search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:smb2_server: simplify smbd_smb2_request_verify_creditcharge() a bit.
[Samba/gebeck_regimport.git] / source3 / smbd / smb2_server.c
bloba6efdbe6864e3731f1bc697b3b077ebefcef729c
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6 Copyright (C) Jeremy Allison 2010
7
8 This program is free software; you can redistribute it and/or modify
9 it under the terms of the GNU General Public License as published by
10 the Free Software Foundation; either version 3 of the License, or
11 (at your option) any later version.
12
13 This program is distributed in the hope that it will be useful,
14 but WITHOUT ANY WARRANTY; without even the implied warranty of
15 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 GNU General Public License for more details.
17
18 You should have received a copy of the GNU General Public License
19 along with this program. If not, see <http://www.gnu.org/licenses/>.
20 */
21
22 #include "includes.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "../libcli/smb/smb_common.h"
26 #include "../lib/tsocket/tsocket.h"
27 #include "../lib/util/tevent_ntstatus.h"
28 #include "smbprofile.h"
29 #include "../lib/util/bitmap.h"
30 #include "../librpc/gen_ndr/krb5pac.h"
31 #include "auth.h"
32
33 #define OUTVEC_ALLOC_SIZE (SMB2_HDR_BODY + 9)
34
35 static const char *smb2_names[] = {
36 "SMB2_NEGPROT",
37 "SMB2_SESSSETUP",
38 "SMB2_LOGOFF",
39 "SMB2_TCON",
40 "SMB2_TDIS",
41 "SMB2_CREATE",
42 "SMB2_CLOSE",
43 "SMB2_FLUSH",
44 "SMB2_READ",
45 "SMB2_WRITE",
46 "SMB2_LOCK",
47 "SMB2_IOCTL",
48 "SMB2_CANCEL",
49 "SMB2_KEEPALIVE",
50 "SMB2_FIND",
51 "SMB2_NOTIFY",
52 "SMB2_GETINFO",
53 "SMB2_SETINFO",
54 "SMB2_BREAK"
55 };
56
57 const char *smb2_opcode_name(uint16_t opcode)
58 {
59 if (opcode > 0x12) {
60 return "Bad SMB2 opcode";
61 }
62 return smb2_names[opcode];
63 }
64
65 static void print_req_vectors(struct smbd_smb2_request *req)
66 {
67 int i;
68
69 for (i = 0; i < req->in.vector_count; i++) {
70 dbgtext("\treq->in.vector[%u].iov_len = %u\n",
71 (unsigned int)i,
72 (unsigned int)req->in.vector[i].iov_len);
73 }
74 for (i = 0; i < req->out.vector_count; i++) {
75 dbgtext("\treq->out.vector[%u].iov_len = %u\n",
76 (unsigned int)i,
77 (unsigned int)req->out.vector[i].iov_len);
78 }
79 }
80
81 bool smbd_is_smb2_header(const uint8_t *inbuf, size_t size)
82 {
83 if (size < (4 + SMB2_HDR_BODY)) {
84 return false;
85 }
86
87 if (IVAL(inbuf, 4) != SMB2_MAGIC) {
88 return false;
89 }
90
91 return true;
92 }
93
94 static NTSTATUS smbd_initialize_smb2(struct smbd_server_connection *sconn)
95 {
96 NTSTATUS status;
97 int ret;
98
99 TALLOC_FREE(sconn->smb1.fde);
100
101 sconn->smb2.recv_queue = tevent_queue_create(sconn, "smb2 recv queue");
102 if (sconn->smb2.recv_queue == NULL) {
103 return NT_STATUS_NO_MEMORY;
104 }
105
106 sconn->smb2.send_queue = tevent_queue_create(sconn, "smb2 send queue");
107 if (sconn->smb2.send_queue == NULL) {
108 return NT_STATUS_NO_MEMORY;
109 }
110
111 sconn->smb2.seqnum_low = 0;
112 sconn->smb2.seqnum_range = 1;
113 sconn->smb2.credits_granted = 1;
114 sconn->smb2.max_credits = lp_smb2_max_credits();
115 sconn->smb2.credits_bitmap = bitmap_talloc(sconn,
116 sconn->smb2.max_credits);
117 if (sconn->smb2.credits_bitmap == NULL) {
118 return NT_STATUS_NO_MEMORY;
119 }
120
121 ret = tstream_bsd_existing_socket(sconn, sconn->sock,
122 &sconn->smb2.stream);
123 if (ret == -1) {
124 status = map_nt_error_from_unix(errno);
125 return status;
126 }
127
128 /* Ensure child is set to non-blocking mode */
129 set_blocking(sconn->sock, false);
130 return NT_STATUS_OK;
131 }
132
133 #define smb2_len(buf) (PVAL(buf,3)|(PVAL(buf,2)<<8)|(PVAL(buf,1)<<16))
134 #define _smb2_setlen(_buf,len) do { \
135 uint8_t *buf = (uint8_t *)_buf; \
136 buf[0] = 0; \
137 buf[1] = ((len)&0xFF0000)>>16; \
138 buf[2] = ((len)&0xFF00)>>8; \
139 buf[3] = (len)&0xFF; \
140 } while (0)
141
142 static void smb2_setup_nbt_length(struct iovec *vector, int count)
143 {
144 size_t len = 0;
145 int i;
146
147 for (i=1; i < count; i++) {
148 len += vector[i].iov_len;
149 }
150
151 _smb2_setlen(vector[0].iov_base, len);
152 }
153
154 static int smbd_smb2_request_parent_destructor(struct smbd_smb2_request **req)
155 {
156 if (*req) {
157 (*req)->parent = NULL;
158 (*req)->mem_pool = NULL;
159 }
160
161 return 0;
162 }
163
164 static int smbd_smb2_request_destructor(struct smbd_smb2_request *req)
165 {
166 if (req->parent) {
167 *req->parent = NULL;
168 talloc_free(req->mem_pool);
169 }
170
171 return 0;
172 }
173
174 static struct smbd_smb2_request *smbd_smb2_request_allocate(TALLOC_CTX *mem_ctx)
175 {
176 TALLOC_CTX *mem_pool;
177 struct smbd_smb2_request **parent;
178 struct smbd_smb2_request *req;
179
180 #if 0
181 /* Enable this to find subtle valgrind errors. */
182 mem_pool = talloc_init("smbd_smb2_request_allocate");
183 #else
184 mem_pool = talloc_pool(mem_ctx, 8192);
185 #endif
186 if (mem_pool == NULL) {
187 return NULL;
188 }
189
190 parent = talloc(mem_pool, struct smbd_smb2_request *);
191 if (parent == NULL) {
192 talloc_free(mem_pool);
193 return NULL;
194 }
195
196 req = talloc_zero(parent, struct smbd_smb2_request);
197 if (req == NULL) {
198 talloc_free(mem_pool);
199 return NULL;
200 }
201 *parent = req;
202 req->mem_pool = mem_pool;
203 req->parent = parent;
204
205 req->last_session_id = UINT64_MAX;
206 req->last_tid = UINT32_MAX;
207
208 talloc_set_destructor(parent, smbd_smb2_request_parent_destructor);
209 talloc_set_destructor(req, smbd_smb2_request_destructor);
210
211 return req;
212 }
213
214 static NTSTATUS smbd_smb2_request_create(struct smbd_server_connection *sconn,
215 const uint8_t *inbuf, size_t size,
216 struct smbd_smb2_request **_req)
217 {
218 struct smbd_smb2_request *req;
219 uint32_t protocol_version;
220 const uint8_t *inhdr = NULL;
221 off_t ofs = 0;
222 uint16_t cmd;
223 uint32_t next_command_ofs;
224
225 if (size < (4 + SMB2_HDR_BODY + 2)) {
226 DEBUG(0,("Invalid SMB2 packet length count %ld\n", (long)size));
227 return NT_STATUS_INVALID_PARAMETER;
228 }
229
230 inhdr = inbuf + 4;
231
232 protocol_version = IVAL(inhdr, SMB2_HDR_PROTOCOL_ID);
233 if (protocol_version != SMB2_MAGIC) {
234 DEBUG(0,("Invalid SMB packet: protocol prefix: 0x%08X\n",
235 protocol_version));
236 return NT_STATUS_INVALID_PARAMETER;
237 }
238
239 cmd = SVAL(inhdr, SMB2_HDR_OPCODE);
240 if (cmd != SMB2_OP_NEGPROT) {
241 DEBUG(0,("Invalid SMB packet: first request: 0x%04X\n",
242 cmd));
243 return NT_STATUS_INVALID_PARAMETER;
244 }
245
246 next_command_ofs = IVAL(inhdr, SMB2_HDR_NEXT_COMMAND);
247 if (next_command_ofs != 0) {
248 DEBUG(0,("Invalid SMB packet: next_command: 0x%08X\n",
249 next_command_ofs));
250 return NT_STATUS_INVALID_PARAMETER;
251 }
252
253 req = smbd_smb2_request_allocate(sconn);
254 if (req == NULL) {
255 return NT_STATUS_NO_MEMORY;
256 }
257 req->sconn = sconn;
258
259 talloc_steal(req, inbuf);
260
261 req->in.vector = talloc_array(req, struct iovec, 4);
262 if (req->in.vector == NULL) {
263 TALLOC_FREE(req);
264 return NT_STATUS_NO_MEMORY;
265 }
266 req->in.vector_count = 4;
267
268 memcpy(req->in.nbt_hdr, inbuf, 4);
269
270 ofs = 0;
271 req->in.vector[0].iov_base = discard_const_p(void, req->in.nbt_hdr);
272 req->in.vector[0].iov_len = 4;
273 ofs += req->in.vector[0].iov_len;
274
275 req->in.vector[1].iov_base = discard_const_p(void, (inbuf + ofs));
276 req->in.vector[1].iov_len = SMB2_HDR_BODY;
277 ofs += req->in.vector[1].iov_len;
278
279 req->in.vector[2].iov_base = discard_const_p(void, (inbuf + ofs));
280 req->in.vector[2].iov_len = SVAL(inbuf, ofs) & 0xFFFE;
281 ofs += req->in.vector[2].iov_len;
282
283 if (ofs > size) {
284 return NT_STATUS_INVALID_PARAMETER;
285 }
286
287 req->in.vector[3].iov_base = discard_const_p(void, (inbuf + ofs));
288 req->in.vector[3].iov_len = size - ofs;
289 ofs += req->in.vector[3].iov_len;
290
291 req->current_idx = 1;
292
293 *_req = req;
294 return NT_STATUS_OK;
295 }
296
297 static bool smb2_validate_sequence_number(struct smbd_server_connection *sconn,
298 uint64_t message_id, uint64_t seq_id)
299 {
300 struct bitmap *credits_bm = sconn->smb2.credits_bitmap;
301 unsigned int offset;
302
303 if (seq_id < sconn->smb2.seqnum_low) {
304 DEBUG(0,("smb2_validate_sequence_number: bad message_id "
305 "%llu (sequence id %llu) "
306 "(granted = %u, low = %llu, range = %u)\n",
307 (unsigned long long)message_id,
308 (unsigned long long)seq_id,
309 (unsigned int)sconn->smb2.credits_granted,
310 (unsigned long long)sconn->smb2.seqnum_low,
311 (unsigned int)sconn->smb2.seqnum_range));
312 return false;
313 }
314
315 if (seq_id >= sconn->smb2.seqnum_low + sconn->smb2.seqnum_range) {
316 DEBUG(0,("smb2_validate_sequence_number: bad message_id "
317 "%llu (sequence id %llu) "
318 "(granted = %u, low = %llu, range = %u)\n",
319 (unsigned long long)message_id,
320 (unsigned long long)seq_id,
321 (unsigned int)sconn->smb2.credits_granted,
322 (unsigned long long)sconn->smb2.seqnum_low,
323 (unsigned int)sconn->smb2.seqnum_range));
324 return false;
325 }
326
327 offset = seq_id % sconn->smb2.max_credits;
328
329 if (bitmap_query(credits_bm, offset)) {
330 DEBUG(0,("smb2_validate_sequence_number: duplicate message_id "
331 "%llu (sequence id %llu) "
332 "(granted = %u, low = %llu, range = %u) "
333 "(bm offset %u)\n",
334 (unsigned long long)message_id,
335 (unsigned long long)seq_id,
336 (unsigned int)sconn->smb2.credits_granted,
337 (unsigned long long)sconn->smb2.seqnum_low,
338 (unsigned int)sconn->smb2.seqnum_range,
339 offset));
340 return false;
341 }
342
343 /* Mark the message_ids as seen in the bitmap. */
344 bitmap_set(credits_bm, offset);
345
346 if (seq_id != sconn->smb2.seqnum_low) {
347 return true;
348 }
349
350 /*
351 * Move the window forward by all the message_id's
352 * already seen.
353 */
354 while (bitmap_query(credits_bm, offset)) {
355 DEBUG(10,("smb2_validate_sequence_number: clearing "
356 "id %llu (position %u) from bitmap\n",
357 (unsigned long long)(sconn->smb2.seqnum_low),
358 offset));
359 bitmap_clear(credits_bm, offset);
360
361 sconn->smb2.seqnum_low += 1;
362 sconn->smb2.seqnum_range -= 1;
363 offset = sconn->smb2.seqnum_low % sconn->smb2.max_credits;
364 }
365
366 return true;
367 }
368
369 static bool smb2_validate_message_id(struct smbd_server_connection *sconn,
370 const uint8_t *inhdr)
371 {
372 uint64_t message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
373 uint16_t opcode = IVAL(inhdr, SMB2_HDR_OPCODE);
374 uint16_t credit_charge = 1;
375 uint64_t i;
376
377 if (opcode == SMB2_OP_CANCEL) {
378 /* SMB2_CANCEL requests by definition resend messageids. */
379 return true;
380 }
381
382 if (sconn->smb2.supports_multicredit) {
383 credit_charge = SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE);
384 credit_charge = MAX(credit_charge, 1);
385 }
386
387 DEBUG(11, ("smb2_validate_message_id: mid %llu (charge %llu), "
388 "credits_granted %llu, "
389 "seqnum low/range: %llu/%llu\n",
390 (unsigned long long) message_id,
391 (unsigned long long) credit_charge,
392 (unsigned long long) sconn->smb2.credits_granted,
393 (unsigned long long) sconn->smb2.seqnum_low,
394 (unsigned long long) sconn->smb2.seqnum_range));
395
396 if (sconn->smb2.credits_granted < credit_charge) {
397 DEBUG(0, ("smb2_validate_message_id: client used more "
398 "credits than granted, mid %llu, charge %llu, "
399 "credits_granted %llu, "
400 "seqnum low/range: %llu/%llu\n",
401 (unsigned long long) message_id,
402 (unsigned long long) credit_charge,
403 (unsigned long long) sconn->smb2.credits_granted,
404 (unsigned long long) sconn->smb2.seqnum_low,
405 (unsigned long long) sconn->smb2.seqnum_range));
406 return false;
407 }
408
409 /*
410 * now check the message ids
411 *
412 * for multi-credit requests we need to check all current mid plus
413 * the implicit mids caused by the credit charge
414 * e.g. current mid = 15, charge 5 => mark 15-19 as used
415 */
416
417 for (i = 0; i <= (credit_charge-1); i++) {
418 uint64_t id = message_id + i;
419 bool ok;
420
421 DEBUG(11, ("Iterating mid %llu charge %u (sequence %llu)\n",
422 (unsigned long long)message_id,
423 credit_charge,
424 (unsigned long long)id));
425
426 ok = smb2_validate_sequence_number(sconn, message_id, id);
427 if (!ok) {
428 return false;
429 }
430 }
431
432 /* substract used credits */
433 sconn->smb2.credits_granted -= credit_charge;
434
435 return true;
436 }
437
438 static NTSTATUS smbd_smb2_request_validate(struct smbd_smb2_request *req)
439 {
440 int count;
441 int idx;
442
443 count = req->in.vector_count;
444
445 if (count < 4) {
446 /* It's not a SMB2 request */
447 return NT_STATUS_INVALID_PARAMETER;
448 }
449
450 for (idx=1; idx < count; idx += 3) {
451 const uint8_t *inhdr = NULL;
452 uint32_t flags;
453
454 if (req->in.vector[idx].iov_len != SMB2_HDR_BODY) {
455 return NT_STATUS_INVALID_PARAMETER;
456 }
457
458 if (req->in.vector[idx+1].iov_len < 2) {
459 return NT_STATUS_INVALID_PARAMETER;
460 }
461
462 inhdr = (const uint8_t *)req->in.vector[idx].iov_base;
463
464 /* Check the SMB2 header */
465 if (IVAL(inhdr, SMB2_HDR_PROTOCOL_ID) != SMB2_MAGIC) {
466 return NT_STATUS_INVALID_PARAMETER;
467 }
468
469 if (!smb2_validate_message_id(req->sconn, inhdr)) {
470 return NT_STATUS_INVALID_PARAMETER;
471 }
472
473 flags = IVAL(inhdr, SMB2_HDR_FLAGS);
474 if (idx == 1) {
475 /*
476 * the 1st request should never have the
477 * SMB2_HDR_FLAG_CHAINED flag set
478 */
479 if (flags & SMB2_HDR_FLAG_CHAINED) {
480 req->next_status = NT_STATUS_INVALID_PARAMETER;
481 return NT_STATUS_OK;
482 }
483 } else if (idx == 4) {
484 /*
485 * the 2nd request triggers related vs. unrelated
486 * compounded requests
487 */
488 if (flags & SMB2_HDR_FLAG_CHAINED) {
489 req->compound_related = true;
490 }
491 } else if (idx > 4) {
492 #if 0
493 /*
494 * It seems the this tests are wrong
495 * see the SMB2-COMPOUND test
496 */
497
498 /*
499 * all other requests should match the 2nd one
500 */
501 if (flags & SMB2_HDR_FLAG_CHAINED) {
502 if (!req->compound_related) {
503 req->next_status =
504 NT_STATUS_INVALID_PARAMETER;
505 return NT_STATUS_OK;
506 }
507 } else {
508 if (req->compound_related) {
509 req->next_status =
510 NT_STATUS_INVALID_PARAMETER;
511 return NT_STATUS_OK;
512 }
513 }
514 #endif
515 }
516 }
517
518 return NT_STATUS_OK;
519 }
520
521 static void smb2_set_operation_credit(struct smbd_server_connection *sconn,
522 const struct iovec *in_vector,
523 struct iovec *out_vector)
524 {
525 const uint8_t *inhdr = (const uint8_t *)in_vector->iov_base;
526 uint8_t *outhdr = (uint8_t *)out_vector->iov_base;
527 uint16_t credit_charge = 1;
528 uint16_t credits_requested;
529 uint32_t out_flags;
530 uint16_t cmd;
531 NTSTATUS out_status;
532 uint16_t credits_granted = 0;
533 uint64_t credits_possible;
534 uint16_t current_max_credits;
535
536 /*
537 * first we grant only 1/16th of the max range.
538 *
539 * Windows also starts with the 1/16th and then grants
540 * more later. I was only able to trigger higher
541 * values, when using a verify high credit charge.
542 *
543 * TODO: scale up depending one load, free memory
544 * or other stuff.
545 * Maybe also on the relationship between number
546 * of requests and the used sequence number.
547 * Which means we would grant more credits
548 * for client which use multi credit requests.
549 */
550 current_max_credits = sconn->smb2.max_credits / 16;
551 current_max_credits = MAX(current_max_credits, 1);
552
553 if (sconn->smb2.supports_multicredit) {
554 credit_charge = SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE);
555 credit_charge = MAX(credit_charge, 1);
556 }
557
558 cmd = SVAL(inhdr, SMB2_HDR_OPCODE);
559 credits_requested = SVAL(inhdr, SMB2_HDR_CREDIT);
560 out_flags = IVAL(outhdr, SMB2_HDR_FLAGS);
561 out_status = NT_STATUS(IVAL(outhdr, SMB2_HDR_STATUS));
562
563 SMB_ASSERT(sconn->smb2.max_credits >= sconn->smb2.credits_granted);
564 SMB_ASSERT(sconn->smb2.max_credits >= credit_charge);
565
566 if (out_flags & SMB2_HDR_FLAG_ASYNC) {
567 /*
568 * In case we already send an async interim
569 * response, we should not grant
570 * credits on the final response.
571 */
572 credits_granted = 0;
573 } else if (credits_requested > 0) {
574 uint16_t additional_max = 0;
575 uint16_t additional_credits = credits_requested - 1;
576
577 switch (cmd) {
578 case SMB2_OP_NEGPROT:
579 break;
580 case SMB2_OP_SESSSETUP:
581 /*
582 * Windows 2012 RC1 starts to grant
583 * additional credits
584 * with a successful session setup
585 */
586 if (NT_STATUS_IS_OK(out_status)) {
587 additional_max = 32;
588 }
589 break;
590 default:
591 /*
592 * We match windows and only grant additional credits
593 * in chunks of 32.
594 */
595 additional_max = 32;
596 break;
597 }
598
599 additional_credits = MIN(additional_credits, additional_max);
600
601 credits_granted = credit_charge + additional_credits;
602 } else if (sconn->smb2.credits_granted == 0) {
603 /*
604 * Make sure the client has always at least one credit
605 */
606 credits_granted = 1;
607 }
608
609 /*
610 * sequence numbers should not wrap
611 *
612 * 1. calculate the possible credits until
613 * the sequence numbers start to wrap on 64-bit.
614 *
615 * 2. UINT64_MAX is used for Break Notifications.
616 *
617 * 2. truncate the possible credits to the maximum
618 * credits we want to grant to the client in total.
619 *
620 * 3. remove the range we'll already granted to the client
621 * this makes sure the client consumes the lowest sequence
622 * number, before we can grant additional credits.
623 */
624 credits_possible = UINT64_MAX - sconn->smb2.seqnum_low;
625 if (credits_possible > 0) {
626 /* remove UINT64_MAX */
627 credits_possible -= 1;
628 }
629 credits_possible = MIN(credits_possible, current_max_credits);
630 credits_possible -= sconn->smb2.seqnum_range;
631
632 credits_granted = MIN(credits_granted, credits_possible);
633
634 SSVAL(outhdr, SMB2_HDR_CREDIT, credits_granted);
635 sconn->smb2.credits_granted += credits_granted;
636 sconn->smb2.seqnum_range += credits_granted;
637
638 DEBUG(10,("smb2_set_operation_credit: requested %u, charge %u, "
639 "granted %u, current possible/max %u/%u, "
640 "total granted/max/low/range %u/%u/%llu/%u\n",
641 (unsigned int)credits_requested,
642 (unsigned int)credit_charge,
643 (unsigned int)credits_granted,
644 (unsigned int)credits_possible,
645 (unsigned int)current_max_credits,
646 (unsigned int)sconn->smb2.credits_granted,
647 (unsigned int)sconn->smb2.max_credits,
648 (unsigned long long)sconn->smb2.seqnum_low,
649 (unsigned int)sconn->smb2.seqnum_range));
650 }
651
652 static void smb2_calculate_credits(const struct smbd_smb2_request *inreq,
653 struct smbd_smb2_request *outreq)
654 {
655 int count, idx;
656 uint16_t total_credits = 0;
657
658 count = outreq->out.vector_count;
659
660 for (idx=1; idx < count; idx += 3) {
661 uint8_t *outhdr = (uint8_t *)outreq->out.vector[idx].iov_base;
662 smb2_set_operation_credit(outreq->sconn,
663 &inreq->in.vector[idx],
664 &outreq->out.vector[idx]);
665 /* To match Windows, count up what we
666 just granted. */
667 total_credits += SVAL(outhdr, SMB2_HDR_CREDIT);
668 /* Set to zero in all but the last reply. */
669 if (idx + 3 < count) {
670 SSVAL(outhdr, SMB2_HDR_CREDIT, 0);
671 } else {
672 SSVAL(outhdr, SMB2_HDR_CREDIT, total_credits);
673 }
674 }
675 }
676
677 static NTSTATUS smbd_smb2_request_setup_out(struct smbd_smb2_request *req)
678 {
679 struct iovec *vector;
680 int count;
681 int idx;
682
683 req->request_time = timeval_current();
684
685 count = req->in.vector_count;
686 vector = talloc_zero_array(req, struct iovec, count);
687 if (vector == NULL) {
688 return NT_STATUS_NO_MEMORY;
689 }
690
691 vector[0].iov_base = req->out.nbt_hdr;
692 vector[0].iov_len = 4;
693 SIVAL(req->out.nbt_hdr, 0, 0);
694
695 for (idx=1; idx < count; idx += 3) {
696 const uint8_t *inhdr = NULL;
697 uint8_t *outhdr = NULL;
698 uint8_t *outbody = NULL;
699 uint32_t next_command_ofs = 0;
700 struct iovec *current = &vector[idx];
701
702 if ((idx + 3) < count) {
703 /* we have a next command -
704 * setup for the error case. */
705 next_command_ofs = SMB2_HDR_BODY + 9;
706 }
707
708 inhdr = (const uint8_t *)req->in.vector[idx].iov_base;
709
710 outhdr = talloc_zero_array(vector, uint8_t,
711 OUTVEC_ALLOC_SIZE);
712 if (outhdr == NULL) {
713 return NT_STATUS_NO_MEMORY;
714 }
715
716 outbody = outhdr + SMB2_HDR_BODY;
717
718 current[0].iov_base = (void *)outhdr;
719 current[0].iov_len = SMB2_HDR_BODY;
720
721 current[1].iov_base = (void *)outbody;
722 current[1].iov_len = 8;
723
724 current[2].iov_base = NULL;
725 current[2].iov_len = 0;
726
727 /* setup the SMB2 header */
728 SIVAL(outhdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
729 SSVAL(outhdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
730 SSVAL(outhdr, SMB2_HDR_CREDIT_CHARGE,
731 SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE));
732 SIVAL(outhdr, SMB2_HDR_STATUS,
733 NT_STATUS_V(NT_STATUS_INTERNAL_ERROR));
734 SSVAL(outhdr, SMB2_HDR_OPCODE,
735 SVAL(inhdr, SMB2_HDR_OPCODE));
736 SIVAL(outhdr, SMB2_HDR_FLAGS,
737 IVAL(inhdr, SMB2_HDR_FLAGS) | SMB2_HDR_FLAG_REDIRECT);
738 SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, next_command_ofs);
739 SBVAL(outhdr, SMB2_HDR_MESSAGE_ID,
740 BVAL(inhdr, SMB2_HDR_MESSAGE_ID));
741 SIVAL(outhdr, SMB2_HDR_PID,
742 IVAL(inhdr, SMB2_HDR_PID));
743 SIVAL(outhdr, SMB2_HDR_TID,
744 IVAL(inhdr, SMB2_HDR_TID));
745 SBVAL(outhdr, SMB2_HDR_SESSION_ID,
746 BVAL(inhdr, SMB2_HDR_SESSION_ID));
747 memcpy(outhdr + SMB2_HDR_SIGNATURE,
748 inhdr + SMB2_HDR_SIGNATURE, 16);
749
750 /* setup error body header */
751 SSVAL(outbody, 0x00, 0x08 + 1);
752 SSVAL(outbody, 0x02, 0);
753 SIVAL(outbody, 0x04, 0);
754 }
755
756 req->out.vector = vector;
757 req->out.vector_count = count;
758
759 /* setup the length of the NBT packet */
760 smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
761
762 DLIST_ADD_END(req->sconn->smb2.requests, req, struct smbd_smb2_request *);
763
764 return NT_STATUS_OK;
765 }
766
767 void smbd_server_connection_terminate_ex(struct smbd_server_connection *sconn,
768 const char *reason,
769 const char *location)
770 {
771 DEBUG(10,("smbd_server_connection_terminate_ex: reason[%s] at %s\n",
772 reason, location));
773 exit_server_cleanly(reason);
774 }
775
776 static bool dup_smb2_vec3(TALLOC_CTX *ctx,
777 struct iovec *outvec,
778 const struct iovec *srcvec)
779 {
780 /* vec[0] is always boilerplate and must
781 * be allocated with size OUTVEC_ALLOC_SIZE. */
782
783 outvec[0].iov_base = talloc_memdup(ctx,
784 srcvec[0].iov_base,
785 OUTVEC_ALLOC_SIZE);
786 if (!outvec[0].iov_base) {
787 return false;
788 }
789 outvec[0].iov_len = SMB2_HDR_BODY;
790
791 /*
792 * If this is a "standard" vec[1] of length 8,
793 * pointing to srcvec[0].iov_base + SMB2_HDR_BODY,
794 * then duplicate this. Else use talloc_memdup().
795 */
796
797 if (srcvec[1].iov_len == 8 &&
798 srcvec[1].iov_base ==
799 ((uint8_t *)srcvec[0].iov_base) +
800 SMB2_HDR_BODY) {
801 outvec[1].iov_base = ((uint8_t *)outvec[0].iov_base) +
802 SMB2_HDR_BODY;
803 outvec[1].iov_len = 8;
804 } else {
805 outvec[1].iov_base = talloc_memdup(ctx,
806 srcvec[1].iov_base,
807 srcvec[1].iov_len);
808 if (!outvec[1].iov_base) {
809 return false;
810 }
811 outvec[1].iov_len = srcvec[1].iov_len;
812 }
813
814 /*
815 * If this is a "standard" vec[2] of length 1,
816 * pointing to srcvec[0].iov_base + (OUTVEC_ALLOC_SIZE - 1)
817 * then duplicate this. Else use talloc_memdup().
818 */
819
820 if (srcvec[2].iov_base &&
821 srcvec[2].iov_len) {
822 if (srcvec[2].iov_base ==
823 ((uint8_t *)srcvec[0].iov_base) +
824 (OUTVEC_ALLOC_SIZE - 1) &&
825 srcvec[2].iov_len == 1) {
826 /* Common SMB2 error packet case. */
827 outvec[2].iov_base = ((uint8_t *)outvec[0].iov_base) +
828 (OUTVEC_ALLOC_SIZE - 1);
829 } else {
830 outvec[2].iov_base = talloc_memdup(ctx,
831 srcvec[2].iov_base,
832 srcvec[2].iov_len);
833 if (!outvec[2].iov_base) {
834 return false;
835 }
836 }
837 outvec[2].iov_len = srcvec[2].iov_len;
838 } else {
839 outvec[2].iov_base = NULL;
840 outvec[2].iov_len = 0;
841 }
842 return true;
843 }
844
845 static struct smbd_smb2_request *dup_smb2_req(const struct smbd_smb2_request *req)
846 {
847 struct smbd_smb2_request *newreq = NULL;
848 struct iovec *outvec = NULL;
849 int count = req->out.vector_count;
850 int i;
851
852 newreq = smbd_smb2_request_allocate(req->sconn);
853 if (!newreq) {
854 return NULL;
855 }
856
857 newreq->sconn = req->sconn;
858 newreq->session = req->session;
859 newreq->do_signing = req->do_signing;
860 newreq->current_idx = req->current_idx;
861
862 outvec = talloc_zero_array(newreq, struct iovec, count);
863 if (!outvec) {
864 TALLOC_FREE(newreq);
865 return NULL;
866 }
867 newreq->out.vector = outvec;
868 newreq->out.vector_count = count;
869
870 /* Setup the outvec's identically to req. */
871 outvec[0].iov_base = newreq->out.nbt_hdr;
872 outvec[0].iov_len = 4;
873 memcpy(newreq->out.nbt_hdr, req->out.nbt_hdr, 4);
874
875 /* Setup the vectors identically to the ones in req. */
876 for (i = 1; i < count; i += 3) {
877 if (!dup_smb2_vec3(outvec, &outvec[i], &req->out.vector[i])) {
878 break;
879 }
880 }
881
882 if (i < count) {
883 /* Alloc failed. */
884 TALLOC_FREE(newreq);
885 return NULL;
886 }
887
888 smb2_setup_nbt_length(newreq->out.vector,
889 newreq->out.vector_count);
890
891 return newreq;
892 }
893
894 static void smbd_smb2_request_writev_done(struct tevent_req *subreq);
895
896 static NTSTATUS smb2_send_async_interim_response(const struct smbd_smb2_request *req)
897 {
898 int i = 0;
899 uint8_t *outhdr = NULL;
900 struct smbd_smb2_request *nreq = NULL;
901
902 /* Create a new smb2 request we'll use
903 for the interim return. */
904 nreq = dup_smb2_req(req);
905 if (!nreq) {
906 return NT_STATUS_NO_MEMORY;
907 }
908
909 /* Lose the last 3 out vectors. They're the
910 ones we'll be using for the async reply. */
911 nreq->out.vector_count -= 3;
912
913 smb2_setup_nbt_length(nreq->out.vector,
914 nreq->out.vector_count);
915
916 /* Step back to the previous reply. */
917 i = nreq->current_idx - 3;
918 outhdr = (uint8_t *)nreq->out.vector[i].iov_base;
919 /* And end the chain. */
920 SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, 0);
921
922 /* Calculate outgoing credits */
923 smb2_calculate_credits(req, nreq);
924
925 /* Re-sign if needed. */
926 if (nreq->do_signing) {
927 NTSTATUS status;
928 struct smbXsrv_session *x = nreq->session;
929 struct smbXsrv_connection *conn = x->connection;
930 DATA_BLOB signing_key = x->global->channels[0].signing_key;
931
932 status = smb2_signing_sign_pdu(signing_key,
933 conn->protocol,
934 &nreq->out.vector[i], 3);
935 if (!NT_STATUS_IS_OK(status)) {
936 return status;
937 }
938 }
939 if (DEBUGLEVEL >= 10) {
940 dbgtext("smb2_send_async_interim_response: nreq->current_idx = %u\n",
941 (unsigned int)nreq->current_idx );
942 dbgtext("smb2_send_async_interim_response: returning %u vectors\n",
943 (unsigned int)nreq->out.vector_count );
944 print_req_vectors(nreq);
945 }
946 nreq->subreq = tstream_writev_queue_send(nreq,
947 nreq->sconn->ev_ctx,
948 nreq->sconn->smb2.stream,
949 nreq->sconn->smb2.send_queue,
950 nreq->out.vector,
951 nreq->out.vector_count);
952
953 if (nreq->subreq == NULL) {
954 return NT_STATUS_NO_MEMORY;
955 }
956
957 tevent_req_set_callback(nreq->subreq,
958 smbd_smb2_request_writev_done,
959 nreq);
960
961 return NT_STATUS_OK;
962 }
963
964 struct smbd_smb2_request_pending_state {
965 struct smbd_server_connection *sconn;
966 uint8_t buf[4 + SMB2_HDR_BODY + 0x08 + 1];
967 struct iovec vector[3];
968 };
969
970 static void smbd_smb2_request_pending_writev_done(struct tevent_req *subreq)
971 {
972 struct smbd_smb2_request_pending_state *state =
973 tevent_req_callback_data(subreq,
974 struct smbd_smb2_request_pending_state);
975 struct smbd_server_connection *sconn = state->sconn;
976 int ret;
977 int sys_errno;
978
979 ret = tstream_writev_queue_recv(subreq, &sys_errno);
980 TALLOC_FREE(subreq);
981 if (ret == -1) {
982 NTSTATUS status = map_nt_error_from_unix(sys_errno);
983 smbd_server_connection_terminate(sconn, nt_errstr(status));
984 return;
985 }
986
987 TALLOC_FREE(state);
988 }
989
990 static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
991 struct tevent_timer *te,
992 struct timeval current_time,
993 void *private_data);
994
995 NTSTATUS smbd_smb2_request_pending_queue(struct smbd_smb2_request *req,
996 struct tevent_req *subreq,
997 uint32_t defer_time)
998 {
999 NTSTATUS status;
1000 int i = req->current_idx;
1001 struct timeval defer_endtime;
1002 uint8_t *outhdr = NULL;
1003 uint32_t flags;
1004
1005 if (!tevent_req_is_in_progress(subreq)) {
1006 return NT_STATUS_OK;
1007 }
1008
1009 req->subreq = subreq;
1010 subreq = NULL;
1011
1012 if (req->async_te) {
1013 /* We're already async. */
1014 return NT_STATUS_OK;
1015 }
1016
1017 outhdr = (uint8_t *)req->out.vector[i].iov_base;
1018 flags = IVAL(outhdr, SMB2_HDR_FLAGS);
1019 if (flags & SMB2_HDR_FLAG_ASYNC) {
1020 /* We're already async. */
1021 return NT_STATUS_OK;
1022 }
1023
1024 if (req->in.vector_count > i + 3) {
1025 /*
1026 * We're trying to go async in a compound
1027 * request chain. This is not allowed.
1028 * Cancel the outstanding request.
1029 */
1030 tevent_req_cancel(req->subreq);
1031 return smbd_smb2_request_error(req,
1032 NT_STATUS_INSUFFICIENT_RESOURCES);
1033 }
1034
1035 if (DEBUGLEVEL >= 10) {
1036 dbgtext("smbd_smb2_request_pending_queue: req->current_idx = %u\n",
1037 (unsigned int)req->current_idx );
1038 print_req_vectors(req);
1039 }
1040
1041 if (req->out.vector_count > 4) {
1042 struct iovec *outvec = NULL;
1043
1044 /* This is a compound reply. We
1045 * must do an interim response
1046 * followed by the async response
1047 * to match W2K8R2.
1048 */
1049 status = smb2_send_async_interim_response(req);
1050 if (!NT_STATUS_IS_OK(status)) {
1051 return status;
1052 }
1053
1054 /*
1055 * We're splitting off the last SMB2
1056 * request in a compound set, and the
1057 * smb2_send_async_interim_response()
1058 * call above just sent all the replies
1059 * for the previous SMB2 requests in
1060 * this compound set. So we're no longer
1061 * in the "compound_related_in_progress"
1062 * state, and this is no longer a compound
1063 * request.
1064 */
1065 req->compound_related = false;
1066 req->sconn->smb2.compound_related_in_progress = false;
1067
1068 /* Re-arrange the in.vectors. */
1069 req->in.vector[1] = req->in.vector[i];
1070 req->in.vector[2] = req->in.vector[i+1];
1071 req->in.vector[3] = req->in.vector[i+2];
1072 req->in.vector_count = 4;
1073
1074 /* Reset the new in size. */
1075 smb2_setup_nbt_length(req->in.vector, 4);
1076
1077 /* Now recreate the out.vectors. */
1078 outvec = talloc_zero_array(req, struct iovec, 4);
1079 if (!outvec) {
1080 return NT_STATUS_NO_MEMORY;
1081 }
1082
1083 /* 0 is always boilerplate and must
1084 * be of size 4 for the length field. */
1085
1086 outvec[0].iov_base = req->out.nbt_hdr;
1087 outvec[0].iov_len = 4;
1088 SIVAL(req->out.nbt_hdr, 0, 0);
1089
1090 if (!dup_smb2_vec3(outvec, &outvec[1], &req->out.vector[i])) {
1091 return NT_STATUS_NO_MEMORY;
1092 }
1093
1094 TALLOC_FREE(req->out.vector);
1095
1096 req->out.vector = outvec;
1097
1098 req->current_idx = 1;
1099 req->out.vector_count = 4;
1100
1101 outhdr = (uint8_t *)req->out.vector[1].iov_base;
1102 flags = (IVAL(outhdr, SMB2_HDR_FLAGS) & ~SMB2_HDR_FLAG_CHAINED);
1103 SIVAL(outhdr, SMB2_HDR_FLAGS, flags);
1104 }
1105
1106 defer_endtime = timeval_current_ofs_usec(defer_time);
1107 req->async_te = tevent_add_timer(req->sconn->ev_ctx,
1108 req, defer_endtime,
1109 smbd_smb2_request_pending_timer,
1110 req);
1111 if (req->async_te == NULL) {
1112 return NT_STATUS_NO_MEMORY;
1113 }
1114
1115 return NT_STATUS_OK;
1116 }
1117
1118 static void smbd_smb2_request_pending_timer(struct tevent_context *ev,
1119 struct tevent_timer *te,
1120 struct timeval current_time,
1121 void *private_data)
1122 {
1123 struct smbd_smb2_request *req =
1124 talloc_get_type_abort(private_data,
1125 struct smbd_smb2_request);
1126 struct smbd_smb2_request_pending_state *state = NULL;
1127 int i = req->current_idx;
1128 uint8_t *outhdr = NULL;
1129 const uint8_t *inhdr = NULL;
1130 uint8_t *hdr = NULL;
1131 uint8_t *body = NULL;
1132 uint32_t flags = 0;
1133 uint64_t message_id = 0;
1134 uint64_t async_id = 0;
1135 struct tevent_req *subreq = NULL;
1136
1137 TALLOC_FREE(req->async_te);
1138
1139 /* Ensure our final reply matches the interim one. */
1140 inhdr = (const uint8_t *)req->in.vector[1].iov_base;
1141 outhdr = (uint8_t *)req->out.vector[1].iov_base;
1142 flags = IVAL(outhdr, SMB2_HDR_FLAGS);
1143 message_id = BVAL(outhdr, SMB2_HDR_MESSAGE_ID);
1144
1145 async_id = message_id; /* keep it simple for now... */
1146
1147 SIVAL(outhdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC);
1148 SBVAL(outhdr, SMB2_HDR_ASYNC_ID, async_id);
1149
1150 DEBUG(10,("smbd_smb2_request_pending_queue: opcode[%s] mid %llu "
1151 "going async\n",
1152 smb2_opcode_name((uint16_t)IVAL(inhdr, SMB2_HDR_OPCODE)),
1153 (unsigned long long)async_id ));
1154
1155 /*
1156 * What we send is identical to a smbd_smb2_request_error
1157 * packet with an error status of STATUS_PENDING. Make use
1158 * of this fact sometime when refactoring. JRA.
1159 */
1160
1161 state = talloc_zero(req->sconn, struct smbd_smb2_request_pending_state);
1162 if (state == NULL) {
1163 smbd_server_connection_terminate(req->sconn,
1164 nt_errstr(NT_STATUS_NO_MEMORY));
1165 return;
1166 }
1167 state->sconn = req->sconn;
1168
1169 state->vector[0].iov_base = (void *)state->buf;
1170 state->vector[0].iov_len = 4;
1171
1172 state->vector[1].iov_base = state->buf + 4;
1173 state->vector[1].iov_len = SMB2_HDR_BODY;
1174
1175 state->vector[2].iov_base = state->buf + 4 + SMB2_HDR_BODY;
1176 state->vector[2].iov_len = 9;
1177
1178 smb2_setup_nbt_length(state->vector, 3);
1179
1180 hdr = (uint8_t *)state->vector[1].iov_base;
1181 body = (uint8_t *)state->vector[2].iov_base;
1182
1183 SIVAL(hdr, SMB2_HDR_PROTOCOL_ID, SMB2_MAGIC);
1184 SSVAL(hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
1185 SSVAL(hdr, SMB2_HDR_EPOCH, 0);
1186 SIVAL(hdr, SMB2_HDR_STATUS, NT_STATUS_V(STATUS_PENDING));
1187 SSVAL(hdr, SMB2_HDR_OPCODE, SVAL(outhdr, SMB2_HDR_OPCODE));
1188
1189 SIVAL(hdr, SMB2_HDR_FLAGS, flags);
1190 SIVAL(hdr, SMB2_HDR_NEXT_COMMAND, 0);
1191 SBVAL(hdr, SMB2_HDR_MESSAGE_ID, message_id);
1192 SBVAL(hdr, SMB2_HDR_PID, async_id);
1193 SBVAL(hdr, SMB2_HDR_SESSION_ID,
1194 BVAL(outhdr, SMB2_HDR_SESSION_ID));
1195 memcpy(hdr+SMB2_HDR_SIGNATURE,
1196 outhdr+SMB2_HDR_SIGNATURE, 16);
1197
1198 SSVAL(body, 0x00, 0x08 + 1);
1199
1200 SCVAL(body, 0x02, 0);
1201 SCVAL(body, 0x03, 0);
1202 SIVAL(body, 0x04, 0);
1203 /* Match W2K8R2... */
1204 SCVAL(body, 0x08, 0x21);
1205
1206 /* Ensure we correctly go through crediting. Grant
1207 the credits now, and zero credits on the final
1208 response. */
1209 smb2_set_operation_credit(req->sconn,
1210 &req->in.vector[i],
1211 &state->vector[1]);
1212
1213 SIVAL(hdr, SMB2_HDR_FLAGS, flags | SMB2_HDR_FLAG_ASYNC);
1214
1215 if (req->do_signing) {
1216 NTSTATUS status;
1217 struct smbXsrv_session *x = req->session;
1218 struct smbXsrv_connection *conn = x->connection;
1219 DATA_BLOB signing_key = x->global->channels[0].signing_key;
1220
1221 status = smb2_signing_sign_pdu(signing_key,
1222 conn->protocol,
1223 &state->vector[1], 2);
1224 if (!NT_STATUS_IS_OK(status)) {
1225 smbd_server_connection_terminate(req->sconn,
1226 nt_errstr(status));
1227 return;
1228 }
1229 }
1230
1231 subreq = tstream_writev_queue_send(state,
1232 state->sconn->ev_ctx,
1233 state->sconn->smb2.stream,
1234 state->sconn->smb2.send_queue,
1235 state->vector,
1236 3);
1237 if (subreq == NULL) {
1238 smbd_server_connection_terminate(state->sconn,
1239 nt_errstr(NT_STATUS_NO_MEMORY));
1240 return;
1241 }
1242 tevent_req_set_callback(subreq,
1243 smbd_smb2_request_pending_writev_done,
1244 state);
1245 }
1246
1247 static NTSTATUS smbd_smb2_request_process_cancel(struct smbd_smb2_request *req)
1248 {
1249 struct smbd_server_connection *sconn = req->sconn;
1250 struct smbd_smb2_request *cur;
1251 const uint8_t *inhdr;
1252 int i = req->current_idx;
1253 uint32_t flags;
1254 uint64_t search_message_id;
1255 uint64_t search_async_id;
1256 uint64_t found_id;
1257
1258 inhdr = (const uint8_t *)req->in.vector[i].iov_base;
1259
1260 flags = IVAL(inhdr, SMB2_HDR_FLAGS);
1261 search_message_id = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
1262 search_async_id = BVAL(inhdr, SMB2_HDR_PID);
1263
1264 /*
1265 * we don't need the request anymore
1266 * cancel requests never have a response
1267 */
1268 DLIST_REMOVE(req->sconn->smb2.requests, req);
1269 TALLOC_FREE(req);
1270
1271 for (cur = sconn->smb2.requests; cur; cur = cur->next) {
1272 const uint8_t *outhdr;
1273 uint64_t message_id;
1274 uint64_t async_id;
1275
1276 i = cur->current_idx;
1277
1278 outhdr = (const uint8_t *)cur->out.vector[i].iov_base;
1279
1280 message_id = BVAL(outhdr, SMB2_HDR_MESSAGE_ID);
1281 async_id = BVAL(outhdr, SMB2_HDR_PID);
1282
1283 if (flags & SMB2_HDR_FLAG_ASYNC) {
1284 if (search_async_id == async_id) {
1285 found_id = async_id;
1286 break;
1287 }
1288 } else {
1289 if (search_message_id == message_id) {
1290 found_id = message_id;
1291 break;
1292 }
1293 }
1294 }
1295
1296 if (cur && cur->subreq) {
1297 inhdr = (const uint8_t *)cur->in.vector[i].iov_base;
1298 DEBUG(10,("smbd_smb2_request_process_cancel: attempting to "
1299 "cancel opcode[%s] mid %llu\n",
1300 smb2_opcode_name((uint16_t)IVAL(inhdr, SMB2_HDR_OPCODE)),
1301 (unsigned long long)found_id ));
1302 tevent_req_cancel(cur->subreq);
1303 }
1304
1305 return NT_STATUS_OK;
1306 }
1307
1308 /*************************************************************
1309 Ensure an incoming tid is a valid one for us to access.
1310 Change to the associated uid credentials and chdir to the
1311 valid tid directory.
1312 *************************************************************/
1313
1314 static NTSTATUS smbd_smb2_request_check_tcon(struct smbd_smb2_request *req)
1315 {
1316 const uint8_t *inhdr;
1317 int i = req->current_idx;
1318 uint32_t in_flags;
1319 uint32_t in_tid;
1320 struct smbXsrv_tcon0 *tcon;
1321 NTSTATUS status;
1322 NTTIME now = timeval_to_nttime(&req->request_time);
1323
1324 req->tcon = NULL;
1325
1326 inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
1327
1328 in_flags = IVAL(inhdr, SMB2_HDR_FLAGS);
1329 in_tid = IVAL(inhdr, SMB2_HDR_TID);
1330
1331 if (in_flags & SMB2_HDR_FLAG_CHAINED) {
1332 in_tid = req->last_tid;
1333 }
1334
1335 status = smb2srv_tcon_lookup(req->session,
1336 in_tid, now, &tcon);
1337 if (!NT_STATUS_IS_OK(status)) {
1338 return status;
1339 }
1340
1341 if (!change_to_user(tcon->compat, req->session->compat->vuid)) {
1342 return NT_STATUS_ACCESS_DENIED;
1343 }
1344
1345 /* should we pass FLAG_CASELESS_PATHNAMES here? */
1346 if (!set_current_service(tcon->compat, 0, true)) {
1347 return NT_STATUS_ACCESS_DENIED;
1348 }
1349
1350 req->tcon = tcon;
1351 req->last_tid = in_tid;
1352
1353 return NT_STATUS_OK;
1354 }
1355
1356 /*************************************************************
1357 Ensure an incoming session_id is a valid one for us to access.
1358 *************************************************************/
1359
1360 static NTSTATUS smbd_smb2_request_check_session(struct smbd_smb2_request *req)
1361 {
1362 const uint8_t *inhdr;
1363 int i = req->current_idx;
1364 uint32_t in_flags;
1365 uint16_t in_opcode;
1366 uint64_t in_session_id;
1367 struct smbXsrv_session *session = NULL;
1368 struct auth_session_info *session_info;
1369 NTSTATUS status;
1370 NTTIME now = timeval_to_nttime(&req->request_time);
1371
1372 req->session = NULL;
1373 req->tcon = NULL;
1374
1375 inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
1376
1377 in_flags = IVAL(inhdr, SMB2_HDR_FLAGS);
1378 in_opcode = IVAL(inhdr, SMB2_HDR_OPCODE);
1379 in_session_id = BVAL(inhdr, SMB2_HDR_SESSION_ID);
1380
1381 if (in_flags & SMB2_HDR_FLAG_CHAINED) {
1382 in_session_id = req->last_session_id;
1383 }
1384
1385 /* lookup an existing session */
1386 status = smb2srv_session_lookup(req->sconn->conn,
1387 in_session_id, now,
1388 &session);
1389 if (session) {
1390 req->session = session;
1391 req->last_session_id = in_session_id;
1392 }
1393 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1394 switch (in_opcode) {
1395 case SMB2_OP_SESSSETUP:
1396 status = NT_STATUS_OK;
1397 break;
1398 default:
1399 break;
1400 }
1401 }
1402 if (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
1403 switch (in_opcode) {
1404 case SMB2_OP_TCON:
1405 case SMB2_OP_CREATE:
1406 case SMB2_OP_GETINFO:
1407 case SMB2_OP_SETINFO:
1408 return NT_STATUS_INVALID_HANDLE;
1409 default:
1410 /*
1411 * Notice the check for
1412 * (session_info == NULL)
1413 * below.
1414 */
1415 status = NT_STATUS_OK;
1416 break;
1417 }
1418 }
1419 if (!NT_STATUS_IS_OK(status)) {
1420 return status;
1421 }
1422
1423 session_info = session->global->auth_session_info;
1424 if (session_info == NULL) {
1425 return NT_STATUS_INVALID_HANDLE;
1426 }
1427
1428 set_current_user_info(session_info->unix_info->sanitized_username,
1429 session_info->unix_info->unix_name,
1430 session_info->info->domain_name);
1431
1432 return NT_STATUS_OK;
1433 }
1434
1435 NTSTATUS smbd_smb2_request_verify_creditcharge(struct smbd_smb2_request *req,
1436 uint32_t data_length)
1437 {
1438 uint16_t needed_charge;
1439 uint16_t credit_charge;
1440 const uint8_t *inhdr;
1441 int i = req->current_idx;
1442
1443 if (!req->sconn->smb2.supports_multicredit) {
1444 if (data_length > 65536) {
1445 return NT_STATUS_INVALID_PARAMETER;
1446 }
1447 return NT_STATUS_OK;
1448 }
1449
1450 inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
1451 credit_charge = SVAL(inhdr, SMB2_HDR_CREDIT_CHARGE);
1452 credit_charge = MAX(credit_charge, 1);
1453
1454 needed_charge = (data_length - 1)/ 65536 + 1;
1455
1456 DEBUG(10, ("mid %llu, CreditCharge: %d, NeededCharge: %d\n",
1457 (unsigned long long) BVAL(inhdr, SMB2_HDR_MESSAGE_ID),
1458 credit_charge, needed_charge));
1459
1460 if (needed_charge > credit_charge) {
1461 DEBUG(2, ("CreditCharge too low, given %d, needed %d\n",
1462 credit_charge, needed_charge));
1463 return NT_STATUS_INVALID_PARAMETER;
1464 }
1465
1466 return NT_STATUS_OK;
1467 }
1468
1469 NTSTATUS smbd_smb2_request_verify_sizes(struct smbd_smb2_request *req,
1470 size_t expected_body_size)
1471 {
1472 const uint8_t *inhdr;
1473 uint16_t opcode;
1474 const uint8_t *inbody;
1475 int i = req->current_idx;
1476 size_t body_size;
1477 size_t min_dyn_size = expected_body_size & 0x00000001;
1478
1479 /*
1480 * The following should be checked already.
1481 */
1482 if ((i+2) > req->in.vector_count) {
1483 return NT_STATUS_INTERNAL_ERROR;
1484 }
1485 if (req->in.vector[i+0].iov_len != SMB2_HDR_BODY) {
1486 return NT_STATUS_INTERNAL_ERROR;
1487 }
1488 if (req->in.vector[i+1].iov_len < 2) {
1489 return NT_STATUS_INTERNAL_ERROR;
1490 }
1491
1492 inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
1493 opcode = SVAL(inhdr, SMB2_HDR_OPCODE);
1494
1495 switch (opcode) {
1496 case SMB2_OP_IOCTL:
1497 case SMB2_OP_GETINFO:
1498 min_dyn_size = 0;
1499 break;
1500 }
1501
1502 /*
1503 * Now check the expected body size,
1504 * where the last byte might be in the
1505 * dynamic section..
1506 */
1507 if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
1508 return NT_STATUS_INVALID_PARAMETER;
1509 }
1510 if (req->in.vector[i+2].iov_len < min_dyn_size) {
1511 return NT_STATUS_INVALID_PARAMETER;
1512 }
1513
1514 inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
1515
1516 body_size = SVAL(inbody, 0x00);
1517 if (body_size != expected_body_size) {
1518 return NT_STATUS_INVALID_PARAMETER;
1519 }
1520
1521 return NT_STATUS_OK;
1522 }
1523
1524 NTSTATUS smbd_smb2_request_dispatch(struct smbd_smb2_request *req)
1525 {
1526 const uint8_t *inhdr;
1527 int i = req->current_idx;
1528 uint16_t opcode;
1529 uint32_t flags;
1530 uint64_t mid;
1531 NTSTATUS status;
1532 NTSTATUS session_status;
1533 uint32_t allowed_flags;
1534 NTSTATUS return_value;
1535 struct smbXsrv_session *x = NULL;
1536 bool signing_required = false;
1537
1538 inhdr = (const uint8_t *)req->in.vector[i].iov_base;
1539
1540 /* TODO: verify more things */
1541
1542 flags = IVAL(inhdr, SMB2_HDR_FLAGS);
1543 opcode = IVAL(inhdr, SMB2_HDR_OPCODE);
1544 mid = BVAL(inhdr, SMB2_HDR_MESSAGE_ID);
1545 DEBUG(10,("smbd_smb2_request_dispatch: opcode[%s] mid = %llu\n",
1546 smb2_opcode_name(opcode),
1547 (unsigned long long)mid));
1548
1549 if (get_Protocol() >= PROTOCOL_SMB2_02) {
1550 /*
1551 * once the protocol is negotiated
1552 * SMB2_OP_NEGPROT is not allowed anymore
1553 */
1554 if (opcode == SMB2_OP_NEGPROT) {
1555 /* drop the connection */
1556 return NT_STATUS_INVALID_PARAMETER;
1557 }
1558 } else {
1559 /*
1560 * if the protocol is not negotiated yet
1561 * only SMB2_OP_NEGPROT is allowed.
1562 */
1563 if (opcode != SMB2_OP_NEGPROT) {
1564 /* drop the connection */
1565 return NT_STATUS_INVALID_PARAMETER;
1566 }
1567 }
1568
1569 allowed_flags = SMB2_HDR_FLAG_CHAINED |
1570 SMB2_HDR_FLAG_SIGNED |
1571 SMB2_HDR_FLAG_DFS;
1572 if (opcode == SMB2_OP_CANCEL) {
1573 allowed_flags |= SMB2_HDR_FLAG_ASYNC;
1574 }
1575 if ((flags & ~allowed_flags) != 0) {
1576 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
1577 }
1578
1579 /*
1580 * Check if the client provided a valid session id,
1581 * if so smbd_smb2_request_check_session() calls
1582 * set_current_user_info().
1583 *
1584 * As some command don't require a valid session id
1585 * we defer the check of the session_status
1586 */
1587 session_status = smbd_smb2_request_check_session(req);
1588 x = req->session;
1589
1590 if (x != NULL) {
1591 signing_required = x->global->signing_required;
1592
1593 if (opcode == SMB2_OP_SESSSETUP &&
1594 x->global->channels[0].signing_key.length) {
1595 signing_required = true;
1596 }
1597 }
1598
1599 req->do_signing = false;
1600 if (flags & SMB2_HDR_FLAG_SIGNED) {
1601 struct smbXsrv_connection *conn = x->connection;
1602 DATA_BLOB signing_key = x->global->channels[0].signing_key;
1603
1604 if (!NT_STATUS_IS_OK(session_status)) {
1605 return smbd_smb2_request_error(req, session_status);
1606 }
1607
1608 req->do_signing = true;
1609 status = smb2_signing_check_pdu(signing_key,
1610 conn->protocol,
1611 &req->in.vector[i], 3);
1612 if (!NT_STATUS_IS_OK(status)) {
1613 return smbd_smb2_request_error(req, status);
1614 }
1615 } else if (opcode == SMB2_OP_CANCEL) {
1616 /* Cancel requests are allowed to skip the signing */
1617 } else if (signing_required) {
1618 return smbd_smb2_request_error(req, NT_STATUS_ACCESS_DENIED);
1619 }
1620
1621 if (flags & SMB2_HDR_FLAG_CHAINED) {
1622 /*
1623 * This check is mostly for giving the correct error code
1624 * for compounded requests.
1625 *
1626 * TODO: we may need to move this after the session
1627 * and tcon checks.
1628 */
1629 if (!NT_STATUS_IS_OK(req->next_status)) {
1630 return smbd_smb2_request_error(req, req->next_status);
1631 }
1632 } else {
1633 req->compat_chain_fsp = NULL;
1634 }
1635
1636 if (req->compound_related) {
1637 req->sconn->smb2.compound_related_in_progress = true;
1638 }
1639
1640 switch (opcode) {
1641 case SMB2_OP_NEGPROT:
1642 /* This call needs to be run as root */
1643 change_to_root_user();
1644
1645 {
1646 START_PROFILE(smb2_negprot);
1647 return_value = smbd_smb2_request_process_negprot(req);
1648 END_PROFILE(smb2_negprot);
1649 }
1650 break;
1651
1652 case SMB2_OP_SESSSETUP:
1653 /* This call needs to be run as root */
1654 change_to_root_user();
1655
1656 {
1657 START_PROFILE(smb2_sesssetup);
1658 return_value = smbd_smb2_request_process_sesssetup(req);
1659 END_PROFILE(smb2_sesssetup);
1660 }
1661 break;
1662
1663 case SMB2_OP_LOGOFF:
1664 if (!NT_STATUS_IS_OK(session_status)) {
1665 return_value = smbd_smb2_request_error(req, session_status);
1666 break;
1667 }
1668
1669 /* This call needs to be run as root */
1670 change_to_root_user();
1671
1672 {
1673 START_PROFILE(smb2_logoff);
1674 return_value = smbd_smb2_request_process_logoff(req);
1675 END_PROFILE(smb2_logoff);
1676 }
1677 break;
1678
1679 case SMB2_OP_TCON:
1680 if (!NT_STATUS_IS_OK(session_status)) {
1681 return_value = smbd_smb2_request_error(req, session_status);
1682 break;
1683 }
1684
1685 /*
1686 * This call needs to be run as root.
1687 *
1688 * smbd_smb2_request_process_tcon()
1689 * calls make_connection_snum(), which will call
1690 * change_to_user(), when needed.
1691 */
1692 change_to_root_user();
1693
1694 {
1695 START_PROFILE(smb2_tcon);
1696 return_value = smbd_smb2_request_process_tcon(req);
1697 END_PROFILE(smb2_tcon);
1698 }
1699 break;
1700
1701 case SMB2_OP_TDIS:
1702 if (!NT_STATUS_IS_OK(session_status)) {
1703 return_value = smbd_smb2_request_error(req, session_status);
1704 break;
1705 }
1706 /*
1707 * This call needs to be run as user.
1708 *
1709 * smbd_smb2_request_check_tcon()
1710 * calls change_to_user() on success.
1711 */
1712 status = smbd_smb2_request_check_tcon(req);
1713 if (!NT_STATUS_IS_OK(status)) {
1714 return_value = smbd_smb2_request_error(req, status);
1715 break;
1716 }
1717 /* This call needs to be run as root */
1718 change_to_root_user();
1719
1720
1721 {
1722 START_PROFILE(smb2_tdis);
1723 return_value = smbd_smb2_request_process_tdis(req);
1724 END_PROFILE(smb2_tdis);
1725 }
1726 break;
1727
1728 case SMB2_OP_CREATE:
1729 if (!NT_STATUS_IS_OK(session_status)) {
1730 return_value = smbd_smb2_request_error(req, session_status);
1731 break;
1732 }
1733 /*
1734 * This call needs to be run as user.
1735 *
1736 * smbd_smb2_request_check_tcon()
1737 * calls change_to_user() on success.
1738 */
1739 status = smbd_smb2_request_check_tcon(req);
1740 if (!NT_STATUS_IS_OK(status)) {
1741 return_value = smbd_smb2_request_error(req, status);
1742 break;
1743 }
1744
1745 {
1746 START_PROFILE(smb2_create);
1747 return_value = smbd_smb2_request_process_create(req);
1748 END_PROFILE(smb2_create);
1749 }
1750 break;
1751
1752 case SMB2_OP_CLOSE:
1753 if (!NT_STATUS_IS_OK(session_status)) {
1754 return_value = smbd_smb2_request_error(req, session_status);
1755 break;
1756 }
1757 /*
1758 * This call needs to be run as user.
1759 *
1760 * smbd_smb2_request_check_tcon()
1761 * calls change_to_user() on success.
1762 */
1763 status = smbd_smb2_request_check_tcon(req);
1764 if (!NT_STATUS_IS_OK(status)) {
1765 return_value = smbd_smb2_request_error(req, status);
1766 break;
1767 }
1768
1769 {
1770 START_PROFILE(smb2_close);
1771 return_value = smbd_smb2_request_process_close(req);
1772 END_PROFILE(smb2_close);
1773 }
1774 break;
1775
1776 case SMB2_OP_FLUSH:
1777 if (!NT_STATUS_IS_OK(session_status)) {
1778 return_value = smbd_smb2_request_error(req, session_status);
1779 break;
1780 }
1781 /*
1782 * This call needs to be run as user.
1783 *
1784 * smbd_smb2_request_check_tcon()
1785 * calls change_to_user() on success.
1786 */
1787 status = smbd_smb2_request_check_tcon(req);
1788 if (!NT_STATUS_IS_OK(status)) {
1789 return_value = smbd_smb2_request_error(req, status);
1790 break;
1791 }
1792
1793 {
1794 START_PROFILE(smb2_flush);
1795 return_value = smbd_smb2_request_process_flush(req);
1796 END_PROFILE(smb2_flush);
1797 }
1798 break;
1799
1800 case SMB2_OP_READ:
1801 if (!NT_STATUS_IS_OK(session_status)) {
1802 return_value = smbd_smb2_request_error(req, session_status);
1803 break;
1804 }
1805 /*
1806 * This call needs to be run as user.
1807 *
1808 * smbd_smb2_request_check_tcon()
1809 * calls change_to_user() on success.
1810 */
1811 status = smbd_smb2_request_check_tcon(req);
1812 if (!NT_STATUS_IS_OK(status)) {
1813 return_value = smbd_smb2_request_error(req, status);
1814 break;
1815 }
1816
1817 {
1818 START_PROFILE(smb2_read);
1819 return_value = smbd_smb2_request_process_read(req);
1820 END_PROFILE(smb2_read);
1821 }
1822 break;
1823
1824 case SMB2_OP_WRITE:
1825 if (!NT_STATUS_IS_OK(session_status)) {
1826 return_value = smbd_smb2_request_error(req, session_status);
1827 break;
1828 }
1829 /*
1830 * This call needs to be run as user.
1831 *
1832 * smbd_smb2_request_check_tcon()
1833 * calls change_to_user() on success.
1834 */
1835 status = smbd_smb2_request_check_tcon(req);
1836 if (!NT_STATUS_IS_OK(status)) {
1837 return_value = smbd_smb2_request_error(req, status);
1838 break;
1839 }
1840
1841 {
1842 START_PROFILE(smb2_write);
1843 return_value = smbd_smb2_request_process_write(req);
1844 END_PROFILE(smb2_write);
1845 }
1846 break;
1847
1848 case SMB2_OP_LOCK:
1849 if (!NT_STATUS_IS_OK(session_status)) {
1850 /* Too ugly to live ? JRA. */
1851 if (NT_STATUS_EQUAL(session_status,NT_STATUS_USER_SESSION_DELETED)) {
1852 session_status = NT_STATUS_FILE_CLOSED;
1853 }
1854 return_value = smbd_smb2_request_error(req, session_status);
1855 break;
1856 }
1857 /*
1858 * This call needs to be run as user.
1859 *
1860 * smbd_smb2_request_check_tcon()
1861 * calls change_to_user() on success.
1862 */
1863 status = smbd_smb2_request_check_tcon(req);
1864 if (!NT_STATUS_IS_OK(status)) {
1865 /* Too ugly to live ? JRA. */
1866 if (NT_STATUS_EQUAL(status,NT_STATUS_NETWORK_NAME_DELETED)) {
1867 status = NT_STATUS_FILE_CLOSED;
1868 }
1869 return_value = smbd_smb2_request_error(req, status);
1870 break;
1871 }
1872
1873 {
1874 START_PROFILE(smb2_lock);
1875 return_value = smbd_smb2_request_process_lock(req);
1876 END_PROFILE(smb2_lock);
1877 }
1878 break;
1879
1880 case SMB2_OP_IOCTL:
1881 if (!NT_STATUS_IS_OK(session_status)) {
1882 return_value = smbd_smb2_request_error(req, session_status);
1883 break;
1884 }
1885 /*
1886 * This call needs to be run as user.
1887 *
1888 * smbd_smb2_request_check_tcon()
1889 * calls change_to_user() on success.
1890 */
1891 status = smbd_smb2_request_check_tcon(req);
1892 if (!NT_STATUS_IS_OK(status)) {
1893 return_value = smbd_smb2_request_error(req, status);
1894 break;
1895 }
1896
1897 {
1898 START_PROFILE(smb2_ioctl);
1899 return_value = smbd_smb2_request_process_ioctl(req);
1900 END_PROFILE(smb2_ioctl);
1901 }
1902 break;
1903
1904 case SMB2_OP_CANCEL:
1905 /*
1906 * This call needs to be run as root
1907 *
1908 * That is what we also do in the SMB1 case.
1909 */
1910 change_to_root_user();
1911
1912 {
1913 START_PROFILE(smb2_cancel);
1914 return_value = smbd_smb2_request_process_cancel(req);
1915 END_PROFILE(smb2_cancel);
1916 }
1917 break;
1918
1919 case SMB2_OP_KEEPALIVE:
1920 /* This call needs to be run as root */
1921 change_to_root_user();
1922
1923 {
1924 START_PROFILE(smb2_keepalive);
1925 return_value = smbd_smb2_request_process_keepalive(req);
1926 END_PROFILE(smb2_keepalive);
1927 }
1928 break;
1929
1930 case SMB2_OP_FIND:
1931 if (!NT_STATUS_IS_OK(session_status)) {
1932 return_value = smbd_smb2_request_error(req, session_status);
1933 break;
1934 }
1935 /*
1936 * This call needs to be run as user.
1937 *
1938 * smbd_smb2_request_check_tcon()
1939 * calls change_to_user() on success.
1940 */
1941 status = smbd_smb2_request_check_tcon(req);
1942 if (!NT_STATUS_IS_OK(status)) {
1943 return_value = smbd_smb2_request_error(req, status);
1944 break;
1945 }
1946
1947 {
1948 START_PROFILE(smb2_find);
1949 return_value = smbd_smb2_request_process_find(req);
1950 END_PROFILE(smb2_find);
1951 }
1952 break;
1953
1954 case SMB2_OP_NOTIFY:
1955 if (!NT_STATUS_IS_OK(session_status)) {
1956 return_value = smbd_smb2_request_error(req, session_status);
1957 break;
1958 }
1959 /*
1960 * This call needs to be run as user.
1961 *
1962 * smbd_smb2_request_check_tcon()
1963 * calls change_to_user() on success.
1964 */
1965 status = smbd_smb2_request_check_tcon(req);
1966 if (!NT_STATUS_IS_OK(status)) {
1967 return_value = smbd_smb2_request_error(req, status);
1968 break;
1969 }
1970
1971 {
1972 START_PROFILE(smb2_notify);
1973 return_value = smbd_smb2_request_process_notify(req);
1974 END_PROFILE(smb2_notify);
1975 }
1976 break;
1977
1978 case SMB2_OP_GETINFO:
1979 if (!NT_STATUS_IS_OK(session_status)) {
1980 return_value = smbd_smb2_request_error(req, session_status);
1981 break;
1982 }
1983 /*
1984 * This call needs to be run as user.
1985 *
1986 * smbd_smb2_request_check_tcon()
1987 * calls change_to_user() on success.
1988 */
1989 status = smbd_smb2_request_check_tcon(req);
1990 if (!NT_STATUS_IS_OK(status)) {
1991 return_value = smbd_smb2_request_error(req, status);
1992 break;
1993 }
1994
1995 {
1996 START_PROFILE(smb2_getinfo);
1997 return_value = smbd_smb2_request_process_getinfo(req);
1998 END_PROFILE(smb2_getinfo);
1999 }
2000 break;
2001
2002 case SMB2_OP_SETINFO:
2003 if (!NT_STATUS_IS_OK(session_status)) {
2004 return_value = smbd_smb2_request_error(req, session_status);
2005 break;
2006 }
2007 /*
2008 * This call needs to be run as user.
2009 *
2010 * smbd_smb2_request_check_tcon()
2011 * calls change_to_user() on success.
2012 */
2013 status = smbd_smb2_request_check_tcon(req);
2014 if (!NT_STATUS_IS_OK(status)) {
2015 return_value = smbd_smb2_request_error(req, status);
2016 break;
2017 }
2018
2019 {
2020 START_PROFILE(smb2_setinfo);
2021 return_value = smbd_smb2_request_process_setinfo(req);
2022 END_PROFILE(smb2_setinfo);
2023 }
2024 break;
2025
2026 case SMB2_OP_BREAK:
2027 if (!NT_STATUS_IS_OK(session_status)) {
2028 return_value = smbd_smb2_request_error(req, session_status);
2029 break;
2030 }
2031 /*
2032 * This call needs to be run as user.
2033 *
2034 * smbd_smb2_request_check_tcon()
2035 * calls change_to_user() on success.
2036 */
2037 status = smbd_smb2_request_check_tcon(req);
2038 if (!NT_STATUS_IS_OK(status)) {
2039 return_value = smbd_smb2_request_error(req, status);
2040 break;
2041 }
2042
2043 {
2044 START_PROFILE(smb2_break);
2045 return_value = smbd_smb2_request_process_break(req);
2046 END_PROFILE(smb2_break);
2047 }
2048 break;
2049
2050 default:
2051 return_value = smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
2052 break;
2053 }
2054 return return_value;
2055 }
2056
2057 static NTSTATUS smbd_smb2_request_reply(struct smbd_smb2_request *req)
2058 {
2059 struct tevent_req *subreq;
2060 int i = req->current_idx;
2061
2062 req->subreq = NULL;
2063 TALLOC_FREE(req->async_te);
2064
2065 req->current_idx += 3;
2066
2067 if (req->current_idx < req->out.vector_count) {
2068 /*
2069 * We must process the remaining compound
2070 * SMB2 requests before any new incoming SMB2
2071 * requests. This is because incoming SMB2
2072 * requests may include a cancel for a
2073 * compound request we haven't processed
2074 * yet.
2075 */
2076 struct tevent_immediate *im = tevent_create_immediate(req);
2077 if (!im) {
2078 return NT_STATUS_NO_MEMORY;
2079 }
2080 tevent_schedule_immediate(im,
2081 req->sconn->ev_ctx,
2082 smbd_smb2_request_dispatch_immediate,
2083 req);
2084 return NT_STATUS_OK;
2085 }
2086
2087 if (req->compound_related) {
2088 req->sconn->smb2.compound_related_in_progress = false;
2089 }
2090
2091 smb2_setup_nbt_length(req->out.vector, req->out.vector_count);
2092
2093 /* Set credit for these operations (zero credits if this
2094 is a final reply for an async operation). */
2095 smb2_calculate_credits(req, req);
2096
2097 if (req->do_signing) {
2098 NTSTATUS status;
2099 struct smbXsrv_session *x = req->session;
2100 struct smbXsrv_connection *conn = x->connection;
2101 DATA_BLOB signing_key = x->global->channels[0].signing_key;
2102
2103 status = smb2_signing_sign_pdu(signing_key,
2104 conn->protocol,
2105 &req->out.vector[i], 3);
2106 if (!NT_STATUS_IS_OK(status)) {
2107 return status;
2108 }
2109 }
2110
2111 if (DEBUGLEVEL >= 10) {
2112 dbgtext("smbd_smb2_request_reply: sending...\n");
2113 print_req_vectors(req);
2114 }
2115
2116 /* I am a sick, sick man... :-). Sendfile hack ... JRA. */
2117 if (req->out.vector_count == 4 &&
2118 req->out.vector[3].iov_base == NULL &&
2119 req->out.vector[3].iov_len != 0) {
2120 /* Dynamic part is NULL. Chop it off,
2121 We're going to send it via sendfile. */
2122 req->out.vector_count -= 1;
2123 }
2124
2125 subreq = tstream_writev_queue_send(req,
2126 req->sconn->ev_ctx,
2127 req->sconn->smb2.stream,
2128 req->sconn->smb2.send_queue,
2129 req->out.vector,
2130 req->out.vector_count);
2131 if (subreq == NULL) {
2132 return NT_STATUS_NO_MEMORY;
2133 }
2134 tevent_req_set_callback(subreq, smbd_smb2_request_writev_done, req);
2135 /*
2136 * We're done with this request -
2137 * move it off the "being processed" queue.
2138 */
2139 DLIST_REMOVE(req->sconn->smb2.requests, req);
2140
2141 return NT_STATUS_OK;
2142 }
2143
2144 static NTSTATUS smbd_smb2_request_next_incoming(struct smbd_server_connection *sconn);
2145
2146 void smbd_smb2_request_dispatch_immediate(struct tevent_context *ctx,
2147 struct tevent_immediate *im,
2148 void *private_data)
2149 {
2150 struct smbd_smb2_request *req = talloc_get_type_abort(private_data,
2151 struct smbd_smb2_request);
2152 struct smbd_server_connection *sconn = req->sconn;
2153 NTSTATUS status;
2154
2155 TALLOC_FREE(im);
2156
2157 if (DEBUGLEVEL >= 10) {
2158 DEBUG(10,("smbd_smb2_request_dispatch_immediate: idx[%d] of %d vectors\n",
2159 req->current_idx, req->in.vector_count));
2160 print_req_vectors(req);
2161 }
2162
2163 status = smbd_smb2_request_dispatch(req);
2164 if (!NT_STATUS_IS_OK(status)) {
2165 smbd_server_connection_terminate(sconn, nt_errstr(status));
2166 return;
2167 }
2168
2169 status = smbd_smb2_request_next_incoming(sconn);
2170 if (!NT_STATUS_IS_OK(status)) {
2171 smbd_server_connection_terminate(sconn, nt_errstr(status));
2172 return;
2173 }
2174 }
2175
2176 static void smbd_smb2_request_writev_done(struct tevent_req *subreq)
2177 {
2178 struct smbd_smb2_request *req = tevent_req_callback_data(subreq,
2179 struct smbd_smb2_request);
2180 struct smbd_server_connection *sconn = req->sconn;
2181 int ret;
2182 int sys_errno;
2183 NTSTATUS status;
2184
2185 ret = tstream_writev_queue_recv(subreq, &sys_errno);
2186 TALLOC_FREE(subreq);
2187 TALLOC_FREE(req);
2188 if (ret == -1) {
2189 status = map_nt_error_from_unix(sys_errno);
2190 DEBUG(2,("smbd_smb2_request_writev_done: client write error %s\n",
2191 nt_errstr(status)));
2192 smbd_server_connection_terminate(sconn, nt_errstr(status));
2193 return;
2194 }
2195
2196 status = smbd_smb2_request_next_incoming(sconn);
2197 if (!NT_STATUS_IS_OK(status)) {
2198 smbd_server_connection_terminate(sconn, nt_errstr(status));
2199 return;
2200 }
2201 }
2202
2203 NTSTATUS smbd_smb2_request_done_ex(struct smbd_smb2_request *req,
2204 NTSTATUS status,
2205 DATA_BLOB body, DATA_BLOB *dyn,
2206 const char *location)
2207 {
2208 uint8_t *outhdr;
2209 int i = req->current_idx;
2210 uint32_t next_command_ofs;
2211
2212 DEBUG(10,("smbd_smb2_request_done_ex: "
2213 "idx[%d] status[%s] body[%u] dyn[%s:%u] at %s\n",
2214 i, nt_errstr(status), (unsigned int)body.length,
2215 dyn ? "yes": "no",
2216 (unsigned int)(dyn ? dyn->length : 0),
2217 location));
2218
2219 if (body.length < 2) {
2220 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
2221 }
2222
2223 if ((body.length % 2) != 0) {
2224 return smbd_smb2_request_error(req, NT_STATUS_INTERNAL_ERROR);
2225 }
2226
2227 outhdr = (uint8_t *)req->out.vector[i].iov_base;
2228
2229 next_command_ofs = IVAL(outhdr, SMB2_HDR_NEXT_COMMAND);
2230 SIVAL(outhdr, SMB2_HDR_STATUS, NT_STATUS_V(status));
2231
2232 req->out.vector[i+1].iov_base = (void *)body.data;
2233 req->out.vector[i+1].iov_len = body.length;
2234
2235 if (dyn) {
2236 req->out.vector[i+2].iov_base = (void *)dyn->data;
2237 req->out.vector[i+2].iov_len = dyn->length;
2238 } else {
2239 req->out.vector[i+2].iov_base = NULL;
2240 req->out.vector[i+2].iov_len = 0;
2241 }
2242
2243 /* see if we need to recalculate the offset to the next response */
2244 if (next_command_ofs > 0) {
2245 next_command_ofs = SMB2_HDR_BODY;
2246 next_command_ofs += req->out.vector[i+1].iov_len;
2247 next_command_ofs += req->out.vector[i+2].iov_len;
2248 }
2249
2250 if ((next_command_ofs % 8) != 0) {
2251 size_t pad_size = 8 - (next_command_ofs % 8);
2252 if (req->out.vector[i+2].iov_len == 0) {
2253 /*
2254 * if the dyn buffer is empty
2255 * we can use it to add padding
2256 */
2257 uint8_t *pad;
2258
2259 pad = talloc_zero_array(req->out.vector,
2260 uint8_t, pad_size);
2261 if (pad == NULL) {
2262 return smbd_smb2_request_error(req,
2263 NT_STATUS_NO_MEMORY);
2264 }
2265
2266 req->out.vector[i+2].iov_base = (void *)pad;
2267 req->out.vector[i+2].iov_len = pad_size;
2268 } else {
2269 /*
2270 * For now we copy the dynamic buffer
2271 * and add the padding to the new buffer
2272 */
2273 size_t old_size;
2274 uint8_t *old_dyn;
2275 size_t new_size;
2276 uint8_t *new_dyn;
2277
2278 old_size = req->out.vector[i+2].iov_len;
2279 old_dyn = (uint8_t *)req->out.vector[i+2].iov_base;
2280
2281 new_size = old_size + pad_size;
2282 new_dyn = talloc_zero_array(req->out.vector,
2283 uint8_t, new_size);
2284 if (new_dyn == NULL) {
2285 return smbd_smb2_request_error(req,
2286 NT_STATUS_NO_MEMORY);
2287 }
2288
2289 memcpy(new_dyn, old_dyn, old_size);
2290 memset(new_dyn + old_size, 0, pad_size);
2291
2292 req->out.vector[i+2].iov_base = (void *)new_dyn;
2293 req->out.vector[i+2].iov_len = new_size;
2294 }
2295 next_command_ofs += pad_size;
2296 }
2297
2298 SIVAL(outhdr, SMB2_HDR_NEXT_COMMAND, next_command_ofs);
2299
2300 return smbd_smb2_request_reply(req);
2301 }
2302
2303 NTSTATUS smbd_smb2_request_error_ex(struct smbd_smb2_request *req,
2304 NTSTATUS status,
2305 DATA_BLOB *info,
2306 const char *location)
2307 {
2308 DATA_BLOB body;
2309 int i = req->current_idx;
2310 uint8_t *outhdr = (uint8_t *)req->out.vector[i].iov_base;
2311
2312 DEBUG(10,("smbd_smb2_request_error_ex: idx[%d] status[%s] |%s| at %s\n",
2313 i, nt_errstr(status), info ? " +info" : "",
2314 location));
2315
2316 body.data = outhdr + SMB2_HDR_BODY;
2317 body.length = 8;
2318 SSVAL(body.data, 0, 9);
2319
2320 if (info) {
2321 SIVAL(body.data, 0x04, info->length);
2322 } else {
2323 /* Allocated size of req->out.vector[i].iov_base
2324 * *MUST BE* OUTVEC_ALLOC_SIZE. So we have room for
2325 * 1 byte without having to do an alloc.
2326 */
2327 info = talloc_zero_array(req->out.vector,
2328 DATA_BLOB,
2329 1);
2330 if (!info) {
2331 return NT_STATUS_NO_MEMORY;
2332 }
2333 info->data = ((uint8_t *)outhdr) +
2334 OUTVEC_ALLOC_SIZE - 1;
2335 info->length = 1;
2336 SCVAL(info->data, 0, 0);
2337 }
2338
2339 /*
2340 * if a request fails, all other remaining
2341 * compounded requests should fail too
2342 */
2343 req->next_status = NT_STATUS_INVALID_PARAMETER;
2344
2345 return smbd_smb2_request_done_ex(req, status, body, info, __location__);
2346 }
2347
2348
2349 struct smbd_smb2_send_oplock_break_state {
2350 struct smbd_server_connection *sconn;
2351 uint8_t buf[4 + SMB2_HDR_BODY + 0x18];
2352 struct iovec vector;
2353 };
2354
2355 static void smbd_smb2_oplock_break_writev_done(struct tevent_req *subreq);
2356
2357 NTSTATUS smbd_smb2_send_oplock_break(struct smbd_server_connection *sconn,
2358 uint64_t file_id_persistent,
2359 uint64_t file_id_volatile,
2360 uint8_t oplock_level)
2361 {
2362 struct smbd_smb2_send_oplock_break_state *state;
2363 struct tevent_req *subreq;
2364 uint8_t *hdr;
2365 uint8_t *body;
2366
2367 state = talloc(sconn, struct smbd_smb2_send_oplock_break_state);
2368 if (state == NULL) {
2369 return NT_STATUS_NO_MEMORY;
2370 }
2371 state->sconn = sconn;
2372
2373 state->vector.iov_base = (void *)state->buf;
2374 state->vector.iov_len = sizeof(state->buf);
2375
2376 _smb2_setlen(state->buf, sizeof(state->buf) - 4);
2377 hdr = state->buf + 4;
2378 body = hdr + SMB2_HDR_BODY;
2379
2380 SIVAL(hdr, 0, SMB2_MAGIC);
2381 SSVAL(hdr, SMB2_HDR_LENGTH, SMB2_HDR_BODY);
2382 SSVAL(hdr, SMB2_HDR_EPOCH, 0);
2383 SIVAL(hdr, SMB2_HDR_STATUS, 0);
2384 SSVAL(hdr, SMB2_HDR_OPCODE, SMB2_OP_BREAK);
2385 SSVAL(hdr, SMB2_HDR_CREDIT, 0);
2386 SIVAL(hdr, SMB2_HDR_FLAGS, SMB2_HDR_FLAG_REDIRECT);
2387 SIVAL(hdr, SMB2_HDR_NEXT_COMMAND, 0);
2388 SBVAL(hdr, SMB2_HDR_MESSAGE_ID, UINT64_MAX);
2389 SIVAL(hdr, SMB2_HDR_PID, 0);
2390 SIVAL(hdr, SMB2_HDR_TID, 0);
2391 SBVAL(hdr, SMB2_HDR_SESSION_ID, 0);
2392 memset(hdr+SMB2_HDR_SIGNATURE, 0, 16);
2393
2394 SSVAL(body, 0x00, 0x18);
2395
2396 SCVAL(body, 0x02, oplock_level);
2397 SCVAL(body, 0x03, 0); /* reserved */
2398 SIVAL(body, 0x04, 0); /* reserved */
2399 SBVAL(body, 0x08, file_id_persistent);
2400 SBVAL(body, 0x10, file_id_volatile);
2401
2402 subreq = tstream_writev_queue_send(state,
2403 sconn->ev_ctx,
2404 sconn->smb2.stream,
2405 sconn->smb2.send_queue,
2406 &state->vector, 1);
2407 if (subreq == NULL) {
2408 return NT_STATUS_NO_MEMORY;
2409 }
2410 tevent_req_set_callback(subreq,
2411 smbd_smb2_oplock_break_writev_done,
2412 state);
2413
2414 return NT_STATUS_OK;
2415 }
2416
2417 static void smbd_smb2_oplock_break_writev_done(struct tevent_req *subreq)
2418 {
2419 struct smbd_smb2_send_oplock_break_state *state =
2420 tevent_req_callback_data(subreq,
2421 struct smbd_smb2_send_oplock_break_state);
2422 struct smbd_server_connection *sconn = state->sconn;
2423 int ret;
2424 int sys_errno;
2425
2426 ret = tstream_writev_queue_recv(subreq, &sys_errno);
2427 TALLOC_FREE(subreq);
2428 if (ret == -1) {
2429 NTSTATUS status = map_nt_error_from_unix(sys_errno);
2430 smbd_server_connection_terminate(sconn, nt_errstr(status));
2431 return;
2432 }
2433
2434 TALLOC_FREE(state);
2435 }
2436
2437 struct smbd_smb2_request_read_state {
2438 size_t missing;
2439 bool asked_for_header;
2440 struct smbd_smb2_request *smb2_req;
2441 };
2442
2443 static int smbd_smb2_request_next_vector(struct tstream_context *stream,
2444 void *private_data,
2445 TALLOC_CTX *mem_ctx,
2446 struct iovec **_vector,
2447 size_t *_count);
2448 static void smbd_smb2_request_read_done(struct tevent_req *subreq);
2449
2450 static struct tevent_req *smbd_smb2_request_read_send(TALLOC_CTX *mem_ctx,
2451 struct tevent_context *ev,
2452 struct smbd_server_connection *sconn)
2453 {
2454 struct tevent_req *req;
2455 struct smbd_smb2_request_read_state *state;
2456 struct tevent_req *subreq;
2457
2458 req = tevent_req_create(mem_ctx, &state,
2459 struct smbd_smb2_request_read_state);
2460 if (req == NULL) {
2461 return NULL;
2462 }
2463 state->missing = 0;
2464 state->asked_for_header = false;
2465
2466 state->smb2_req = smbd_smb2_request_allocate(state);
2467 if (tevent_req_nomem(state->smb2_req, req)) {
2468 return tevent_req_post(req, ev);
2469 }
2470 state->smb2_req->sconn = sconn;
2471
2472 subreq = tstream_readv_pdu_queue_send(state, ev, sconn->smb2.stream,
2473 sconn->smb2.recv_queue,
2474 smbd_smb2_request_next_vector,
2475 state);
2476 if (tevent_req_nomem(subreq, req)) {
2477 return tevent_req_post(req, ev);
2478 }
2479 tevent_req_set_callback(subreq, smbd_smb2_request_read_done, req);
2480
2481 return req;
2482 }
2483
2484 static int smbd_smb2_request_next_vector(struct tstream_context *stream,
2485 void *private_data,
2486 TALLOC_CTX *mem_ctx,
2487 struct iovec **_vector,
2488 size_t *_count)
2489 {
2490 struct smbd_smb2_request_read_state *state =
2491 talloc_get_type_abort(private_data,
2492 struct smbd_smb2_request_read_state);
2493 struct smbd_smb2_request *req = state->smb2_req;
2494 struct iovec *vector;
2495 int idx = req->in.vector_count;
2496 size_t len = 0;
2497 uint8_t *buf = NULL;
2498
2499 if (req->in.vector_count == 0) {
2500 /*
2501 * first we need to get the NBT header
2502 */
2503 req->in.vector = talloc_array(req, struct iovec,
2504 req->in.vector_count + 1);
2505 if (req->in.vector == NULL) {
2506 return -1;
2507 }
2508 req->in.vector_count += 1;
2509
2510 req->in.vector[idx].iov_base = (void *)req->in.nbt_hdr;
2511 req->in.vector[idx].iov_len = 4;
2512
2513 vector = talloc_array(mem_ctx, struct iovec, 1);
2514 if (vector == NULL) {
2515 return -1;
2516 }
2517
2518 vector[0] = req->in.vector[idx];
2519
2520 *_vector = vector;
2521 *_count = 1;
2522 return 0;
2523 }
2524
2525 if (req->in.vector_count == 1) {
2526 /*
2527 * Now we analyze the NBT header
2528 */
2529 state->missing = smb2_len(req->in.vector[0].iov_base);
2530
2531 if (state->missing == 0) {
2532 /* if there're no remaining bytes, we're done */
2533 *_vector = NULL;
2534 *_count = 0;
2535 return 0;
2536 }
2537
2538 req->in.vector = talloc_realloc(req, req->in.vector,
2539 struct iovec,
2540 req->in.vector_count + 1);
2541 if (req->in.vector == NULL) {
2542 return -1;
2543 }
2544 req->in.vector_count += 1;
2545
2546 if (CVAL(req->in.vector[0].iov_base, 0) != 0) {
2547 /*
2548 * it's a special NBT message,
2549 * so get all remaining bytes
2550 */
2551 len = state->missing;
2552 } else if (state->missing < (SMB2_HDR_BODY + 2)) {
2553 /*
2554 * it's an invalid message, just read what we can get
2555 * and let the caller handle the error
2556 */
2557 len = state->missing;
2558 } else {
2559 /*
2560 * We assume it's a SMB2 request,
2561 * and we first get the header and the
2562 * first 2 bytes (the struct size) of the body
2563 */
2564 len = SMB2_HDR_BODY + 2;
2565
2566 state->asked_for_header = true;
2567 }
2568
2569 state->missing -= len;
2570
2571 buf = talloc_array(req->in.vector, uint8_t, len);
2572 if (buf == NULL) {
2573 return -1;
2574 }
2575
2576 req->in.vector[idx].iov_base = (void *)buf;
2577 req->in.vector[idx].iov_len = len;
2578
2579 vector = talloc_array(mem_ctx, struct iovec, 1);
2580 if (vector == NULL) {
2581 return -1;
2582 }
2583
2584 vector[0] = req->in.vector[idx];
2585
2586 *_vector = vector;
2587 *_count = 1;
2588 return 0;
2589 }
2590
2591 if (state->missing == 0) {
2592 /* if there're no remaining bytes, we're done */
2593 *_vector = NULL;
2594 *_count = 0;
2595 return 0;
2596 }
2597
2598 if (state->asked_for_header) {
2599 const uint8_t *hdr;
2600 size_t full_size;
2601 size_t next_command_ofs;
2602 size_t body_size;
2603 uint8_t *body;
2604 size_t dyn_size;
2605 uint8_t *dyn;
2606 bool invalid = false;
2607
2608 state->asked_for_header = false;
2609
2610 /*
2611 * We got the SMB2 header and the first 2 bytes
2612 * of the body. We fix the size to just the header
2613 * and manually copy the 2 first bytes to the body section
2614 */
2615 req->in.vector[idx-1].iov_len = SMB2_HDR_BODY;
2616 hdr = (const uint8_t *)req->in.vector[idx-1].iov_base;
2617
2618 /* allocate vectors for body and dynamic areas */
2619 req->in.vector = talloc_realloc(req, req->in.vector,
2620 struct iovec,
2621 req->in.vector_count + 2);
2622 if (req->in.vector == NULL) {
2623 return -1;
2624 }
2625 req->in.vector_count += 2;
2626
2627 full_size = state->missing + SMB2_HDR_BODY + 2;
2628 next_command_ofs = IVAL(hdr, SMB2_HDR_NEXT_COMMAND);
2629 body_size = SVAL(hdr, SMB2_HDR_BODY);
2630
2631 if (next_command_ofs != 0) {
2632 if (next_command_ofs < (SMB2_HDR_BODY + 2)) {
2633 /*
2634 * this is invalid, just return a zero
2635 * body and let the caller deal with the error
2636 */
2637 invalid = true;
2638 } else if (next_command_ofs > full_size) {
2639 /*
2640 * this is invalid, just return a zero
2641 * body and let the caller deal with the error
2642 */
2643 invalid = true;
2644 } else {
2645 full_size = next_command_ofs;
2646 }
2647 }
2648
2649 if (!invalid) {
2650 if (body_size < 2) {
2651 /*
2652 * this is invalid, just return a zero
2653 * body and let the caller deal with the error
2654 */
2655 invalid = true;
2656 }
2657
2658 /*
2659 * Mask out the lowest bit, the "dynamic" part
2660 * of body_size.
2661 */
2662 body_size &= ~1;
2663
2664 if (body_size > (full_size - SMB2_HDR_BODY)) {
2665 /*
2666 * this is invalid, just return a zero
2667 * body and let the caller deal with the error
2668 */
2669 invalid = true;
2670 }
2671 }
2672
2673 if (invalid) {
2674 /* the caller should check this */
2675 body_size = 2;
2676 }
2677
2678 dyn_size = full_size - (SMB2_HDR_BODY + body_size);
2679
2680 state->missing -= (body_size - 2) + dyn_size;
2681
2682 body = talloc_array(req->in.vector, uint8_t, body_size);
2683 if (body == NULL) {
2684 return -1;
2685 }
2686
2687 dyn = talloc_array(req->in.vector, uint8_t, dyn_size);
2688 if (dyn == NULL) {
2689 return -1;
2690 }
2691
2692 req->in.vector[idx].iov_base = (void *)body;
2693 req->in.vector[idx].iov_len = body_size;
2694 req->in.vector[idx+1].iov_base = (void *)dyn;
2695 req->in.vector[idx+1].iov_len = dyn_size;
2696
2697 vector = talloc_array(mem_ctx, struct iovec, 2);
2698 if (vector == NULL) {
2699 return -1;
2700 }
2701
2702 /*
2703 * the first 2 bytes of the body were already fetched
2704 * together with the header
2705 */
2706 memcpy(body, hdr + SMB2_HDR_BODY, 2);
2707 vector[0].iov_base = body + 2;
2708 vector[0].iov_len = body_size - 2;
2709
2710 vector[1] = req->in.vector[idx+1];
2711
2712 *_vector = vector;
2713 *_count = 2;
2714 return 0;
2715 }
2716
2717 /*
2718 * when we endup here, we're looking for a new SMB2 request
2719 * next. And we ask for its header and the first 2 bytes of
2720 * the body (like we did for the first SMB2 request).
2721 */
2722
2723 req->in.vector = talloc_realloc(req, req->in.vector,
2724 struct iovec,
2725 req->in.vector_count + 1);
2726 if (req->in.vector == NULL) {
2727 return -1;
2728 }
2729 req->in.vector_count += 1;
2730
2731 /*
2732 * We assume it's a SMB2 request,
2733 * and we first get the header and the
2734 * first 2 bytes (the struct size) of the body
2735 */
2736 len = SMB2_HDR_BODY + 2;
2737
2738 if (len > state->missing) {
2739 /* let the caller handle the error */
2740 len = state->missing;
2741 }
2742
2743 state->missing -= len;
2744 state->asked_for_header = true;
2745
2746 buf = talloc_array(req->in.vector, uint8_t, len);
2747 if (buf == NULL) {
2748 return -1;
2749 }
2750
2751 req->in.vector[idx].iov_base = (void *)buf;
2752 req->in.vector[idx].iov_len = len;
2753
2754 vector = talloc_array(mem_ctx, struct iovec, 1);
2755 if (vector == NULL) {
2756 return -1;
2757 }
2758
2759 vector[0] = req->in.vector[idx];
2760
2761 *_vector = vector;
2762 *_count = 1;
2763 return 0;
2764 }
2765
2766 static void smbd_smb2_request_read_done(struct tevent_req *subreq)
2767 {
2768 struct tevent_req *req =
2769 tevent_req_callback_data(subreq,
2770 struct tevent_req);
2771 int ret;
2772 int sys_errno;
2773 NTSTATUS status;
2774
2775 ret = tstream_readv_pdu_queue_recv(subreq, &sys_errno);
2776 if (ret == -1) {
2777 status = map_nt_error_from_unix(sys_errno);
2778 tevent_req_nterror(req, status);
2779 return;
2780 }
2781
2782 tevent_req_done(req);
2783 }
2784
2785 static NTSTATUS smbd_smb2_request_read_recv(struct tevent_req *req,
2786 TALLOC_CTX *mem_ctx,
2787 struct smbd_smb2_request **_smb2_req)
2788 {
2789 struct smbd_smb2_request_read_state *state =
2790 tevent_req_data(req,
2791 struct smbd_smb2_request_read_state);
2792 NTSTATUS status;
2793
2794 if (tevent_req_is_nterror(req, &status)) {
2795 tevent_req_received(req);
2796 return status;
2797 }
2798
2799 talloc_steal(mem_ctx, state->smb2_req->mem_pool);
2800 *_smb2_req = state->smb2_req;
2801 tevent_req_received(req);
2802 return NT_STATUS_OK;
2803 }
2804
2805 static void smbd_smb2_request_incoming(struct tevent_req *subreq);
2806
2807 static NTSTATUS smbd_smb2_request_next_incoming(struct smbd_server_connection *sconn)
2808 {
2809 size_t max_send_queue_len;
2810 size_t cur_send_queue_len;
2811 struct tevent_req *subreq;
2812
2813 if (sconn->smb2.compound_related_in_progress) {
2814 /*
2815 * Can't read another until the related
2816 * compound is done.
2817 */
2818 return NT_STATUS_OK;
2819 }
2820
2821 if (tevent_queue_length(sconn->smb2.recv_queue) > 0) {
2822 /*
2823 * if there is already a smbd_smb2_request_read
2824 * pending, we are done.
2825 */
2826 return NT_STATUS_OK;
2827 }
2828
2829 max_send_queue_len = MAX(1, sconn->smb2.max_credits/16);
2830 cur_send_queue_len = tevent_queue_length(sconn->smb2.send_queue);
2831
2832 if (cur_send_queue_len > max_send_queue_len) {
2833 /*
2834 * if we have a lot of requests to send,
2835 * we wait until they are on the wire until we
2836 * ask for the next request.
2837 */
2838 return NT_STATUS_OK;
2839 }
2840
2841 /* ask for the next request */
2842 subreq = smbd_smb2_request_read_send(sconn, sconn->ev_ctx, sconn);
2843 if (subreq == NULL) {
2844 return NT_STATUS_NO_MEMORY;
2845 }
2846 tevent_req_set_callback(subreq, smbd_smb2_request_incoming, sconn);
2847
2848 return NT_STATUS_OK;
2849 }
2850
2851 void smbd_smb2_first_negprot(struct smbd_server_connection *sconn,
2852 const uint8_t *inbuf, size_t size)
2853 {
2854 NTSTATUS status;
2855 struct smbd_smb2_request *req = NULL;
2856
2857 DEBUG(10,("smbd_smb2_first_negprot: packet length %u\n",
2858 (unsigned int)size));
2859
2860 status = smbd_initialize_smb2(sconn);
2861 if (!NT_STATUS_IS_OK(status)) {
2862 smbd_server_connection_terminate(sconn, nt_errstr(status));
2863 return;
2864 }
2865
2866 status = smbd_smb2_request_create(sconn, inbuf, size, &req);
2867 if (!NT_STATUS_IS_OK(status)) {
2868 smbd_server_connection_terminate(sconn, nt_errstr(status));
2869 return;
2870 }
2871
2872 status = smbd_smb2_request_validate(req);
2873 if (!NT_STATUS_IS_OK(status)) {
2874 smbd_server_connection_terminate(sconn, nt_errstr(status));
2875 return;
2876 }
2877
2878 status = smbd_smb2_request_setup_out(req);
2879 if (!NT_STATUS_IS_OK(status)) {
2880 smbd_server_connection_terminate(sconn, nt_errstr(status));
2881 return;
2882 }
2883
2884 status = smbd_smb2_request_dispatch(req);
2885 if (!NT_STATUS_IS_OK(status)) {
2886 smbd_server_connection_terminate(sconn, nt_errstr(status));
2887 return;
2888 }
2889
2890 status = smbd_smb2_request_next_incoming(sconn);
2891 if (!NT_STATUS_IS_OK(status)) {
2892 smbd_server_connection_terminate(sconn, nt_errstr(status));
2893 return;
2894 }
2895
2896 sconn->num_requests++;
2897 }
2898
2899 static void smbd_smb2_request_incoming(struct tevent_req *subreq)
2900 {
2901 struct smbd_server_connection *sconn = tevent_req_callback_data(subreq,
2902 struct smbd_server_connection);
2903 NTSTATUS status;
2904 struct smbd_smb2_request *req = NULL;
2905
2906 status = smbd_smb2_request_read_recv(subreq, sconn, &req);
2907 TALLOC_FREE(subreq);
2908 if (!NT_STATUS_IS_OK(status)) {
2909 DEBUG(2,("smbd_smb2_request_incoming: client read error %s\n",
2910 nt_errstr(status)));
2911 smbd_server_connection_terminate(sconn, nt_errstr(status));
2912 return;
2913 }
2914
2915 if (req->in.nbt_hdr[0] != 0x00) {
2916 DEBUG(1,("smbd_smb2_request_incoming: ignore NBT[0x%02X] msg\n",
2917 req->in.nbt_hdr[0]));
2918 TALLOC_FREE(req);
2919 goto next;
2920 }
2921
2922 req->current_idx = 1;
2923
2924 DEBUG(10,("smbd_smb2_request_incoming: idx[%d] of %d vectors\n",
2925 req->current_idx, req->in.vector_count));
2926
2927 status = smbd_smb2_request_validate(req);
2928 if (!NT_STATUS_IS_OK(status)) {
2929 smbd_server_connection_terminate(sconn, nt_errstr(status));
2930 return;
2931 }
2932
2933 status = smbd_smb2_request_setup_out(req);
2934 if (!NT_STATUS_IS_OK(status)) {
2935 smbd_server_connection_terminate(sconn, nt_errstr(status));
2936 return;
2937 }
2938
2939 status = smbd_smb2_request_dispatch(req);
2940 if (!NT_STATUS_IS_OK(status)) {
2941 smbd_server_connection_terminate(sconn, nt_errstr(status));
2942 return;
2943 }
2944
2945 next:
2946 status = smbd_smb2_request_next_incoming(sconn);
2947 if (!NT_STATUS_IS_OK(status)) {
2948 smbd_server_connection_terminate(sconn, nt_errstr(status));
2949 return;
2950 }
2951
2952 sconn->num_requests++;
2953
2954 /* The timeout_processing function isn't run nearly
2955 often enough to implement 'max log size' without
2956 overrunning the size of the file by many megabytes.
2957 This is especially true if we are running at debug
2958 level 10. Checking every 50 SMB2s is a nice
2959 tradeoff of performance vs log file size overrun. */
2960
2961 if ((sconn->num_requests % 50) == 0 &&
2962 need_to_check_log_size()) {
2963 change_to_root_user();
2964 check_log_size();
2965 }
2966 }
reg import