search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:smbd: make use of smbXsrv_session for smb1
[Samba/gebeck_regimport.git] / source3 / smbd / process.c
blob1cff64a3001009b0f9f1ea2229381452e7bbc922
1 /*
2 Unix SMB/CIFS implementation.
3 process incoming packets - main loop
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Volker Lendecke 2005-2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../lib/tsocket/tsocket.h"
23 #include "system/filesys.h"
24 #include "smbd/smbd.h"
25 #include "smbd/globals.h"
26 #include "librpc/gen_ndr/netlogon.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/queue_process.h"
31 #include "system/select.h"
32 #include "passdb.h"
33 #include "auth.h"
34 #include "messages.h"
35 #include "smbprofile.h"
36 #include "rpc_server/spoolss/srv_spoolss_nt.h"
37 #include "libsmb/libsmb.h"
38 #include "../lib/util/tevent_ntstatus.h"
39 #include "../libcli/security/dom_sid.h"
40 #include "../libcli/security/security_token.h"
41 #include "lib/id_cache.h"
42 #include "serverid.h"
43
44 extern bool global_machine_password_needs_changing;
45
46 /* Internal message queue for deferred opens. */
47 struct pending_message_list {
48 struct pending_message_list *next, *prev;
49 struct timeval request_time; /* When was this first issued? */
50 struct smbd_server_connection *sconn;
51 struct timed_event *te;
52 struct smb_perfcount_data pcd;
53 uint32_t seqnum;
54 bool encrypted;
55 bool processed;
56 DATA_BLOB buf;
57 DATA_BLOB private_data;
58 };
59
60 static void construct_reply_common(struct smb_request *req, const char *inbuf,
61 char *outbuf);
62 static struct pending_message_list *get_deferred_open_message_smb(
63 struct smbd_server_connection *sconn, uint64_t mid);
64 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf);
65
66 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
67 {
68 bool ok;
69
70 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
71 return true;
72 }
73
74 sconn->smb1.echo_handler.ref_count++;
75
76 if (sconn->smb1.echo_handler.ref_count > 1) {
77 return true;
78 }
79
80 DEBUG(10,("pid[%d] wait for socket lock\n", (int)getpid()));
81
82 do {
83 ok = fcntl_lock(
84 sconn->smb1.echo_handler.socket_lock_fd,
85 F_SETLKW, 0, 0, F_WRLCK);
86 } while (!ok && (errno == EINTR));
87
88 if (!ok) {
89 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
90 return false;
91 }
92
93 DEBUG(10,("pid[%d] got for socket lock\n", (int)getpid()));
94
95 return true;
96 }
97
98 void smbd_lock_socket(struct smbd_server_connection *sconn)
99 {
100 if (!smbd_lock_socket_internal(sconn)) {
101 exit_server_cleanly("failed to lock socket");
102 }
103 }
104
105 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
106 {
107 bool ok;
108
109 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
110 return true;
111 }
112
113 sconn->smb1.echo_handler.ref_count--;
114
115 if (sconn->smb1.echo_handler.ref_count > 0) {
116 return true;
117 }
118
119 do {
120 ok = fcntl_lock(
121 sconn->smb1.echo_handler.socket_lock_fd,
122 F_SETLKW, 0, 0, F_UNLCK);
123 } while (!ok && (errno == EINTR));
124
125 if (!ok) {
126 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
127 return false;
128 }
129
130 DEBUG(10,("pid[%d] unlocked socket\n", (int)getpid()));
131
132 return true;
133 }
134
135 void smbd_unlock_socket(struct smbd_server_connection *sconn)
136 {
137 if (!smbd_unlock_socket_internal(sconn)) {
138 exit_server_cleanly("failed to unlock socket");
139 }
140 }
141
142 /* Accessor function for smb_read_error for smbd functions. */
143
144 /****************************************************************************
145 Send an smb to a fd.
146 ****************************************************************************/
147
148 bool srv_send_smb(struct smbd_server_connection *sconn, char *buffer,
149 bool do_signing, uint32_t seqnum,
150 bool do_encrypt,
151 struct smb_perfcount_data *pcd)
152 {
153 size_t len = 0;
154 size_t nwritten=0;
155 ssize_t ret;
156 char *buf_out = buffer;
157
158 smbd_lock_socket(sconn);
159
160 if (do_signing) {
161 /* Sign the outgoing packet if required. */
162 srv_calculate_sign_mac(sconn, buf_out, seqnum);
163 }
164
165 if (do_encrypt) {
166 NTSTATUS status = srv_encrypt_buffer(sconn, buffer, &buf_out);
167 if (!NT_STATUS_IS_OK(status)) {
168 DEBUG(0, ("send_smb: SMB encryption failed "
169 "on outgoing packet! Error %s\n",
170 nt_errstr(status) ));
171 goto out;
172 }
173 }
174
175 len = smb_len(buf_out) + 4;
176
177 ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
178 if (ret <= 0) {
179
180 char addr[INET6_ADDRSTRLEN];
181 /*
182 * Try and give an error message saying what
183 * client failed.
184 */
185 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
186 (int)getpid(), (int)len,
187 get_peer_addr(sconn->sock, addr, sizeof(addr)),
188 (int)ret, strerror(errno) ));
189
190 srv_free_enc_buffer(sconn, buf_out);
191 goto out;
192 }
193
194 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
195 srv_free_enc_buffer(sconn, buf_out);
196 out:
197 SMB_PERFCOUNT_END(pcd);
198
199 smbd_unlock_socket(sconn);
200 return true;
201 }
202
203 /*******************************************************************
204 Setup the word count and byte count for a smb message.
205 ********************************************************************/
206
207 int srv_set_message(char *buf,
208 int num_words,
209 int num_bytes,
210 bool zero)
211 {
212 if (zero && (num_words || num_bytes)) {
213 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
214 }
215 SCVAL(buf,smb_wct,num_words);
216 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
217 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
218 return (smb_size + num_words*2 + num_bytes);
219 }
220
221 static bool valid_smb_header(struct smbd_server_connection *sconn,
222 const uint8_t *inbuf)
223 {
224 if (is_encrypted_packet(sconn, inbuf)) {
225 return true;
226 }
227 /*
228 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
229 * but it just looks weird to call strncmp for this one.
230 */
231 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
232 }
233
234 /* Socket functions for smbd packet processing. */
235
236 static bool valid_packet_size(size_t len)
237 {
238 /*
239 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
240 * of header. Don't print the error if this fits.... JRA.
241 */
242
243 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
244 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
245 (unsigned long)len));
246 return false;
247 }
248 return true;
249 }
250
251 static NTSTATUS read_packet_remainder(int fd, char *buffer,
252 unsigned int timeout, ssize_t len)
253 {
254 NTSTATUS status;
255
256 if (len <= 0) {
257 return NT_STATUS_OK;
258 }
259
260 status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
261 if (!NT_STATUS_IS_OK(status)) {
262 char addr[INET6_ADDRSTRLEN];
263 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
264 "error = %s.\n",
265 get_peer_addr(fd, addr, sizeof(addr)),
266 nt_errstr(status)));
267 }
268 return status;
269 }
270
271 /****************************************************************************
272 Attempt a zerocopy writeX read. We know here that len > smb_size-4
273 ****************************************************************************/
274
275 /*
276 * Unfortunately, earlier versions of smbclient/libsmbclient
277 * don't send this "standard" writeX header. I've fixed this
278 * for 3.2 but we'll use the old method with earlier versions.
279 * Windows and CIFSFS at least use this standard size. Not
280 * sure about MacOSX.
281 */
282
283 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
284 (2*14) + /* word count (including bcc) */ \
285 1 /* pad byte */)
286
287 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
288 const char lenbuf[4],
289 struct smbd_server_connection *sconn,
290 int sock,
291 char **buffer,
292 unsigned int timeout,
293 size_t *p_unread,
294 size_t *len_ret)
295 {
296 /* Size of a WRITEX call (+4 byte len). */
297 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
298 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
299 ssize_t toread;
300 NTSTATUS status;
301
302 memcpy(writeX_header, lenbuf, 4);
303
304 status = read_fd_with_timeout(
305 sock, writeX_header + 4,
306 STANDARD_WRITE_AND_X_HEADER_SIZE,
307 STANDARD_WRITE_AND_X_HEADER_SIZE,
308 timeout, NULL);
309
310 if (!NT_STATUS_IS_OK(status)) {
311 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
312 "error = %s.\n",
313 tsocket_address_string(sconn->remote_address,
314 talloc_tos()),
315 nt_errstr(status)));
316 return status;
317 }
318
319 /*
320 * Ok - now try and see if this is a possible
321 * valid writeX call.
322 */
323
324 if (is_valid_writeX_buffer(sconn, (uint8_t *)writeX_header)) {
325 /*
326 * If the data offset is beyond what
327 * we've read, drain the extra bytes.
328 */
329 uint16_t doff = SVAL(writeX_header,smb_vwv11);
330 ssize_t newlen;
331
332 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
333 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
334 if (drain_socket(sock, drain) != drain) {
335 smb_panic("receive_smb_raw_talloc_partial_read:"
336 " failed to drain pending bytes");
337 }
338 } else {
339 doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
340 }
341
342 /* Spoof down the length and null out the bcc. */
343 set_message_bcc(writeX_header, 0);
344 newlen = smb_len(writeX_header);
345
346 /* Copy the header we've written. */
347
348 *buffer = (char *)talloc_memdup(mem_ctx,
349 writeX_header,
350 sizeof(writeX_header));
351
352 if (*buffer == NULL) {
353 DEBUG(0, ("Could not allocate inbuf of length %d\n",
354 (int)sizeof(writeX_header)));
355 return NT_STATUS_NO_MEMORY;
356 }
357
358 /* Work out the remaining bytes. */
359 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
360 *len_ret = newlen + 4;
361 return NT_STATUS_OK;
362 }
363
364 if (!valid_packet_size(len)) {
365 return NT_STATUS_INVALID_PARAMETER;
366 }
367
368 /*
369 * Not a valid writeX call. Just do the standard
370 * talloc and return.
371 */
372
373 *buffer = talloc_array(mem_ctx, char, len+4);
374
375 if (*buffer == NULL) {
376 DEBUG(0, ("Could not allocate inbuf of length %d\n",
377 (int)len+4));
378 return NT_STATUS_NO_MEMORY;
379 }
380
381 /* Copy in what we already read. */
382 memcpy(*buffer,
383 writeX_header,
384 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
385 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
386
387 if(toread > 0) {
388 status = read_packet_remainder(
389 sock,
390 (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
391 timeout, toread);
392
393 if (!NT_STATUS_IS_OK(status)) {
394 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
395 nt_errstr(status)));
396 return status;
397 }
398 }
399
400 *len_ret = len + 4;
401 return NT_STATUS_OK;
402 }
403
404 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
405 struct smbd_server_connection *sconn,
406 int sock,
407 char **buffer, unsigned int timeout,
408 size_t *p_unread, size_t *plen)
409 {
410 char lenbuf[4];
411 size_t len;
412 int min_recv_size = lp_min_receive_file_size();
413 NTSTATUS status;
414
415 *p_unread = 0;
416
417 status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
418 &len);
419 if (!NT_STATUS_IS_OK(status)) {
420 return status;
421 }
422
423 if (CVAL(lenbuf,0) == 0 && min_recv_size &&
424 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
425 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
426 !srv_is_signing_active(sconn) &&
427 sconn->smb1.echo_handler.trusted_fde == NULL) {
428
429 return receive_smb_raw_talloc_partial_read(
430 mem_ctx, lenbuf, sconn, sock, buffer, timeout,
431 p_unread, plen);
432 }
433
434 if (!valid_packet_size(len)) {
435 return NT_STATUS_INVALID_PARAMETER;
436 }
437
438 /*
439 * The +4 here can't wrap, we've checked the length above already.
440 */
441
442 *buffer = talloc_array(mem_ctx, char, len+4);
443
444 if (*buffer == NULL) {
445 DEBUG(0, ("Could not allocate inbuf of length %d\n",
446 (int)len+4));
447 return NT_STATUS_NO_MEMORY;
448 }
449
450 memcpy(*buffer, lenbuf, sizeof(lenbuf));
451
452 status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
453 if (!NT_STATUS_IS_OK(status)) {
454 return status;
455 }
456
457 *plen = len + 4;
458 return NT_STATUS_OK;
459 }
460
461 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
462 struct smbd_server_connection *sconn,
463 int sock,
464 char **buffer, unsigned int timeout,
465 size_t *p_unread, bool *p_encrypted,
466 size_t *p_len,
467 uint32_t *seqnum,
468 bool trusted_channel)
469 {
470 size_t len = 0;
471 NTSTATUS status;
472
473 *p_encrypted = false;
474
475 status = receive_smb_raw_talloc(mem_ctx, sconn, sock, buffer, timeout,
476 p_unread, &len);
477 if (!NT_STATUS_IS_OK(status)) {
478 DEBUG(NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)?5:1,
479 ("receive_smb_raw_talloc failed for client %s "
480 "read error = %s.\n",
481 tsocket_address_string(sconn->remote_address,
482 talloc_tos()),
483 nt_errstr(status)) );
484 return status;
485 }
486
487 if (is_encrypted_packet(sconn, (uint8_t *)*buffer)) {
488 status = srv_decrypt_buffer(sconn, *buffer);
489 if (!NT_STATUS_IS_OK(status)) {
490 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
491 "incoming packet! Error %s\n",
492 nt_errstr(status) ));
493 return status;
494 }
495 *p_encrypted = true;
496 }
497
498 /* Check the incoming SMB signature. */
499 if (!srv_check_sign_mac(sconn, *buffer, seqnum, trusted_channel)) {
500 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
501 "incoming packet!\n"));
502 return NT_STATUS_INVALID_NETWORK_RESPONSE;
503 }
504
505 *p_len = len;
506 return NT_STATUS_OK;
507 }
508
509 /*
510 * Initialize a struct smb_request from an inbuf
511 */
512
513 static bool init_smb_request(struct smb_request *req,
514 struct smbd_server_connection *sconn,
515 const uint8 *inbuf,
516 size_t unread_bytes, bool encrypted,
517 uint32_t seqnum)
518 {
519 struct smbXsrv_tcon *tcon;
520 NTSTATUS status;
521 NTTIME now;
522 size_t req_size = smb_len(inbuf) + 4;
523
524 /* Ensure we have at least smb_size bytes. */
525 if (req_size < smb_size) {
526 DEBUG(0,("init_smb_request: invalid request size %u\n",
527 (unsigned int)req_size ));
528 return false;
529 }
530
531 req->request_time = timeval_current();
532 now = timeval_to_nttime(&req->request_time);
533
534 req->cmd = CVAL(inbuf, smb_com);
535 req->flags2 = SVAL(inbuf, smb_flg2);
536 req->smbpid = SVAL(inbuf, smb_pid);
537 req->mid = (uint64_t)SVAL(inbuf, smb_mid);
538 req->seqnum = seqnum;
539 req->vuid = SVAL(inbuf, smb_uid);
540 req->tid = SVAL(inbuf, smb_tid);
541 req->wct = CVAL(inbuf, smb_wct);
542 req->vwv = (const uint16_t *)(inbuf+smb_vwv);
543 req->buflen = smb_buflen(inbuf);
544 req->buf = (const uint8_t *)smb_buf_const(inbuf);
545 req->unread_bytes = unread_bytes;
546 req->encrypted = encrypted;
547 req->sconn = sconn;
548 status = smb1srv_tcon_lookup(sconn->conn, req->tid, now, &tcon);
549 if (NT_STATUS_IS_OK(status)) {
550 req->conn = tcon->compat;
551 } else {
552 req->conn = NULL;
553 }
554 req->chain_fsp = NULL;
555 req->smb2req = NULL;
556 req->priv_paths = NULL;
557 req->chain = NULL;
558 smb_init_perfcount_data(&req->pcd);
559
560 /* Ensure we have at least wct words and 2 bytes of bcc. */
561 if (smb_size + req->wct*2 > req_size) {
562 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
563 (unsigned int)req->wct,
564 (unsigned int)req_size));
565 return false;
566 }
567 /* Ensure bcc is correct. */
568 if (((const uint8_t *)smb_buf_const(inbuf)) + req->buflen > inbuf + req_size) {
569 DEBUG(0,("init_smb_request: invalid bcc number %u "
570 "(wct = %u, size %u)\n",
571 (unsigned int)req->buflen,
572 (unsigned int)req->wct,
573 (unsigned int)req_size));
574 return false;
575 }
576
577 req->outbuf = NULL;
578 return true;
579 }
580
581 static void process_smb(struct smbd_server_connection *conn,
582 uint8_t *inbuf, size_t nread, size_t unread_bytes,
583 uint32_t seqnum, bool encrypted,
584 struct smb_perfcount_data *deferred_pcd);
585
586 static void smbd_deferred_open_timer(struct event_context *ev,
587 struct timed_event *te,
588 struct timeval _tval,
589 void *private_data)
590 {
591 struct pending_message_list *msg = talloc_get_type(private_data,
592 struct pending_message_list);
593 struct smbd_server_connection *sconn = msg->sconn;
594 TALLOC_CTX *mem_ctx = talloc_tos();
595 uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
596 uint8_t *inbuf;
597
598 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
599 msg->buf.length);
600 if (inbuf == NULL) {
601 exit_server("smbd_deferred_open_timer: talloc failed\n");
602 return;
603 }
604
605 /* We leave this message on the queue so the open code can
606 know this is a retry. */
607 DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
608 (unsigned long long)mid ));
609
610 /* Mark the message as processed so this is not
611 * re-processed in error. */
612 msg->processed = true;
613
614 process_smb(sconn, inbuf,
615 msg->buf.length, 0,
616 msg->seqnum, msg->encrypted, &msg->pcd);
617
618 /* If it's still there and was processed, remove it. */
619 msg = get_deferred_open_message_smb(sconn, mid);
620 if (msg && msg->processed) {
621 remove_deferred_open_message_smb(sconn, mid);
622 }
623 }
624
625 /****************************************************************************
626 Function to push a message onto the tail of a linked list of smb messages ready
627 for processing.
628 ****************************************************************************/
629
630 static bool push_queued_message(struct smb_request *req,
631 struct timeval request_time,
632 struct timeval end_time,
633 char *private_data, size_t private_len)
634 {
635 int msg_len = smb_len(req->inbuf) + 4;
636 struct pending_message_list *msg;
637
638 msg = talloc_zero(NULL, struct pending_message_list);
639
640 if(msg == NULL) {
641 DEBUG(0,("push_message: malloc fail (1)\n"));
642 return False;
643 }
644 msg->sconn = req->sconn;
645
646 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
647 if(msg->buf.data == NULL) {
648 DEBUG(0,("push_message: malloc fail (2)\n"));
649 TALLOC_FREE(msg);
650 return False;
651 }
652
653 msg->request_time = request_time;
654 msg->seqnum = req->seqnum;
655 msg->encrypted = req->encrypted;
656 msg->processed = false;
657 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
658
659 if (private_data) {
660 msg->private_data = data_blob_talloc(msg, private_data,
661 private_len);
662 if (msg->private_data.data == NULL) {
663 DEBUG(0,("push_message: malloc fail (3)\n"));
664 TALLOC_FREE(msg);
665 return False;
666 }
667 }
668
669 msg->te = tevent_add_timer(msg->sconn->ev_ctx,
670 msg,
671 end_time,
672 smbd_deferred_open_timer,
673 msg);
674 if (!msg->te) {
675 DEBUG(0,("push_message: event_add_timed failed\n"));
676 TALLOC_FREE(msg);
677 return false;
678 }
679
680 DLIST_ADD_END(req->sconn->deferred_open_queue, msg,
681 struct pending_message_list *);
682
683 DEBUG(10,("push_message: pushed message length %u on "
684 "deferred_open_queue\n", (unsigned int)msg_len));
685
686 return True;
687 }
688
689 /****************************************************************************
690 Function to delete a sharing violation open message by mid.
691 ****************************************************************************/
692
693 void remove_deferred_open_message_smb(struct smbd_server_connection *sconn,
694 uint64_t mid)
695 {
696 struct pending_message_list *pml;
697
698 if (sconn->using_smb2) {
699 remove_deferred_open_message_smb2(sconn, mid);
700 return;
701 }
702
703 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
704 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
705 DEBUG(10,("remove_deferred_open_message_smb: "
706 "deleting mid %llu len %u\n",
707 (unsigned long long)mid,
708 (unsigned int)pml->buf.length ));
709 DLIST_REMOVE(sconn->deferred_open_queue, pml);
710 TALLOC_FREE(pml);
711 return;
712 }
713 }
714 }
715
716 /****************************************************************************
717 Move a sharing violation open retry message to the front of the list and
718 schedule it for immediate processing.
719 ****************************************************************************/
720
721 void schedule_deferred_open_message_smb(struct smbd_server_connection *sconn,
722 uint64_t mid)
723 {
724 struct pending_message_list *pml;
725 int i = 0;
726
727 if (sconn->using_smb2) {
728 schedule_deferred_open_message_smb2(sconn, mid);
729 return;
730 }
731
732 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
733 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
734
735 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
736 "msg_mid = %llu\n",
737 i++,
738 (unsigned long long)msg_mid ));
739
740 if (mid == msg_mid) {
741 struct timed_event *te;
742
743 if (pml->processed) {
744 /* A processed message should not be
745 * rescheduled. */
746 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
747 "message mid %llu was already processed\n",
748 (unsigned long long)msg_mid ));
749 continue;
750 }
751
752 DEBUG(10,("schedule_deferred_open_message_smb: "
753 "scheduling mid %llu\n",
754 (unsigned long long)mid ));
755
756 te = tevent_add_timer(pml->sconn->ev_ctx,
757 pml,
758 timeval_zero(),
759 smbd_deferred_open_timer,
760 pml);
761 if (!te) {
762 DEBUG(10,("schedule_deferred_open_message_smb: "
763 "event_add_timed() failed, "
764 "skipping mid %llu\n",
765 (unsigned long long)msg_mid ));
766 }
767
768 TALLOC_FREE(pml->te);
769 pml->te = te;
770 DLIST_PROMOTE(sconn->deferred_open_queue, pml);
771 return;
772 }
773 }
774
775 DEBUG(10,("schedule_deferred_open_message_smb: failed to "
776 "find message mid %llu\n",
777 (unsigned long long)mid ));
778 }
779
780 /****************************************************************************
781 Return true if this mid is on the deferred queue and was not yet processed.
782 ****************************************************************************/
783
784 bool open_was_deferred(struct smbd_server_connection *sconn, uint64_t mid)
785 {
786 struct pending_message_list *pml;
787
788 if (sconn->using_smb2) {
789 return open_was_deferred_smb2(sconn, mid);
790 }
791
792 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
793 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
794 return True;
795 }
796 }
797 return False;
798 }
799
800 /****************************************************************************
801 Return the message queued by this mid.
802 ****************************************************************************/
803
804 static struct pending_message_list *get_deferred_open_message_smb(
805 struct smbd_server_connection *sconn, uint64_t mid)
806 {
807 struct pending_message_list *pml;
808
809 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
810 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
811 return pml;
812 }
813 }
814 return NULL;
815 }
816
817 /****************************************************************************
818 Get the state data queued by this mid.
819 ****************************************************************************/
820
821 bool get_deferred_open_message_state(struct smb_request *smbreq,
822 struct timeval *p_request_time,
823 void **pp_state)
824 {
825 struct pending_message_list *pml;
826
827 if (smbreq->sconn->using_smb2) {
828 return get_deferred_open_message_state_smb2(smbreq->smb2req,
829 p_request_time,
830 pp_state);
831 }
832
833 pml = get_deferred_open_message_smb(smbreq->sconn, smbreq->mid);
834 if (!pml) {
835 return false;
836 }
837 if (p_request_time) {
838 *p_request_time = pml->request_time;
839 }
840 if (pp_state) {
841 *pp_state = (void *)pml->private_data.data;
842 }
843 return true;
844 }
845
846 /****************************************************************************
847 Function to push a deferred open smb message onto a linked list of local smb
848 messages ready for processing.
849 ****************************************************************************/
850
851 bool push_deferred_open_message_smb(struct smb_request *req,
852 struct timeval request_time,
853 struct timeval timeout,
854 struct file_id id,
855 char *private_data, size_t priv_len)
856 {
857 struct timeval end_time;
858
859 if (req->smb2req) {
860 return push_deferred_open_message_smb2(req->smb2req,
861 request_time,
862 timeout,
863 id,
864 private_data,
865 priv_len);
866 }
867
868 if (req->unread_bytes) {
869 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
870 "unread_bytes = %u\n",
871 (unsigned int)req->unread_bytes ));
872 smb_panic("push_deferred_open_message_smb: "
873 "logic error unread_bytes != 0" );
874 }
875
876 end_time = timeval_sum(&request_time, &timeout);
877
878 DEBUG(10,("push_deferred_open_message_smb: pushing message "
879 "len %u mid %llu timeout time [%u.%06u]\n",
880 (unsigned int) smb_len(req->inbuf)+4,
881 (unsigned long long)req->mid,
882 (unsigned int)end_time.tv_sec,
883 (unsigned int)end_time.tv_usec));
884
885 return push_queued_message(req, request_time, end_time,
886 private_data, priv_len);
887 }
888
889 static void smbd_sig_term_handler(struct tevent_context *ev,
890 struct tevent_signal *se,
891 int signum,
892 int count,
893 void *siginfo,
894 void *private_data)
895 {
896 exit_server_cleanly("termination signal");
897 }
898
899 void smbd_setup_sig_term_handler(struct smbd_server_connection *sconn)
900 {
901 struct tevent_signal *se;
902
903 se = tevent_add_signal(sconn->ev_ctx,
904 sconn,
905 SIGTERM, 0,
906 smbd_sig_term_handler,
907 sconn);
908 if (!se) {
909 exit_server("failed to setup SIGTERM handler");
910 }
911 }
912
913 static void smbd_sig_hup_handler(struct tevent_context *ev,
914 struct tevent_signal *se,
915 int signum,
916 int count,
917 void *siginfo,
918 void *private_data)
919 {
920 struct smbd_server_connection *sconn =
921 talloc_get_type_abort(private_data,
922 struct smbd_server_connection);
923
924 change_to_root_user();
925 DEBUG(1,("Reloading services after SIGHUP\n"));
926 reload_services(sconn, conn_snum_used, false);
927 }
928
929 void smbd_setup_sig_hup_handler(struct smbd_server_connection *sconn)
930 {
931 struct tevent_signal *se;
932
933 se = tevent_add_signal(sconn->ev_ctx,
934 sconn,
935 SIGHUP, 0,
936 smbd_sig_hup_handler,
937 sconn);
938 if (!se) {
939 exit_server("failed to setup SIGHUP handler");
940 }
941 }
942
943 static void smbd_conf_updated(struct messaging_context *msg,
944 void *private_data,
945 uint32_t msg_type,
946 struct server_id server_id,
947 DATA_BLOB *data)
948 {
949 struct smbd_server_connection *sconn =
950 talloc_get_type_abort(private_data,
951 struct smbd_server_connection);
952
953 DEBUG(10,("smbd_conf_updated: Got message saying smb.conf was "
954 "updated. Reloading.\n"));
955 change_to_root_user();
956 reload_services(sconn, conn_snum_used, false);
957 }
958
959 /*
960 * Only allow 5 outstanding trans requests. We're allocating memory, so
961 * prevent a DoS.
962 */
963
964 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
965 {
966 int count = 0;
967 for (; list != NULL; list = list->next) {
968
969 if (list->mid == mid) {
970 return NT_STATUS_INVALID_PARAMETER;
971 }
972
973 count += 1;
974 }
975 if (count > 5) {
976 return NT_STATUS_INSUFFICIENT_RESOURCES;
977 }
978
979 return NT_STATUS_OK;
980 }
981
982 /*
983 These flags determine some of the permissions required to do an operation
984
985 Note that I don't set NEED_WRITE on some write operations because they
986 are used by some brain-dead clients when printing, and I don't want to
987 force write permissions on print services.
988 */
989 #define AS_USER (1<<0)
990 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
991 #define TIME_INIT (1<<2)
992 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
993 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
994 #define DO_CHDIR (1<<6)
995
996 /*
997 define a list of possible SMB messages and their corresponding
998 functions. Any message that has a NULL function is unimplemented -
999 please feel free to contribute implementations!
1000 */
1001 static const struct smb_message_struct {
1002 const char *name;
1003 void (*fn)(struct smb_request *req);
1004 int flags;
1005 } smb_messages[256] = {
1006
1007 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1008 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1009 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1010 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1011 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1012 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1013 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1014 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1015 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1016 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1017 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1018 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1019 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1020 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1021 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1022 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1023 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1024 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1025 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1026 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1027 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1028 /* 0x15 */ { NULL, NULL, 0 },
1029 /* 0x16 */ { NULL, NULL, 0 },
1030 /* 0x17 */ { NULL, NULL, 0 },
1031 /* 0x18 */ { NULL, NULL, 0 },
1032 /* 0x19 */ { NULL, NULL, 0 },
1033 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1034 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1035 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1036 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1037 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1038 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1039 /* 0x20 */ { "SMBwritec", NULL,0},
1040 /* 0x21 */ { NULL, NULL, 0 },
1041 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1042 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1043 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1044 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1045 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1046 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1047 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1048 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1049 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1050 /* 0x2b */ { "SMBecho",reply_echo,0},
1051 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1052 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1053 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1054 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1055 /* 0x30 */ { NULL, NULL, 0 },
1056 /* 0x31 */ { NULL, NULL, 0 },
1057 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1058 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1059 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1060 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1061 /* 0x36 */ { NULL, NULL, 0 },
1062 /* 0x37 */ { NULL, NULL, 0 },
1063 /* 0x38 */ { NULL, NULL, 0 },
1064 /* 0x39 */ { NULL, NULL, 0 },
1065 /* 0x3a */ { NULL, NULL, 0 },
1066 /* 0x3b */ { NULL, NULL, 0 },
1067 /* 0x3c */ { NULL, NULL, 0 },
1068 /* 0x3d */ { NULL, NULL, 0 },
1069 /* 0x3e */ { NULL, NULL, 0 },
1070 /* 0x3f */ { NULL, NULL, 0 },
1071 /* 0x40 */ { NULL, NULL, 0 },
1072 /* 0x41 */ { NULL, NULL, 0 },
1073 /* 0x42 */ { NULL, NULL, 0 },
1074 /* 0x43 */ { NULL, NULL, 0 },
1075 /* 0x44 */ { NULL, NULL, 0 },
1076 /* 0x45 */ { NULL, NULL, 0 },
1077 /* 0x46 */ { NULL, NULL, 0 },
1078 /* 0x47 */ { NULL, NULL, 0 },
1079 /* 0x48 */ { NULL, NULL, 0 },
1080 /* 0x49 */ { NULL, NULL, 0 },
1081 /* 0x4a */ { NULL, NULL, 0 },
1082 /* 0x4b */ { NULL, NULL, 0 },
1083 /* 0x4c */ { NULL, NULL, 0 },
1084 /* 0x4d */ { NULL, NULL, 0 },
1085 /* 0x4e */ { NULL, NULL, 0 },
1086 /* 0x4f */ { NULL, NULL, 0 },
1087 /* 0x50 */ { NULL, NULL, 0 },
1088 /* 0x51 */ { NULL, NULL, 0 },
1089 /* 0x52 */ { NULL, NULL, 0 },
1090 /* 0x53 */ { NULL, NULL, 0 },
1091 /* 0x54 */ { NULL, NULL, 0 },
1092 /* 0x55 */ { NULL, NULL, 0 },
1093 /* 0x56 */ { NULL, NULL, 0 },
1094 /* 0x57 */ { NULL, NULL, 0 },
1095 /* 0x58 */ { NULL, NULL, 0 },
1096 /* 0x59 */ { NULL, NULL, 0 },
1097 /* 0x5a */ { NULL, NULL, 0 },
1098 /* 0x5b */ { NULL, NULL, 0 },
1099 /* 0x5c */ { NULL, NULL, 0 },
1100 /* 0x5d */ { NULL, NULL, 0 },
1101 /* 0x5e */ { NULL, NULL, 0 },
1102 /* 0x5f */ { NULL, NULL, 0 },
1103 /* 0x60 */ { NULL, NULL, 0 },
1104 /* 0x61 */ { NULL, NULL, 0 },
1105 /* 0x62 */ { NULL, NULL, 0 },
1106 /* 0x63 */ { NULL, NULL, 0 },
1107 /* 0x64 */ { NULL, NULL, 0 },
1108 /* 0x65 */ { NULL, NULL, 0 },
1109 /* 0x66 */ { NULL, NULL, 0 },
1110 /* 0x67 */ { NULL, NULL, 0 },
1111 /* 0x68 */ { NULL, NULL, 0 },
1112 /* 0x69 */ { NULL, NULL, 0 },
1113 /* 0x6a */ { NULL, NULL, 0 },
1114 /* 0x6b */ { NULL, NULL, 0 },
1115 /* 0x6c */ { NULL, NULL, 0 },
1116 /* 0x6d */ { NULL, NULL, 0 },
1117 /* 0x6e */ { NULL, NULL, 0 },
1118 /* 0x6f */ { NULL, NULL, 0 },
1119 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1120 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1121 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1122 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1123 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1124 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1125 /* 0x76 */ { NULL, NULL, 0 },
1126 /* 0x77 */ { NULL, NULL, 0 },
1127 /* 0x78 */ { NULL, NULL, 0 },
1128 /* 0x79 */ { NULL, NULL, 0 },
1129 /* 0x7a */ { NULL, NULL, 0 },
1130 /* 0x7b */ { NULL, NULL, 0 },
1131 /* 0x7c */ { NULL, NULL, 0 },
1132 /* 0x7d */ { NULL, NULL, 0 },
1133 /* 0x7e */ { NULL, NULL, 0 },
1134 /* 0x7f */ { NULL, NULL, 0 },
1135 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1136 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1137 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1138 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1139 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1140 /* 0x85 */ { NULL, NULL, 0 },
1141 /* 0x86 */ { NULL, NULL, 0 },
1142 /* 0x87 */ { NULL, NULL, 0 },
1143 /* 0x88 */ { NULL, NULL, 0 },
1144 /* 0x89 */ { NULL, NULL, 0 },
1145 /* 0x8a */ { NULL, NULL, 0 },
1146 /* 0x8b */ { NULL, NULL, 0 },
1147 /* 0x8c */ { NULL, NULL, 0 },
1148 /* 0x8d */ { NULL, NULL, 0 },
1149 /* 0x8e */ { NULL, NULL, 0 },
1150 /* 0x8f */ { NULL, NULL, 0 },
1151 /* 0x90 */ { NULL, NULL, 0 },
1152 /* 0x91 */ { NULL, NULL, 0 },
1153 /* 0x92 */ { NULL, NULL, 0 },
1154 /* 0x93 */ { NULL, NULL, 0 },
1155 /* 0x94 */ { NULL, NULL, 0 },
1156 /* 0x95 */ { NULL, NULL, 0 },
1157 /* 0x96 */ { NULL, NULL, 0 },
1158 /* 0x97 */ { NULL, NULL, 0 },
1159 /* 0x98 */ { NULL, NULL, 0 },
1160 /* 0x99 */ { NULL, NULL, 0 },
1161 /* 0x9a */ { NULL, NULL, 0 },
1162 /* 0x9b */ { NULL, NULL, 0 },
1163 /* 0x9c */ { NULL, NULL, 0 },
1164 /* 0x9d */ { NULL, NULL, 0 },
1165 /* 0x9e */ { NULL, NULL, 0 },
1166 /* 0x9f */ { NULL, NULL, 0 },
1167 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1168 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1169 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1170 /* 0xa3 */ { NULL, NULL, 0 },
1171 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1172 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1173 /* 0xa6 */ { NULL, NULL, 0 },
1174 /* 0xa7 */ { NULL, NULL, 0 },
1175 /* 0xa8 */ { NULL, NULL, 0 },
1176 /* 0xa9 */ { NULL, NULL, 0 },
1177 /* 0xaa */ { NULL, NULL, 0 },
1178 /* 0xab */ { NULL, NULL, 0 },
1179 /* 0xac */ { NULL, NULL, 0 },
1180 /* 0xad */ { NULL, NULL, 0 },
1181 /* 0xae */ { NULL, NULL, 0 },
1182 /* 0xaf */ { NULL, NULL, 0 },
1183 /* 0xb0 */ { NULL, NULL, 0 },
1184 /* 0xb1 */ { NULL, NULL, 0 },
1185 /* 0xb2 */ { NULL, NULL, 0 },
1186 /* 0xb3 */ { NULL, NULL, 0 },
1187 /* 0xb4 */ { NULL, NULL, 0 },
1188 /* 0xb5 */ { NULL, NULL, 0 },
1189 /* 0xb6 */ { NULL, NULL, 0 },
1190 /* 0xb7 */ { NULL, NULL, 0 },
1191 /* 0xb8 */ { NULL, NULL, 0 },
1192 /* 0xb9 */ { NULL, NULL, 0 },
1193 /* 0xba */ { NULL, NULL, 0 },
1194 /* 0xbb */ { NULL, NULL, 0 },
1195 /* 0xbc */ { NULL, NULL, 0 },
1196 /* 0xbd */ { NULL, NULL, 0 },
1197 /* 0xbe */ { NULL, NULL, 0 },
1198 /* 0xbf */ { NULL, NULL, 0 },
1199 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1200 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1201 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1202 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1203 /* 0xc4 */ { NULL, NULL, 0 },
1204 /* 0xc5 */ { NULL, NULL, 0 },
1205 /* 0xc6 */ { NULL, NULL, 0 },
1206 /* 0xc7 */ { NULL, NULL, 0 },
1207 /* 0xc8 */ { NULL, NULL, 0 },
1208 /* 0xc9 */ { NULL, NULL, 0 },
1209 /* 0xca */ { NULL, NULL, 0 },
1210 /* 0xcb */ { NULL, NULL, 0 },
1211 /* 0xcc */ { NULL, NULL, 0 },
1212 /* 0xcd */ { NULL, NULL, 0 },
1213 /* 0xce */ { NULL, NULL, 0 },
1214 /* 0xcf */ { NULL, NULL, 0 },
1215 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1216 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1217 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1218 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1219 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1220 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1221 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1222 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1223 /* 0xd8 */ { NULL, NULL, 0 },
1224 /* 0xd9 */ { NULL, NULL, 0 },
1225 /* 0xda */ { NULL, NULL, 0 },
1226 /* 0xdb */ { NULL, NULL, 0 },
1227 /* 0xdc */ { NULL, NULL, 0 },
1228 /* 0xdd */ { NULL, NULL, 0 },
1229 /* 0xde */ { NULL, NULL, 0 },
1230 /* 0xdf */ { NULL, NULL, 0 },
1231 /* 0xe0 */ { NULL, NULL, 0 },
1232 /* 0xe1 */ { NULL, NULL, 0 },
1233 /* 0xe2 */ { NULL, NULL, 0 },
1234 /* 0xe3 */ { NULL, NULL, 0 },
1235 /* 0xe4 */ { NULL, NULL, 0 },
1236 /* 0xe5 */ { NULL, NULL, 0 },
1237 /* 0xe6 */ { NULL, NULL, 0 },
1238 /* 0xe7 */ { NULL, NULL, 0 },
1239 /* 0xe8 */ { NULL, NULL, 0 },
1240 /* 0xe9 */ { NULL, NULL, 0 },
1241 /* 0xea */ { NULL, NULL, 0 },
1242 /* 0xeb */ { NULL, NULL, 0 },
1243 /* 0xec */ { NULL, NULL, 0 },
1244 /* 0xed */ { NULL, NULL, 0 },
1245 /* 0xee */ { NULL, NULL, 0 },
1246 /* 0xef */ { NULL, NULL, 0 },
1247 /* 0xf0 */ { NULL, NULL, 0 },
1248 /* 0xf1 */ { NULL, NULL, 0 },
1249 /* 0xf2 */ { NULL, NULL, 0 },
1250 /* 0xf3 */ { NULL, NULL, 0 },
1251 /* 0xf4 */ { NULL, NULL, 0 },
1252 /* 0xf5 */ { NULL, NULL, 0 },
1253 /* 0xf6 */ { NULL, NULL, 0 },
1254 /* 0xf7 */ { NULL, NULL, 0 },
1255 /* 0xf8 */ { NULL, NULL, 0 },
1256 /* 0xf9 */ { NULL, NULL, 0 },
1257 /* 0xfa */ { NULL, NULL, 0 },
1258 /* 0xfb */ { NULL, NULL, 0 },
1259 /* 0xfc */ { NULL, NULL, 0 },
1260 /* 0xfd */ { NULL, NULL, 0 },
1261 /* 0xfe */ { NULL, NULL, 0 },
1262 /* 0xff */ { NULL, NULL, 0 }
1263
1264 };
1265
1266 /*******************************************************************
1267 allocate and initialize a reply packet
1268 ********************************************************************/
1269
1270 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1271 const char *inbuf, char **outbuf, uint8_t num_words,
1272 uint32_t num_bytes)
1273 {
1274 /*
1275 * Protect against integer wrap
1276 */
1277 if ((num_bytes > 0xffffff)
1278 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1279 char *msg;
1280 if (asprintf(&msg, "num_bytes too large: %u",
1281 (unsigned)num_bytes) == -1) {
1282 msg = discard_const_p(char, "num_bytes too large");
1283 }
1284 smb_panic(msg);
1285 }
1286
1287 *outbuf = talloc_array(mem_ctx, char,
1288 smb_size + num_words*2 + num_bytes);
1289 if (*outbuf == NULL) {
1290 return false;
1291 }
1292
1293 construct_reply_common(req, inbuf, *outbuf);
1294 srv_set_message(*outbuf, num_words, num_bytes, false);
1295 /*
1296 * Zero out the word area, the caller has to take care of the bcc area
1297 * himself
1298 */
1299 if (num_words != 0) {
1300 memset(*outbuf + smb_vwv0, 0, num_words*2);
1301 }
1302
1303 return true;
1304 }
1305
1306 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1307 {
1308 char *outbuf;
1309 if (!create_outbuf(req, req, (const char *)req->inbuf, &outbuf, num_words,
1310 num_bytes)) {
1311 smb_panic("could not allocate output buffer\n");
1312 }
1313 req->outbuf = (uint8_t *)outbuf;
1314 }
1315
1316
1317 /*******************************************************************
1318 Dump a packet to a file.
1319 ********************************************************************/
1320
1321 static void smb_dump(const char *name, int type, const char *data)
1322 {
1323 size_t len;
1324 int fd, i;
1325 char *fname = NULL;
1326 if (DEBUGLEVEL < 50) {
1327 return;
1328 }
1329
1330 len = smb_len_tcp(data)+4;
1331 for (i=1;i<100;i++) {
1332 fname = talloc_asprintf(talloc_tos(),
1333 "/tmp/%s.%d.%s",
1334 name,
1335 i,
1336 type ? "req" : "resp");
1337 if (fname == NULL) {
1338 return;
1339 }
1340 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1341 if (fd != -1 || errno != EEXIST) break;
1342 TALLOC_FREE(fname);
1343 }
1344 if (fd != -1) {
1345 ssize_t ret = write(fd, data, len);
1346 if (ret != len)
1347 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1348 close(fd);
1349 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1350 }
1351 TALLOC_FREE(fname);
1352 }
1353
1354 /****************************************************************************
1355 Prepare everything for calling the actual request function, and potentially
1356 call the request function via the "new" interface.
1357
1358 Return False if the "legacy" function needs to be called, everything is
1359 prepared.
1360
1361 Return True if we're done.
1362
1363 I know this API sucks, but it is the one with the least code change I could
1364 find.
1365 ****************************************************************************/
1366
1367 static connection_struct *switch_message(uint8 type, struct smb_request *req)
1368 {
1369 int flags;
1370 uint64_t session_tag;
1371 connection_struct *conn = NULL;
1372 struct smbd_server_connection *sconn = req->sconn;
1373
1374 errno = 0;
1375
1376 if (smb_messages[type].fn == NULL) {
1377 DEBUG(0,("Unknown message type %d!\n",type));
1378 smb_dump("Unknown", 1, (const char *)req->inbuf);
1379 reply_unknown_new(req, type);
1380 return NULL;
1381 }
1382
1383 flags = smb_messages[type].flags;
1384
1385 /* In share mode security we must ignore the vuid. */
1386 session_tag = req->vuid;
1387 conn = req->conn;
1388
1389 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1390 (int)getpid(), (unsigned long)conn));
1391
1392 smb_dump(smb_fn_name(type), 1, (const char *)req->inbuf);
1393
1394 /* Ensure this value is replaced in the incoming packet. */
1395 SSVAL(discard_const_p(uint8_t, req->inbuf),smb_uid,session_tag);
1396
1397 /*
1398 * Ensure the correct username is in current_user_info. This is a
1399 * really ugly bugfix for problems with multiple session_setup_and_X's
1400 * being done and allowing %U and %G substitutions to work correctly.
1401 * There is a reason this code is done here, don't move it unless you
1402 * know what you're doing... :-).
1403 * JRA.
1404 */
1405
1406 if (session_tag != sconn->smb1.sessions.last_session_tag) {
1407 struct user_struct *vuser = NULL;
1408
1409 sconn->smb1.sessions.last_session_tag = session_tag;
1410 if(session_tag != UID_FIELD_INVALID) {
1411 vuser = get_valid_user_struct(sconn, session_tag);
1412 if (vuser) {
1413 set_current_user_info(
1414 vuser->session_info->unix_info->sanitized_username,
1415 vuser->session_info->unix_info->unix_name,
1416 vuser->session_info->info->domain_name);
1417 }
1418 }
1419 }
1420
1421 /* Does this call need to be run as the connected user? */
1422 if (flags & AS_USER) {
1423
1424 /* Does this call need a valid tree connection? */
1425 if (!conn) {
1426 /*
1427 * Amazingly, the error code depends on the command
1428 * (from Samba4).
1429 */
1430 if (type == SMBntcreateX) {
1431 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1432 } else {
1433 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1434 }
1435 return NULL;
1436 }
1437
1438 if (!change_to_user(conn,session_tag)) {
1439 DEBUG(0, ("Error: Could not change to user. Removing "
1440 "deferred open, mid=%llu.\n",
1441 (unsigned long long)req->mid));
1442 reply_force_doserror(req, ERRSRV, ERRbaduid);
1443 return conn;
1444 }
1445
1446 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1447
1448 /* Does it need write permission? */
1449 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1450 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1451 return conn;
1452 }
1453
1454 /* IPC services are limited */
1455 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1456 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1457 return conn;
1458 }
1459 } else {
1460 /* This call needs to be run as root */
1461 change_to_root_user();
1462 }
1463
1464 /* load service specific parameters */
1465 if (conn) {
1466 if (req->encrypted) {
1467 conn->encrypted_tid = true;
1468 /* encrypted required from now on. */
1469 conn->encrypt_level = Required;
1470 } else if (ENCRYPTION_REQUIRED(conn)) {
1471 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1472 exit_server_cleanly("encryption required "
1473 "on connection");
1474 return conn;
1475 }
1476 }
1477
1478 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1479 (flags & (AS_USER|DO_CHDIR)
1480 ?True:False))) {
1481 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1482 return conn;
1483 }
1484 conn->num_smb_operations++;
1485 }
1486
1487 /*
1488 * Does this protocol need to be run as guest? (Only archane
1489 * messenger service requests have this...)
1490 */
1491 if (flags & AS_GUEST) {
1492 char *raddr;
1493 bool ok;
1494
1495 if (!change_to_guest()) {
1496 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1497 return conn;
1498 }
1499
1500 raddr = tsocket_address_inet_addr_string(sconn->remote_address,
1501 talloc_tos());
1502 if (raddr == NULL) {
1503 reply_nterror(req, NT_STATUS_NO_MEMORY);
1504 return conn;
1505 }
1506
1507 /*
1508 * Haven't we checked this in smbd_process already???
1509 */
1510
1511 ok = allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
1512 sconn->remote_hostname, raddr);
1513 TALLOC_FREE(raddr);
1514
1515 if (!ok) {
1516 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1517 return conn;
1518 }
1519 }
1520
1521 smb_messages[type].fn(req);
1522 return req->conn;
1523 }
1524
1525 /****************************************************************************
1526 Construct a reply to the incoming packet.
1527 ****************************************************************************/
1528
1529 static void construct_reply(struct smbd_server_connection *sconn,
1530 char *inbuf, int size, size_t unread_bytes,
1531 uint32_t seqnum, bool encrypted,
1532 struct smb_perfcount_data *deferred_pcd)
1533 {
1534 connection_struct *conn;
1535 struct smb_request *req;
1536
1537 if (!(req = talloc(talloc_tos(), struct smb_request))) {
1538 smb_panic("could not allocate smb_request");
1539 }
1540
1541 if (!init_smb_request(req, sconn, (uint8 *)inbuf, unread_bytes,
1542 encrypted, seqnum)) {
1543 exit_server_cleanly("Invalid SMB request");
1544 }
1545
1546 req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1547
1548 /* we popped this message off the queue - keep original perf data */
1549 if (deferred_pcd)
1550 req->pcd = *deferred_pcd;
1551 else {
1552 SMB_PERFCOUNT_START(&req->pcd);
1553 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1554 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1555 }
1556
1557 conn = switch_message(req->cmd, req);
1558
1559 if (req->outbuf == NULL) {
1560 return;
1561 }
1562
1563 if (CVAL(req->outbuf,0) == 0) {
1564 show_msg((char *)req->outbuf);
1565 }
1566
1567 if (!srv_send_smb(req->sconn,
1568 (char *)req->outbuf,
1569 true, req->seqnum+1,
1570 IS_CONN_ENCRYPTED(conn)||req->encrypted,
1571 &req->pcd)) {
1572 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1573 }
1574
1575 TALLOC_FREE(req);
1576
1577 return;
1578 }
1579
1580 static void construct_reply_chain(struct smbd_server_connection *sconn,
1581 char *inbuf, int size, uint32_t seqnum,
1582 bool encrypted,
1583 struct smb_perfcount_data *deferred_pcd)
1584 {
1585 struct smb_request **reqs = NULL;
1586 struct smb_request *req;
1587 unsigned num_reqs;
1588 bool ok;
1589
1590 ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, sconn, encrypted,
1591 seqnum, &reqs, &num_reqs);
1592 if (!ok) {
1593 char errbuf[smb_size];
1594 error_packet(errbuf, 0, 0, NT_STATUS_INVALID_PARAMETER,
1595 __LINE__, __FILE__);
1596 if (!srv_send_smb(sconn, errbuf, true, seqnum, encrypted,
1597 NULL)) {
1598 exit_server_cleanly("construct_reply_chain: "
1599 "srv_send_smb failed.");
1600 }
1601 return;
1602 }
1603
1604 req = reqs[0];
1605 req->inbuf = (uint8_t *)talloc_move(reqs, &inbuf);
1606
1607 req->conn = switch_message(req->cmd, req);
1608
1609 if (req->outbuf == NULL) {
1610 /*
1611 * Request has suspended itself, will come
1612 * back here.
1613 */
1614 return;
1615 }
1616 smb_request_done(req);
1617 }
1618
1619 /*
1620 * To be called from an async SMB handler that is potentially chained
1621 * when it is finished for shipping.
1622 */
1623
1624 void smb_request_done(struct smb_request *req)
1625 {
1626 struct smb_request **reqs = NULL;
1627 struct smb_request *first_req;
1628 size_t i, num_reqs, next_index;
1629 NTSTATUS status;
1630
1631 if (req->chain == NULL) {
1632 first_req = req;
1633 goto shipit;
1634 }
1635
1636 reqs = req->chain;
1637 num_reqs = talloc_array_length(reqs);
1638
1639 for (i=0; i<num_reqs; i++) {
1640 if (reqs[i] == req) {
1641 break;
1642 }
1643 }
1644 if (i == num_reqs) {
1645 /*
1646 * Invalid chain, should not happen
1647 */
1648 status = NT_STATUS_INTERNAL_ERROR;
1649 goto error;
1650 }
1651 next_index = i+1;
1652
1653 while ((next_index < num_reqs) && (IVAL(req->outbuf, smb_rcls) == 0)) {
1654 struct smb_request *next = reqs[next_index];
1655 struct smbXsrv_tcon *tcon;
1656 NTTIME now = timeval_to_nttime(&req->request_time);
1657
1658 next->vuid = SVAL(req->outbuf, smb_uid);
1659 next->tid = SVAL(req->outbuf, smb_tid);
1660 status = smb1srv_tcon_lookup(req->sconn->conn, req->tid,
1661 now, &tcon);
1662 if (NT_STATUS_IS_OK(status)) {
1663 req->conn = tcon->compat;
1664 } else {
1665 req->conn = NULL;
1666 }
1667 next->chain_fsp = req->chain_fsp;
1668 next->inbuf = (uint8_t *)req->inbuf;
1669
1670 req = next;
1671 req->conn = switch_message(req->cmd, req);
1672
1673 if (req->outbuf == NULL) {
1674 /*
1675 * Request has suspended itself, will come
1676 * back here.
1677 */
1678 return;
1679 }
1680 next_index += 1;
1681 }
1682
1683 first_req = reqs[0];
1684
1685 for (i=1; i<next_index; i++) {
1686 bool ok;
1687
1688 ok = smb_splice_chain(&first_req->outbuf, reqs[i]->outbuf);
1689 if (!ok) {
1690 status = NT_STATUS_INTERNAL_ERROR;
1691 goto error;
1692 }
1693 }
1694
1695 SSVAL(first_req->outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
1696 SSVAL(first_req->outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
1697
1698 /*
1699 * This scary statement intends to set the
1700 * FLAGS2_32_BIT_ERROR_CODES flg2 field in first_req->outbuf
1701 * to the value last_req->outbuf carries
1702 */
1703 SSVAL(first_req->outbuf, smb_flg2,
1704 (SVAL(first_req->outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1705 |(SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1706
1707 /*
1708 * Transfer the error codes from the subrequest to the main one
1709 */
1710 SSVAL(first_req->outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
1711 SSVAL(first_req->outbuf, smb_err, SVAL(req->outbuf, smb_err));
1712
1713 _smb_setlen_large(
1714 first_req->outbuf, talloc_get_size(first_req->outbuf) - 4);
1715
1716 shipit:
1717 if (!srv_send_smb(first_req->sconn,
1718 (char *)first_req->outbuf,
1719 true, first_req->seqnum+1,
1720 IS_CONN_ENCRYPTED(req->conn)||first_req->encrypted,
1721 &first_req->pcd)) {
1722 exit_server_cleanly("construct_reply_chain: srv_send_smb "
1723 "failed.");
1724 }
1725 TALLOC_FREE(req); /* non-chained case */
1726 TALLOC_FREE(reqs); /* chained case */
1727 return;
1728
1729 error:
1730 {
1731 char errbuf[smb_size];
1732 error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
1733 if (!srv_send_smb(req->sconn, errbuf, true,
1734 req->seqnum+1, req->encrypted,
1735 NULL)) {
1736 exit_server_cleanly("construct_reply_chain: "
1737 "srv_send_smb failed.");
1738 }
1739 }
1740 TALLOC_FREE(req); /* non-chained case */
1741 TALLOC_FREE(reqs); /* chained case */
1742 }
1743
1744 /****************************************************************************
1745 Process an smb from the client
1746 ****************************************************************************/
1747 static void process_smb(struct smbd_server_connection *sconn,
1748 uint8_t *inbuf, size_t nread, size_t unread_bytes,
1749 uint32_t seqnum, bool encrypted,
1750 struct smb_perfcount_data *deferred_pcd)
1751 {
1752 int msg_type = CVAL(inbuf,0);
1753
1754 DO_PROFILE_INC(smb_count);
1755
1756 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1757 smb_len(inbuf) ) );
1758 DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1759 sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1760
1761 if (msg_type != NBSSmessage) {
1762 /*
1763 * NetBIOS session request, keepalive, etc.
1764 */
1765 reply_special(sconn, (char *)inbuf, nread);
1766 goto done;
1767 }
1768
1769 if (sconn->using_smb2) {
1770 /* At this point we're not really using smb2,
1771 * we make the decision here.. */
1772 if (smbd_is_smb2_header(inbuf, nread)) {
1773 smbd_smb2_first_negprot(sconn, inbuf, nread);
1774 return;
1775 } else if (nread >= smb_size && valid_smb_header(sconn, inbuf)
1776 && CVAL(inbuf, smb_com) != 0x72) {
1777 /* This is a non-negprot SMB1 packet.
1778 Disable SMB2 from now on. */
1779 sconn->using_smb2 = false;
1780 }
1781 }
1782
1783 /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1784 * so subtract 4 from it. */
1785 if ((nread < (smb_size - 4)) || !valid_smb_header(sconn, inbuf)) {
1786 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1787 smb_len(inbuf)));
1788
1789 /* special magic for immediate exit */
1790 if ((nread == 9) &&
1791 (IVAL(inbuf, 4) == 0x74697865) &&
1792 lp_parm_bool(-1, "smbd", "suicide mode", false)) {
1793 uint8_t exitcode = CVAL(inbuf, 8);
1794 DEBUG(1, ("Exiting immediately with code %d\n",
1795 (int)exitcode));
1796 exit(exitcode);
1797 }
1798
1799 exit_server_cleanly("Non-SMB packet");
1800 }
1801
1802 show_msg((char *)inbuf);
1803
1804 if ((unread_bytes == 0) && smb1_is_chain(inbuf)) {
1805 construct_reply_chain(sconn, (char *)inbuf, nread,
1806 seqnum, encrypted, deferred_pcd);
1807 } else {
1808 construct_reply(sconn, (char *)inbuf, nread, unread_bytes,
1809 seqnum, encrypted, deferred_pcd);
1810 }
1811
1812 sconn->trans_num++;
1813
1814 done:
1815 sconn->num_requests++;
1816
1817 /* The timeout_processing function isn't run nearly
1818 often enough to implement 'max log size' without
1819 overrunning the size of the file by many megabytes.
1820 This is especially true if we are running at debug
1821 level 10. Checking every 50 SMBs is a nice
1822 tradeoff of performance vs log file size overrun. */
1823
1824 if ((sconn->num_requests % 50) == 0 &&
1825 need_to_check_log_size()) {
1826 change_to_root_user();
1827 check_log_size();
1828 }
1829 }
1830
1831 /****************************************************************************
1832 Return a string containing the function name of a SMB command.
1833 ****************************************************************************/
1834
1835 const char *smb_fn_name(int type)
1836 {
1837 const char *unknown_name = "SMBunknown";
1838
1839 if (smb_messages[type].name == NULL)
1840 return(unknown_name);
1841
1842 return(smb_messages[type].name);
1843 }
1844
1845 /****************************************************************************
1846 Helper functions for contruct_reply.
1847 ****************************************************************************/
1848
1849 void add_to_common_flags2(uint32 v)
1850 {
1851 common_flags2 |= v;
1852 }
1853
1854 void remove_from_common_flags2(uint32 v)
1855 {
1856 common_flags2 &= ~v;
1857 }
1858
1859 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1860 char *outbuf)
1861 {
1862 uint16_t in_flags2 = SVAL(inbuf,smb_flg2);
1863 uint16_t out_flags2 = common_flags2;
1864
1865 out_flags2 |= in_flags2 & FLAGS2_UNICODE_STRINGS;
1866 out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES;
1867 out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED;
1868
1869 srv_set_message(outbuf,0,0,false);
1870
1871 SCVAL(outbuf, smb_com, req->cmd);
1872 SIVAL(outbuf,smb_rcls,0);
1873 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1874 SSVAL(outbuf,smb_flg2, out_flags2);
1875 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1876 memcpy(outbuf+smb_ss_field, inbuf+smb_ss_field, 8);
1877
1878 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1879 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1880 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1881 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1882 }
1883
1884 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1885 {
1886 construct_reply_common(req, (const char *)req->inbuf, outbuf);
1887 }
1888
1889 /**
1890 * @brief Find the smb_cmd offset of the last command pushed
1891 * @param[in] buf The buffer we're building up
1892 * @retval Where can we put our next andx cmd?
1893 *
1894 * While chaining requests, the "next" request we're looking at needs to put
1895 * its SMB_Command before the data the previous request already built up added
1896 * to the chain. Find the offset to the place where we have to put our cmd.
1897 */
1898
1899 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1900 {
1901 uint8_t cmd;
1902 size_t ofs;
1903
1904 cmd = CVAL(buf, smb_com);
1905
1906 if (!is_andx_req(cmd)) {
1907 return false;
1908 }
1909
1910 ofs = smb_vwv0;
1911
1912 while (CVAL(buf, ofs) != 0xff) {
1913
1914 if (!is_andx_req(CVAL(buf, ofs))) {
1915 return false;
1916 }
1917
1918 /*
1919 * ofs is from start of smb header, so add the 4 length
1920 * bytes. The next cmd is right after the wct field.
1921 */
1922 ofs = SVAL(buf, ofs+2) + 4 + 1;
1923
1924 if (ofs+4 >= talloc_get_size(buf)) {
1925 return false;
1926 }
1927 }
1928
1929 *pofs = ofs;
1930 return true;
1931 }
1932
1933 /**
1934 * @brief Do the smb chaining at a buffer level
1935 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1936 * @param[in] andx_buf Buffer to be appended
1937 */
1938
1939 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf)
1940 {
1941 uint8_t smb_command = CVAL(andx_buf, smb_com);
1942 uint8_t wct = CVAL(andx_buf, smb_wct);
1943 const uint16_t *vwv = (const uint16_t *)(andx_buf + smb_vwv);
1944 uint32_t num_bytes = smb_buflen(andx_buf);
1945 const uint8_t *bytes = (const uint8_t *)smb_buf_const(andx_buf);
1946
1947 uint8_t *outbuf;
1948 size_t old_size, new_size;
1949 size_t ofs;
1950 size_t chain_padding = 0;
1951 size_t andx_cmd_ofs;
1952
1953
1954 old_size = talloc_get_size(*poutbuf);
1955
1956 if ((old_size % 4) != 0) {
1957 /*
1958 * Align the wct field of subsequent requests to a 4-byte
1959 * boundary
1960 */
1961 chain_padding = 4 - (old_size % 4);
1962 }
1963
1964 /*
1965 * After the old request comes the new wct field (1 byte), the vwv's
1966 * and the num_bytes field.
1967 */
1968
1969 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1970 new_size += num_bytes;
1971
1972 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1973 DEBUG(1, ("smb_splice_chain: %u bytes won't fit\n",
1974 (unsigned)new_size));
1975 return false;
1976 }
1977
1978 outbuf = talloc_realloc(NULL, *poutbuf, uint8_t, new_size);
1979 if (outbuf == NULL) {
1980 DEBUG(0, ("talloc failed\n"));
1981 return false;
1982 }
1983 *poutbuf = outbuf;
1984
1985 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1986 DEBUG(1, ("invalid command chain\n"));
1987 *poutbuf = talloc_realloc(NULL, *poutbuf, uint8_t, old_size);
1988 return false;
1989 }
1990
1991 if (chain_padding != 0) {
1992 memset(outbuf + old_size, 0, chain_padding);
1993 old_size += chain_padding;
1994 }
1995
1996 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1997 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1998
1999 ofs = old_size;
2000
2001 /*
2002 * Push the chained request:
2003 *
2004 * wct field
2005 */
2006
2007 SCVAL(outbuf, ofs, wct);
2008 ofs += 1;
2009
2010 /*
2011 * vwv array
2012 */
2013
2014 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
2015
2016 /*
2017 * HACK ALERT
2018 *
2019 * Read&X has an offset into its data buffer at
2020 * vwv[6]. reply_read_andx has no idea anymore that it's
2021 * running from within a chain, so we have to fix up the
2022 * offset here.
2023 *
2024 * Although it looks disgusting at this place, I want to keep
2025 * it here. The alternative would be to push knowledge about
2026 * the andx chain down into read&x again.
2027 */
2028
2029 if (smb_command == SMBreadX) {
2030 uint8_t *bytes_addr;
2031
2032 if (wct < 7) {
2033 /*
2034 * Invalid read&x response
2035 */
2036 return false;
2037 }
2038
2039 bytes_addr = outbuf + ofs /* vwv start */
2040 + sizeof(uint16_t) * wct /* vwv array */
2041 + sizeof(uint16_t); /* bcc */
2042
2043 SSVAL(outbuf + ofs, 6 * sizeof(uint16_t),
2044 bytes_addr - outbuf - 4);
2045 }
2046
2047 ofs += sizeof(uint16_t) * wct;
2048
2049 /*
2050 * bcc (byte count)
2051 */
2052
2053 SSVAL(outbuf, ofs, num_bytes);
2054 ofs += sizeof(uint16_t);
2055
2056 /*
2057 * The bytes field
2058 */
2059
2060 memcpy(outbuf + ofs, bytes, num_bytes);
2061
2062 return true;
2063 }
2064
2065 bool smb1_is_chain(const uint8_t *buf)
2066 {
2067 uint8_t cmd, wct, andx_cmd;
2068
2069 cmd = CVAL(buf, smb_com);
2070 if (!is_andx_req(cmd)) {
2071 return false;
2072 }
2073 wct = CVAL(buf, smb_wct);
2074 if (wct < 2) {
2075 return false;
2076 }
2077 andx_cmd = CVAL(buf, smb_vwv);
2078 return (andx_cmd != 0xFF);
2079 }
2080
2081 bool smb1_walk_chain(const uint8_t *buf,
2082 bool (*fn)(uint8_t cmd,
2083 uint8_t wct, const uint16_t *vwv,
2084 uint16_t num_bytes, const uint8_t *bytes,
2085 void *private_data),
2086 void *private_data)
2087 {
2088 size_t smblen = smb_len(buf);
2089 const char *smb_buf = smb_base(buf);
2090 uint8_t cmd, chain_cmd;
2091 uint8_t wct;
2092 const uint16_t *vwv;
2093 uint16_t num_bytes;
2094 const uint8_t *bytes;
2095
2096 cmd = CVAL(buf, smb_com);
2097 wct = CVAL(buf, smb_wct);
2098 vwv = (const uint16_t *)(buf + smb_vwv);
2099 num_bytes = smb_buflen(buf);
2100 bytes = (uint8_t *)smb_buf_const(buf);
2101
2102 if (!fn(cmd, wct, vwv, num_bytes, bytes, private_data)) {
2103 return false;
2104 }
2105
2106 if (!is_andx_req(cmd)) {
2107 return true;
2108 }
2109 if (wct < 2) {
2110 return false;
2111 }
2112
2113 chain_cmd = CVAL(vwv, 0);
2114
2115 while (chain_cmd != 0xff) {
2116 uint32_t chain_offset; /* uint32_t to avoid overflow */
2117 size_t length_needed;
2118 ptrdiff_t vwv_offset;
2119
2120 chain_offset = SVAL(vwv+1, 0);
2121
2122 /*
2123 * Check if the client tries to fool us. The chain
2124 * offset needs to point beyond the current request in
2125 * the chain, it needs to strictly grow. Otherwise we
2126 * might be tricked into an endless loop always
2127 * processing the same request over and over again. We
2128 * used to assume that vwv and the byte buffer array
2129 * in a chain are always attached, but OS/2 the
2130 * Write&X/Read&X chain puts the Read&X vwv array
2131 * right behind the Write&X vwv chain. The Write&X bcc
2132 * array is put behind the Read&X vwv array. So now we
2133 * check whether the chain offset points strictly
2134 * behind the previous vwv array. req->buf points
2135 * right after the vwv array of the previous
2136 * request. See
2137 * https://bugzilla.samba.org/show_bug.cgi?id=8360 for
2138 * more information.
2139 */
2140
2141 vwv_offset = ((const char *)vwv - smb_buf);
2142 if (chain_offset <= vwv_offset) {
2143 return false;
2144 }
2145
2146 /*
2147 * Next check: Make sure the chain offset does not
2148 * point beyond the overall smb request length.
2149 */
2150
2151 length_needed = chain_offset+1; /* wct */
2152 if (length_needed > smblen) {
2153 return false;
2154 }
2155
2156 /*
2157 * Now comes the pointer magic. Goal here is to set up
2158 * vwv and buf correctly again. The chain offset (the
2159 * former vwv[1]) points at the new wct field.
2160 */
2161
2162 wct = CVAL(smb_buf, chain_offset);
2163
2164 if (is_andx_req(chain_cmd) && (wct < 2)) {
2165 return false;
2166 }
2167
2168 /*
2169 * Next consistency check: Make the new vwv array fits
2170 * in the overall smb request.
2171 */
2172
2173 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2174 if (length_needed > smblen) {
2175 return false;
2176 }
2177 vwv = (const uint16_t *)(smb_buf + chain_offset + 1);
2178
2179 /*
2180 * Now grab the new byte buffer....
2181 */
2182
2183 num_bytes = SVAL(vwv+wct, 0);
2184
2185 /*
2186 * .. and check that it fits.
2187 */
2188
2189 length_needed += num_bytes;
2190 if (length_needed > smblen) {
2191 return false;
2192 }
2193 bytes = (const uint8_t *)(vwv+wct+1);
2194
2195 if (!fn(chain_cmd, wct, vwv, num_bytes, bytes, private_data)) {
2196 return false;
2197 }
2198
2199 if (!is_andx_req(chain_cmd)) {
2200 return true;
2201 }
2202 chain_cmd = CVAL(vwv, 0);
2203 }
2204 return true;
2205 }
2206
2207 static bool smb1_chain_length_cb(uint8_t cmd,
2208 uint8_t wct, const uint16_t *vwv,
2209 uint16_t num_bytes, const uint8_t *bytes,
2210 void *private_data)
2211 {
2212 unsigned *count = (unsigned *)private_data;
2213 *count += 1;
2214 return true;
2215 }
2216
2217 unsigned smb1_chain_length(const uint8_t *buf)
2218 {
2219 unsigned count = 0;
2220
2221 if (!smb1_walk_chain(buf, smb1_chain_length_cb, &count)) {
2222 return 0;
2223 }
2224 return count;
2225 }
2226
2227 struct smb1_parse_chain_state {
2228 TALLOC_CTX *mem_ctx;
2229 const uint8_t *buf;
2230 struct smbd_server_connection *sconn;
2231 bool encrypted;
2232 uint32_t seqnum;
2233
2234 struct smb_request **reqs;
2235 unsigned num_reqs;
2236 };
2237
2238 static bool smb1_parse_chain_cb(uint8_t cmd,
2239 uint8_t wct, const uint16_t *vwv,
2240 uint16_t num_bytes, const uint8_t *bytes,
2241 void *private_data)
2242 {
2243 struct smb1_parse_chain_state *state =
2244 (struct smb1_parse_chain_state *)private_data;
2245 struct smb_request **reqs;
2246 struct smb_request *req;
2247 bool ok;
2248
2249 reqs = talloc_realloc(state->mem_ctx, state->reqs,
2250 struct smb_request *, state->num_reqs+1);
2251 if (reqs == NULL) {
2252 return false;
2253 }
2254 state->reqs = reqs;
2255
2256 req = talloc(reqs, struct smb_request);
2257 if (req == NULL) {
2258 return false;
2259 }
2260
2261 ok = init_smb_request(req, state->sconn, state->buf, 0,
2262 state->encrypted, state->seqnum);
2263 if (!ok) {
2264 return false;
2265 }
2266 req->cmd = cmd;
2267 req->wct = wct;
2268 req->vwv = vwv;
2269 req->buflen = num_bytes;
2270 req->buf = bytes;
2271
2272 reqs[state->num_reqs] = req;
2273 state->num_reqs += 1;
2274 return true;
2275 }
2276
2277 bool smb1_parse_chain(TALLOC_CTX *mem_ctx, const uint8_t *buf,
2278 struct smbd_server_connection *sconn,
2279 bool encrypted, uint32_t seqnum,
2280 struct smb_request ***reqs, unsigned *num_reqs)
2281 {
2282 struct smb1_parse_chain_state state;
2283 unsigned i;
2284
2285 state.mem_ctx = mem_ctx;
2286 state.buf = buf;
2287 state.sconn = sconn;
2288 state.encrypted = encrypted;
2289 state.seqnum = seqnum;
2290 state.reqs = NULL;
2291 state.num_reqs = 0;
2292
2293 if (!smb1_walk_chain(buf, smb1_parse_chain_cb, &state)) {
2294 TALLOC_FREE(state.reqs);
2295 return false;
2296 }
2297 for (i=0; i<state.num_reqs; i++) {
2298 state.reqs[i]->chain = state.reqs;
2299 }
2300 *reqs = state.reqs;
2301 *num_reqs = state.num_reqs;
2302 return true;
2303 }
2304
2305 /****************************************************************************
2306 Check if services need reloading.
2307 ****************************************************************************/
2308
2309 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2310 {
2311
2312 if (last_smb_conf_reload_time == 0) {
2313 last_smb_conf_reload_time = t;
2314 }
2315
2316 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2317 reload_services(sconn, conn_snum_used, true);
2318 last_smb_conf_reload_time = t;
2319 }
2320 }
2321
2322 static bool fd_is_readable(int fd)
2323 {
2324 int ret, revents;
2325
2326 ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2327
2328 return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2329
2330 }
2331
2332 static void smbd_server_connection_write_handler(
2333 struct smbd_server_connection *sconn)
2334 {
2335 /* TODO: make write nonblocking */
2336 }
2337
2338 static void smbd_server_connection_read_handler(
2339 struct smbd_server_connection *sconn, int fd)
2340 {
2341 uint8_t *inbuf = NULL;
2342 size_t inbuf_len = 0;
2343 size_t unread_bytes = 0;
2344 bool encrypted = false;
2345 TALLOC_CTX *mem_ctx = talloc_tos();
2346 NTSTATUS status;
2347 uint32_t seqnum;
2348
2349 bool from_client;
2350
2351 if (lp_async_smb_echo_handler()
2352 && fd_is_readable(sconn->smb1.echo_handler.trusted_fd)) {
2353 /*
2354 * This is the super-ugly hack to prefer the packets
2355 * forwarded by the echo handler over the ones by the
2356 * client directly
2357 */
2358 fd = sconn->smb1.echo_handler.trusted_fd;
2359 }
2360
2361 from_client = (sconn->sock == fd);
2362
2363 if (from_client) {
2364 smbd_lock_socket(sconn);
2365
2366 if (!fd_is_readable(fd)) {
2367 DEBUG(10,("the echo listener was faster\n"));
2368 smbd_unlock_socket(sconn);
2369 return;
2370 }
2371 }
2372
2373 /* TODO: make this completely nonblocking */
2374 status = receive_smb_talloc(mem_ctx, sconn, fd,
2375 (char **)(void *)&inbuf,
2376 0, /* timeout */
2377 &unread_bytes,
2378 &encrypted,
2379 &inbuf_len, &seqnum,
2380 false /* trusted channel */);
2381
2382 if (from_client) {
2383 smbd_unlock_socket(sconn);
2384 }
2385
2386 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2387 goto process;
2388 }
2389 if (NT_STATUS_IS_ERR(status)) {
2390 exit_server_cleanly("failed to receive smb request");
2391 }
2392 if (!NT_STATUS_IS_OK(status)) {
2393 return;
2394 }
2395
2396 process:
2397 process_smb(sconn, inbuf, inbuf_len, unread_bytes,
2398 seqnum, encrypted, NULL);
2399 }
2400
2401 static void smbd_server_connection_handler(struct event_context *ev,
2402 struct fd_event *fde,
2403 uint16_t flags,
2404 void *private_data)
2405 {
2406 struct smbd_server_connection *conn = talloc_get_type(private_data,
2407 struct smbd_server_connection);
2408
2409 if (flags & EVENT_FD_WRITE) {
2410 smbd_server_connection_write_handler(conn);
2411 return;
2412 }
2413 if (flags & EVENT_FD_READ) {
2414 smbd_server_connection_read_handler(conn, conn->sock);
2415 return;
2416 }
2417 }
2418
2419 static void smbd_server_echo_handler(struct event_context *ev,
2420 struct fd_event *fde,
2421 uint16_t flags,
2422 void *private_data)
2423 {
2424 struct smbd_server_connection *conn = talloc_get_type(private_data,
2425 struct smbd_server_connection);
2426
2427 if (flags & EVENT_FD_WRITE) {
2428 smbd_server_connection_write_handler(conn);
2429 return;
2430 }
2431 if (flags & EVENT_FD_READ) {
2432 smbd_server_connection_read_handler(
2433 conn, conn->smb1.echo_handler.trusted_fd);
2434 return;
2435 }
2436 }
2437
2438 #ifdef CLUSTER_SUPPORT
2439 /****************************************************************************
2440 received when we should release a specific IP
2441 ****************************************************************************/
2442 static void release_ip(const char *ip, void *priv)
2443 {
2444 const char *addr = (const char *)priv;
2445 const char *p = addr;
2446
2447 if (strncmp("::ffff:", addr, 7) == 0) {
2448 p = addr + 7;
2449 }
2450
2451 DEBUG(10, ("Got release IP message for %s, "
2452 "our address is %s\n", ip, p));
2453
2454 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2455 /* we can't afford to do a clean exit - that involves
2456 database writes, which would potentially mean we
2457 are still running after the failover has finished -
2458 we have to get rid of this process ID straight
2459 away */
2460 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2461 ip));
2462 /* note we must exit with non-zero status so the unclean handler gets
2463 called in the parent, so that the brl database is tickled */
2464 _exit(1);
2465 }
2466 }
2467
2468 static int client_get_tcp_info(int sock, struct sockaddr_storage *server,
2469 struct sockaddr_storage *client)
2470 {
2471 socklen_t length;
2472 length = sizeof(*server);
2473 if (getsockname(sock, (struct sockaddr *)server, &length) != 0) {
2474 return -1;
2475 }
2476 length = sizeof(*client);
2477 if (getpeername(sock, (struct sockaddr *)client, &length) != 0) {
2478 return -1;
2479 }
2480 return 0;
2481 }
2482 #endif
2483
2484 /*
2485 * Send keepalive packets to our client
2486 */
2487 static bool keepalive_fn(const struct timeval *now, void *private_data)
2488 {
2489 struct smbd_server_connection *sconn = talloc_get_type_abort(
2490 private_data, struct smbd_server_connection);
2491 bool ret;
2492
2493 if (sconn->using_smb2) {
2494 /* Don't do keepalives on an SMB2 connection. */
2495 return false;
2496 }
2497
2498 smbd_lock_socket(sconn);
2499 ret = send_keepalive(sconn->sock);
2500 smbd_unlock_socket(sconn);
2501
2502 if (!ret) {
2503 char addr[INET6_ADDRSTRLEN];
2504 /*
2505 * Try and give an error message saying what
2506 * client failed.
2507 */
2508 DEBUG(0, ("send_keepalive failed for client %s. "
2509 "Error %s - exiting\n",
2510 get_peer_addr(sconn->sock, addr, sizeof(addr)),
2511 strerror(errno)));
2512 return False;
2513 }
2514 return True;
2515 }
2516
2517 /*
2518 * Do the recurring check if we're idle
2519 */
2520 static bool deadtime_fn(const struct timeval *now, void *private_data)
2521 {
2522 struct smbd_server_connection *sconn =
2523 (struct smbd_server_connection *)private_data;
2524
2525 if ((conn_num_open(sconn) == 0)
2526 || (conn_idle_all(sconn, now->tv_sec))) {
2527 DEBUG( 2, ( "Closing idle connection\n" ) );
2528 messaging_send(sconn->msg_ctx,
2529 messaging_server_id(sconn->msg_ctx),
2530 MSG_SHUTDOWN, &data_blob_null);
2531 return False;
2532 }
2533
2534 return True;
2535 }
2536
2537 /*
2538 * Do the recurring log file and smb.conf reload checks.
2539 */
2540
2541 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2542 {
2543 struct smbd_server_connection *sconn = talloc_get_type_abort(
2544 private_data, struct smbd_server_connection);
2545
2546 DEBUG(5, ("housekeeping\n"));
2547
2548 change_to_root_user();
2549
2550 /* update printer queue caches if necessary */
2551 update_monitored_printq_cache(sconn->msg_ctx);
2552
2553 /* check if we need to reload services */
2554 check_reload(sconn, time_mono(NULL));
2555
2556 /* Change machine password if neccessary. */
2557 attempt_machine_password_change();
2558
2559 /*
2560 * Force a log file check.
2561 */
2562 force_check_log_size();
2563 check_log_size();
2564 return true;
2565 }
2566
2567 /*
2568 * Read an smb packet in the echo handler child, giving the parent
2569 * smbd one second to react once the socket becomes readable.
2570 */
2571
2572 struct smbd_echo_read_state {
2573 struct tevent_context *ev;
2574 struct smbd_server_connection *sconn;
2575
2576 char *buf;
2577 size_t buflen;
2578 uint32_t seqnum;
2579 };
2580
2581 static void smbd_echo_read_readable(struct tevent_req *subreq);
2582 static void smbd_echo_read_waited(struct tevent_req *subreq);
2583
2584 static struct tevent_req *smbd_echo_read_send(
2585 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
2586 struct smbd_server_connection *sconn)
2587 {
2588 struct tevent_req *req, *subreq;
2589 struct smbd_echo_read_state *state;
2590
2591 req = tevent_req_create(mem_ctx, &state,
2592 struct smbd_echo_read_state);
2593 if (req == NULL) {
2594 return NULL;
2595 }
2596 state->ev = ev;
2597 state->sconn = sconn;
2598
2599 subreq = wait_for_read_send(state, ev, sconn->sock);
2600 if (tevent_req_nomem(subreq, req)) {
2601 return tevent_req_post(req, ev);
2602 }
2603 tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
2604 return req;
2605 }
2606
2607 static void smbd_echo_read_readable(struct tevent_req *subreq)
2608 {
2609 struct tevent_req *req = tevent_req_callback_data(
2610 subreq, struct tevent_req);
2611 struct smbd_echo_read_state *state = tevent_req_data(
2612 req, struct smbd_echo_read_state);
2613 bool ok;
2614 int err;
2615
2616 ok = wait_for_read_recv(subreq, &err);
2617 TALLOC_FREE(subreq);
2618 if (!ok) {
2619 tevent_req_nterror(req, map_nt_error_from_unix(err));
2620 return;
2621 }
2622
2623 /*
2624 * Give the parent smbd one second to step in
2625 */
2626
2627 subreq = tevent_wakeup_send(
2628 state, state->ev, timeval_current_ofs(1, 0));
2629 if (tevent_req_nomem(subreq, req)) {
2630 return;
2631 }
2632 tevent_req_set_callback(subreq, smbd_echo_read_waited, req);
2633 }
2634
2635 static void smbd_echo_read_waited(struct tevent_req *subreq)
2636 {
2637 struct tevent_req *req = tevent_req_callback_data(
2638 subreq, struct tevent_req);
2639 struct smbd_echo_read_state *state = tevent_req_data(
2640 req, struct smbd_echo_read_state);
2641 struct smbd_server_connection *sconn = state->sconn;
2642 bool ok;
2643 NTSTATUS status;
2644 size_t unread = 0;
2645 bool encrypted;
2646
2647 ok = tevent_wakeup_recv(subreq);
2648 TALLOC_FREE(subreq);
2649 if (!ok) {
2650 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
2651 return;
2652 }
2653
2654 ok = smbd_lock_socket_internal(sconn);
2655 if (!ok) {
2656 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2657 DEBUG(0, ("%s: failed to lock socket\n", __location__));
2658 return;
2659 }
2660
2661 if (!fd_is_readable(sconn->sock)) {
2662 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2663 (int)getpid()));
2664
2665 ok = smbd_unlock_socket_internal(sconn);
2666 if (!ok) {
2667 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2668 DEBUG(1, ("%s: failed to unlock socket\n",
2669 __location__));
2670 return;
2671 }
2672
2673 subreq = wait_for_read_send(state, state->ev, sconn->sock);
2674 if (tevent_req_nomem(subreq, req)) {
2675 return;
2676 }
2677 tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
2678 return;
2679 }
2680
2681 status = receive_smb_talloc(state, sconn, sconn->sock, &state->buf,
2682 0 /* timeout */,
2683 &unread,
2684 &encrypted,
2685 &state->buflen,
2686 &state->seqnum,
2687 false /* trusted_channel*/);
2688
2689 if (tevent_req_nterror(req, status)) {
2690 tevent_req_nterror(req, status);
2691 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2692 (int)getpid(), nt_errstr(status)));
2693 return;
2694 }
2695
2696 ok = smbd_unlock_socket_internal(sconn);
2697 if (!ok) {
2698 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2699 DEBUG(1, ("%s: failed to unlock socket\n", __location__));
2700 return;
2701 }
2702 tevent_req_done(req);
2703 }
2704
2705 static NTSTATUS smbd_echo_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
2706 char **pbuf, size_t *pbuflen, uint32_t *pseqnum)
2707 {
2708 struct smbd_echo_read_state *state = tevent_req_data(
2709 req, struct smbd_echo_read_state);
2710 NTSTATUS status;
2711
2712 if (tevent_req_is_nterror(req, &status)) {
2713 return status;
2714 }
2715 *pbuf = talloc_move(mem_ctx, &state->buf);
2716 *pbuflen = state->buflen;
2717 *pseqnum = state->seqnum;
2718 return NT_STATUS_OK;
2719 }
2720
2721 struct smbd_echo_state {
2722 struct tevent_context *ev;
2723 struct iovec *pending;
2724 struct smbd_server_connection *sconn;
2725 int parent_pipe;
2726
2727 struct tevent_fd *parent_fde;
2728
2729 struct tevent_req *write_req;
2730 };
2731
2732 static void smbd_echo_writer_done(struct tevent_req *req);
2733
2734 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2735 {
2736 int num_pending;
2737
2738 if (state->write_req != NULL) {
2739 return;
2740 }
2741
2742 num_pending = talloc_array_length(state->pending);
2743 if (num_pending == 0) {
2744 return;
2745 }
2746
2747 state->write_req = writev_send(state, state->ev, NULL,
2748 state->parent_pipe, false,
2749 state->pending, num_pending);
2750 if (state->write_req == NULL) {
2751 DEBUG(1, ("writev_send failed\n"));
2752 exit(1);
2753 }
2754
2755 talloc_steal(state->write_req, state->pending);
2756 state->pending = NULL;
2757
2758 tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2759 state);
2760 }
2761
2762 static void smbd_echo_writer_done(struct tevent_req *req)
2763 {
2764 struct smbd_echo_state *state = tevent_req_callback_data(
2765 req, struct smbd_echo_state);
2766 ssize_t written;
2767 int err;
2768
2769 written = writev_recv(req, &err);
2770 TALLOC_FREE(req);
2771 state->write_req = NULL;
2772 if (written == -1) {
2773 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2774 exit(1);
2775 }
2776 DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)getpid()));
2777 smbd_echo_activate_writer(state);
2778 }
2779
2780 static bool smbd_echo_reply(struct smbd_echo_state *state,
2781 uint8_t *inbuf, size_t inbuf_len,
2782 uint32_t seqnum)
2783 {
2784 struct smb_request req;
2785 uint16_t num_replies;
2786 char *outbuf;
2787 bool ok;
2788
2789 if ((inbuf_len == 4) && (CVAL(inbuf, 0) == NBSSkeepalive)) {
2790 DEBUG(10, ("Got netbios keepalive\n"));
2791 /*
2792 * Just swallow it
2793 */
2794 return true;
2795 }
2796
2797 if (inbuf_len < smb_size) {
2798 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2799 return false;
2800 }
2801 if (!valid_smb_header(state->sconn, inbuf)) {
2802 DEBUG(10, ("Got invalid SMB header\n"));
2803 return false;
2804 }
2805
2806 if (!init_smb_request(&req, state->sconn, inbuf, 0, false,
2807 seqnum)) {
2808 return false;
2809 }
2810 req.inbuf = inbuf;
2811
2812 DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2813 smb_messages[req.cmd].name
2814 ? smb_messages[req.cmd].name : "unknown"));
2815
2816 if (req.cmd != SMBecho) {
2817 return false;
2818 }
2819 if (req.wct < 1) {
2820 return false;
2821 }
2822
2823 num_replies = SVAL(req.vwv+0, 0);
2824 if (num_replies != 1) {
2825 /* Not a Windows "Hey, you're still there?" request */
2826 return false;
2827 }
2828
2829 if (!create_outbuf(talloc_tos(), &req, (const char *)req.inbuf, &outbuf,
2830 1, req.buflen)) {
2831 DEBUG(10, ("create_outbuf failed\n"));
2832 return false;
2833 }
2834 req.outbuf = (uint8_t *)outbuf;
2835
2836 SSVAL(req.outbuf, smb_vwv0, num_replies);
2837
2838 if (req.buflen > 0) {
2839 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2840 }
2841
2842 ok = srv_send_smb(req.sconn,
2843 (char *)outbuf,
2844 true, seqnum+1,
2845 false, &req.pcd);
2846 TALLOC_FREE(outbuf);
2847 if (!ok) {
2848 exit(1);
2849 }
2850
2851 return true;
2852 }
2853
2854 static void smbd_echo_exit(struct tevent_context *ev,
2855 struct tevent_fd *fde, uint16_t flags,
2856 void *private_data)
2857 {
2858 DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2859 exit(0);
2860 }
2861
2862 static void smbd_echo_got_packet(struct tevent_req *req);
2863
2864 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2865 int parent_pipe)
2866 {
2867 struct smbd_echo_state *state;
2868 struct tevent_req *read_req;
2869
2870 state = talloc_zero(sconn, struct smbd_echo_state);
2871 if (state == NULL) {
2872 DEBUG(1, ("talloc failed\n"));
2873 return;
2874 }
2875 state->sconn = sconn;
2876 state->parent_pipe = parent_pipe;
2877 state->ev = s3_tevent_context_init(state);
2878 if (state->ev == NULL) {
2879 DEBUG(1, ("tevent_context_init failed\n"));
2880 TALLOC_FREE(state);
2881 return;
2882 }
2883 state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2884 TEVENT_FD_READ, smbd_echo_exit,
2885 state);
2886 if (state->parent_fde == NULL) {
2887 DEBUG(1, ("tevent_add_fd failed\n"));
2888 TALLOC_FREE(state);
2889 return;
2890 }
2891
2892 read_req = smbd_echo_read_send(state, state->ev, sconn);
2893 if (read_req == NULL) {
2894 DEBUG(1, ("smbd_echo_read_send failed\n"));
2895 TALLOC_FREE(state);
2896 return;
2897 }
2898 tevent_req_set_callback(read_req, smbd_echo_got_packet, state);
2899
2900 while (true) {
2901 if (tevent_loop_once(state->ev) == -1) {
2902 DEBUG(1, ("tevent_loop_once failed: %s\n",
2903 strerror(errno)));
2904 break;
2905 }
2906 }
2907 TALLOC_FREE(state);
2908 }
2909
2910 static void smbd_echo_got_packet(struct tevent_req *req)
2911 {
2912 struct smbd_echo_state *state = tevent_req_callback_data(
2913 req, struct smbd_echo_state);
2914 NTSTATUS status;
2915 char *buf = NULL;
2916 size_t buflen = 0;
2917 uint32_t seqnum = 0;
2918 bool reply;
2919
2920 status = smbd_echo_read_recv(req, state, &buf, &buflen, &seqnum);
2921 TALLOC_FREE(req);
2922 if (!NT_STATUS_IS_OK(status)) {
2923 DEBUG(1, ("smbd_echo_read_recv returned %s\n",
2924 nt_errstr(status)));
2925 exit(1);
2926 }
2927
2928 reply = smbd_echo_reply(state, (uint8_t *)buf, buflen, seqnum);
2929 if (!reply) {
2930 size_t num_pending;
2931 struct iovec *tmp;
2932 struct iovec *iov;
2933
2934 num_pending = talloc_array_length(state->pending);
2935 tmp = talloc_realloc(state, state->pending, struct iovec,
2936 num_pending+1);
2937 if (tmp == NULL) {
2938 DEBUG(1, ("talloc_realloc failed\n"));
2939 exit(1);
2940 }
2941 state->pending = tmp;
2942
2943 if (buflen >= smb_size) {
2944 /*
2945 * place the seqnum in the packet so that the main process
2946 * can reply with signing
2947 */
2948 SIVAL(buf, smb_ss_field, seqnum);
2949 SIVAL(buf, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2950 }
2951
2952 iov = &state->pending[num_pending];
2953 iov->iov_base = buf;
2954 iov->iov_len = buflen;
2955
2956 DEBUG(10,("echo_handler[%d]: forward to main\n",
2957 (int)getpid()));
2958 smbd_echo_activate_writer(state);
2959 }
2960
2961 req = smbd_echo_read_send(state, state->ev, state->sconn);
2962 if (req == NULL) {
2963 DEBUG(1, ("smbd_echo_read_send failed\n"));
2964 exit(1);
2965 }
2966 tevent_req_set_callback(req, smbd_echo_got_packet, state);
2967 }
2968
2969
2970 /*
2971 * Handle SMBecho requests in a forked child process
2972 */
2973 bool fork_echo_handler(struct smbd_server_connection *sconn)
2974 {
2975 int listener_pipe[2];
2976 int res;
2977 pid_t child;
2978
2979 res = pipe(listener_pipe);
2980 if (res == -1) {
2981 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2982 return false;
2983 }
2984 sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2985 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2986 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2987 goto fail;
2988 }
2989
2990 child = fork();
2991 if (child == 0) {
2992 NTSTATUS status;
2993
2994 close(listener_pipe[0]);
2995 set_blocking(listener_pipe[1], false);
2996
2997 status = reinit_after_fork(sconn->msg_ctx,
2998 sconn->ev_ctx,
2999 false);
3000 if (!NT_STATUS_IS_OK(status)) {
3001 DEBUG(1, ("reinit_after_fork failed: %s\n",
3002 nt_errstr(status)));
3003 exit(1);
3004 }
3005 smbd_echo_loop(sconn, listener_pipe[1]);
3006 exit(0);
3007 }
3008 close(listener_pipe[1]);
3009 listener_pipe[1] = -1;
3010 sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
3011
3012 DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)getpid(), child));
3013
3014 /*
3015 * Without smb signing this is the same as the normal smbd
3016 * listener. This needs to change once signing comes in.
3017 */
3018 sconn->smb1.echo_handler.trusted_fde = tevent_add_fd(sconn->ev_ctx,
3019 sconn,
3020 sconn->smb1.echo_handler.trusted_fd,
3021 TEVENT_FD_READ,
3022 smbd_server_echo_handler,
3023 sconn);
3024 if (sconn->smb1.echo_handler.trusted_fde == NULL) {
3025 DEBUG(1, ("event_add_fd failed\n"));
3026 goto fail;
3027 }
3028
3029 return true;
3030
3031 fail:
3032 if (listener_pipe[0] != -1) {
3033 close(listener_pipe[0]);
3034 }
3035 if (listener_pipe[1] != -1) {
3036 close(listener_pipe[1]);
3037 }
3038 sconn->smb1.echo_handler.trusted_fd = -1;
3039 if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
3040 close(sconn->smb1.echo_handler.socket_lock_fd);
3041 }
3042 sconn->smb1.echo_handler.trusted_fd = -1;
3043 sconn->smb1.echo_handler.socket_lock_fd = -1;
3044 return false;
3045 }
3046
3047 #if CLUSTER_SUPPORT
3048
3049 static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
3050 struct sockaddr_storage *srv,
3051 struct sockaddr_storage *clnt)
3052 {
3053 struct ctdbd_connection *cconn;
3054 char tmp_addr[INET6_ADDRSTRLEN];
3055 char *addr;
3056
3057 cconn = messaging_ctdbd_connection();
3058 if (cconn == NULL) {
3059 return NT_STATUS_NO_MEMORY;
3060 }
3061
3062 if (client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr)) == NULL) {
3063 return NT_STATUS_NO_MEMORY;
3064 }
3065 addr = talloc_strdup(cconn, tmp_addr);
3066 if (addr == NULL) {
3067 return NT_STATUS_NO_MEMORY;
3068 }
3069 return ctdbd_register_ips(cconn, srv, clnt, release_ip, addr);
3070 }
3071
3072 #endif
3073
3074 static bool uid_in_use(const struct user_struct *user, uid_t uid)
3075 {
3076 while (user) {
3077 if (user->session_info &&
3078 (user->session_info->unix_token->uid == uid)) {
3079 return true;
3080 }
3081 user = user->next;
3082 }
3083 return false;
3084 }
3085
3086 static bool gid_in_use(const struct user_struct *user, gid_t gid)
3087 {
3088 while (user) {
3089 if (user->session_info != NULL) {
3090 int i;
3091 struct security_unix_token *utok;
3092
3093 utok = user->session_info->unix_token;
3094 if (utok->gid == gid) {
3095 return true;
3096 }
3097 for(i=0; i<utok->ngroups; i++) {
3098 if (utok->groups[i] == gid) {
3099 return true;
3100 }
3101 }
3102 }
3103 user = user->next;
3104 }
3105 return false;
3106 }
3107
3108 static bool sid_in_use(const struct user_struct *user,
3109 const struct dom_sid *psid)
3110 {
3111 while (user) {
3112 struct security_token *tok;
3113
3114 if (user->session_info == NULL) {
3115 continue;
3116 }
3117 tok = user->session_info->security_token;
3118 if (tok == NULL) {
3119 /*
3120 * Not sure session_info->security_token can
3121 * ever be NULL. This check might be not
3122 * necessary.
3123 */
3124 continue;
3125 }
3126 if (security_token_has_sid(tok, psid)) {
3127 return true;
3128 }
3129 user = user->next;
3130 }
3131 return false;
3132 }
3133
3134 static bool id_in_use(const struct user_struct *user,
3135 const struct id_cache_ref *id)
3136 {
3137 switch(id->type) {
3138 case UID:
3139 return uid_in_use(user, id->id.uid);
3140 case GID:
3141 return gid_in_use(user, id->id.gid);
3142 case SID:
3143 return sid_in_use(user, &id->id.sid);
3144 default:
3145 break;
3146 }
3147 return false;
3148 }
3149
3150 static void smbd_id_cache_kill(struct messaging_context *msg_ctx,
3151 void *private_data,
3152 uint32_t msg_type,
3153 struct server_id server_id,
3154 DATA_BLOB* data)
3155 {
3156 const char *msg = (data && data->data)
3157 ? (const char *)data->data : "<NULL>";
3158 struct id_cache_ref id;
3159 struct smbd_server_connection *sconn =
3160 talloc_get_type_abort(private_data,
3161 struct smbd_server_connection);
3162
3163 if (!id_cache_ref_parse(msg, &id)) {
3164 DEBUG(0, ("Invalid ?ID: %s\n", msg));
3165 return;
3166 }
3167
3168 if (id_in_use(sconn->users, &id)) {
3169 exit_server_cleanly(msg);
3170 }
3171 id_cache_delete_from_cache(&id);
3172 }
3173
3174 NTSTATUS smbXsrv_connection_init_tables(struct smbXsrv_connection *conn,
3175 enum protocol_types protocol)
3176 {
3177 NTSTATUS status;
3178
3179 set_Protocol(protocol);
3180 conn->protocol = protocol;
3181
3182 if (protocol >= PROTOCOL_SMB2_02) {
3183 status = smb2srv_session_table_init(conn);
3184 if (!NT_STATUS_IS_OK(status)) {
3185 return status;
3186 }
3187 } else {
3188 status = smb1srv_session_table_init(conn);
3189 if (!NT_STATUS_IS_OK(status)) {
3190 return status;
3191 }
3192
3193 status = smb1srv_tcon_table_init(conn);
3194 if (!NT_STATUS_IS_OK(status)) {
3195 return status;
3196 }
3197 }
3198
3199 return NT_STATUS_OK;
3200 }
3201
3202 static void smbd_tevent_trace_callback(enum tevent_trace_point point,
3203 void *private_data)
3204 {
3205 struct smbXsrv_connection *conn =
3206 talloc_get_type_abort(private_data,
3207 struct smbXsrv_connection);
3208
3209 switch (point) {
3210 case TEVENT_TRACE_BEFORE_WAIT:
3211 /*
3212 * This just removes compiler warning
3213 * without profile support
3214 */
3215 conn->smbd_idle_profstamp = 0;
3216 START_PROFILE_STAMP(smbd_idle, conn->smbd_idle_profstamp);
3217 break;
3218 case TEVENT_TRACE_AFTER_WAIT:
3219 END_PROFILE_STAMP(smbd_idle, conn->smbd_idle_profstamp);
3220 break;
3221 }
3222 }
3223
3224 /****************************************************************************
3225 Process commands from the client
3226 ****************************************************************************/
3227
3228 void smbd_process(struct tevent_context *ev_ctx,
3229 struct messaging_context *msg_ctx,
3230 int sock_fd,
3231 bool interactive)
3232 {
3233 TALLOC_CTX *frame = talloc_stackframe();
3234 struct smbXsrv_connection *conn;
3235 struct smbd_server_connection *sconn;
3236 struct sockaddr_storage ss;
3237 struct sockaddr *sa = NULL;
3238 socklen_t sa_socklen;
3239 struct tsocket_address *local_address = NULL;
3240 struct tsocket_address *remote_address = NULL;
3241 const char *locaddr = NULL;
3242 const char *remaddr = NULL;
3243 char *rhost;
3244 int ret;
3245
3246 conn = talloc_zero(ev_ctx, struct smbXsrv_connection);
3247 if (conn == NULL) {
3248 DEBUG(0,("talloc_zero(struct smbXsrv_connection)\n"));
3249 exit_server_cleanly("talloc_zero(struct smbXsrv_connection).\n");
3250 }
3251
3252 conn->ev_ctx = ev_ctx;
3253 conn->msg_ctx = msg_ctx;
3254
3255 sconn = talloc_zero(conn, struct smbd_server_connection);
3256 if (!sconn) {
3257 exit_server("failed to create smbd_server_connection");
3258 }
3259
3260 conn->sconn = sconn;
3261 sconn->conn = conn;
3262
3263 /*
3264 * TODO: remove this...:-)
3265 */
3266 global_smbXsrv_connection = conn;
3267
3268 sconn->ev_ctx = ev_ctx;
3269 sconn->msg_ctx = msg_ctx;
3270 sconn->sock = sock_fd;
3271 sconn->smb1.echo_handler.trusted_fd = -1;
3272 sconn->smb1.echo_handler.socket_lock_fd = -1;
3273
3274 if (!interactive) {
3275 smbd_setup_sig_term_handler(sconn);
3276 smbd_setup_sig_hup_handler(sconn);
3277
3278 if (!serverid_register(messaging_server_id(msg_ctx),
3279 FLAG_MSG_GENERAL|FLAG_MSG_SMBD
3280 |FLAG_MSG_DBWRAP
3281 |FLAG_MSG_PRINT_GENERAL)) {
3282 exit_server_cleanly("Could not register myself in "
3283 "serverid.tdb");
3284 }
3285 }
3286
3287 if (lp_srv_maxprotocol() >= PROTOCOL_SMB2_02) {
3288 /*
3289 * We're not making the decision here,
3290 * we're just allowing the client
3291 * to decide between SMB1 and SMB2
3292 * with the first negprot
3293 * packet.
3294 */
3295 sconn->using_smb2 = true;
3296 }
3297
3298 /* Ensure child is set to blocking mode */
3299 set_blocking(sconn->sock,True);
3300
3301 set_socket_options(sconn->sock, "SO_KEEPALIVE");
3302 set_socket_options(sconn->sock, lp_socket_options());
3303
3304 sa = (struct sockaddr *)(void *)&ss;
3305 sa_socklen = sizeof(ss);
3306 ret = getpeername(sconn->sock, sa, &sa_socklen);
3307 if (ret != 0) {
3308 int level = (errno == ENOTCONN)?2:0;
3309 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
3310 exit_server_cleanly("getpeername() failed.\n");
3311 }
3312 ret = tsocket_address_bsd_from_sockaddr(sconn,
3313 sa, sa_socklen,
3314 &remote_address);
3315 if (ret != 0) {
3316 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
3317 __location__, strerror(errno)));
3318 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
3319 }
3320
3321 sa = (struct sockaddr *)(void *)&ss;
3322 sa_socklen = sizeof(ss);
3323 ret = getsockname(sconn->sock, sa, &sa_socklen);
3324 if (ret != 0) {
3325 int level = (errno == ENOTCONN)?2:0;
3326 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
3327 exit_server_cleanly("getsockname() failed.\n");
3328 }
3329 ret = tsocket_address_bsd_from_sockaddr(sconn,
3330 sa, sa_socklen,
3331 &local_address);
3332 if (ret != 0) {
3333 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
3334 __location__, strerror(errno)));
3335 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
3336 }
3337
3338 sconn->local_address = local_address;
3339 sconn->remote_address = remote_address;
3340
3341 if (tsocket_address_is_inet(local_address, "ip")) {
3342 locaddr = tsocket_address_inet_addr_string(
3343 sconn->local_address,
3344 talloc_tos());
3345 if (locaddr == NULL) {
3346 DEBUG(0,("%s: tsocket_address_inet_addr_string local failed - %s\n",
3347 __location__, strerror(errno)));
3348 exit_server_cleanly("tsocket_address_inet_addr_string local failed.\n");
3349 }
3350 } else {
3351 locaddr = "0.0.0.0";
3352 }
3353
3354 if (tsocket_address_is_inet(remote_address, "ip")) {
3355 remaddr = tsocket_address_inet_addr_string(
3356 sconn->remote_address,
3357 talloc_tos());
3358 if (remaddr == NULL) {
3359 DEBUG(0,("%s: tsocket_address_inet_addr_string remote failed - %s\n",
3360 __location__, strerror(errno)));
3361 exit_server_cleanly("tsocket_address_inet_addr_string remote failed.\n");
3362 }
3363 } else {
3364 remaddr = "0.0.0.0";
3365 }
3366
3367 /* this is needed so that we get decent entries
3368 in smbstatus for port 445 connects */
3369 set_remote_machine_name(remaddr, false);
3370 reload_services(sconn, conn_snum_used, true);
3371
3372 /*
3373 * Before the first packet, check the global hosts allow/ hosts deny
3374 * parameters before doing any parsing of packets passed to us by the
3375 * client. This prevents attacks on our parsing code from hosts not in
3376 * the hosts allow list.
3377 */
3378
3379 ret = get_remote_hostname(remote_address,
3380 &rhost,
3381 talloc_tos());
3382 if (ret < 0) {
3383 DEBUG(0,("%s: get_remote_hostname failed - %s\n",
3384 __location__, strerror(errno)));
3385 exit_server_cleanly("get_remote_hostname failed.\n");
3386 }
3387 if (strequal(rhost, "UNKNOWN")) {
3388 rhost = talloc_strdup(talloc_tos(), remaddr);
3389 }
3390 sconn->remote_hostname = talloc_move(sconn, &rhost);
3391
3392 sub_set_socket_ids(remaddr,
3393 sconn->remote_hostname,
3394 locaddr);
3395
3396 if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
3397 sconn->remote_hostname,
3398 remaddr)) {
3399 /*
3400 * send a negative session response "not listening on calling
3401 * name"
3402 */
3403 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
3404 DEBUG( 1, ("Connection denied from %s to %s\n",
3405 tsocket_address_string(remote_address, talloc_tos()),
3406 tsocket_address_string(local_address, talloc_tos())));
3407 (void)srv_send_smb(sconn,(char *)buf, false,
3408 0, false, NULL);
3409 exit_server_cleanly("connection denied");
3410 }
3411
3412 DEBUG(10, ("Connection allowed from %s to %s\n",
3413 tsocket_address_string(remote_address, talloc_tos()),
3414 tsocket_address_string(local_address, talloc_tos())));
3415
3416 if (lp_preload_modules()) {
3417 smb_load_modules(lp_preload_modules());
3418 }
3419
3420 smb_perfcount_init();
3421
3422 if (!init_account_policy()) {
3423 exit_server("Could not open account policy tdb.\n");
3424 }
3425
3426 if (*lp_rootdir()) {
3427 if (chroot(lp_rootdir()) != 0) {
3428 DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
3429 exit_server("Failed to chroot()");
3430 }
3431 if (chdir("/") == -1) {
3432 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
3433 exit_server("Failed to chroot()");
3434 }
3435 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
3436 }
3437
3438 if (!srv_init_signing(sconn)) {
3439 exit_server("Failed to init smb_signing");
3440 }
3441
3442 if (!file_init(sconn)) {
3443 exit_server("file_init() failed");
3444 }
3445
3446 /* Setup oplocks */
3447 if (!init_oplocks(sconn))
3448 exit_server("Failed to init oplocks");
3449
3450 /* register our message handlers */
3451 messaging_register(sconn->msg_ctx, sconn,
3452 MSG_SMB_FORCE_TDIS, msg_force_tdis);
3453 messaging_register(sconn->msg_ctx, sconn,
3454 MSG_SMB_CLOSE_FILE, msg_close_file);
3455 messaging_register(sconn->msg_ctx, sconn,
3456 MSG_SMB_FILE_RENAME, msg_file_was_renamed);
3457
3458 id_cache_register_msgs(sconn->msg_ctx);
3459 messaging_deregister(sconn->msg_ctx, ID_CACHE_KILL, NULL);
3460 messaging_register(sconn->msg_ctx, sconn,
3461 ID_CACHE_KILL, smbd_id_cache_kill);
3462
3463 messaging_deregister(sconn->msg_ctx,
3464 MSG_SMB_CONF_UPDATED, sconn->ev_ctx);
3465 messaging_register(sconn->msg_ctx, sconn,
3466 MSG_SMB_CONF_UPDATED, smbd_conf_updated);
3467
3468 /*
3469 * Use the default MSG_DEBUG handler to avoid rebroadcasting
3470 * MSGs to all child processes
3471 */
3472 messaging_deregister(sconn->msg_ctx,
3473 MSG_DEBUG, NULL);
3474 messaging_register(sconn->msg_ctx, NULL,
3475 MSG_DEBUG, debug_message);
3476
3477 if ((lp_keepalive() != 0)
3478 && !(event_add_idle(ev_ctx, NULL,
3479 timeval_set(lp_keepalive(), 0),
3480 "keepalive", keepalive_fn,
3481 sconn))) {
3482 DEBUG(0, ("Could not add keepalive event\n"));
3483 exit(1);
3484 }
3485
3486 if (!(event_add_idle(ev_ctx, NULL,
3487 timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3488 "deadtime", deadtime_fn, sconn))) {
3489 DEBUG(0, ("Could not add deadtime event\n"));
3490 exit(1);
3491 }
3492
3493 if (!(event_add_idle(ev_ctx, NULL,
3494 timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
3495 "housekeeping", housekeeping_fn, sconn))) {
3496 DEBUG(0, ("Could not add housekeeping event\n"));
3497 exit(1);
3498 }
3499
3500 #ifdef CLUSTER_SUPPORT
3501
3502 if (lp_clustering()) {
3503 /*
3504 * We need to tell ctdb about our client's TCP
3505 * connection, so that for failover ctdbd can send
3506 * tickle acks, triggering a reconnection by the
3507 * client.
3508 */
3509
3510 struct sockaddr_storage srv, clnt;
3511
3512 if (client_get_tcp_info(sconn->sock, &srv, &clnt) == 0) {
3513 NTSTATUS status;
3514 status = smbd_register_ips(sconn, &srv, &clnt);
3515 if (!NT_STATUS_IS_OK(status)) {
3516 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3517 nt_errstr(status)));
3518 }
3519 } else
3520 {
3521 DEBUG(0,("Unable to get tcp info for "
3522 "CTDB_CONTROL_TCP_CLIENT: %s\n",
3523 strerror(errno)));
3524 }
3525 }
3526
3527 #endif
3528
3529 sconn->nbt.got_session = false;
3530
3531 sconn->smb1.negprot.max_recv = MIN(lp_max_xmit(),BUFFER_SIZE);
3532
3533 sconn->smb1.sessions.done_sesssetup = false;
3534 sconn->smb1.sessions.max_send = BUFFER_SIZE;
3535 sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3536
3537 if (!init_dptrs(sconn)) {
3538 exit_server("init_dptrs() failed");
3539 }
3540
3541 sconn->smb1.fde = event_add_fd(ev_ctx,
3542 sconn,
3543 sconn->sock,
3544 EVENT_FD_READ,
3545 smbd_server_connection_handler,
3546 sconn);
3547 if (!sconn->smb1.fde) {
3548 exit_server("failed to create smbd_server_connection fde");
3549 }
3550
3551 sconn->conn->local_address = sconn->local_address;
3552 sconn->conn->remote_address = sconn->remote_address;
3553 sconn->conn->remote_hostname = sconn->remote_hostname;
3554 sconn->conn->protocol = PROTOCOL_NONE;
3555
3556 TALLOC_FREE(frame);
3557
3558 tevent_set_trace_callback(ev_ctx, smbd_tevent_trace_callback, conn);
3559
3560 while (True) {
3561 frame = talloc_stackframe_pool(8192);
3562
3563 errno = 0;
3564 if (tevent_loop_once(ev_ctx) == -1) {
3565 if (errno != EINTR) {
3566 DEBUG(3, ("tevent_loop_once failed: %s,"
3567 " exiting\n", strerror(errno) ));
3568 break;
3569 }
3570 }
3571
3572 TALLOC_FREE(frame);
3573 }
3574
3575 exit_server_cleanly(NULL);
3576 }
3577
3578 bool req_is_in_chain(struct smb_request *req)
3579 {
3580 if (req->vwv != (const uint16_t *)(req->inbuf+smb_vwv)) {
3581 /*
3582 * We're right now handling a subsequent request, so we must
3583 * be in a chain
3584 */
3585 return true;
3586 }
3587
3588 if (!is_andx_req(req->cmd)) {
3589 return false;
3590 }
3591
3592 if (req->wct < 2) {
3593 /*
3594 * Okay, an illegal request, but definitely not chained :-)
3595 */
3596 return false;
3597 }
3598
3599 return (CVAL(req->vwv+0, 0) != 0xFF);
3600 }
reg import