search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Never hand out 0xffff as a mid
[Samba/gebeck_regimport.git] / source3 / libsmb / async_smb.c
blob1cbf4ae26f63b7a05176e14002d7f49bc384c5a2
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 /**
23 * Fetch an error out of a NBT packet
24 * @param[in] buf The SMB packet
25 * @retval The error, converted to NTSTATUS
26 */
27
28 NTSTATUS cli_pull_error(char *buf)
29 {
30 uint32_t flags2 = SVAL(buf, smb_flg2);
31
32 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
33 return NT_STATUS(IVAL(buf, smb_rcls));
34 }
35
36 /* if the client uses dos errors, but there is no error,
37 we should return no error here, otherwise it looks
38 like an unknown bad NT_STATUS. jmcd */
39 if (CVAL(buf, smb_rcls) == 0)
40 return NT_STATUS_OK;
41
42 return NT_STATUS_DOS(CVAL(buf, smb_rcls), SVAL(buf,smb_err));
43 }
44
45 /**
46 * Compatibility helper for the sync APIs: Fake NTSTATUS in cli->inbuf
47 * @param[in] cli The client connection that just received an error
48 * @param[in] status The error to set on "cli"
49 */
50
51 void cli_set_error(struct cli_state *cli, NTSTATUS status)
52 {
53 uint32_t flags2 = SVAL(cli->inbuf, smb_flg2);
54
55 if (NT_STATUS_IS_DOS(status)) {
56 SSVAL(cli->inbuf, smb_flg2,
57 flags2 & ~FLAGS2_32_BIT_ERROR_CODES);
58 SCVAL(cli->inbuf, smb_rcls, NT_STATUS_DOS_CLASS(status));
59 SSVAL(cli->inbuf, smb_err, NT_STATUS_DOS_CODE(status));
60 return;
61 }
62
63 SSVAL(cli->inbuf, smb_flg2, flags2 | FLAGS2_32_BIT_ERROR_CODES);
64 SIVAL(cli->inbuf, smb_rcls, NT_STATUS_V(status));
65 return;
66 }
67
68 /**
69 * @brief Find the smb_cmd offset of the last command pushed
70 * @param[in] buf The buffer we're building up
71 * @retval Where can we put our next andx cmd?
72 *
73 * While chaining requests, the "next" request we're looking at needs to put
74 * its SMB_Command before the data the previous request already built up added
75 * to the chain. Find the offset to the place where we have to put our cmd.
76 */
77
78 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
79 {
80 uint8_t cmd;
81 size_t ofs;
82
83 cmd = CVAL(buf, smb_com);
84
85 SMB_ASSERT(is_andx_req(cmd));
86
87 ofs = smb_vwv0;
88
89 while (CVAL(buf, ofs) != 0xff) {
90
91 if (!is_andx_req(CVAL(buf, ofs))) {
92 return false;
93 }
94
95 /*
96 * ofs is from start of smb header, so add the 4 length
97 * bytes. The next cmd is right after the wct field.
98 */
99 ofs = SVAL(buf, ofs+2) + 4 + 1;
100
101 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
102 }
103
104 *pofs = ofs;
105 return true;
106 }
107
108 /**
109 * @brief Do the smb chaining at a buffer level
110 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
111 * @param[in] smb_command The command that we want to issue
112 * @param[in] wct How many words?
113 * @param[in] vwv The words, already in network order
114 * @param[in] bytes_alignment How shall we align "bytes"?
115 * @param[in] num_bytes How many bytes?
116 * @param[in] bytes The data the request ships
117 *
118 * smb_splice_chain() adds the vwv and bytes to the request already present in
119 * *poutbuf.
120 */
121
122 bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
123 uint8_t wct, const uint16_t *vwv,
124 size_t bytes_alignment,
125 uint32_t num_bytes, const uint8_t *bytes)
126 {
127 uint8_t *outbuf;
128 size_t old_size, new_size;
129 size_t ofs;
130 size_t chain_padding = 0;
131 size_t bytes_padding = 0;
132 bool first_request;
133
134 old_size = talloc_get_size(*poutbuf);
135
136 /*
137 * old_size == smb_wct means we're pushing the first request in for
138 * libsmb/
139 */
140
141 first_request = (old_size == smb_wct);
142
143 if (!first_request && ((old_size % 4) != 0)) {
144 /*
145 * Align the wct field of subsequent requests to a 4-byte
146 * boundary
147 */
148 chain_padding = 4 - (old_size % 4);
149 }
150
151 /*
152 * After the old request comes the new wct field (1 byte), the vwv's
153 * and the num_bytes field. After at we might need to align the bytes
154 * given to us to "bytes_alignment", increasing the num_bytes value.
155 */
156
157 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
158
159 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
160 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
161 }
162
163 new_size += bytes_padding + num_bytes;
164
165 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
166 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
167 (unsigned)new_size));
168 return false;
169 }
170
171 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
172 if (outbuf == NULL) {
173 DEBUG(0, ("talloc failed\n"));
174 return false;
175 }
176 *poutbuf = outbuf;
177
178 if (first_request) {
179 SCVAL(outbuf, smb_com, smb_command);
180 } else {
181 size_t andx_cmd_ofs;
182
183 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
184 DEBUG(1, ("invalid command chain\n"));
185 *poutbuf = TALLOC_REALLOC_ARRAY(
186 NULL, *poutbuf, uint8_t, old_size);
187 return false;
188 }
189
190 if (chain_padding != 0) {
191 memset(outbuf + old_size, 0, chain_padding);
192 old_size += chain_padding;
193 }
194
195 SCVAL(outbuf, andx_cmd_ofs, smb_command);
196 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
197 }
198
199 ofs = old_size;
200
201 /*
202 * Push the chained request:
203 *
204 * wct field
205 */
206
207 SCVAL(outbuf, ofs, wct);
208 ofs += 1;
209
210 /*
211 * vwv array
212 */
213
214 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
215 ofs += sizeof(uint16_t) * wct;
216
217 /*
218 * bcc (byte count)
219 */
220
221 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
222 ofs += sizeof(uint16_t);
223
224 /*
225 * padding
226 */
227
228 if (bytes_padding != 0) {
229 memset(outbuf + ofs, 0, bytes_padding);
230 ofs += bytes_padding;
231 }
232
233 /*
234 * The bytes field
235 */
236
237 memcpy(outbuf + ofs, bytes, num_bytes);
238
239 return true;
240 }
241
242 /**
243 * Figure out if there is an andx command behind the current one
244 * @param[in] buf The smb buffer to look at
245 * @param[in] ofs The offset to the wct field that is followed by the cmd
246 * @retval Is there a command following?
247 */
248
249 static bool have_andx_command(const char *buf, uint16_t ofs)
250 {
251 uint8_t wct;
252 size_t buflen = talloc_get_size(buf);
253
254 if ((ofs == buflen-1) || (ofs == buflen)) {
255 return false;
256 }
257
258 wct = CVAL(buf, ofs);
259 if (wct < 2) {
260 /*
261 * Not enough space for the command and a following pointer
262 */
263 return false;
264 }
265 return (CVAL(buf, ofs+1) != 0xff);
266 }
267
268 #define MAX_SMB_IOV 5
269
270 struct cli_smb_state {
271 struct tevent_context *ev;
272 struct cli_state *cli;
273 uint8_t header[smb_wct+1]; /* Space for the header including the wct */
274
275 /*
276 * For normal requests, cli_smb_req_send chooses a mid. Secondary
277 * trans requests need to use the mid of the primary request, so we
278 * need a place to store it. Assume it's set if != 0.
279 */
280 uint16_t mid;
281
282 uint16_t *vwv;
283 uint8_t bytecount_buf[2];
284
285 struct iovec iov[MAX_SMB_IOV+3];
286 int iov_count;
287
288 uint8_t *inbuf;
289 uint32_t seqnum;
290 int chain_num;
291 struct tevent_req **chained_requests;
292 };
293
294 static uint16_t cli_alloc_mid(struct cli_state *cli)
295 {
296 int num_pending = talloc_array_length(cli->pending);
297 uint16_t result;
298
299 while (true) {
300 int i;
301
302 result = cli->mid++;
303 if ((result == 0) || (result == 0xffff)) {
304 continue;
305 }
306
307 for (i=0; i<num_pending; i++) {
308 if (result == cli_smb_req_mid(cli->pending[i])) {
309 break;
310 }
311 }
312
313 if (i == num_pending) {
314 return result;
315 }
316 }
317 }
318
319 void cli_smb_req_unset_pending(struct tevent_req *req)
320 {
321 struct cli_smb_state *state = tevent_req_data(
322 req, struct cli_smb_state);
323 struct cli_state *cli = state->cli;
324 int num_pending = talloc_array_length(cli->pending);
325 int i;
326
327 if (num_pending == 1) {
328 /*
329 * The pending read_smb tevent_req is a child of
330 * cli->pending. So if nothing is pending anymore, we need to
331 * delete the socket read fde.
332 */
333 TALLOC_FREE(cli->pending);
334 return;
335 }
336
337 for (i=0; i<num_pending; i++) {
338 if (req == cli->pending[i]) {
339 break;
340 }
341 }
342 if (i == num_pending) {
343 /*
344 * Something's seriously broken. Just returning here is the
345 * right thing nevertheless, the point of this routine is to
346 * remove ourselves from cli->pending.
347 */
348 return;
349 }
350
351 /*
352 * Remove ourselves from the cli->pending array
353 */
354 if (num_pending > 1) {
355 cli->pending[i] = cli->pending[num_pending-1];
356 }
357
358 /*
359 * No NULL check here, we're shrinking by sizeof(void *), and
360 * talloc_realloc just adjusts the size for this.
361 */
362 cli->pending = talloc_realloc(NULL, cli->pending, struct tevent_req *,
363 num_pending - 1);
364 return;
365 }
366
367 static int cli_smb_req_destructor(struct tevent_req *req)
368 {
369 cli_smb_req_unset_pending(req);
370 return 0;
371 }
372
373 static void cli_smb_received(struct tevent_req *subreq);
374
375 bool cli_smb_req_set_pending(struct tevent_req *req)
376 {
377 struct cli_smb_state *state = tevent_req_data(
378 req, struct cli_smb_state);
379 struct cli_state *cli;
380 struct tevent_req **pending;
381 int num_pending;
382 struct tevent_req *subreq;
383
384 cli = state->cli;
385 num_pending = talloc_array_length(cli->pending);
386
387 pending = talloc_realloc(cli, cli->pending, struct tevent_req *,
388 num_pending+1);
389 if (pending == NULL) {
390 return false;
391 }
392 pending[num_pending] = req;
393 cli->pending = pending;
394 talloc_set_destructor(req, cli_smb_req_destructor);
395
396 if (num_pending > 0) {
397 return true;
398 }
399
400 /*
401 * We're the first ones, add the read_smb request that waits for the
402 * answer from the server
403 */
404 subreq = read_smb_send(cli->pending, state->ev, cli->fd);
405 if (subreq == NULL) {
406 cli_smb_req_unset_pending(req);
407 return false;
408 }
409 tevent_req_set_callback(subreq, cli_smb_received, cli);
410 return true;
411 }
412
413 /*
414 * Fetch a smb request's mid. Only valid after the request has been sent by
415 * cli_smb_req_send().
416 */
417 uint16_t cli_smb_req_mid(struct tevent_req *req)
418 {
419 struct cli_smb_state *state = tevent_req_data(
420 req, struct cli_smb_state);
421 return SVAL(state->header, smb_mid);
422 }
423
424 void cli_smb_req_set_mid(struct tevent_req *req, uint16_t mid)
425 {
426 struct cli_smb_state *state = tevent_req_data(
427 req, struct cli_smb_state);
428 state->mid = mid;
429 }
430
431 static size_t iov_len(const struct iovec *iov, int count)
432 {
433 size_t result = 0;
434 int i;
435 for (i=0; i<count; i++) {
436 result += iov[i].iov_len;
437 }
438 return result;
439 }
440
441 static uint8_t *iov_concat(TALLOC_CTX *mem_ctx, const struct iovec *iov,
442 int count)
443 {
444 size_t len = iov_len(iov, count);
445 size_t copied;
446 uint8_t *buf;
447 int i;
448
449 buf = talloc_array(mem_ctx, uint8_t, len);
450 if (buf == NULL) {
451 return NULL;
452 }
453 copied = 0;
454 for (i=0; i<count; i++) {
455 memcpy(buf+copied, iov[i].iov_base, iov[i].iov_len);
456 copied += iov[i].iov_len;
457 }
458 return buf;
459 }
460
461 struct tevent_req *cli_smb_req_create(TALLOC_CTX *mem_ctx,
462 struct event_context *ev,
463 struct cli_state *cli,
464 uint8_t smb_command,
465 uint8_t additional_flags,
466 uint8_t wct, uint16_t *vwv,
467 int iov_count,
468 struct iovec *bytes_iov)
469 {
470 struct tevent_req *result;
471 struct cli_smb_state *state;
472
473 if (iov_count > MAX_SMB_IOV) {
474 /*
475 * Should not happen :-)
476 */
477 return NULL;
478 }
479
480 result = tevent_req_create(mem_ctx, &state, struct cli_smb_state);
481 if (result == NULL) {
482 return NULL;
483 }
484 state->ev = ev;
485 state->cli = cli;
486 state->mid = 0; /* Set to auto-choose in cli_smb_req_send */
487 state->chain_num = 0;
488 state->chained_requests = NULL;
489
490 cli_setup_packet_buf(cli, (char *)state->header);
491 SCVAL(state->header, smb_com, smb_command);
492 SSVAL(state->header, smb_tid, cli->cnum);
493 SCVAL(state->header, smb_wct, wct);
494
495 state->vwv = vwv;
496
497 SSVAL(state->bytecount_buf, 0, iov_len(bytes_iov, iov_count));
498
499 state->iov[0].iov_base = state->header;
500 state->iov[0].iov_len = sizeof(state->header);
501 state->iov[1].iov_base = state->vwv;
502 state->iov[1].iov_len = wct * sizeof(uint16_t);
503 state->iov[2].iov_base = state->bytecount_buf;
504 state->iov[2].iov_len = sizeof(uint16_t);
505
506 if (iov_count != 0) {
507 memcpy(&state->iov[3], bytes_iov,
508 iov_count * sizeof(*bytes_iov));
509 }
510 state->iov_count = iov_count + 3;
511
512 return result;
513 }
514
515 static bool cli_signv(struct cli_state *cli, struct iovec *iov, int count,
516 uint32_t *seqnum)
517 {
518 uint8_t *buf;
519
520 /*
521 * Obvious optimization: Make cli_calculate_sign_mac work with struct
522 * iovec directly. MD5Update would do that just fine.
523 */
524
525 if ((count <= 0) || (iov[0].iov_len < smb_wct)) {
526 return false;
527 }
528
529 buf = iov_concat(talloc_tos(), iov, count);
530 if (buf == NULL) {
531 return false;
532 }
533
534 cli_calculate_sign_mac(cli, (char *)buf, seqnum);
535 memcpy(iov[0].iov_base, buf, iov[0].iov_len);
536
537 TALLOC_FREE(buf);
538 return true;
539 }
540
541 static void cli_smb_sent(struct tevent_req *subreq);
542
543 static bool cli_smb_req_iov_send(struct tevent_req *req,
544 struct cli_smb_state *state,
545 struct iovec *iov, int iov_count)
546 {
547 struct tevent_req *subreq;
548
549 if (iov[0].iov_len < smb_wct) {
550 return false;
551 }
552
553 if (state->mid != 0) {
554 SSVAL(iov[0].iov_base, smb_mid, state->mid);
555 } else {
556 SSVAL(iov[0].iov_base, smb_mid, cli_alloc_mid(state->cli));
557 }
558
559 smb_setlen((char *)iov[0].iov_base, iov_len(iov, iov_count) - 4);
560
561 if (!cli_signv(state->cli, iov, iov_count, &state->seqnum)) {
562 return false;
563 }
564
565 if (cli_encryption_on(state->cli)) {
566 NTSTATUS status;
567 char *buf, *enc_buf;
568
569 buf = (char *)iov_concat(talloc_tos(), iov, iov_count);
570 if (buf == NULL) {
571 return false;
572 }
573 status = cli_encrypt_message(state->cli, (char *)buf,
574 &enc_buf);
575 TALLOC_FREE(buf);
576 if (!NT_STATUS_IS_OK(status)) {
577 DEBUG(0, ("Error in encrypting client message: %s\n",
578 nt_errstr(status)));
579 return false;
580 }
581 buf = (char *)talloc_memdup(state, enc_buf,
582 smb_len(enc_buf)+4);
583 SAFE_FREE(enc_buf);
584 if (buf == NULL) {
585 return false;
586 }
587 iov[0].iov_base = buf;
588 iov[0].iov_len = talloc_get_size(buf);
589 subreq = writev_send(state, state->ev, state->cli->outgoing,
590 state->cli->fd, iov, 1);
591 } else {
592 subreq = writev_send(state, state->ev, state->cli->outgoing,
593 state->cli->fd, iov, iov_count);
594 }
595 if (subreq == NULL) {
596 return false;
597 }
598 tevent_req_set_callback(subreq, cli_smb_sent, req);
599 return true;
600 }
601
602 bool cli_smb_req_send(struct tevent_req *req)
603 {
604 struct cli_smb_state *state = tevent_req_data(
605 req, struct cli_smb_state);
606
607 return cli_smb_req_iov_send(req, state, state->iov, state->iov_count);
608 }
609
610 struct tevent_req *cli_smb_send(TALLOC_CTX *mem_ctx,
611 struct event_context *ev,
612 struct cli_state *cli,
613 uint8_t smb_command,
614 uint8_t additional_flags,
615 uint8_t wct, uint16_t *vwv,
616 uint32_t num_bytes,
617 const uint8_t *bytes)
618 {
619 struct tevent_req *req;
620 struct iovec iov;
621
622 iov.iov_base = CONST_DISCARD(char *, bytes);
623 iov.iov_len = num_bytes;
624
625 req = cli_smb_req_create(mem_ctx, ev, cli, smb_command,
626 additional_flags, wct, vwv, 1, &iov);
627 if (req == NULL) {
628 return NULL;
629 }
630 if (!cli_smb_req_send(req)) {
631 TALLOC_FREE(req);
632 }
633 return req;
634 }
635
636 static void cli_smb_sent(struct tevent_req *subreq)
637 {
638 struct tevent_req *req = tevent_req_callback_data(
639 subreq, struct tevent_req);
640 struct cli_smb_state *state = tevent_req_data(
641 req, struct cli_smb_state);
642 ssize_t nwritten;
643 int err;
644
645 nwritten = writev_recv(subreq, &err);
646 TALLOC_FREE(subreq);
647 if (nwritten == -1) {
648 tevent_req_nterror(req, map_nt_error_from_unix(err));
649 return;
650 }
651
652 switch (CVAL(state->header, smb_com)) {
653 case SMBtranss:
654 case SMBtranss2:
655 case SMBnttranss:
656 case SMBntcancel:
657 state->inbuf = NULL;
658 tevent_req_done(req);
659 return;
660 case SMBlockingX:
661 if ((CVAL(state->header, smb_wct) == 8) &&
662 (CVAL(state->vwv+3, 0) == LOCKING_ANDX_OPLOCK_RELEASE)) {
663 state->inbuf = NULL;
664 tevent_req_done(req);
665 return;
666 }
667 }
668
669 if (!cli_smb_req_set_pending(req)) {
670 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
671 return;
672 }
673 }
674
675 static void cli_smb_received(struct tevent_req *subreq)
676 {
677 struct cli_state *cli = tevent_req_callback_data(
678 subreq, struct cli_state);
679 struct tevent_req *req;
680 struct cli_smb_state *state;
681 struct tevent_context *ev;
682 NTSTATUS status;
683 uint8_t *inbuf;
684 ssize_t received;
685 int num_pending;
686 int i, err;
687 uint16_t mid;
688
689 received = read_smb_recv(subreq, talloc_tos(), &inbuf, &err);
690 TALLOC_FREE(subreq);
691 if (received == -1) {
692 status = map_nt_error_from_unix(err);
693 goto fail;
694 }
695
696 if ((IVAL(inbuf, 4) != 0x424d53ff) /* 0xFF"SMB" */
697 && (SVAL(inbuf, 4) != 0x45ff)) /* 0xFF"E" */ {
698 DEBUG(10, ("Got non-SMB PDU\n"));
699 status = NT_STATUS_INVALID_NETWORK_RESPONSE;
700 goto fail;
701 }
702
703 if (cli_encryption_on(cli) && (CVAL(inbuf, 0) == 0)) {
704 uint16_t enc_ctx_num;
705
706 status = get_enc_ctx_num(inbuf, &enc_ctx_num);
707 if (!NT_STATUS_IS_OK(status)) {
708 DEBUG(10, ("get_enc_ctx_num returned %s\n",
709 nt_errstr(status)));
710 goto fail;
711 }
712
713 if (enc_ctx_num != cli->trans_enc_state->enc_ctx_num) {
714 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
715 enc_ctx_num,
716 cli->trans_enc_state->enc_ctx_num));
717 status = NT_STATUS_INVALID_HANDLE;
718 goto fail;
719 }
720
721 status = common_decrypt_buffer(cli->trans_enc_state,
722 (char *)inbuf);
723 if (!NT_STATUS_IS_OK(status)) {
724 DEBUG(10, ("common_decrypt_buffer returned %s\n",
725 nt_errstr(status)));
726 goto fail;
727 }
728 }
729
730 mid = SVAL(inbuf, smb_mid);
731 num_pending = talloc_array_length(cli->pending);
732
733 for (i=0; i<num_pending; i++) {
734 if (mid == cli_smb_req_mid(cli->pending[i])) {
735 break;
736 }
737 }
738 if (i == num_pending) {
739 /* Dump unexpected reply */
740 TALLOC_FREE(inbuf);
741 goto done;
742 }
743
744 req = cli->pending[i];
745 state = tevent_req_data(req, struct cli_smb_state);
746 ev = state->ev;
747
748 if (!cli_check_sign_mac(cli, (char *)inbuf, state->seqnum+1)) {
749 DEBUG(10, ("cli_check_sign_mac failed\n"));
750 TALLOC_FREE(inbuf);
751 status = NT_STATUS_ACCESS_DENIED;
752 goto fail;
753 }
754
755 if (state->chained_requests == NULL) {
756 state->inbuf = talloc_move(state, &inbuf);
757 talloc_set_destructor(req, NULL);
758 cli_smb_req_destructor(req);
759 tevent_req_done(req);
760 } else {
761 struct tevent_req **chain = talloc_move(
762 talloc_tos(), &state->chained_requests);
763 int num_chained = talloc_array_length(chain);
764
765 for (i=0; i<num_chained; i++) {
766 state = tevent_req_data(chain[i], struct
767 cli_smb_state);
768 state->inbuf = inbuf;
769 state->chain_num = i;
770 tevent_req_done(chain[i]);
771 }
772 TALLOC_FREE(inbuf);
773 TALLOC_FREE(chain);
774 }
775 done:
776 if (talloc_array_length(cli->pending) > 0) {
777 /*
778 * Set up another read request for the other pending cli_smb
779 * requests
780 */
781 state = tevent_req_data(cli->pending[0], struct cli_smb_state);
782 subreq = read_smb_send(cli->pending, state->ev, cli->fd);
783 if (subreq == NULL) {
784 status = NT_STATUS_NO_MEMORY;
785 goto fail;
786 }
787 tevent_req_set_callback(subreq, cli_smb_received, cli);
788 }
789 return;
790 fail:
791 /*
792 * Cancel all pending requests. We don't do a for-loop walking
793 * cli->pending because that array changes in
794 * cli_smb_req_destructor().
795 */
796 while (talloc_array_length(cli->pending) > 0) {
797 req = cli->pending[0];
798 talloc_set_destructor(req, NULL);
799 cli_smb_req_destructor(req);
800 tevent_req_nterror(req, status);
801 }
802 }
803
804 NTSTATUS cli_smb_recv(struct tevent_req *req, uint8_t min_wct,
805 uint8_t *pwct, uint16_t **pvwv,
806 uint32_t *pnum_bytes, uint8_t **pbytes)
807 {
808 struct cli_smb_state *state = tevent_req_data(
809 req, struct cli_smb_state);
810 NTSTATUS status = NT_STATUS_OK;
811 uint8_t cmd, wct;
812 uint16_t num_bytes;
813 size_t wct_ofs, bytes_offset;
814 int i;
815
816 if (tevent_req_is_nterror(req, &status)) {
817 return status;
818 }
819
820 if (state->inbuf == NULL) {
821 /* This was a request without a reply */
822 return NT_STATUS_OK;
823 }
824
825 wct_ofs = smb_wct;
826 cmd = CVAL(state->inbuf, smb_com);
827
828 for (i=0; i<state->chain_num; i++) {
829 if (i < state->chain_num-1) {
830 if (cmd == 0xff) {
831 return NT_STATUS_REQUEST_ABORTED;
832 }
833 if (!is_andx_req(cmd)) {
834 return NT_STATUS_INVALID_NETWORK_RESPONSE;
835 }
836 }
837
838 if (!have_andx_command((char *)state->inbuf, wct_ofs)) {
839 /*
840 * This request was not completed because a previous
841 * request in the chain had received an error.
842 */
843 return NT_STATUS_REQUEST_ABORTED;
844 }
845
846 wct_ofs = SVAL(state->inbuf, wct_ofs + 3);
847
848 /*
849 * Skip the all-present length field. No overflow, we've just
850 * put a 16-bit value into a size_t.
851 */
852 wct_ofs += 4;
853
854 if (wct_ofs+2 > talloc_get_size(state->inbuf)) {
855 return NT_STATUS_INVALID_NETWORK_RESPONSE;
856 }
857
858 cmd = CVAL(state->inbuf, wct_ofs + 1);
859 }
860
861 status = cli_pull_error((char *)state->inbuf);
862
863 if (!have_andx_command((char *)state->inbuf, wct_ofs)
864 && NT_STATUS_IS_ERR(status)) {
865 /*
866 * The last command takes the error code. All further commands
867 * down the requested chain will get a
868 * NT_STATUS_REQUEST_ABORTED.
869 */
870 return status;
871 }
872
873 wct = CVAL(state->inbuf, wct_ofs);
874 bytes_offset = wct_ofs + 1 + wct * sizeof(uint16_t);
875 num_bytes = SVAL(state->inbuf, bytes_offset);
876
877 if (wct < min_wct) {
878 return NT_STATUS_INVALID_NETWORK_RESPONSE;
879 }
880
881 /*
882 * wct_ofs is a 16-bit value plus 4, wct is a 8-bit value, num_bytes
883 * is a 16-bit value. So bytes_offset being size_t should be far from
884 * wrapping.
885 */
886 if ((bytes_offset + 2 > talloc_get_size(state->inbuf))
887 || (bytes_offset > 0xffff)) {
888 return NT_STATUS_INVALID_NETWORK_RESPONSE;
889 }
890
891 if (pwct != NULL) {
892 *pwct = wct;
893 }
894 if (pvwv != NULL) {
895 *pvwv = (uint16_t *)(state->inbuf + wct_ofs + 1);
896 }
897 if (pnum_bytes != NULL) {
898 *pnum_bytes = num_bytes;
899 }
900 if (pbytes != NULL) {
901 *pbytes = (uint8_t *)state->inbuf + bytes_offset + 2;
902 }
903
904 return NT_STATUS_OK;
905 }
906
907 size_t cli_smb_wct_ofs(struct tevent_req **reqs, int num_reqs)
908 {
909 size_t wct_ofs;
910 int i;
911
912 wct_ofs = smb_wct - 4;
913
914 for (i=0; i<num_reqs; i++) {
915 struct cli_smb_state *state;
916 state = tevent_req_data(reqs[i], struct cli_smb_state);
917 wct_ofs += iov_len(state->iov+1, state->iov_count-1);
918 wct_ofs = (wct_ofs + 3) & ~3;
919 }
920 return wct_ofs;
921 }
922
923 bool cli_smb_chain_send(struct tevent_req **reqs, int num_reqs)
924 {
925 struct cli_smb_state *first_state = tevent_req_data(
926 reqs[0], struct cli_smb_state);
927 struct cli_smb_state *last_state = tevent_req_data(
928 reqs[num_reqs-1], struct cli_smb_state);
929 struct cli_smb_state *state;
930 size_t wct_offset;
931 size_t chain_padding = 0;
932 int i, iovlen;
933 struct iovec *iov = NULL;
934 struct iovec *this_iov;
935
936 iovlen = 0;
937 for (i=0; i<num_reqs; i++) {
938 state = tevent_req_data(reqs[i], struct cli_smb_state);
939 iovlen += state->iov_count;
940 }
941
942 iov = talloc_array(last_state, struct iovec, iovlen);
943 if (iov == NULL) {
944 goto fail;
945 }
946
947 first_state->chained_requests = (struct tevent_req **)talloc_memdup(
948 last_state, reqs, sizeof(*reqs) * num_reqs);
949 if (first_state->chained_requests == NULL) {
950 goto fail;
951 }
952
953 wct_offset = smb_wct - 4;
954 this_iov = iov;
955
956 for (i=0; i<num_reqs; i++) {
957 size_t next_padding = 0;
958 uint16_t *vwv;
959
960 state = tevent_req_data(reqs[i], struct cli_smb_state);
961
962 if (i < num_reqs-1) {
963 if (!is_andx_req(CVAL(state->header, smb_com))
964 || CVAL(state->header, smb_wct) < 2) {
965 goto fail;
966 }
967 }
968
969 wct_offset += iov_len(state->iov+1, state->iov_count-1) + 1;
970 if ((wct_offset % 4) != 0) {
971 next_padding = 4 - (wct_offset % 4);
972 }
973 wct_offset += next_padding;
974 vwv = state->vwv;
975
976 if (i < num_reqs-1) {
977 struct cli_smb_state *next_state = tevent_req_data(
978 reqs[i+1], struct cli_smb_state);
979 SCVAL(vwv+0, 0, CVAL(next_state->header, smb_com));
980 SCVAL(vwv+0, 1, 0);
981 SSVAL(vwv+1, 0, wct_offset);
982 } else if (is_andx_req(CVAL(state->header, smb_com))) {
983 /* properly end the chain */
984 SCVAL(vwv+0, 0, 0xff);
985 SCVAL(vwv+0, 1, 0xff);
986 SSVAL(vwv+1, 0, 0);
987 }
988
989 if (i == 0) {
990 this_iov[0] = state->iov[0];
991 } else {
992 /*
993 * This one is a bit subtle. We have to add
994 * chain_padding bytes between the requests, and we
995 * have to also include the wct field of the
996 * subsequent requests. We use the subsequent header
997 * for the padding, it contains the wct field in its
998 * last byte.
999 */
1000 this_iov[0].iov_len = chain_padding+1;
1001 this_iov[0].iov_base = &state->header[
1002 sizeof(state->header) - this_iov[0].iov_len];
1003 memset(this_iov[0].iov_base, 0, this_iov[0].iov_len-1);
1004 }
1005 memcpy(this_iov+1, state->iov+1,
1006 sizeof(struct iovec) * (state->iov_count-1));
1007 this_iov += state->iov_count;
1008 chain_padding = next_padding;
1009 }
1010
1011 if (!cli_smb_req_iov_send(reqs[0], last_state, iov, iovlen)) {
1012 goto fail;
1013 }
1014 return true;
1015 fail:
1016 TALLOC_FREE(iov);
1017 return false;
1018 }
1019
1020 uint8_t *cli_smb_inbuf(struct tevent_req *req)
1021 {
1022 struct cli_smb_state *state = tevent_req_data(
1023 req, struct cli_smb_state);
1024 return state->inbuf;
1025 }
1026
1027 bool cli_has_async_calls(struct cli_state *cli)
1028 {
1029 return ((tevent_queue_length(cli->outgoing) != 0)
1030 || (talloc_array_length(cli->pending) != 0));
1031 }
reg import