search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
r4591: - converted the other _p talloc functions to not need _p
[Samba/gebeck_regimport.git] / source / libcli / raw / rawtrans.c
blob118ac5e3fdf90743d98ab7a81e3d2a6216a725c3
1 /*
2 Unix SMB/CIFS implementation.
3 raw trans/trans2/nttrans operations
4
5 Copyright (C) James Myers 2003 <myersjj@samba.org>
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 2 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program; if not, write to the Free Software
19 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 */
21
22 #include "includes.h"
23 #include "dlinklist.h"
24 #include "libcli/raw/libcliraw.h"
25
26 #define TORTURE_TRANS_DATA 0
27
28 /*
29 check out of bounds for incoming data
30 */
31 static BOOL raw_trans_oob(struct smbcli_request *req,
32 uint_t offset, uint_t count)
33 {
34 uint8_t *ptr;
35
36 if (count == 0) {
37 return False;
38 }
39
40 ptr = req->in.hdr + offset;
41
42 /* be careful with wraparound! */
43 if (ptr < req->in.data ||
44 ptr >= req->in.data + req->in.data_size ||
45 count > req->in.data_size ||
46 ptr + count > req->in.data + req->in.data_size) {
47 return True;
48 }
49 return False;
50 }
51
52 /****************************************************************************
53 receive a SMB trans or trans2 response allocating the necessary memory
54 ****************************************************************************/
55 NTSTATUS smb_raw_trans2_recv(struct smbcli_request *req,
56 TALLOC_CTX *mem_ctx,
57 struct smb_trans2 *parms)
58 {
59 int total_data=0;
60 int total_param=0;
61 uint8_t *tdata;
62 uint8_t *tparam;
63
64 parms->out.data.length = 0;
65 parms->out.data.data = NULL;
66 parms->out.params.length = 0;
67 parms->out.params.data = NULL;
68
69 if (!smbcli_request_receive(req)) {
70 return smbcli_request_destroy(req);
71 }
72
73 /*
74 * An NT RPC pipe call can return ERRDOS, ERRmoredata
75 * to a trans call. This is not an error and should not
76 * be treated as such.
77 */
78 if (NT_STATUS_IS_ERR(req->status)) {
79 return smbcli_request_destroy(req);
80 }
81
82 SMBCLI_CHECK_MIN_WCT(req, 10);
83
84 /* parse out the lengths */
85 total_data = SVAL(req->in.vwv, VWV(1));
86 total_param = SVAL(req->in.vwv, VWV(0));
87
88 /* allocate it */
89 if (total_data != 0) {
90 tdata = talloc_size(mem_ctx, total_data);
91 if (!tdata) {
92 DEBUG(0,("smb_raw_receive_trans: failed to enlarge data buffer to %d bytes\n", total_data));
93 req->status = NT_STATUS_NO_MEMORY;
94 return smbcli_request_destroy(req);
95 }
96 parms->out.data.data = tdata;
97 }
98
99 if (total_param != 0) {
100 tparam = talloc_size(mem_ctx, total_param);
101 if (!tparam) {
102 DEBUG(0,("smb_raw_receive_trans: failed to enlarge param buffer to %d bytes\n", total_param));
103 req->status = NT_STATUS_NO_MEMORY;
104 return smbcli_request_destroy(req);
105 }
106 parms->out.params.data = tparam;
107 }
108
109 parms->out.setup_count = SVAL(req->in.vwv, VWV(9));
110 SMBCLI_CHECK_WCT(req, 10 + parms->out.setup_count);
111
112 if (parms->out.setup_count > 0) {
113 int i;
114 parms->out.setup = talloc_array(mem_ctx, uint16_t, parms->out.setup_count);
115 if (!parms->out.setup) {
116 req->status = NT_STATUS_NO_MEMORY;
117 return smbcli_request_destroy(req);
118 }
119 for (i=0;i<parms->out.setup_count;i++) {
120 parms->out.setup[i] = SVAL(req->in.vwv, VWV(10+i));
121 }
122 }
123
124 while (1) {
125 uint16_t param_count, param_ofs, param_disp;
126 uint16_t data_count, data_ofs, data_disp;
127 uint16_t total_data2, total_param2;
128
129 /* parse out the total lengths again - they can shrink! */
130 total_data2 = SVAL(req->in.vwv, VWV(1));
131 total_param2 = SVAL(req->in.vwv, VWV(0));
132
133 if (total_data2 > total_data ||
134 total_param2 > total_param) {
135 /* they must *only* shrink */
136 DEBUG(1,("smb_raw_receive_trans: data/params expanded!\n"));
137 req->status = NT_STATUS_BUFFER_TOO_SMALL;
138 return smbcli_request_destroy(req);
139 }
140
141 total_data = total_data2;
142 total_param = total_param2;
143
144 /* parse params for this lump */
145 param_count = SVAL(req->in.vwv, VWV(3));
146 param_ofs = SVAL(req->in.vwv, VWV(4));
147 param_disp = SVAL(req->in.vwv, VWV(5));
148
149 data_count = SVAL(req->in.vwv, VWV(6));
150 data_ofs = SVAL(req->in.vwv, VWV(7));
151 data_disp = SVAL(req->in.vwv, VWV(8));
152
153 if (data_count + data_disp > total_data ||
154 param_count + param_disp > total_param) {
155 DEBUG(1,("smb_raw_receive_trans: Buffer overflow\n"));
156 req->status = NT_STATUS_BUFFER_TOO_SMALL;
157 return smbcli_request_destroy(req);
158 }
159
160 /* check the server isn't being nasty */
161 if (raw_trans_oob(req, param_ofs, param_count) ||
162 raw_trans_oob(req, data_ofs, data_count)) {
163 DEBUG(1,("smb_raw_receive_trans: out of bounds parameters!\n"));
164 req->status = NT_STATUS_BUFFER_TOO_SMALL;
165 return smbcli_request_destroy(req);
166 }
167
168 if (data_count) {
169 memcpy(parms->out.data.data + data_disp,
170 req->in.hdr + data_ofs,
171 data_count);
172 }
173
174 if (param_count) {
175 memcpy(parms->out.params.data + param_disp,
176 req->in.hdr + param_ofs,
177 param_count);
178 }
179
180 parms->out.data.length += data_count;
181 parms->out.params.length += param_count;
182
183 if (total_data <= parms->out.data.length && total_param <= parms->out.params.length)
184 break;
185
186 if (!smbcli_request_receive_more(req)) {
187 req->status = NT_STATUS_UNSUCCESSFUL;
188 return smbcli_request_destroy(req);
189 }
190 }
191
192 failed:
193 return smbcli_request_destroy(req);
194 }
195
196 NTSTATUS smb_raw_trans_recv(struct smbcli_request *req,
197 TALLOC_CTX *mem_ctx,
198 struct smb_trans2 *parms)
199 {
200 return smb_raw_trans2_recv(req, mem_ctx, parms);
201 }
202
203
204 /*
205 trans/trans2 raw async interface - only BLOBs used in this interface.
206 */
207 struct smbcli_request *smb_raw_trans_send_backend(struct smbcli_tree *tree,
208 struct smb_trans2 *parms,
209 uint8_t command)
210 {
211 int wct = 14 + parms->in.setup_count;
212 struct smbcli_request *req, *req2;
213 uint8_t *outdata,*outparam;
214 int i;
215 int padding;
216 size_t namelen = 0;
217 uint16_t data_disp, data_length, max_data;
218
219 if (command == SMBtrans)
220 padding = 1;
221 else
222 padding = 3;
223
224 req = smbcli_request_setup(tree, command, wct, padding);
225 if (!req) {
226 return NULL;
227 }
228
229 /* Watch out, this changes the req->out.* pointers */
230 if (command == SMBtrans && parms->in.trans_name) {
231 namelen = smbcli_req_append_string(req, parms->in.trans_name,
232 STR_TERMINATE);
233 }
234
235 /* fill in SMB parameters */
236 outparam = req->out.data + padding;
237 outdata = outparam + parms->in.params.length;
238
239 /* make sure we don't leak data via the padding */
240 memset(req->out.data, 0, padding);
241
242 data_length = parms->in.data.length;
243
244 max_data = smb_raw_max_trans_data(tree, parms->in.params.length);
245 if (max_data < data_length) {
246 data_length = max_data;
247 }
248
249 #if TORTURE_TRANS_DATA
250 if (data_length > 1) {
251 data_length /= 2;
252 }
253 #endif
254
255 /* primary request */
256 SSVAL(req->out.vwv,VWV(0),parms->in.params.length);
257 SSVAL(req->out.vwv,VWV(1),parms->in.data.length);
258 SSVAL(req->out.vwv,VWV(2),parms->in.max_param);
259 SSVAL(req->out.vwv,VWV(3),parms->in.max_data);
260 SSVAL(req->out.vwv,VWV(4),parms->in.max_setup);
261 SSVAL(req->out.vwv,VWV(5),parms->in.flags);
262 SIVAL(req->out.vwv,VWV(6),parms->in.timeout);
263 SSVAL(req->out.vwv,VWV(8),0); /* reserved */
264 SSVAL(req->out.vwv,VWV(9),parms->in.params.length);
265 SSVAL(req->out.vwv,VWV(10),PTR_DIFF(outparam,req->out.hdr)+namelen);
266 SSVAL(req->out.vwv,VWV(11),data_length);
267 SSVAL(req->out.vwv,VWV(12),PTR_DIFF(outdata,req->out.hdr)+namelen);
268 SSVAL(req->out.vwv,VWV(13),parms->in.setup_count);
269 for (i=0;i<parms->in.setup_count;i++) {
270 SSVAL(req->out.vwv,VWV(14)+i*2,parms->in.setup[i]);
271 }
272 if (parms->in.params.data) {
273 smbcli_req_append_blob(req, &parms->in.params);
274 }
275 if (parms->in.data.data) {
276 DATA_BLOB data;
277 data.data = parms->in.data.data;
278 data.length = data_length;
279 smbcli_req_append_blob(req, &data);
280 }
281
282 if (!smbcli_request_send(req)) {
283 smbcli_request_destroy(req);
284 return NULL;
285 }
286
287 data_disp = data_length;
288
289
290 if (data_disp != parms->in.data.length) {
291 /* TODO: this should be done asynchronously .... */
292 if (!smbcli_request_receive(req) ||
293 !NT_STATUS_IS_OK(req->status)) {
294 return req;
295 }
296
297 req->state = SMBCLI_REQUEST_RECV;
298 DLIST_ADD(req->transport->pending_recv, req);
299 }
300
301
302 while (data_disp != parms->in.data.length) {
303 data_length = parms->in.data.length - data_disp;
304
305 max_data = smb_raw_max_trans_data(tree, 0);
306 if (max_data < data_length) {
307 data_length = max_data;
308 }
309
310 #if TORTURE_TRANS_DATA
311 if (data_length > 1) {
312 data_length /= 2;
313 }
314 #endif
315
316 req2 = smbcli_request_setup(tree, command+1, 9, data_length);
317 if (!req2) {
318 return NULL;
319 }
320 req2->mid = req->mid;
321 SSVAL(req2->out.hdr, HDR_MID, req2->mid);
322
323 outdata = req2->out.data;
324
325 SSVAL(req2->out.vwv,VWV(0), parms->in.params.length);
326 SSVAL(req2->out.vwv,VWV(1), parms->in.data.length);
327 SSVAL(req2->out.vwv,VWV(2), 0);
328 SSVAL(req2->out.vwv,VWV(3), 0);
329 SSVAL(req2->out.vwv,VWV(4), 0);
330 SSVAL(req2->out.vwv,VWV(5), data_length);
331 SSVAL(req2->out.vwv,VWV(6), PTR_DIFF(outdata,req2->out.hdr));
332 SSVAL(req2->out.vwv,VWV(7), data_disp);
333 SSVAL(req2->out.vwv,VWV(8), 0xFFFF);
334
335 memcpy(req2->out.data, parms->in.data.data + data_disp, data_length);
336
337 data_disp += data_length;
338
339 req2->one_way_request = 1;
340
341 if (!smbcli_request_send(req2)) {
342 smbcli_request_destroy(req2);
343 return NULL;
344 }
345
346 req->seq_num = req2->seq_num;
347 }
348
349
350 return req;
351 }
352
353
354 /*
355 trans/trans2 raw async interface - only BLOBs used in this interface.
356 note that this doesn't yet support multi-part requests
357 */
358 struct smbcli_request *smb_raw_trans_send(struct smbcli_tree *tree,
359 struct smb_trans2 *parms)
360 {
361 return smb_raw_trans_send_backend(tree, parms, SMBtrans);
362 }
363
364 struct smbcli_request *smb_raw_trans2_send(struct smbcli_tree *tree,
365 struct smb_trans2 *parms)
366 {
367 return smb_raw_trans_send_backend(tree, parms, SMBtrans2);
368 }
369
370 /*
371 trans2 synchronous blob interface
372 */
373 NTSTATUS smb_raw_trans2(struct smbcli_tree *tree,
374 TALLOC_CTX *mem_ctx,
375 struct smb_trans2 *parms)
376 {
377 struct smbcli_request *req;
378 req = smb_raw_trans2_send(tree, parms);
379 if (!req) return NT_STATUS_UNSUCCESSFUL;
380 return smb_raw_trans2_recv(req, mem_ctx, parms);
381 }
382
383
384 /*
385 trans synchronous blob interface
386 */
387 NTSTATUS smb_raw_trans(struct smbcli_tree *tree,
388 TALLOC_CTX *mem_ctx,
389 struct smb_trans2 *parms)
390 {
391 struct smbcli_request *req;
392 req = smb_raw_trans_send(tree, parms);
393 if (!req) return NT_STATUS_UNSUCCESSFUL;
394 return smb_raw_trans_recv(req, mem_ctx, parms);
395 }
396
397
398 /****************************************************************************
399 receive a SMB nttrans response allocating the necessary memory
400 ****************************************************************************/
401 NTSTATUS smb_raw_nttrans_recv(struct smbcli_request *req,
402 TALLOC_CTX *mem_ctx,
403 struct smb_nttrans *parms)
404 {
405 uint32_t total_data, recvd_data=0;
406 uint32_t total_param, recvd_param=0;
407
408 if (!smbcli_request_receive(req) ||
409 smbcli_request_is_error(req)) {
410 return smbcli_request_destroy(req);
411 }
412
413 /* sanity check */
414 if (CVAL(req->in.hdr, HDR_COM) != SMBnttrans) {
415 DEBUG(0,("smb_raw_receive_nttrans: Expected %s response, got command 0x%02x\n",
416 "SMBnttrans",
417 CVAL(req->in.hdr,HDR_COM)));
418 req->status = NT_STATUS_UNSUCCESSFUL;
419 return smbcli_request_destroy(req);
420 }
421
422 SMBCLI_CHECK_MIN_WCT(req, 18);
423
424 /* parse out the lengths */
425 total_param = IVAL(req->in.vwv, 3);
426 total_data = IVAL(req->in.vwv, 7);
427
428 parms->out.data = data_blob_talloc(mem_ctx, NULL, total_data);
429 parms->out.params = data_blob_talloc(mem_ctx, NULL, total_param);
430
431 if (parms->out.data.length != total_data ||
432 parms->out.params.length != total_param) {
433 req->status = NT_STATUS_NO_MEMORY;
434 return smbcli_request_destroy(req);
435 }
436
437 parms->out.setup_count = CVAL(req->in.vwv, 35);
438 SMBCLI_CHECK_WCT(req, 18 + parms->out.setup_count);
439
440 if (parms->out.setup_count > 0) {
441 int i;
442 parms->out.setup = talloc_array(mem_ctx, uint16_t, parms->out.setup_count);
443 if (!parms->out.setup) {
444 req->status = NT_STATUS_NO_MEMORY;
445 return smbcli_request_destroy(req);
446 }
447 for (i=0;i<parms->out.setup_count;i++) {
448 parms->out.setup[i] = SVAL(req->in.vwv, VWV(18+i));
449 }
450 }
451
452 while (recvd_data < total_data ||
453 recvd_param < total_param) {
454 uint32_t param_count, param_ofs, param_disp;
455 uint32_t data_count, data_ofs, data_disp;
456 uint32_t total_data2, total_param2;
457
458 /* parse out the total lengths again - they can shrink! */
459 total_param2 = IVAL(req->in.vwv, 3);
460 total_data2 = IVAL(req->in.vwv, 7);
461
462 if (total_data2 > total_data ||
463 total_param2 > total_param) {
464 /* they must *only* shrink */
465 DEBUG(1,("smb_raw_receive_nttrans: data/params expanded!\n"));
466 req->status = NT_STATUS_BUFFER_TOO_SMALL;
467 return smbcli_request_destroy(req);
468 }
469
470 total_data = total_data2;
471 total_param = total_param2;
472 parms->out.data.length = total_data;
473 parms->out.params.length = total_param;
474
475 /* parse params for this lump */
476 param_count = IVAL(req->in.vwv, 11);
477 param_ofs = IVAL(req->in.vwv, 15);
478 param_disp = IVAL(req->in.vwv, 19);
479
480 data_count = IVAL(req->in.vwv, 23);
481 data_ofs = IVAL(req->in.vwv, 27);
482 data_disp = IVAL(req->in.vwv, 31);
483
484 if (data_count + data_disp > total_data ||
485 param_count + param_disp > total_param) {
486 DEBUG(1,("smb_raw_receive_nttrans: Buffer overflow\n"));
487 req->status = NT_STATUS_BUFFER_TOO_SMALL;
488 return smbcli_request_destroy(req);
489 }
490
491 /* check the server isn't being nasty */
492 if (raw_trans_oob(req, param_ofs, param_count) ||
493 raw_trans_oob(req, data_ofs, data_count)) {
494 DEBUG(1,("smb_raw_receive_nttrans: out of bounds parameters!\n"));
495 req->status = NT_STATUS_BUFFER_TOO_SMALL;
496 return smbcli_request_destroy(req);
497 }
498
499 if (data_count) {
500 memcpy(parms->out.data.data + data_disp,
501 req->in.hdr + data_ofs,
502 data_count);
503 }
504
505 if (param_count) {
506 memcpy(parms->out.params.data + param_disp,
507 req->in.hdr + param_ofs,
508 param_count);
509 }
510
511 recvd_param += param_count;
512 recvd_data += data_count;
513
514 if (recvd_data >= total_data &&
515 recvd_param >= total_param) {
516 break;
517 }
518
519 if (!smbcli_request_receive(req) ||
520 smbcli_request_is_error(req)) {
521 return smbcli_request_destroy(req);
522 }
523
524 /* sanity check */
525 if (CVAL(req->in.hdr, HDR_COM) != SMBnttrans) {
526 DEBUG(0,("smb_raw_receive_nttrans: Expected nttranss, got command 0x%02x\n",
527 CVAL(req->in.hdr, HDR_COM)));
528 req->status = NT_STATUS_UNSUCCESSFUL;
529 return smbcli_request_destroy(req);
530 }
531 }
532
533 failed:
534 return smbcli_request_destroy(req);
535 }
536
537
538 /****************************************************************************
539 nttrans raw - only BLOBs used in this interface.
540 at the moment we only handle a single primary request
541 ****************************************************************************/
542 struct smbcli_request *smb_raw_nttrans_send(struct smbcli_tree *tree,
543 struct smb_nttrans *parms)
544 {
545 struct smbcli_request *req;
546 uint8_t *outdata, *outparam;
547 int i;
548 int align = 0;
549
550 /* only align if there are parameters or data */
551 if (parms->in.params.length || parms->in.data.length) {
552 align = 3;
553 }
554
555 req = smbcli_request_setup(tree, SMBnttrans,
556 19 + parms->in.setup_count,
557 align +
558 parms->in.params.length +
559 parms->in.data.length);
560 if (!req) {
561 return NULL;
562 }
563
564 /* fill in SMB parameters */
565 outparam = req->out.data + align;
566 outdata = outparam + parms->in.params.length;
567
568 if (align != 0) {
569 memset(req->out.data, 0, align);
570 }
571
572 SCVAL(req->out.vwv, 0, parms->in.max_setup);
573 SSVAL(req->out.vwv, 1, 0); /* reserved */
574 SIVAL(req->out.vwv, 3, parms->in.params.length);
575 SIVAL(req->out.vwv, 7, parms->in.data.length);
576 SIVAL(req->out.vwv, 11, parms->in.max_param);
577 SIVAL(req->out.vwv, 15, parms->in.max_data);
578 SIVAL(req->out.vwv, 19, parms->in.params.length);
579 SIVAL(req->out.vwv, 23, PTR_DIFF(outparam,req->out.hdr));
580 SIVAL(req->out.vwv, 27, parms->in.data.length);
581 SIVAL(req->out.vwv, 31, PTR_DIFF(outdata,req->out.hdr));
582 SCVAL(req->out.vwv, 35, parms->in.setup_count);
583 SSVAL(req->out.vwv, 36, parms->in.function);
584 for (i=0;i<parms->in.setup_count;i++) {
585 SSVAL(req->out.vwv,VWV(19+i),parms->in.setup[i]);
586 }
587 if (parms->in.params.length) {
588 memcpy(outparam, parms->in.params.data, parms->in.params.length);
589 }
590 if (parms->in.data.length) {
591 memcpy(outdata, parms->in.data.data, parms->in.data.length);
592 }
593
594 if (!smbcli_request_send(req)) {
595 smbcli_request_destroy(req);
596 return NULL;
597 }
598
599 return req;
600 }
601
602
603 /****************************************************************************
604 receive a SMB nttrans response allocating the necessary memory
605 ****************************************************************************/
606 NTSTATUS smb_raw_nttrans(struct smbcli_tree *tree,
607 TALLOC_CTX *mem_ctx,
608 struct smb_nttrans *parms)
609 {
610 struct smbcli_request *req;
611
612 req = smb_raw_nttrans_send(tree, parms);
613 if (!req) {
614 return NT_STATUS_UNSUCCESSFUL;
615 }
616
617 return smb_raw_nttrans_recv(req, mem_ctx, parms);
618 }
619
620 /*
621 work out the maximum data size for a trans request while avoiding
622 multi-part replies
623
624 TODO: we only need to avoid multi-part replies because the
625 multi-part trans receive code is broken.
626 */
627 size_t smb_raw_max_trans_data(struct smbcli_tree *tree, size_t param_size)
628 {
629 return tree->session->transport->negotiate.max_xmit - (70 + param_size);
630 }
reg import