2678 END_PROFILE(NT_transact_set_security_desc);
2679 break;
2680 }
2681
2682 case NT_TRANSACT_NOTIFY_CHANGE:
2683 {
2684 START_PROFILE(NT_transact_notify_change);
2685 call_nt_transact_notify_change(
2686 conn, req,
2687 &state->setup, state->setup_count,
2688 &state->param, state->total_param,
2689 &state->data, state->total_data,
2690 state->max_data_return,
2691 state->max_param_return);
2692 END_PROFILE(NT_transact_notify_change);
2693 break;
2694 }
2695
2696 case NT_TRANSACT_RENAME:
2697 {
2698 START_PROFILE(NT_transact_rename);
2699 call_nt_transact_rename(
2700 conn, req,
2701 &state->setup, state->setup_count,
2702 &state->param, state->total_param,
2703 &state->data, state->total_data,
2704 state->max_data_return);
2705 END_PROFILE(NT_transact_rename);
2706 break;
2707 }
2708
2709 case NT_TRANSACT_QUERY_SECURITY_DESC:
2710 {
2711 START_PROFILE(NT_transact_query_security_desc);
2712 call_nt_transact_query_security_desc(
2713 conn, req,
2714 &state->setup, state->setup_count,
2715 &state->param, state->total_param,
2716 &state->data, state->total_data,
2717 state->max_data_return);
2718 END_PROFILE(NT_transact_query_security_desc);
2719 break;
2720 }
2721
2722 #ifdef HAVE_SYS_QUOTAS
2723 case NT_TRANSACT_GET_USER_QUOTA:
2724 {
2725 START_PROFILE(NT_transact_get_user_quota);
2726 call_nt_transact_get_user_quota(
2727 conn, req,
2728 &state->setup, state->setup_count,
2729 &state->param, state->total_param,
2730 &state->data, state->total_data,
2731 state->max_data_return);
2732 END_PROFILE(NT_transact_get_user_quota);
2733 break;
2734 }
2735
2736 case NT_TRANSACT_SET_USER_QUOTA:
2737 {
2738 START_PROFILE(NT_transact_set_user_quota);
2739 call_nt_transact_set_user_quota(
2740 conn, req,
2741 &state->setup, state->setup_count,
2742 &state->param, state->total_param,
2743 &state->data, state->total_data,
2744 state->max_data_return);
2745 END_PROFILE(NT_transact_set_user_quota);
2746 break;
2747 }
2748 #endif /* HAVE_SYS_QUOTAS */
2749
2750 default:
2751 /* Error in request */
2752 DEBUG(0,("handle_nttrans: Unknown request %d in "
2753 "nttrans call\n", state->call));
2754 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2755 return;
2756 }
2757 return;
2758 }
2759
2760 /****************************************************************************
2761 Reply to a SMBNTtrans.
2762 ****************************************************************************/
2763
2764 void reply_nttrans(struct smb_request *req)
2765 {
2766 connection_struct *conn = req->conn;
2767 uint32_t pscnt;
2768 uint32_t psoff;
2769 uint32_t dscnt;
2770 uint32_t dsoff;
2771 uint16 function_code;
2772 NTSTATUS result;
2773 struct trans_state *state;
2774
2775 START_PROFILE(SMBnttrans);
2776
2777 if (req->wct < 19) {
2778 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2779 END_PROFILE(SMBnttrans);
2780 return;
2781 }
2782
2783 pscnt = IVAL(req->vwv+9, 1);
2784 psoff = IVAL(req->vwv+11, 1);
2785 dscnt = IVAL(req->vwv+13, 1);
2786 dsoff = IVAL(req->vwv+15, 1);
2787 function_code = SVAL(req->vwv+18, 0);
2788
2789 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
2790 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2791 END_PROFILE(SMBnttrans);
2792 return;
2793 }
2794
2795 result = allow_new_trans(conn->pending_trans, req->mid);
2796 if (!NT_STATUS_IS_OK(result)) {
2797 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
2798 reply_nterror(req, result);
2799 END_PROFILE(SMBnttrans);
2800 return;
2801 }
2802
2803 if ((state = talloc(conn, struct trans_state)) == NULL) {
2804 reply_nterror(req, NT_STATUS_NO_MEMORY);
2805 END_PROFILE(SMBnttrans);
2806 return;
2807 }
2808
2809 state->cmd = SMBnttrans;
2810
2811 state->mid = req->mid;
2812 state->vuid = req->vuid;
2813 state->total_data = IVAL(req->vwv+3, 1);
2814 state->data = NULL;
2815 state->total_param = IVAL(req->vwv+1, 1);
2816 state->param = NULL;
2817 state->max_data_return = IVAL(req->vwv+7, 1);
2818 state->max_param_return = IVAL(req->vwv+5, 1);
2819
2820 /* setup count is in *words* */
2821 state->setup_count = 2*CVAL(req->vwv+17, 1);
2822 state->setup = NULL;
2823 state->call = function_code;
2824
2825 DEBUG(10, ("num_setup=%u, "
2826 "param_total=%u, this_param=%u, max_param=%u, "
2827 "data_total=%u, this_data=%u, max_data=%u, "
2828 "param_offset=%u, data_offset=%u\n",
2829 (unsigned)state->setup_count,
2830 (unsigned)state->total_param, (unsigned)pscnt,
2831 (unsigned)state->max_param_return,
2832 (unsigned)state->total_data, (unsigned)dscnt,
2833 (unsigned)state->max_data_return,
2834 (unsigned)psoff, (unsigned)dsoff));
2835
2836 /*
2837 * All nttrans messages we handle have smb_wct == 19 +
2838 * state->setup_count. Ensure this is so as a sanity check.
2839 */
2840
2841 if(req->wct != 19 + (state->setup_count/2)) {
2842 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
2843 req->wct, 19 + (state->setup_count/2)));
2844 goto bad_param;
2845 }
2846
2847 /* Don't allow more than 128mb for each value. */
2848 if ((state->total_data > (1024*1024*128)) ||
2849 (state->total_param > (1024*1024*128))) {
2850 reply_nterror(req, NT_STATUS_NO_MEMORY);
2851 END_PROFILE(SMBnttrans);
2852 return;
2853 }
2854
2855 if ((dscnt > state->total_data) || (pscnt > state->total_param))
2856 goto bad_param;
2857
2858 if (state->total_data) {
2859
2860 if (trans_oob(state->total_data, 0, dscnt)
2861 || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) {
2862 goto bad_param;
2863 }
2864
2865 /* Can't use talloc here, the core routines do realloc on the
2866 * params and data. */
2867 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
2868 DEBUG(0,("reply_nttrans: data malloc fail for %u "
2869 "bytes !\n", (unsigned int)state->total_data));
2870 TALLOC_FREE(state);
2871 reply_nterror(req, NT_STATUS_NO_MEMORY);
2872 END_PROFILE(SMBnttrans);
2873 return;
2874 }
2875
2876 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
2877 }
2878
2879 if (state->total_param) {
2880
2881 if (trans_oob(state->total_param, 0, pscnt)
2882 || trans_oob(smb_len(req->inbuf), psoff, pscnt)) {
2883 goto bad_param;
2884 }
2885
2886 /* Can't use talloc here, the core routines do realloc on the
2887 * params and data. */
2888 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
2889 DEBUG(0,("reply_nttrans: param malloc fail for %u "
2890 "bytes !\n", (unsigned int)state->total_param));
2891 SAFE_FREE(state->data);
2892 TALLOC_FREE(state);
2893 reply_nterror(req, NT_STATUS_NO_MEMORY);
2894 END_PROFILE(SMBnttrans);
2895 return;
2896 }
2897
2898 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
2899 }
2900
2901 state->received_data = dscnt;
2902 state->received_param = pscnt;
2903
2904 if(state->setup_count > 0) {
2905 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
2906 state->setup_count));
2907
2908 /*
2909 * No overflow possible here, state->setup_count is an
2910 * unsigned int, being filled by a single byte from
2911 * CVAL(req->vwv+13, 0) above. The cast in the comparison
2912 * below is not necessary, it's here to clarify things. The
2913 * validity of req->vwv and req->wct has been checked in
2914 * init_smb_request already.
2915 */
2916 if ((state->setup_count/2) + 19 > (unsigned int)req->wct) {
2917 goto bad_param;
2918 }
2919
2920 state->setup = (uint16 *)TALLOC(state, state->setup_count);
2921 if (state->setup == NULL) {
2922 DEBUG(0,("reply_nttrans : Out of memory\n"));
2923 SAFE_FREE(state->data);
2924 SAFE_FREE(state->param);
2925 TALLOC_FREE(state);
2926 reply_nterror(req, NT_STATUS_NO_MEMORY);
2927 END_PROFILE(SMBnttrans);
2928 return;
2929 }
2930
2931 memcpy(state->setup, req->vwv+19, state->setup_count);
2932 dump_data(10, (uint8 *)state->setup, state->setup_count);
2933 }
2934
2935 if ((state->received_data == state->total_data) &&
2936 (state->received_param == state->total_param)) {
2937 handle_nttrans(conn, state, req);
2938 SAFE_FREE(state->param);
2939 SAFE_FREE(state->data);
2940 TALLOC_FREE(state);
2941 END_PROFILE(SMBnttrans);
2942 return;
2943 }
2944
2945 DLIST_ADD(conn->pending_trans, state);
2946
2947 /* We need to send an interim response then receive the rest
2948 of the parameter/data bytes */
2949 reply_outbuf(req, 0, 0);
2950 show_msg((char *)req->outbuf);
2951 END_PROFILE(SMBnttrans);
2952 return;
2953
2954 bad_param:
2955
2956 DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
2957 SAFE_FREE(state->data);
2958 SAFE_FREE(state->param);
2959 TALLOC_FREE(state);
2960 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2961 END_PROFILE(SMBnttrans);
2962 return;
2963 }
2964
2965 /****************************************************************************
2966 Reply to a SMBnttranss
2967 ****************************************************************************/
2968
2969 void reply_nttranss(struct smb_request *req)
2970 {
2971 connection_struct *conn = req->conn;
2972 uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
2973 struct trans_state *state;
2974
2975 START_PROFILE(SMBnttranss);
2976
2977 show_msg((const char *)req->inbuf);
2978
2979 /* Windows clients expect all replies to
2980 an NT transact secondary (SMBnttranss 0xA1)
2981 to have a command code of NT transact
2982 (SMBnttrans 0xA0). See bug #8989 for details. */
2983 req->cmd = SMBnttrans;
2984
2985 if (req->wct < 18) {
2986 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2987 END_PROFILE(SMBnttranss);
2988 return;
2989 }
2990
2991 for (state = conn->pending_trans; state != NULL;
2992 state = state->next) {
2993 if (state->mid == req->mid) {
2994 break;
2995 }
2996 }
2997
2998 if ((state == NULL) || (state->cmd != SMBnttrans)) {
2999 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3000 END_PROFILE(SMBnttranss);
3001 return;
3002 }
3003
3004 /* Revise state->total_param and state->total_data in case they have
3005 changed downwards */
3006 if (IVAL(req->vwv+1, 1) < state->total_param) {
3007 state->total_param = IVAL(req->vwv+1, 1);
3008 }
3009 if (IVAL(req->vwv+3, 1) < state->total_data) {
3010 state->total_data = IVAL(req->vwv+3, 1);
3011 }
3012
3013 pcnt = IVAL(req->vwv+5, 1);
3014 poff = IVAL(req->vwv+7, 1);
3015 pdisp = IVAL(req->vwv+9, 1);
3016
3017 dcnt = IVAL(req->vwv+11, 1);
3018 doff = IVAL(req->vwv+13, 1);
3019 ddisp = IVAL(req->vwv+15, 1);
3020
3021 state->received_param += pcnt;
3022 state->received_data += dcnt;
3023
3024 if ((state->received_data > state->total_data) ||
3025 (state->received_param > state->total_param))
3026 goto bad_param;
3027
3028 if (pcnt) {
3029 if (trans_oob(state->total_param, pdisp, pcnt)
3030 || trans_oob(smb_len(req->inbuf), poff, pcnt)) {
3031 goto bad_param;
3032 }
3033 memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,pcnt);
3034 }
3035
3036 if (dcnt) {
3037 if (trans_oob(state->total_data, ddisp, dcnt)
3038 || trans_oob(smb_len(req->inbuf), doff, dcnt)) {
3039 goto bad_param;
3040 }
3041 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt);
3042 }
3043
3044 if ((state->received_param < state->total_param) ||
3045 (state->received_data < state->total_data)) {
3046 END_PROFILE(SMBnttranss);
3047 return;
3048 }
3049
3050 handle_nttrans(conn, state, req);
3051
3052 DLIST_REMOVE(conn->pending_trans, state);
3053 SAFE_FREE(state->data);
3054 SAFE_FREE(state->param);
3055 TALLOC_FREE(state);
3056 END_PROFILE(SMBnttranss);
3057 return;
3058
3059 bad_param:
3060
3061 DEBUG(0,("reply_nttranss: invalid trans parameters\n"));
3062 DLIST_REMOVE(conn->pending_trans, state);
3063 SAFE_FREE(state->data);
3064 SAFE_FREE(state->param);
3065 TALLOC_FREE(state);
3066 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3067 END_PROFILE(SMBnttranss);
3068 return;
3069 }
WIP