search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
TALLOC_FREE early
[Samba/gebeck_regimport.git] / source3 / smbd / nttrans.c
blob12709f9e021861159482f95ea6783eb77f81a6ee
1 /*
2 Unix SMB/CIFS implementation.
3 SMB NT transaction handling
4 Copyright (C) Jeremy Allison 1994-2007
5 Copyright (C) Stefan (metze) Metzmacher 2003
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22
23 extern int max_send;
24 extern enum protocol_types Protocol;
25 extern struct current_user current_user;
26
27 static const char *known_nt_pipes[] = {
28 "\\LANMAN",
29 "\\srvsvc",
30 "\\samr",
31 "\\wkssvc",
32 "\\NETLOGON",
33 "\\ntlsa",
34 "\\ntsvcs",
35 "\\lsass",
36 "\\lsarpc",
37 "\\winreg",
38 "\\initshutdown",
39 "\\spoolss",
40 "\\netdfs",
41 "\\rpcecho",
42 "\\svcctl",
43 "\\eventlog",
44 "\\unixinfo",
45 NULL
46 };
47
48 static char *nttrans_realloc(char **ptr, size_t size)
49 {
50 if (ptr==NULL) {
51 smb_panic("nttrans_realloc() called with NULL ptr");
52 }
53
54 *ptr = (char *)SMB_REALLOC(*ptr, size);
55 if(*ptr == NULL) {
56 return NULL;
57 }
58 memset(*ptr,'\0',size);
59 return *ptr;
60 }
61
62 /****************************************************************************
63 Send the required number of replies back.
64 We assume all fields other than the data fields are
65 set correctly for the type of call.
66 HACK ! Always assumes smb_setup field is zero.
67 ****************************************************************************/
68
69 void send_nt_replies(struct smb_request *req, NTSTATUS nt_error,
70 char *params, int paramsize,
71 char *pdata, int datasize)
72 {
73 int data_to_send = datasize;
74 int params_to_send = paramsize;
75 int useable_space;
76 char *pp = params;
77 char *pd = pdata;
78 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
79 int alignment_offset = 3;
80 int data_alignment_offset = 0;
81
82 /*
83 * If there genuinely are no parameters or data to send just send
84 * the empty packet.
85 */
86
87 if(params_to_send == 0 && data_to_send == 0) {
88 reply_outbuf(req, 18, 0);
89 show_msg((char *)req->outbuf);
90 return;
91 }
92
93 /*
94 * When sending params and data ensure that both are nicely aligned.
95 * Only do this alignment when there is also data to send - else
96 * can cause NT redirector problems.
97 */
98
99 if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
100 data_alignment_offset = 4 - (params_to_send % 4);
101 }
102
103 /*
104 * Space is bufsize minus Netbios over TCP header minus SMB header.
105 * The alignment_offset is to align the param bytes on a four byte
106 * boundary (2 bytes for data len, one byte pad).
107 * NT needs this to work correctly.
108 */
109
110 useable_space = max_send - (smb_size
111 + 2 * 18 /* wct */
112 + alignment_offset
113 + data_alignment_offset);
114
115 /*
116 * useable_space can never be more than max_send minus the
117 * alignment offset.
118 */
119
120 useable_space = MIN(useable_space,
121 max_send - (alignment_offset+data_alignment_offset));
122
123
124 while (params_to_send || data_to_send) {
125
126 /*
127 * Calculate whether we will totally or partially fill this packet.
128 */
129
130 total_sent_thistime = params_to_send + data_to_send +
131 alignment_offset + data_alignment_offset;
132
133 /*
134 * We can never send more than useable_space.
135 */
136
137 total_sent_thistime = MIN(total_sent_thistime, useable_space);
138
139 reply_outbuf(req, 18, total_sent_thistime);
140
141 /*
142 * Set total params and data to be sent.
143 */
144
145 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
146 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
147
148 /*
149 * Calculate how many parameters and data we can fit into
150 * this packet. Parameters get precedence.
151 */
152
153 params_sent_thistime = MIN(params_to_send,useable_space);
154 data_sent_thistime = useable_space - params_sent_thistime;
155 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
156
157 SIVAL(req->outbuf, smb_ntr_ParameterCount,
158 params_sent_thistime);
159
160 if(params_sent_thistime == 0) {
161 SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
162 SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
163 } else {
164 /*
165 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
166 * parameter bytes, however the first 4 bytes of outbuf are
167 * the Netbios over TCP header. Thus use smb_base() to subtract
168 * them from the calculation.
169 */
170
171 SIVAL(req->outbuf,smb_ntr_ParameterOffset,
172 ((smb_buf(req->outbuf)+alignment_offset)
173 - smb_base(req->outbuf)));
174 /*
175 * Absolute displacement of param bytes sent in this packet.
176 */
177
178 SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
179 pp - params);
180 }
181
182 /*
183 * Deal with the data portion.
184 */
185
186 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
187
188 if(data_sent_thistime == 0) {
189 SIVAL(req->outbuf,smb_ntr_DataOffset,0);
190 SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
191 } else {
192 /*
193 * The offset of the data bytes is the offset of the
194 * parameter bytes plus the number of parameters being sent this time.
195 */
196
197 SIVAL(req->outbuf, smb_ntr_DataOffset,
198 ((smb_buf(req->outbuf)+alignment_offset) -
199 smb_base(req->outbuf))
200 + params_sent_thistime + data_alignment_offset);
201 SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
202 }
203
204 /*
205 * Copy the param bytes into the packet.
206 */
207
208 if(params_sent_thistime) {
209 if (alignment_offset != 0) {
210 memset(smb_buf(req->outbuf), 0,
211 alignment_offset);
212 }
213 memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
214 params_sent_thistime);
215 }
216
217 /*
218 * Copy in the data bytes
219 */
220
221 if(data_sent_thistime) {
222 if (data_alignment_offset != 0) {
223 memset((smb_buf(req->outbuf)+alignment_offset+
224 params_sent_thistime), 0,
225 data_alignment_offset);
226 }
227 memcpy(smb_buf(req->outbuf)+alignment_offset
228 +params_sent_thistime+data_alignment_offset,
229 pd,data_sent_thistime);
230 }
231
232 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
233 params_sent_thistime, data_sent_thistime, useable_space));
234 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
235 params_to_send, data_to_send, paramsize, datasize));
236
237 if (NT_STATUS_V(nt_error)) {
238 error_packet_set((char *)req->outbuf,
239 0, 0, nt_error,
240 __LINE__,__FILE__);
241 }
242
243 /* Send the packet */
244 show_msg((char *)req->outbuf);
245 if (!send_smb(smbd_server_fd(),(char *)req->outbuf)) {
246 exit_server_cleanly("send_nt_replies: send_smb failed.");
247 }
248
249 TALLOC_FREE(req->outbuf);
250
251 pp += params_sent_thistime;
252 pd += data_sent_thistime;
253
254 params_to_send -= params_sent_thistime;
255 data_to_send -= data_sent_thistime;
256
257 /*
258 * Sanity check
259 */
260
261 if(params_to_send < 0 || data_to_send < 0) {
262 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
263 params_to_send, data_to_send));
264 return;
265 }
266 }
267 }
268
269 /****************************************************************************
270 Is it an NTFS stream name ?
271 ****************************************************************************/
272
273 bool is_ntfs_stream_name(const char *fname)
274 {
275 if (lp_posix_pathnames()) {
276 return False;
277 }
278 return (strchr_m(fname, ':') != NULL) ? True : False;
279 }
280
281 struct case_semantics_state {
282 connection_struct *conn;
283 bool case_sensitive;
284 bool case_preserve;
285 bool short_case_preserve;
286 };
287
288 /****************************************************************************
289 Restore case semantics.
290 ****************************************************************************/
291 static int restore_case_semantics(struct case_semantics_state *state)
292 {
293 state->conn->case_sensitive = state->case_sensitive;
294 state->conn->case_preserve = state->case_preserve;
295 state->conn->short_case_preserve = state->short_case_preserve;
296 return 0;
297 }
298
299 /****************************************************************************
300 Save case semantics.
301 ****************************************************************************/
302 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
303 connection_struct *conn)
304 {
305 struct case_semantics_state *result;
306
307 if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
308 DEBUG(0, ("talloc failed\n"));
309 return NULL;
310 }
311
312 result->conn = conn;
313 result->case_sensitive = conn->case_sensitive;
314 result->case_preserve = conn->case_preserve;
315 result->short_case_preserve = conn->short_case_preserve;
316
317 /* Set to POSIX. */
318 conn->case_sensitive = True;
319 conn->case_preserve = True;
320 conn->short_case_preserve = True;
321
322 talloc_set_destructor(result, restore_case_semantics);
323
324 return result;
325 }
326
327 /****************************************************************************
328 Reply to an NT create and X call on a pipe
329 ****************************************************************************/
330
331 static void nt_open_pipe(char *fname, connection_struct *conn,
332 struct smb_request *req, int *ppnum)
333 {
334 smb_np_struct *p = NULL;
335 int i;
336
337 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
338
339 /* See if it is one we want to handle. */
340
341 if (lp_disable_spoolss() && strequal(fname, "\\spoolss")) {
342 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
343 ERRDOS, ERRbadpipe);
344 return;
345 }
346
347 for( i = 0; known_nt_pipes[i]; i++ ) {
348 if( strequal(fname,known_nt_pipes[i])) {
349 break;
350 }
351 }
352
353 if ( known_nt_pipes[i] == NULL ) {
354 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
355 ERRDOS, ERRbadpipe);
356 return;
357 }
358
359 /* Strip \\ off the name. */
360 fname++;
361
362 DEBUG(3,("nt_open_pipe: Known pipe %s opening.\n", fname));
363
364 p = open_rpc_pipe_p(fname, conn, req->vuid);
365 if (!p) {
366 reply_doserror(req, ERRSRV, ERRnofids);
367 return;
368 }
369
370 /* TODO: Add pipe to db */
371
372 if ( !store_pipe_opendb( p ) ) {
373 DEBUG(3,("nt_open_pipe: failed to store %s pipe open.\n", fname));
374 }
375
376 *ppnum = p->pnum;
377 return;
378 }
379
380 /****************************************************************************
381 Reply to an NT create and X call for pipes.
382 ****************************************************************************/
383
384 static void do_ntcreate_pipe_open(connection_struct *conn,
385 struct smb_request *req)
386 {
387 char *fname = NULL;
388 int pnum = -1;
389 char *p = NULL;
390 uint32 flags = IVAL(req->inbuf,smb_ntcreate_Flags);
391 TALLOC_CTX *ctx = talloc_tos();
392
393 srvstr_pull_buf_talloc(ctx, (char *)req->inbuf, req->flags2, &fname,
394 smb_buf(req->inbuf), STR_TERMINATE);
395
396 if (!fname) {
397 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
398 ERRDOS, ERRbadpipe);
399 return;
400 }
401 nt_open_pipe(fname, conn, req, &pnum);
402
403 if (req->outbuf) {
404 /* error reply */
405 return;
406 }
407
408 /*
409 * Deal with pipe return.
410 */
411
412 if (flags & EXTENDED_RESPONSE_REQUIRED) {
413 /* This is very strange. We
414 * return 50 words, but only set
415 * the wcnt to 42 ? It's definately
416 * what happens on the wire....
417 */
418 reply_outbuf(req, 50, 0);
419 SCVAL(req->outbuf,smb_wct,42);
420 } else {
421 reply_outbuf(req, 34, 0);
422 }
423
424 p = (char *)req->outbuf + smb_vwv2;
425 p++;
426 SSVAL(p,0,pnum);
427 p += 2;
428 SIVAL(p,0,FILE_WAS_OPENED);
429 p += 4;
430 p += 32;
431 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
432 p += 20;
433 /* File type. */
434 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
435 /* Device state. */
436 SSVAL(p,2, 0x5FF); /* ? */
437 p += 4;
438
439 if (flags & EXTENDED_RESPONSE_REQUIRED) {
440 p += 25;
441 SIVAL(p,0,FILE_GENERIC_ALL);
442 /*
443 * For pipes W2K3 seems to return
444 * 0x12019B next.
445 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
446 */
447 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
448 }
449
450 DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
451
452 chain_reply(req);
453 }
454
455 /****************************************************************************
456 Reply to an NT create and X call for a quota file.
457 ****************************************************************************/
458
459 static void reply_ntcreate_and_X_quota(connection_struct *conn,
460 struct smb_request *req,
461 enum FAKE_FILE_TYPE fake_file_type,
462 const char *fname)
463 {
464 char *p;
465 uint32 desired_access = IVAL(req->inbuf,smb_ntcreate_DesiredAccess);
466 files_struct *fsp;
467 NTSTATUS status;
468
469 status = open_fake_file(conn, fake_file_type, fname, desired_access,
470 &fsp);
471
472 if (!NT_STATUS_IS_OK(status)) {
473 reply_nterror(req, status);
474 return;
475 }
476
477 reply_outbuf(req, 34, 0);
478
479 p = (char *)req->outbuf + smb_vwv2;
480
481 /* SCVAL(p,0,NO_OPLOCK_RETURN); */
482 p++;
483 SSVAL(p,0,fsp->fnum);
484
485 DEBUG(5,("reply_ntcreate_and_X_quota: fnum = %d, open name = %s\n", fsp->fnum, fsp->fsp_name));
486
487 chain_reply(req);
488 }
489
490 /****************************************************************************
491 Reply to an NT create and X call.
492 ****************************************************************************/
493
494 void reply_ntcreate_and_X(connection_struct *conn,
495 struct smb_request *req)
496 {
497 char *fname = NULL;
498 uint32 flags;
499 uint32 access_mask;
500 uint32 file_attributes;
501 uint32 share_access;
502 uint32 create_disposition;
503 uint32 create_options;
504 uint16 root_dir_fid;
505 SMB_BIG_UINT allocation_size;
506 /* Breakout the oplock request bits so we can set the
507 reply bits separately. */
508 int oplock_request = 0;
509 uint32 fattr=0;
510 SMB_OFF_T file_len = 0;
511 SMB_STRUCT_STAT sbuf;
512 int info = 0;
513 files_struct *fsp = NULL;
514 char *p = NULL;
515 struct timespec c_timespec;
516 struct timespec a_timespec;
517 struct timespec m_timespec;
518 bool extended_oplock_granted = False;
519 NTSTATUS status;
520 struct case_semantics_state *case_state = NULL;
521 TALLOC_CTX *ctx = talloc_tos();
522
523 START_PROFILE(SMBntcreateX);
524
525 if (req->wct < 24) {
526 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
527 return;
528 }
529
530 flags = IVAL(req->inbuf,smb_ntcreate_Flags);
531 access_mask = IVAL(req->inbuf,smb_ntcreate_DesiredAccess);
532 file_attributes = IVAL(req->inbuf,smb_ntcreate_FileAttributes);
533 share_access = IVAL(req->inbuf,smb_ntcreate_ShareAccess);
534 create_disposition = IVAL(req->inbuf,smb_ntcreate_CreateDisposition);
535 create_options = IVAL(req->inbuf,smb_ntcreate_CreateOptions);
536 root_dir_fid = (uint16)IVAL(req->inbuf,smb_ntcreate_RootDirectoryFid);
537
538 allocation_size = (SMB_BIG_UINT)IVAL(req->inbuf,smb_ntcreate_AllocationSize);
539 #ifdef LARGE_SMB_OFF_T
540 allocation_size |= (((SMB_BIG_UINT)IVAL(req->inbuf,smb_ntcreate_AllocationSize + 4)) << 32);
541 #endif
542
543 srvstr_get_path(ctx, (char *)req->inbuf, req->flags2, &fname,
544 smb_buf(req->inbuf), 0, STR_TERMINATE, &status);
545
546 if (!NT_STATUS_IS_OK(status)) {
547 reply_nterror(req, status);
548 END_PROFILE(SMBntcreateX);
549 return;
550 }
551
552 DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
553 "file_attributes = 0x%x, share_access = 0x%x, "
554 "create_disposition = 0x%x create_options = 0x%x "
555 "root_dir_fid = 0x%x, fname = %s\n",
556 (unsigned int)flags,
557 (unsigned int)access_mask,
558 (unsigned int)file_attributes,
559 (unsigned int)share_access,
560 (unsigned int)create_disposition,
561 (unsigned int)create_options,
562 (unsigned int)root_dir_fid,
563 fname));
564
565 /*
566 * If it's an IPC, use the pipe handler.
567 */
568
569 if (IS_IPC(conn)) {
570 if (lp_nt_pipe_support()) {
571 do_ntcreate_pipe_open(conn, req);
572 END_PROFILE(SMBntcreateX);
573 return;
574 } else {
575 reply_doserror(req, ERRDOS, ERRnoaccess);
576 END_PROFILE(SMBntcreateX);
577 return;
578 }
579 }
580
581 if (create_options & FILE_OPEN_BY_FILE_ID) {
582 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
583 END_PROFILE(SMBntcreateX);
584 return;
585 }
586
587 /*
588 * Get the file name.
589 */
590
591 if (root_dir_fid != 0) {
592 /*
593 * This filename is relative to a directory fid.
594 */
595 char *parent_fname = NULL;
596 char *tmp;
597 files_struct *dir_fsp = file_fsp(root_dir_fid);
598
599 if(!dir_fsp) {
600 reply_doserror(req, ERRDOS, ERRbadfid);
601 END_PROFILE(SMBntcreateX);
602 return;
603 }
604
605 if(!dir_fsp->is_directory) {
606
607 /*
608 * Check to see if this is a mac fork of some kind.
609 */
610
611 if( is_ntfs_stream_name(fname)) {
612 reply_nterror(
613 req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
614 END_PROFILE(SMBntcreateX);
615 return;
616 }
617
618 /*
619 we need to handle the case when we get a
620 relative open relative to a file and the
621 pathname is blank - this is a reopen!
622 (hint from demyn plantenberg)
623 */
624
625 reply_doserror(req, ERRDOS, ERRbadfid);
626 END_PROFILE(SMBntcreateX);
627 return;
628 }
629
630 if (ISDOT(dir_fsp->fsp_name)) {
631 /*
632 * We're at the toplevel dir, the final file name
633 * must not contain ./, as this is filtered out
634 * normally by srvstr_get_path and unix_convert
635 * explicitly rejects paths containing ./.
636 */
637 parent_fname = talloc_strdup(ctx,"");
638 if (!parent_fname) {
639 reply_nterror(req, NT_STATUS_NO_MEMORY);
640 END_PROFILE(SMBntcreateX);
641 return;
642 }
643 } else {
644 size_t dir_name_len = strlen(dir_fsp->fsp_name);
645
646 /*
647 * Copy in the base directory name.
648 */
649
650 parent_fname = TALLOC_ARRAY(ctx, char, dir_name_len+2);
651 if (!parent_fname) {
652 reply_nterror(req, NT_STATUS_NO_MEMORY);
653 END_PROFILE(SMBntcreateX);
654 return;
655 }
656 memcpy(parent_fname, dir_fsp->fsp_name,
657 dir_name_len+1);
658
659 /*
660 * Ensure it ends in a '/'.
661 * We used TALLOC_SIZE +2 to add space for the '/'.
662 */
663
664 if(dir_name_len
665 && (parent_fname[dir_name_len-1] != '\\')
666 && (parent_fname[dir_name_len-1] != '/')) {
667 parent_fname[dir_name_len] = '/';
668 parent_fname[dir_name_len+1] = '\0';
669 }
670 }
671
672 tmp = talloc_asprintf(ctx, "%s%s", parent_fname, fname);
673 if (tmp == NULL) {
674 reply_nterror(req, NT_STATUS_NO_MEMORY);
675 END_PROFILE(SMBntcreateX);
676 return;
677 }
678 TALLOC_FREE(fname);
679 fname = tmp;
680 } else {
681 /*
682 * Check to see if this is a mac fork of some kind.
683 */
684
685 if( is_ntfs_stream_name(fname)) {
686 enum FAKE_FILE_TYPE fake_file_type = is_fake_file(fname);
687 if (fake_file_type!=FAKE_FILE_TYPE_NONE) {
688 /*
689 * Here we go! support for changing the disk quotas --metze
690 *
691 * We need to fake up to open this MAGIC QUOTA file
692 * and return a valid FID.
693 *
694 * w2k close this file directly after openening
695 * xp also tries a QUERY_FILE_INFO on the file and then close it
696 */
697 reply_ntcreate_and_X_quota(conn, req,
698 fake_file_type, fname);
699 } else {
700 reply_nterror(req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
701 }
702 END_PROFILE(SMBntcreateX);
703 return;
704 }
705 }
706
707 /*
708 * Now contruct the smb_open_mode value from the filename,
709 * desired access and the share access.
710 */
711 status = resolve_dfspath(ctx, conn,
712 req->flags2 & FLAGS2_DFS_PATHNAMES,
713 fname,
714 &fname);
715 if (!NT_STATUS_IS_OK(status)) {
716 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
717 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
718 ERRSRV, ERRbadpath);
719 }
720 else {
721 reply_nterror(req, status);
722 }
723 END_PROFILE(SMBntcreateX);
724 return;
725 }
726
727 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
728 if (oplock_request) {
729 oplock_request |= (flags & REQUEST_BATCH_OPLOCK) ? BATCH_OPLOCK : 0;
730 }
731
732 /*
733 * Ordinary file or directory.
734 */
735
736 /*
737 * Check if POSIX semantics are wanted.
738 */
739
740 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
741 case_state = set_posix_case_semantics(NULL, conn);
742 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
743 }
744
745 status = unix_convert(ctx, conn, fname, False, &fname, NULL, &sbuf);
746 if (!NT_STATUS_IS_OK(status)) {
747 TALLOC_FREE(case_state);
748 reply_nterror(req, status);
749 END_PROFILE(SMBntcreateX);
750 return;
751 }
752 /* All file access must go through check_name() */
753 status = check_name(conn, fname);
754 if (!NT_STATUS_IS_OK(status)) {
755 TALLOC_FREE(case_state);
756 reply_nterror(req, status);
757 END_PROFILE(SMBntcreateX);
758 return;
759 }
760
761 /* This is the correct thing to do (check every time) but can_delete is
762 expensive (it may have to read the parent directory permissions). So
763 for now we're not doing it unless we have a strong hint the client
764 is really going to delete this file. If the client is forcing FILE_CREATE
765 let the filesystem take care of the permissions. */
766
767 /* Setting FILE_SHARE_DELETE is the hint. */
768
769 if (lp_acl_check_permissions(SNUM(conn))
770 && (create_disposition != FILE_CREATE)
771 && (share_access & FILE_SHARE_DELETE)
772 && (access_mask & DELETE_ACCESS)) {
773 if (((dos_mode(conn, fname, &sbuf) & FILE_ATTRIBUTE_READONLY)
774 && !lp_delete_readonly(SNUM(conn))) ||
775 !can_delete_file_in_directory(conn, fname)) {
776 TALLOC_FREE(case_state);
777 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
778 END_PROFILE(SMBntcreateX);
779 return;
780 }
781 }
782
783 #if 0
784 /* We need to support SeSecurityPrivilege for this. */
785 if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) &&
786 !user_has_privileges(current_user.nt_user_token,
787 &se_security)) {
788 TALLOC_FREE(case_state);
789 END_PROFILE(SMBntcreateX);
790 return ERROR_NT(NT_STATUS_PRIVILEGE_NOT_HELD);
791 }
792 #endif
793
794 /*
795 * If it's a request for a directory open, deal with it separately.
796 */
797
798 if(create_options & FILE_DIRECTORY_FILE) {
799
800 /* Can't open a temp directory. IFS kit test. */
801 if (file_attributes & FILE_ATTRIBUTE_TEMPORARY) {
802 TALLOC_FREE(case_state);
803 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
804 END_PROFILE(SMBntcreateX);
805 return;
806 }
807
808 oplock_request = 0;
809 status = open_directory(conn, req, fname, &sbuf,
810 access_mask,
811 share_access,
812 create_disposition,
813 create_options,
814 file_attributes,
815 &info, &fsp);
816
817 } else {
818
819 /*
820 * Ordinary file case.
821 */
822
823 /* NB. We have a potential bug here. If we
824 * cause an oplock break to ourselves, then we
825 * could end up processing filename related
826 * SMB requests whilst we await the oplock
827 * break response. As we may have changed the
828 * filename case semantics to be POSIX-like,
829 * this could mean a filename request could
830 * fail when it should succeed. This is a rare
831 * condition, but eventually we must arrange
832 * to restore the correct case semantics
833 * before issuing an oplock break request to
834 * our client. JRA. */
835
836 status = open_file_ntcreate(conn, req, fname, &sbuf,
837 access_mask,
838 share_access,
839 create_disposition,
840 create_options,
841 file_attributes,
842 oplock_request,
843 &info, &fsp);
844
845 /* We cheat here. There are two cases we
846 * care about. One is a directory rename,
847 * where the NT client will attempt to
848 * open the source directory for
849 * DELETE access. Note that when the
850 * NT client does this it does *not*
851 * set the directory bit in the
852 * request packet. This is translated
853 * into a read/write open
854 * request. POSIX states that any open
855 * for write request on a directory
856 * will generate an EISDIR error, so
857 * we can catch this here and open a
858 * pseudo handle that is flagged as a
859 * directory. The second is an open
860 * for a permissions read only, which
861 * we handle in the open_file_stat case. JRA.
862 */
863
864 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_IS_A_DIRECTORY)) {
865
866 /*
867 * Fail the open if it was explicitly a non-directory
868 * file.
869 */
870
871 if (create_options & FILE_NON_DIRECTORY_FILE) {
872 TALLOC_FREE(case_state);
873 reply_force_nterror(req,
874 NT_STATUS_FILE_IS_A_DIRECTORY);
875 END_PROFILE(SMBntcreateX);
876 return;
877 }
878
879 oplock_request = 0;
880 status = open_directory(conn, req, fname,
881 &sbuf,
882 access_mask,
883 share_access,
884 create_disposition,
885 create_options,
886 file_attributes,
887 &info, &fsp);
888 }
889 }
890
891 TALLOC_FREE(case_state);
892
893 if (!NT_STATUS_IS_OK(status)) {
894 if (open_was_deferred(req->mid)) {
895 /* We have re-scheduled this call. */
896 END_PROFILE(SMBntcreateX);
897 return;
898 }
899 reply_openerror(req, status);
900 END_PROFILE(SMBntcreateX);
901 return;
902 }
903
904 file_len = sbuf.st_size;
905 fattr = dos_mode(conn,fname,&sbuf);
906 if(fattr == 0) {
907 fattr = FILE_ATTRIBUTE_NORMAL;
908 }
909 if (!fsp->is_directory && (fattr & aDIR)) {
910 close_file(fsp,ERROR_CLOSE);
911 reply_doserror(req, ERRDOS, ERRnoaccess);
912 END_PROFILE(SMBntcreateX);
913 return;
914 }
915
916 /* Save the requested allocation size. */
917 if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) {
918 if (allocation_size && (allocation_size > (SMB_BIG_UINT)file_len)) {
919 fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size);
920 if (fsp->is_directory) {
921 close_file(fsp,ERROR_CLOSE);
922 /* Can't set allocation size on a directory. */
923 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
924 END_PROFILE(SMBntcreateX);
925 return;
926 }
927 if (vfs_allocate_file_space(fsp, fsp->initial_allocation_size) == -1) {
928 close_file(fsp,ERROR_CLOSE);
929 reply_nterror(req, NT_STATUS_DISK_FULL);
930 END_PROFILE(SMBntcreateX);
931 return;
932 }
933 } else {
934 fsp->initial_allocation_size = smb_roundup(fsp->conn,(SMB_BIG_UINT)file_len);
935 }
936 }
937
938 /*
939 * If the caller set the extended oplock request bit
940 * and we granted one (by whatever means) - set the
941 * correct bit for extended oplock reply.
942 */
943
944 if (oplock_request && lp_fake_oplocks(SNUM(conn))) {
945 extended_oplock_granted = True;
946 }
947
948 if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
949 extended_oplock_granted = True;
950 }
951
952 if (flags & EXTENDED_RESPONSE_REQUIRED) {
953 /* This is very strange. We
954 * return 50 words, but only set
955 * the wcnt to 42 ? It's definately
956 * what happens on the wire....
957 */
958 reply_outbuf(req, 50, 0);
959 SCVAL(req->outbuf,smb_wct,42);
960 } else {
961 reply_outbuf(req, 34, 0);
962 }
963
964 p = (char *)req->outbuf + smb_vwv2;
965
966 /*
967 * Currently as we don't support level II oplocks we just report
968 * exclusive & batch here.
969 */
970
971 if (extended_oplock_granted) {
972 if (flags & REQUEST_BATCH_OPLOCK) {
973 SCVAL(p,0, BATCH_OPLOCK_RETURN);
974 } else {
975 SCVAL(p,0, EXCLUSIVE_OPLOCK_RETURN);
976 }
977 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
978 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
979 } else {
980 SCVAL(p,0,NO_OPLOCK_RETURN);
981 }
982
983 p++;
984 SSVAL(p,0,fsp->fnum);
985 p += 2;
986 if ((create_disposition == FILE_SUPERSEDE) && (info == FILE_WAS_OVERWRITTEN)) {
987 SIVAL(p,0,FILE_WAS_SUPERSEDED);
988 } else {
989 SIVAL(p,0,info);
990 }
991 p += 4;
992
993 /* Create time. */
994 c_timespec = get_create_timespec(&sbuf,lp_fake_dir_create_times(SNUM(conn)));
995 a_timespec = get_atimespec(&sbuf);
996 m_timespec = get_mtimespec(&sbuf);
997
998 if (lp_dos_filetime_resolution(SNUM(conn))) {
999 dos_filetime_timespec(&c_timespec);
1000 dos_filetime_timespec(&a_timespec);
1001 dos_filetime_timespec(&m_timespec);
1002 }
1003
1004 put_long_date_timespec(p, c_timespec); /* create time. */
1005 p += 8;
1006 put_long_date_timespec(p, a_timespec); /* access time */
1007 p += 8;
1008 put_long_date_timespec(p, m_timespec); /* write time */
1009 p += 8;
1010 put_long_date_timespec(p, m_timespec); /* change time */
1011 p += 8;
1012 SIVAL(p,0,fattr); /* File Attributes. */
1013 p += 4;
1014 SOFF_T(p, 0, get_allocation_size(conn,fsp,&sbuf));
1015 p += 8;
1016 SOFF_T(p,0,file_len);
1017 p += 8;
1018 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1019 SSVAL(p,2,0x7);
1020 }
1021 p += 4;
1022 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1023
1024 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1025 uint32 perms = 0;
1026 p += 25;
1027 if (fsp->is_directory || can_write_to_file(conn, fname, &sbuf)) {
1028 perms = FILE_GENERIC_ALL;
1029 } else {
1030 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1031 }
1032 SIVAL(p,0,perms);
1033 }
1034
1035 DEBUG(5,("reply_ntcreate_and_X: fnum = %d, open name = %s\n", fsp->fnum, fsp->fsp_name));
1036
1037 chain_reply(req);
1038 END_PROFILE(SMBntcreateX);
1039 return;
1040 }
1041
1042 /****************************************************************************
1043 Reply to a NT_TRANSACT_CREATE call to open a pipe.
1044 ****************************************************************************/
1045
1046 static void do_nt_transact_create_pipe(connection_struct *conn,
1047 struct smb_request *req,
1048 uint16 **ppsetup, uint32 setup_count,
1049 char **ppparams, uint32 parameter_count,
1050 char **ppdata, uint32 data_count)
1051 {
1052 char *fname = NULL;
1053 char *params = *ppparams;
1054 int pnum = -1;
1055 char *p = NULL;
1056 NTSTATUS status;
1057 size_t param_len;
1058 uint32 flags;
1059 TALLOC_CTX *ctx = talloc_tos();
1060
1061 /*
1062 * Ensure minimum number of parameters sent.
1063 */
1064
1065 if(parameter_count < 54) {
1066 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1067 reply_doserror(req, ERRDOS, ERRnoaccess);
1068 return;
1069 }
1070
1071 flags = IVAL(params,0);
1072
1073 srvstr_get_path(ctx, params, req->flags2, &fname, params+53,
1074 parameter_count-53, STR_TERMINATE,
1075 &status);
1076 if (!NT_STATUS_IS_OK(status)) {
1077 reply_nterror(req, status);
1078 return;
1079 }
1080
1081 nt_open_pipe(fname, conn, req, &pnum);
1082
1083 if (req->outbuf) {
1084 /* Error return */
1085 return;
1086 }
1087
1088 /* Realloc the size of parameters and data we will return */
1089 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1090 /* Extended response is 32 more byyes. */
1091 param_len = 101;
1092 } else {
1093 param_len = 69;
1094 }
1095 params = nttrans_realloc(ppparams, param_len);
1096 if(params == NULL) {
1097 reply_doserror(req, ERRDOS, ERRnomem);
1098 return;
1099 }
1100
1101 p = params;
1102 SCVAL(p,0,NO_OPLOCK_RETURN);
1103
1104 p += 2;
1105 SSVAL(p,0,pnum);
1106 p += 2;
1107 SIVAL(p,0,FILE_WAS_OPENED);
1108 p += 8;
1109
1110 p += 32;
1111 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
1112 p += 20;
1113 /* File type. */
1114 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
1115 /* Device state. */
1116 SSVAL(p,2, 0x5FF); /* ? */
1117 p += 4;
1118
1119 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1120 p += 25;
1121 SIVAL(p,0,FILE_GENERIC_ALL);
1122 /*
1123 * For pipes W2K3 seems to return
1124 * 0x12019B next.
1125 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
1126 */
1127 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
1128 }
1129
1130 DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
1131
1132 /* Send the required number of replies */
1133 send_nt_replies(req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1134
1135 return;
1136 }
1137
1138 /****************************************************************************
1139 Internal fn to set security descriptors.
1140 ****************************************************************************/
1141
1142 static NTSTATUS set_sd(files_struct *fsp, char *data, uint32 sd_len, uint32 security_info_sent)
1143 {
1144 prs_struct pd;
1145 SEC_DESC *psd = NULL;
1146 TALLOC_CTX *mem_ctx;
1147 NTSTATUS status;
1148
1149 if (sd_len == 0 || !lp_nt_acl_support(SNUM(fsp->conn))) {
1150 return NT_STATUS_OK;
1151 }
1152
1153 /*
1154 * Init the parse struct we will unmarshall from.
1155 */
1156
1157 if ((mem_ctx = talloc_init("set_sd")) == NULL) {
1158 DEBUG(0,("set_sd: talloc_init failed.\n"));
1159 return NT_STATUS_NO_MEMORY;
1160 }
1161
1162 prs_init(&pd, 0, mem_ctx, UNMARSHALL);
1163
1164 /*
1165 * Setup the prs_struct to point at the memory we just
1166 * allocated.
1167 */
1168
1169 prs_give_memory( &pd, data, sd_len, False);
1170
1171 /*
1172 * Finally, unmarshall from the data buffer.
1173 */
1174
1175 if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
1176 DEBUG(0,("set_sd: Error in unmarshalling security descriptor.\n"));
1177 /*
1178 * Return access denied for want of a better error message..
1179 */
1180 talloc_destroy(mem_ctx);
1181 return NT_STATUS_NO_MEMORY;
1182 }
1183
1184 if (psd->owner_sid==0) {
1185 security_info_sent &= ~OWNER_SECURITY_INFORMATION;
1186 }
1187 if (psd->group_sid==0) {
1188 security_info_sent &= ~GROUP_SECURITY_INFORMATION;
1189 }
1190 if (psd->sacl==0) {
1191 security_info_sent &= ~SACL_SECURITY_INFORMATION;
1192 }
1193 if (psd->dacl==0) {
1194 security_info_sent &= ~DACL_SECURITY_INFORMATION;
1195 }
1196
1197 status = SMB_VFS_FSET_NT_ACL( fsp, fsp->fh->fd, security_info_sent, psd);
1198
1199 talloc_destroy(mem_ctx);
1200 return status;
1201 }
1202
1203 /****************************************************************************
1204 Read a list of EA names and data from an incoming data buffer. Create an ea_list with them.
1205 ****************************************************************************/
1206
1207 static struct ea_list *read_nttrans_ea_list(TALLOC_CTX *ctx, const char *pdata, size_t data_size)
1208 {
1209 struct ea_list *ea_list_head = NULL;
1210 size_t offset = 0;
1211
1212 if (data_size < 4) {
1213 return NULL;
1214 }
1215
1216 while (offset + 4 <= data_size) {
1217 size_t next_offset = IVAL(pdata,offset);
1218 struct ea_list *eal = read_ea_list_entry(ctx, pdata + offset + 4, data_size - offset - 4, NULL);
1219
1220 if (!eal) {
1221 return NULL;
1222 }
1223
1224 DLIST_ADD_END(ea_list_head, eal, struct ea_list *);
1225 if (next_offset == 0) {
1226 break;
1227 }
1228 offset += next_offset;
1229 }
1230
1231 return ea_list_head;
1232 }
1233
1234 /****************************************************************************
1235 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
1236 ****************************************************************************/
1237
1238 static void call_nt_transact_create(connection_struct *conn,
1239 struct smb_request *req,
1240 uint16 **ppsetup, uint32 setup_count,
1241 char **ppparams, uint32 parameter_count,
1242 char **ppdata, uint32 data_count,
1243 uint32 max_data_count)
1244 {
1245 char *fname = NULL;
1246 char *params = *ppparams;
1247 char *data = *ppdata;
1248 /* Breakout the oplock request bits so we can set the reply bits separately. */
1249 int oplock_request = 0;
1250 uint32 fattr=0;
1251 SMB_OFF_T file_len = 0;
1252 SMB_STRUCT_STAT sbuf;
1253 int info = 0;
1254 files_struct *fsp = NULL;
1255 char *p = NULL;
1256 bool extended_oplock_granted = False;
1257 uint32 flags;
1258 uint32 access_mask;
1259 uint32 file_attributes;
1260 uint32 share_access;
1261 uint32 create_disposition;
1262 uint32 create_options;
1263 uint32 sd_len;
1264 uint32 ea_len;
1265 uint16 root_dir_fid;
1266 struct timespec c_timespec;
1267 struct timespec a_timespec;
1268 struct timespec m_timespec;
1269 struct ea_list *ea_list = NULL;
1270 char *pdata = NULL;
1271 NTSTATUS status;
1272 size_t param_len;
1273 struct case_semantics_state *case_state = NULL;
1274 SMB_BIG_UINT allocation_size;
1275 TALLOC_CTX *ctx = talloc_tos();
1276
1277 DEBUG(5,("call_nt_transact_create\n"));
1278
1279 /*
1280 * If it's an IPC, use the pipe handler.
1281 */
1282
1283 if (IS_IPC(conn)) {
1284 if (lp_nt_pipe_support()) {
1285 do_nt_transact_create_pipe(
1286 conn, req,
1287 ppsetup, setup_count,
1288 ppparams, parameter_count,
1289 ppdata, data_count);
1290 return;
1291 } else {
1292 reply_doserror(req, ERRDOS, ERRnoaccess);
1293 return;
1294 }
1295 }
1296
1297 /*
1298 * Ensure minimum number of parameters sent.
1299 */
1300
1301 if(parameter_count < 54) {
1302 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1303 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1304 return;
1305 }
1306
1307 flags = IVAL(params,0);
1308 access_mask = IVAL(params,8);
1309 file_attributes = IVAL(params,20);
1310 share_access = IVAL(params,24);
1311 create_disposition = IVAL(params,28);
1312 create_options = IVAL(params,32);
1313 sd_len = IVAL(params,36);
1314 ea_len = IVAL(params,40);
1315 root_dir_fid = (uint16)IVAL(params,4);
1316 allocation_size = (SMB_BIG_UINT)IVAL(params,12);
1317 #ifdef LARGE_SMB_OFF_T
1318 allocation_size |= (((SMB_BIG_UINT)IVAL(params,16)) << 32);
1319 #endif
1320
1321 /* Ensure the data_len is correct for the sd and ea values given. */
1322 if ((ea_len + sd_len > data_count) ||
1323 (ea_len > data_count) || (sd_len > data_count) ||
1324 (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1325 DEBUG(10,("call_nt_transact_create - ea_len = %u, sd_len = %u, data_count = %u\n",
1326 (unsigned int)ea_len, (unsigned int)sd_len, (unsigned int)data_count ));
1327 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1328 return;
1329 }
1330
1331 if (ea_len) {
1332 if (!lp_ea_support(SNUM(conn))) {
1333 DEBUG(10,("call_nt_transact_create - ea_len = %u but EA's not supported.\n",
1334 (unsigned int)ea_len ));
1335 reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1336 return;
1337 }
1338
1339 if (ea_len < 10) {
1340 DEBUG(10,("call_nt_transact_create - ea_len = %u - too small (should be more than 10)\n",
1341 (unsigned int)ea_len ));
1342 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1343 return;
1344 }
1345 }
1346
1347 srvstr_get_path(ctx, params, req->flags2, &fname,
1348 params+53, parameter_count-53,
1349 STR_TERMINATE, &status);
1350 if (!NT_STATUS_IS_OK(status)) {
1351 reply_nterror(req, status);
1352 return;
1353 }
1354
1355 if (create_options & FILE_OPEN_BY_FILE_ID) {
1356 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
1357 return;
1358 }
1359
1360 /*
1361 * Get the file name.
1362 */
1363
1364 if(root_dir_fid != 0) {
1365 /*
1366 * This filename is relative to a directory fid.
1367 */
1368 char *parent_fname = NULL;
1369 char *tmp;
1370 files_struct *dir_fsp = file_fsp(root_dir_fid);
1371
1372 if(!dir_fsp) {
1373 reply_doserror(req, ERRDOS, ERRbadfid);
1374 return;
1375 }
1376
1377 if(!dir_fsp->is_directory) {
1378
1379 /*
1380 * Check to see if this is a mac fork of some kind.
1381 */
1382
1383 if( is_ntfs_stream_name(fname)) {
1384 reply_nterror(req,
1385 NT_STATUS_OBJECT_PATH_NOT_FOUND);
1386 return;
1387 }
1388
1389 /*
1390 we need to handle the case when we get a
1391 relative open relative to a file and the
1392 pathname is blank - this is a reopen!
1393 (hint from demyn plantenberg)
1394 */
1395
1396 reply_doserror(req, ERRDOS, ERRbadfid);
1397 return;
1398 }
1399
1400 if (ISDOT(dir_fsp->fsp_name)) {
1401 /*
1402 * We're at the toplevel dir, the final file name
1403 * must not contain ./, as this is filtered out
1404 * normally by srvstr_get_path and unix_convert
1405 * explicitly rejects paths containing ./.
1406 */
1407 parent_fname = talloc_strdup(ctx,"");
1408 if (!parent_fname) {
1409 reply_nterror(req, NT_STATUS_NO_MEMORY);
1410 return;
1411 }
1412 } else {
1413 size_t dir_name_len = strlen(dir_fsp->fsp_name);
1414
1415 /*
1416 * Copy in the base directory name.
1417 */
1418
1419 parent_fname = TALLOC_ARRAY(ctx, char, dir_name_len+2);
1420 if (!fname) {
1421 reply_nterror(req, NT_STATUS_NO_MEMORY);
1422 return;
1423 }
1424 memcpy(parent_fname, dir_fsp->fsp_name,
1425 dir_name_len+1);
1426
1427 /*
1428 * Ensure it ends in a '/'.
1429 * We used TALLOC_SIZE +2 to add space for the '/'.
1430 */
1431
1432 if(dir_name_len
1433 && (parent_fname[dir_name_len-1] != '\\')
1434 && (parent_fname[dir_name_len-1] != '/')) {
1435 parent_fname[dir_name_len] = '/';
1436 parent_fname[dir_name_len+1] = '\0';
1437 }
1438 }
1439
1440 tmp = talloc_asprintf(ctx, "%s%s", parent_fname, fname);
1441 if (tmp == NULL) {
1442 reply_nterror(req, NT_STATUS_NO_MEMORY);
1443 END_PROFILE(SMBntcreateX);
1444 return;
1445 }
1446 TALLOC_FREE(fname);
1447 fname = tmp;
1448 } else {
1449 /*
1450 * Check to see if this is a mac fork of some kind.
1451 */
1452
1453 if( is_ntfs_stream_name(fname)) {
1454 reply_nterror(req, NT_STATUS_OBJECT_PATH_NOT_FOUND);
1455 return;
1456 }
1457 }
1458
1459 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1460 if (oplock_request) {
1461 oplock_request |= (flags & REQUEST_BATCH_OPLOCK) ? BATCH_OPLOCK : 0;
1462 }
1463
1464 /*
1465 * Ordinary file or directory.
1466 */
1467
1468 /*
1469 * Check if POSIX semantics are wanted.
1470 */
1471
1472 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1473 case_state = set_posix_case_semantics(NULL, conn);
1474 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1475 }
1476
1477 status = resolve_dfspath(ctx, conn,
1478 req->flags2 & FLAGS2_DFS_PATHNAMES,
1479 fname,
1480 &fname);
1481 if (!NT_STATUS_IS_OK(status)) {
1482 TALLOC_FREE(case_state);
1483 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1484 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
1485 ERRSRV, ERRbadpath);
1486 return;
1487 }
1488 reply_nterror(req, status);
1489 return;
1490 }
1491
1492 status = unix_convert(ctx, conn, fname, False, &fname, NULL, &sbuf);
1493 if (!NT_STATUS_IS_OK(status)) {
1494 TALLOC_FREE(case_state);
1495 reply_nterror(req, status);
1496 return;
1497 }
1498 /* All file access must go through check_name() */
1499 status = check_name(conn, fname);
1500 if (!NT_STATUS_IS_OK(status)) {
1501 TALLOC_FREE(case_state);
1502 reply_nterror(req, status);
1503 return;
1504 }
1505
1506 /* This is the correct thing to do (check every time) but can_delete is
1507 expensive (it may have to read the parent directory permissions). So
1508 for now we're not doing it unless we have a strong hint the client
1509 is really going to delete this file. If the client is forcing FILE_CREATE
1510 let the filesystem take care of the permissions. */
1511
1512 /* Setting FILE_SHARE_DELETE is the hint. */
1513
1514 if (lp_acl_check_permissions(SNUM(conn))
1515 && (create_disposition != FILE_CREATE)
1516 && (share_access & FILE_SHARE_DELETE)
1517 && (access_mask & DELETE_ACCESS)) {
1518 if (((dos_mode(conn, fname, &sbuf) & FILE_ATTRIBUTE_READONLY)
1519 && !lp_delete_readonly(SNUM(conn))) ||
1520 !can_delete_file_in_directory(conn, fname)) {
1521 TALLOC_FREE(case_state);
1522 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1523 return;
1524 }
1525 }
1526
1527 #if 0
1528 /* We need to support SeSecurityPrivilege for this. */
1529 if ((access_mask & SEC_RIGHT_SYSTEM_SECURITY) &&
1530 !user_has_privileges(current_user.nt_user_token,
1531 &se_security)) {
1532 TALLOC_FREE(case_state);
1533 reply_nterror(req, NT_STATUS_PRIVILEGE_NOT_HELD);
1534 return;
1535 }
1536 #endif
1537
1538 if (ea_len) {
1539 pdata = data + sd_len;
1540
1541 /* We have already checked that ea_len <= data_count here. */
1542 ea_list = read_nttrans_ea_list(talloc_tos(), pdata,
1543 ea_len);
1544 if (!ea_list ) {
1545 TALLOC_FREE(case_state);
1546 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1547 return;
1548 }
1549 }
1550
1551 /*
1552 * If it's a request for a directory open, deal with it separately.
1553 */
1554
1555 if(create_options & FILE_DIRECTORY_FILE) {
1556
1557 /* Can't open a temp directory. IFS kit test. */
1558 if (file_attributes & FILE_ATTRIBUTE_TEMPORARY) {
1559 TALLOC_FREE(case_state);
1560 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1561 return;
1562 }
1563
1564 /*
1565 * We will get a create directory here if the Win32
1566 * app specified a security descriptor in the
1567 * CreateDirectory() call.
1568 */
1569
1570 oplock_request = 0;
1571 status = open_directory(conn, req, fname, &sbuf,
1572 access_mask,
1573 share_access,
1574 create_disposition,
1575 create_options,
1576 file_attributes,
1577 &info, &fsp);
1578 } else {
1579
1580 /*
1581 * Ordinary file case.
1582 */
1583
1584 status = open_file_ntcreate(conn,req,fname,&sbuf,
1585 access_mask,
1586 share_access,
1587 create_disposition,
1588 create_options,
1589 file_attributes,
1590 oplock_request,
1591 &info, &fsp);
1592
1593 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_IS_A_DIRECTORY)) {
1594
1595 /*
1596 * Fail the open if it was explicitly a non-directory file.
1597 */
1598
1599 if (create_options & FILE_NON_DIRECTORY_FILE) {
1600 TALLOC_FREE(case_state);
1601 reply_force_nterror(
1602 req,
1603 NT_STATUS_FILE_IS_A_DIRECTORY);
1604 return;
1605 }
1606
1607 oplock_request = 0;
1608 status = open_directory(conn, req, fname,
1609 &sbuf,
1610 access_mask,
1611 share_access,
1612 create_disposition,
1613 create_options,
1614 file_attributes,
1615 &info, &fsp);
1616 }
1617 }
1618
1619 TALLOC_FREE(case_state);
1620
1621 if(!NT_STATUS_IS_OK(status)) {
1622 if (open_was_deferred(req->mid)) {
1623 /* We have re-scheduled this call. */
1624 return;
1625 }
1626 reply_openerror(req, status);
1627 return;
1628 }
1629
1630 /*
1631 * According to the MS documentation, the only time the security
1632 * descriptor is applied to the opened file is iff we *created* the
1633 * file; an existing file stays the same.
1634 *
1635 * Also, it seems (from observation) that you can open the file with
1636 * any access mask but you can still write the sd. We need to override
1637 * the granted access before we call set_sd
1638 * Patch for bug #2242 from Tom Lackemann <cessnatomny@yahoo.com>.
1639 */
1640
1641 if (lp_nt_acl_support(SNUM(conn)) && sd_len && info == FILE_WAS_CREATED) {
1642 uint32 saved_access_mask = fsp->access_mask;
1643
1644 /* We have already checked that sd_len <= data_count here. */
1645
1646 fsp->access_mask = FILE_GENERIC_ALL;
1647
1648 status = set_sd( fsp, data, sd_len, ALL_SECURITY_INFORMATION);
1649 if (!NT_STATUS_IS_OK(status)) {
1650 close_file(fsp,ERROR_CLOSE);
1651 TALLOC_FREE(case_state);
1652 reply_nterror(req, status);
1653 return;
1654 }
1655 fsp->access_mask = saved_access_mask;
1656 }
1657
1658 if (ea_len && (info == FILE_WAS_CREATED)) {
1659 status = set_ea(conn, fsp, fname, ea_list);
1660 if (!NT_STATUS_IS_OK(status)) {
1661 close_file(fsp,ERROR_CLOSE);
1662 TALLOC_FREE(case_state);
1663 reply_nterror(req, status);
1664 return;
1665 }
1666 }
1667
1668 TALLOC_FREE(case_state);
1669
1670 file_len = sbuf.st_size;
1671 fattr = dos_mode(conn,fname,&sbuf);
1672 if(fattr == 0) {
1673 fattr = FILE_ATTRIBUTE_NORMAL;
1674 }
1675 if (!fsp->is_directory && (fattr & aDIR)) {
1676 close_file(fsp,ERROR_CLOSE);
1677 reply_doserror(req, ERRDOS, ERRnoaccess);
1678 return;
1679 }
1680
1681 /* Save the requested allocation size. */
1682 if ((info == FILE_WAS_CREATED) || (info == FILE_WAS_OVERWRITTEN)) {
1683 if (allocation_size && (allocation_size > file_len)) {
1684 fsp->initial_allocation_size = smb_roundup(fsp->conn, allocation_size);
1685 if (fsp->is_directory) {
1686 close_file(fsp,ERROR_CLOSE);
1687 /* Can't set allocation size on a directory. */
1688 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1689 return;
1690 }
1691 if (vfs_allocate_file_space(fsp, fsp->initial_allocation_size) == -1) {
1692 close_file(fsp,ERROR_CLOSE);
1693 reply_nterror(req, NT_STATUS_DISK_FULL);
1694 return;
1695 }
1696 } else {
1697 fsp->initial_allocation_size = smb_roundup(fsp->conn, (SMB_BIG_UINT)file_len);
1698 }
1699 }
1700
1701 /*
1702 * If the caller set the extended oplock request bit
1703 * and we granted one (by whatever means) - set the
1704 * correct bit for extended oplock reply.
1705 */
1706
1707 if (oplock_request && lp_fake_oplocks(SNUM(conn))) {
1708 extended_oplock_granted = True;
1709 }
1710
1711 if(oplock_request && EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type)) {
1712 extended_oplock_granted = True;
1713 }
1714
1715 /* Realloc the size of parameters and data we will return */
1716 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1717 /* Extended response is 32 more byyes. */
1718 param_len = 101;
1719 } else {
1720 param_len = 69;
1721 }
1722 params = nttrans_realloc(ppparams, param_len);
1723 if(params == NULL) {
1724 reply_doserror(req, ERRDOS, ERRnomem);
1725 return;
1726 }
1727
1728 p = params;
1729 if (extended_oplock_granted) {
1730 if (flags & REQUEST_BATCH_OPLOCK) {
1731 SCVAL(p,0, BATCH_OPLOCK_RETURN);
1732 } else {
1733 SCVAL(p,0, EXCLUSIVE_OPLOCK_RETURN);
1734 }
1735 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1736 SCVAL(p,0, LEVEL_II_OPLOCK_RETURN);
1737 } else {
1738 SCVAL(p,0,NO_OPLOCK_RETURN);
1739 }
1740
1741 p += 2;
1742 SSVAL(p,0,fsp->fnum);
1743 p += 2;
1744 if ((create_disposition == FILE_SUPERSEDE) && (info == FILE_WAS_OVERWRITTEN)) {
1745 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1746 } else {
1747 SIVAL(p,0,info);
1748 }
1749 p += 8;
1750
1751 /* Create time. */
1752 c_timespec = get_create_timespec(&sbuf,lp_fake_dir_create_times(SNUM(conn)));
1753 a_timespec = get_atimespec(&sbuf);
1754 m_timespec = get_mtimespec(&sbuf);
1755
1756 if (lp_dos_filetime_resolution(SNUM(conn))) {
1757 dos_filetime_timespec(&c_timespec);
1758 dos_filetime_timespec(&a_timespec);
1759 dos_filetime_timespec(&m_timespec);
1760 }
1761
1762 put_long_date_timespec(p, c_timespec); /* create time. */
1763 p += 8;
1764 put_long_date_timespec(p, a_timespec); /* access time */
1765 p += 8;
1766 put_long_date_timespec(p, m_timespec); /* write time */
1767 p += 8;
1768 put_long_date_timespec(p, m_timespec); /* change time */
1769 p += 8;
1770 SIVAL(p,0,fattr); /* File Attributes. */
1771 p += 4;
1772 SOFF_T(p, 0, get_allocation_size(conn,fsp,&sbuf));
1773 p += 8;
1774 SOFF_T(p,0,file_len);
1775 p += 8;
1776 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1777 SSVAL(p,2,0x7);
1778 }
1779 p += 4;
1780 SCVAL(p,0,fsp->is_directory ? 1 : 0);
1781
1782 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1783 uint32 perms = 0;
1784 p += 25;
1785 if (fsp->is_directory || can_write_to_file(conn, fname, &sbuf)) {
1786 perms = FILE_GENERIC_ALL;
1787 } else {
1788 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1789 }
1790 SIVAL(p,0,perms);
1791 }
1792
1793 DEBUG(5,("call_nt_transact_create: open name = %s\n", fname));
1794
1795 /* Send the required number of replies */
1796 send_nt_replies(req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1797
1798 return;
1799 }
1800
1801 /****************************************************************************
1802 Reply to a NT CANCEL request.
1803 conn POINTER CAN BE NULL HERE !
1804 ****************************************************************************/
1805
1806 void reply_ntcancel(connection_struct *conn, struct smb_request *req)
1807 {
1808 /*
1809 * Go through and cancel any pending change notifies.
1810 */
1811
1812 START_PROFILE(SMBntcancel);
1813 remove_pending_change_notify_requests_by_mid(req->mid);
1814 remove_pending_lock_requests_by_mid(req->mid);
1815 srv_cancel_sign_response(req->mid);
1816
1817 DEBUG(3,("reply_ntcancel: cancel called on mid = %d.\n", req->mid));
1818
1819 END_PROFILE(SMBntcancel);
1820 return;
1821 }
1822
1823 /****************************************************************************
1824 Copy a file.
1825 ****************************************************************************/
1826
1827 static NTSTATUS copy_internals(TALLOC_CTX *ctx,
1828 connection_struct *conn,
1829 struct smb_request *req,
1830 const char *oldname_in,
1831 const char *newname_in,
1832 uint32 attrs)
1833 {
1834 SMB_STRUCT_STAT sbuf1, sbuf2;
1835 char *oldname = NULL;
1836 char *newname = NULL;
1837 char *last_component_oldname = NULL;
1838 char *last_component_newname = NULL;
1839 files_struct *fsp1,*fsp2;
1840 uint32 fattr;
1841 int info;
1842 SMB_OFF_T ret=-1;
1843 NTSTATUS status = NT_STATUS_OK;
1844
1845 ZERO_STRUCT(sbuf1);
1846 ZERO_STRUCT(sbuf2);
1847
1848 if (!CAN_WRITE(conn)) {
1849 return NT_STATUS_MEDIA_WRITE_PROTECTED;
1850 }
1851
1852 status = unix_convert(ctx, conn, oldname_in, False, &oldname,
1853 &last_component_oldname, &sbuf1);
1854 if (!NT_STATUS_IS_OK(status)) {
1855 return status;
1856 }
1857
1858 status = check_name(conn, oldname);
1859 if (!NT_STATUS_IS_OK(status)) {
1860 return status;
1861 }
1862
1863 /* Source must already exist. */
1864 if (!VALID_STAT(sbuf1)) {
1865 return NT_STATUS_OBJECT_NAME_NOT_FOUND;
1866 }
1867 /* Ensure attributes match. */
1868 fattr = dos_mode(conn,oldname,&sbuf1);
1869 if ((fattr & ~attrs) & (aHIDDEN | aSYSTEM)) {
1870 return NT_STATUS_NO_SUCH_FILE;
1871 }
1872
1873 status = unix_convert(ctx, conn, newname_in, False, &newname,
1874 &last_component_newname, &sbuf2);
1875 if (!NT_STATUS_IS_OK(status)) {
1876 return status;
1877 }
1878
1879 status = check_name(conn, newname);
1880 if (!NT_STATUS_IS_OK(status)) {
1881 return status;
1882 }
1883
1884 /* Disallow if newname already exists. */
1885 if (VALID_STAT(sbuf2)) {
1886 return NT_STATUS_OBJECT_NAME_COLLISION;
1887 }
1888
1889 /* No links from a directory. */
1890 if (S_ISDIR(sbuf1.st_mode)) {
1891 return NT_STATUS_FILE_IS_A_DIRECTORY;
1892 }
1893
1894 /* Ensure this is within the share. */
1895 status = check_reduced_name(conn, oldname);
1896 if (!NT_STATUS_IS_OK(status)) {
1897 return status;
1898 }
1899
1900 DEBUG(10,("copy_internals: doing file copy %s to %s\n",
1901 oldname, newname));
1902
1903 status = open_file_ntcreate(conn, req, oldname, &sbuf1,
1904 FILE_READ_DATA, /* Read-only. */
1905 FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
1906 FILE_OPEN,
1907 0, /* No create options. */
1908 FILE_ATTRIBUTE_NORMAL,
1909 NO_OPLOCK,
1910 &info, &fsp1);
1911
1912 if (!NT_STATUS_IS_OK(status)) {
1913 return status;
1914 }
1915
1916 status = open_file_ntcreate(conn, req, newname, &sbuf2,
1917 FILE_WRITE_DATA, /* Read-only. */
1918 FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE,
1919 FILE_CREATE,
1920 0, /* No create options. */
1921 fattr,
1922 NO_OPLOCK,
1923 &info, &fsp2);
1924
1925 if (!NT_STATUS_IS_OK(status)) {
1926 close_file(fsp1,ERROR_CLOSE);
1927 return status;
1928 }
1929
1930 if (sbuf1.st_size) {
1931 ret = vfs_transfer_file(fsp1, fsp2, sbuf1.st_size);
1932 }
1933
1934 /*
1935 * As we are opening fsp1 read-only we only expect
1936 * an error on close on fsp2 if we are out of space.
1937 * Thus we don't look at the error return from the
1938 * close of fsp1.
1939 */
1940 close_file(fsp1,NORMAL_CLOSE);
1941
1942 /* Ensure the modtime is set correctly on the destination file. */
1943 fsp_set_pending_modtime(fsp2, get_mtimespec(&sbuf1));
1944
1945 status = close_file(fsp2,NORMAL_CLOSE);
1946
1947 /* Grrr. We have to do this as open_file_ntcreate adds aARCH when it
1948 creates the file. This isn't the correct thing to do in the copy
1949 case. JRA */
1950 file_set_dosmode(conn, newname, fattr, &sbuf2,
1951 parent_dirname(newname),false);
1952
1953 if (ret < (SMB_OFF_T)sbuf1.st_size) {
1954 return NT_STATUS_DISK_FULL;
1955 }
1956
1957 if (!NT_STATUS_IS_OK(status)) {
1958 DEBUG(3,("copy_internals: Error %s copy file %s to %s\n",
1959 nt_errstr(status), oldname, newname));
1960 }
1961 return status;
1962 }
1963
1964 /****************************************************************************
1965 Reply to a NT rename request.
1966 ****************************************************************************/
1967
1968 void reply_ntrename(connection_struct *conn, struct smb_request *req)
1969 {
1970 char *oldname = NULL;
1971 char *newname = NULL;
1972 char *p;
1973 NTSTATUS status;
1974 bool src_has_wcard = False;
1975 bool dest_has_wcard = False;
1976 uint32 attrs;
1977 uint16 rename_type;
1978 TALLOC_CTX *ctx = talloc_tos();
1979
1980 START_PROFILE(SMBntrename);
1981
1982 if (req->wct < 4) {
1983 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1984 END_PROFILE(SMBntrename);
1985 return;
1986 }
1987
1988 attrs = SVAL(req->inbuf,smb_vwv0);
1989 rename_type = SVAL(req->inbuf,smb_vwv1);
1990
1991 p = smb_buf(req->inbuf) + 1;
1992 p += srvstr_get_path_wcard(ctx, (char *)req->inbuf, req->flags2, &oldname, p,
1993 0, STR_TERMINATE, &status,
1994 &src_has_wcard);
1995 if (!NT_STATUS_IS_OK(status)) {
1996 reply_nterror(req, status);
1997 END_PROFILE(SMBntrename);
1998 return;
1999 }
2000
2001 if( is_ntfs_stream_name(oldname)) {
2002 /* Can't rename a stream. */
2003 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2004 END_PROFILE(SMBntrename);
2005 return;
2006 }
2007
2008 if (ms_has_wild(oldname)) {
2009 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
2010 END_PROFILE(SMBntrename);
2011 return;
2012 }
2013
2014 p++;
2015 p += srvstr_get_path_wcard(ctx, (char *)req->inbuf, req->flags2, &newname, p,
2016 0, STR_TERMINATE, &status,
2017 &dest_has_wcard);
2018 if (!NT_STATUS_IS_OK(status)) {
2019 reply_nterror(req, status);
2020 END_PROFILE(SMBntrename);
2021 return;
2022 }
2023
2024 status = resolve_dfspath(ctx, conn,
2025 req->flags2 & FLAGS2_DFS_PATHNAMES,
2026 oldname,
2027 &oldname);
2028 if (!NT_STATUS_IS_OK(status)) {
2029 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
2030 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
2031 ERRSRV, ERRbadpath);
2032 END_PROFILE(SMBntrename);
2033 return;
2034 }
2035 reply_nterror(req, status);
2036 END_PROFILE(SMBntrename);
2037 return;
2038 }
2039
2040 status = resolve_dfspath(ctx, conn,
2041 req->flags2 & FLAGS2_DFS_PATHNAMES,
2042 newname,
2043 &newname);
2044 if (!NT_STATUS_IS_OK(status)) {
2045 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
2046 reply_botherror(req, NT_STATUS_PATH_NOT_COVERED,
2047 ERRSRV, ERRbadpath);
2048 END_PROFILE(SMBntrename);
2049 return;
2050 }
2051 reply_nterror(req, status);
2052 END_PROFILE(SMBntrename);
2053 return;
2054 }
2055
2056 DEBUG(3,("reply_ntrename : %s -> %s\n",oldname,newname));
2057
2058 switch(rename_type) {
2059 case RENAME_FLAG_RENAME:
2060 status = rename_internals(ctx, conn, req, oldname,
2061 newname, attrs, False, src_has_wcard,
2062 dest_has_wcard);
2063 break;
2064 case RENAME_FLAG_HARD_LINK:
2065 if (src_has_wcard || dest_has_wcard) {
2066 /* No wildcards. */
2067 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
2068 } else {
2069 status = hardlink_internals(ctx,
2070 conn,
2071 oldname,
2072 newname);
2073 }
2074 break;
2075 case RENAME_FLAG_COPY:
2076 if (src_has_wcard || dest_has_wcard) {
2077 /* No wildcards. */
2078 status = NT_STATUS_OBJECT_PATH_SYNTAX_BAD;
2079 } else {
2080 status = copy_internals(ctx, conn, req, oldname,
2081 newname, attrs);
2082 }
2083 break;
2084 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
2085 status = NT_STATUS_INVALID_PARAMETER;
2086 break;
2087 default:
2088 status = NT_STATUS_ACCESS_DENIED; /* Default error. */
2089 break;
2090 }
2091
2092 if (!NT_STATUS_IS_OK(status)) {
2093 if (open_was_deferred(req->mid)) {
2094 /* We have re-scheduled this call. */
2095 END_PROFILE(SMBntrename);
2096 return;
2097 }
2098
2099 reply_nterror(req, status);
2100 END_PROFILE(SMBntrename);
2101 return;
2102 }
2103
2104 reply_outbuf(req, 0, 0);
2105
2106 END_PROFILE(SMBntrename);
2107 return;
2108 }
2109
2110 /****************************************************************************
2111 Reply to a notify change - queue the request and
2112 don't allow a directory to be opened.
2113 ****************************************************************************/
2114
2115 static void call_nt_transact_notify_change(connection_struct *conn,
2116 struct smb_request *req,
2117 uint16 **ppsetup,
2118 uint32 setup_count,
2119 char **ppparams,
2120 uint32 parameter_count,
2121 char **ppdata, uint32 data_count,
2122 uint32 max_data_count,
2123 uint32 max_param_count)
2124 {
2125 uint16 *setup = *ppsetup;
2126 files_struct *fsp;
2127 uint32 filter;
2128 NTSTATUS status;
2129 bool recursive;
2130
2131 if(setup_count < 6) {
2132 reply_doserror(req, ERRDOS, ERRbadfunc);
2133 return;
2134 }
2135
2136 fsp = file_fsp(SVAL(setup,4));
2137 filter = IVAL(setup, 0);
2138 recursive = (SVAL(setup, 6) != 0) ? True : False;
2139
2140 DEBUG(3,("call_nt_transact_notify_change\n"));
2141
2142 if(!fsp) {
2143 reply_doserror(req, ERRDOS, ERRbadfid);
2144 return;
2145 }
2146
2147 {
2148 char *filter_string;
2149
2150 if (!(filter_string = notify_filter_string(NULL, filter))) {
2151 reply_nterror(req,NT_STATUS_NO_MEMORY);
2152 return;
2153 }
2154
2155 DEBUG(3,("call_nt_transact_notify_change: notify change "
2156 "called on %s, filter = %s, recursive = %d\n",
2157 fsp->fsp_name, filter_string, recursive));
2158
2159 TALLOC_FREE(filter_string);
2160 }
2161
2162 if((!fsp->is_directory) || (conn != fsp->conn)) {
2163 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2164 return;
2165 }
2166
2167 if (fsp->notify == NULL) {
2168
2169 status = change_notify_create(fsp, filter, recursive);
2170
2171 if (!NT_STATUS_IS_OK(status)) {
2172 DEBUG(10, ("change_notify_create returned %s\n",
2173 nt_errstr(status)));
2174 reply_nterror(req, status);
2175 return;
2176 }
2177 }
2178
2179 if (fsp->notify->num_changes != 0) {
2180
2181 /*
2182 * We've got changes pending, respond immediately
2183 */
2184
2185 /*
2186 * TODO: write a torture test to check the filtering behaviour
2187 * here.
2188 */
2189
2190 change_notify_reply(req->inbuf, max_param_count, fsp->notify);
2191
2192 /*
2193 * change_notify_reply() above has independently sent its
2194 * results
2195 */
2196 return;
2197 }
2198
2199 /*
2200 * No changes pending, queue the request
2201 */
2202
2203 status = change_notify_add_request(req->inbuf, max_param_count, filter,
2204 recursive, fsp);
2205 if (!NT_STATUS_IS_OK(status)) {
2206 reply_nterror(req, status);
2207 }
2208 return;
2209 }
2210
2211 /****************************************************************************
2212 Reply to an NT transact rename command.
2213 ****************************************************************************/
2214
2215 static void call_nt_transact_rename(connection_struct *conn,
2216 struct smb_request *req,
2217 uint16 **ppsetup, uint32 setup_count,
2218 char **ppparams, uint32 parameter_count,
2219 char **ppdata, uint32 data_count,
2220 uint32 max_data_count)
2221 {
2222 char *params = *ppparams;
2223 char *new_name = NULL;
2224 files_struct *fsp = NULL;
2225 bool replace_if_exists = False;
2226 bool dest_has_wcard = False;
2227 NTSTATUS status;
2228 TALLOC_CTX *ctx = talloc_tos();
2229
2230 if(parameter_count < 5) {
2231 reply_doserror(req, ERRDOS, ERRbadfunc);
2232 return;
2233 }
2234
2235 fsp = file_fsp(SVAL(params, 0));
2236 replace_if_exists = (SVAL(params,2) & RENAME_REPLACE_IF_EXISTS) ? True : False;
2237 if (!check_fsp(conn, req, fsp, &current_user)) {
2238 return;
2239 }
2240 srvstr_get_path_wcard(ctx, params, req->flags2, &new_name, params+4,
2241 parameter_count - 4,
2242 STR_TERMINATE, &status, &dest_has_wcard);
2243 if (!NT_STATUS_IS_OK(status)) {
2244 reply_nterror(req, status);
2245 return;
2246 }
2247
2248 status = rename_internals(ctx,
2249 conn,
2250 req,
2251 fsp->fsp_name,
2252 new_name,
2253 0,
2254 replace_if_exists,
2255 False,
2256 dest_has_wcard);
2257
2258 if (!NT_STATUS_IS_OK(status)) {
2259 if (open_was_deferred(req->mid)) {
2260 /* We have re-scheduled this call. */
2261 return;
2262 }
2263 reply_nterror(req, status);
2264 return;
2265 }
2266
2267 /*
2268 * Rename was successful.
2269 */
2270 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2271
2272 DEBUG(3,("nt transact rename from = %s, to = %s succeeded.\n",
2273 fsp->fsp_name, new_name));
2274
2275 return;
2276 }
2277
2278 /******************************************************************************
2279 Fake up a completely empty SD.
2280 *******************************************************************************/
2281
2282 static NTSTATUS get_null_nt_acl(TALLOC_CTX *mem_ctx, SEC_DESC **ppsd)
2283 {
2284 size_t sd_size;
2285
2286 *ppsd = make_standard_sec_desc( mem_ctx, &global_sid_World, &global_sid_World, NULL, &sd_size);
2287 if(!*ppsd) {
2288 DEBUG(0,("get_null_nt_acl: Unable to malloc space for security descriptor.\n"));
2289 return NT_STATUS_NO_MEMORY;
2290 }
2291
2292 return NT_STATUS_OK;
2293 }
2294
2295 /****************************************************************************
2296 Reply to query a security descriptor.
2297 ****************************************************************************/
2298
2299 static void call_nt_transact_query_security_desc(connection_struct *conn,
2300 struct smb_request *req,
2301 uint16 **ppsetup,
2302 uint32 setup_count,
2303 char **ppparams,
2304 uint32 parameter_count,
2305 char **ppdata,
2306 uint32 data_count,
2307 uint32 max_data_count)
2308 {
2309 char *params = *ppparams;
2310 char *data = *ppdata;
2311 prs_struct pd;
2312 SEC_DESC *psd = NULL;
2313 size_t sd_size;
2314 uint32 security_info_wanted;
2315 TALLOC_CTX *mem_ctx;
2316 files_struct *fsp = NULL;
2317 NTSTATUS status;
2318
2319 if(parameter_count < 8) {
2320 reply_doserror(req, ERRDOS, ERRbadfunc);
2321 return;
2322 }
2323
2324 fsp = file_fsp(SVAL(params,0));
2325 if(!fsp) {
2326 reply_doserror(req, ERRDOS, ERRbadfid);
2327 return;
2328 }
2329
2330 security_info_wanted = IVAL(params,4);
2331
2332 DEBUG(3,("call_nt_transact_query_security_desc: file = %s, info_wanted = 0x%x\n", fsp->fsp_name,
2333 (unsigned int)security_info_wanted ));
2334
2335 params = nttrans_realloc(ppparams, 4);
2336 if(params == NULL) {
2337 reply_doserror(req, ERRDOS, ERRnomem);
2338 return;
2339 }
2340
2341 if ((mem_ctx = talloc_init("call_nt_transact_query_security_desc")) == NULL) {
2342 DEBUG(0,("call_nt_transact_query_security_desc: talloc_init failed.\n"));
2343 reply_doserror(req, ERRDOS, ERRnomem);
2344 return;
2345 }
2346
2347 /*
2348 * Get the permissions to return.
2349 */
2350
2351 if (!lp_nt_acl_support(SNUM(conn))) {
2352 status = get_null_nt_acl(mem_ctx, &psd);
2353 } else {
2354 status = SMB_VFS_FGET_NT_ACL(fsp, fsp->fh->fd,
2355 security_info_wanted, &psd);
2356 }
2357
2358 if (!NT_STATUS_IS_OK(status)) {
2359 talloc_destroy(mem_ctx);
2360 reply_nterror(req, status);
2361 return;
2362 }
2363
2364 sd_size = sec_desc_size(psd);
2365
2366 DEBUG(3,("call_nt_transact_query_security_desc: sd_size = %lu.\n",(unsigned long)sd_size));
2367
2368 SIVAL(params,0,(uint32)sd_size);
2369
2370 if(max_data_count < sd_size) {
2371
2372 send_nt_replies(req, NT_STATUS_BUFFER_TOO_SMALL,
2373 params, 4, *ppdata, 0);
2374 talloc_destroy(mem_ctx);
2375 return;
2376 }
2377
2378 /*
2379 * Allocate the data we will point this at.
2380 */
2381
2382 data = nttrans_realloc(ppdata, sd_size);
2383 if(data == NULL) {
2384 talloc_destroy(mem_ctx);
2385 reply_doserror(req, ERRDOS, ERRnomem);
2386 return;
2387 }
2388
2389 /*
2390 * Init the parse struct we will marshall into.
2391 */
2392
2393 prs_init(&pd, 0, mem_ctx, MARSHALL);
2394
2395 /*
2396 * Setup the prs_struct to point at the memory we just
2397 * allocated.
2398 */
2399
2400 prs_give_memory( &pd, data, (uint32)sd_size, False);
2401
2402 /*
2403 * Finally, linearize into the outgoing buffer.
2404 */
2405
2406 if(!sec_io_desc( "sd data", &psd, &pd, 1)) {
2407 DEBUG(0,("call_nt_transact_query_security_desc: Error in marshalling \
2408 security descriptor.\n"));
2409 /*
2410 * Return access denied for want of a better error message..
2411 */
2412 talloc_destroy(mem_ctx);
2413 reply_unixerror(req, ERRDOS, ERRnoaccess);
2414 return;
2415 }
2416
2417 /*
2418 * Now we can delete the security descriptor.
2419 */
2420
2421 talloc_destroy(mem_ctx);
2422
2423 send_nt_replies(req, NT_STATUS_OK, params, 4, data, (int)sd_size);
2424 return;
2425 }
2426
2427 /****************************************************************************
2428 Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
2429 ****************************************************************************/
2430
2431 static void call_nt_transact_set_security_desc(connection_struct *conn,
2432 struct smb_request *req,
2433 uint16 **ppsetup,
2434 uint32 setup_count,
2435 char **ppparams,
2436 uint32 parameter_count,
2437 char **ppdata,
2438 uint32 data_count,
2439 uint32 max_data_count)
2440 {
2441 char *params= *ppparams;
2442 char *data = *ppdata;
2443 files_struct *fsp = NULL;
2444 uint32 security_info_sent = 0;
2445 NTSTATUS nt_status;
2446
2447 if(parameter_count < 8) {
2448 reply_doserror(req, ERRDOS, ERRbadfunc);
2449 return;
2450 }
2451
2452 if((fsp = file_fsp(SVAL(params,0))) == NULL) {
2453 reply_doserror(req, ERRDOS, ERRbadfid);
2454 return;
2455 }
2456
2457 if(!lp_nt_acl_support(SNUM(conn))) {
2458 goto done;
2459 }
2460
2461 security_info_sent = IVAL(params,4);
2462
2463 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n", fsp->fsp_name,
2464 (unsigned int)security_info_sent ));
2465
2466 if (data_count == 0) {
2467 reply_doserror(req, ERRDOS, ERRnoaccess);
2468 return;
2469 }
2470
2471 if (!NT_STATUS_IS_OK(nt_status = set_sd( fsp, data, data_count, security_info_sent))) {
2472 reply_nterror(req, nt_status);
2473 return;
2474 }
2475
2476 done:
2477
2478 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2479 return;
2480 }
2481
2482 /****************************************************************************
2483 Reply to NT IOCTL
2484 ****************************************************************************/
2485
2486 static void call_nt_transact_ioctl(connection_struct *conn,
2487 struct smb_request *req,
2488 uint16 **ppsetup, uint32 setup_count,
2489 char **ppparams, uint32 parameter_count,
2490 char **ppdata, uint32 data_count,
2491 uint32 max_data_count)
2492 {
2493 uint32 function;
2494 uint16 fidnum;
2495 files_struct *fsp;
2496 uint8 isFSctl;
2497 uint8 compfilter;
2498 static bool logged_message;
2499 char *pdata = *ppdata;
2500
2501 if (setup_count != 8) {
2502 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
2503 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2504 return;
2505 }
2506
2507 function = IVAL(*ppsetup, 0);
2508 fidnum = SVAL(*ppsetup, 4);
2509 isFSctl = CVAL(*ppsetup, 6);
2510 compfilter = CVAL(*ppsetup, 7);
2511
2512 DEBUG(10,("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n",
2513 function, fidnum, isFSctl, compfilter));
2514
2515 fsp=file_fsp(fidnum);
2516 /* this check is done in each implemented function case for now
2517 because I don't want to break anything... --metze
2518 FSP_BELONGS_CONN(fsp,conn);*/
2519
2520 switch (function) {
2521 case FSCTL_SET_SPARSE:
2522 /* pretend this succeeded - tho strictly we should
2523 mark the file sparse (if the local fs supports it)
2524 so we can know if we need to pre-allocate or not */
2525
2526 DEBUG(10,("FSCTL_SET_SPARSE: called on FID[0x%04X](but not implemented)\n", fidnum));
2527 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2528 return;
2529
2530 case FSCTL_CREATE_OR_GET_OBJECT_ID:
2531 {
2532 unsigned char objid[16];
2533
2534 /* This should return the object-id on this file.
2535 * I think I'll make this be the inode+dev. JRA.
2536 */
2537
2538 DEBUG(10,("FSCTL_CREATE_OR_GET_OBJECT_ID: called on FID[0x%04X]\n",fidnum));
2539
2540 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2541 return;
2542 }
2543
2544 data_count = 64;
2545 pdata = nttrans_realloc(ppdata, data_count);
2546 if (pdata == NULL) {
2547 reply_nterror(req, NT_STATUS_NO_MEMORY);
2548 return;
2549 }
2550 push_file_id_16(pdata, &fsp->file_id);
2551 memcpy(pdata+16,create_volume_objectid(conn,objid),16);
2552 push_file_id_16(pdata+32, &fsp->file_id);
2553 send_nt_replies(req, NT_STATUS_OK, NULL, 0,
2554 pdata, data_count);
2555 return;
2556 }
2557
2558 case FSCTL_GET_REPARSE_POINT:
2559 /* pretend this fail - my winXP does it like this
2560 * --metze
2561 */
2562
2563 DEBUG(10,("FSCTL_GET_REPARSE_POINT: called on FID[0x%04X](but not implemented)\n",fidnum));
2564 reply_nterror(req, NT_STATUS_NOT_A_REPARSE_POINT);
2565 return;
2566
2567 case FSCTL_SET_REPARSE_POINT:
2568 /* pretend this fail - I'm assuming this because of the FSCTL_GET_REPARSE_POINT case.
2569 * --metze
2570 */
2571
2572 DEBUG(10,("FSCTL_SET_REPARSE_POINT: called on FID[0x%04X](but not implemented)\n",fidnum));
2573 reply_nterror(req, NT_STATUS_NOT_A_REPARSE_POINT);
2574 return;
2575
2576 case FSCTL_GET_SHADOW_COPY_DATA: /* don't know if this name is right...*/
2577 {
2578 /*
2579 * This is called to retrieve the number of Shadow Copies (a.k.a. snapshots)
2580 * and return their volume names. If max_data_count is 16, then it is just
2581 * asking for the number of volumes and length of the combined names.
2582 *
2583 * pdata is the data allocated by our caller, but that uses
2584 * total_data_count (which is 0 in our case) rather than max_data_count.
2585 * Allocate the correct amount and return the pointer to let
2586 * it be deallocated when we return.
2587 */
2588 SHADOW_COPY_DATA *shadow_data = NULL;
2589 TALLOC_CTX *shadow_mem_ctx = NULL;
2590 bool labels = False;
2591 uint32 labels_data_count = 0;
2592 uint32 i;
2593 char *cur_pdata;
2594
2595 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2596 return;
2597 }
2598
2599 if (max_data_count < 16) {
2600 DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: max_data_count(%u) < 16 is invalid!\n",
2601 max_data_count));
2602 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2603 return;
2604 }
2605
2606 if (max_data_count > 16) {
2607 labels = True;
2608 }
2609
2610 shadow_mem_ctx = talloc_init("SHADOW_COPY_DATA");
2611 if (shadow_mem_ctx == NULL) {
2612 DEBUG(0,("talloc_init(SHADOW_COPY_DATA) failed!\n"));
2613 reply_nterror(req, NT_STATUS_NO_MEMORY);
2614 return;
2615 }
2616
2617 shadow_data = TALLOC_ZERO_P(shadow_mem_ctx,SHADOW_COPY_DATA);
2618 if (shadow_data == NULL) {
2619 DEBUG(0,("TALLOC_ZERO() failed!\n"));
2620 talloc_destroy(shadow_mem_ctx);
2621 reply_nterror(req, NT_STATUS_NO_MEMORY);
2622 return;
2623 }
2624
2625 shadow_data->mem_ctx = shadow_mem_ctx;
2626
2627 /*
2628 * Call the VFS routine to actually do the work.
2629 */
2630 if (SMB_VFS_GET_SHADOW_COPY_DATA(fsp, shadow_data, labels)!=0) {
2631 talloc_destroy(shadow_data->mem_ctx);
2632 if (errno == ENOSYS) {
2633 DEBUG(5,("FSCTL_GET_SHADOW_COPY_DATA: connectpath %s, not supported.\n",
2634 conn->connectpath));
2635 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2636 return;
2637 } else {
2638 DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: connectpath %s, failed.\n",
2639 conn->connectpath));
2640 reply_nterror(req, NT_STATUS_UNSUCCESSFUL);
2641 return;
2642 }
2643 }
2644
2645 labels_data_count = (shadow_data->num_volumes*2*sizeof(SHADOW_COPY_LABEL))+2;
2646
2647 if (!labels) {
2648 data_count = 16;
2649 } else {
2650 data_count = 12+labels_data_count+4;
2651 }
2652
2653 if (max_data_count<data_count) {
2654 DEBUG(0,("FSCTL_GET_SHADOW_COPY_DATA: max_data_count(%u) too small (%u) bytes needed!\n",
2655 max_data_count,data_count));
2656 talloc_destroy(shadow_data->mem_ctx);
2657 reply_nterror(req, NT_STATUS_BUFFER_TOO_SMALL);
2658 return;
2659 }
2660
2661 pdata = nttrans_realloc(ppdata, data_count);
2662 if (pdata == NULL) {
2663 talloc_destroy(shadow_data->mem_ctx);
2664 reply_nterror(req, NT_STATUS_NO_MEMORY);
2665 return;
2666 }
2667
2668 cur_pdata = pdata;
2669
2670 /* num_volumes 4 bytes */
2671 SIVAL(pdata,0,shadow_data->num_volumes);
2672
2673 if (labels) {
2674 /* num_labels 4 bytes */
2675 SIVAL(pdata,4,shadow_data->num_volumes);
2676 }
2677
2678 /* needed_data_count 4 bytes */
2679 SIVAL(pdata,8,labels_data_count);
2680
2681 cur_pdata+=12;
2682
2683 DEBUG(10,("FSCTL_GET_SHADOW_COPY_DATA: %u volumes for path[%s].\n",
2684 shadow_data->num_volumes,fsp->fsp_name));
2685 if (labels && shadow_data->labels) {
2686 for (i=0;i<shadow_data->num_volumes;i++) {
2687 srvstr_push(pdata, req->flags2,
2688 cur_pdata, shadow_data->labels[i],
2689 2*sizeof(SHADOW_COPY_LABEL),
2690 STR_UNICODE|STR_TERMINATE);
2691 cur_pdata+=2*sizeof(SHADOW_COPY_LABEL);
2692 DEBUGADD(10,("Label[%u]: '%s'\n",i,shadow_data->labels[i]));
2693 }
2694 }
2695
2696 talloc_destroy(shadow_data->mem_ctx);
2697
2698 send_nt_replies(req, NT_STATUS_OK, NULL, 0,
2699 pdata, data_count);
2700
2701 return;
2702 }
2703
2704 case FSCTL_FIND_FILES_BY_SID: /* I hope this name is right */
2705 {
2706 /* pretend this succeeded -
2707 *
2708 * we have to send back a list with all files owned by this SID
2709 *
2710 * but I have to check that --metze
2711 */
2712 DOM_SID sid;
2713 uid_t uid;
2714 size_t sid_len = MIN(data_count-4,SID_MAX_SIZE);
2715
2716 DEBUG(10,("FSCTL_FIND_FILES_BY_SID: called on FID[0x%04X]\n",fidnum));
2717
2718 if (!fsp_belongs_conn(conn, req, fsp, &current_user)) {
2719 return;
2720 }
2721
2722 /* unknown 4 bytes: this is not the length of the sid :-( */
2723 /*unknown = IVAL(pdata,0);*/
2724
2725 sid_parse(pdata+4,sid_len,&sid);
2726 DEBUGADD(10,("for SID: %s\n",sid_string_static(&sid)));
2727
2728 if (!sid_to_uid(&sid, &uid)) {
2729 DEBUG(0,("sid_to_uid: failed, sid[%s] sid_len[%lu]\n",
2730 sid_string_static(&sid),(unsigned long)sid_len));
2731 uid = (-1);
2732 }
2733
2734 /* we can take a look at the find source :-)
2735 *
2736 * find ./ -uid $uid -name '*' is what we need here
2737 *
2738 *
2739 * and send 4bytes len and then NULL terminated unicode strings
2740 * for each file
2741 *
2742 * but I don't know how to deal with the paged results
2743 * (maybe we can hang the result anywhere in the fsp struct)
2744 *
2745 * we don't send all files at once
2746 * and at the next we should *not* start from the beginning,
2747 * so we have to cache the result
2748 *
2749 * --metze
2750 */
2751
2752 /* this works for now... */
2753 send_nt_replies(req, NT_STATUS_OK, NULL, 0, NULL, 0);
2754 return;
2755 }
2756 default:
2757 if (!logged_message) {
2758 logged_message = True; /* Only print this once... */
2759 DEBUG(0,("call_nt_transact_ioctl(0x%x): Currently not implemented.\n",
2760 function));
2761 }
2762 }
2763
2764 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2765 }
2766
2767
2768 #ifdef HAVE_SYS_QUOTAS
2769 /****************************************************************************
2770 Reply to get user quota
2771 ****************************************************************************/
2772
2773 static void call_nt_transact_get_user_quota(connection_struct *conn,
2774 struct smb_request *req,
2775 uint16 **ppsetup,
2776 uint32 setup_count,
2777 char **ppparams,
2778 uint32 parameter_count,
2779 char **ppdata,
2780 uint32 data_count,
2781 uint32 max_data_count)
2782 {
2783 NTSTATUS nt_status = NT_STATUS_OK;
2784 char *params = *ppparams;
2785 char *pdata = *ppdata;
2786 char *entry;
2787 int data_len=0,param_len=0;
2788 int qt_len=0;
2789 int entry_len = 0;
2790 files_struct *fsp = NULL;
2791 uint16 level = 0;
2792 size_t sid_len;
2793 DOM_SID sid;
2794 bool start_enum = True;
2795 SMB_NTQUOTA_STRUCT qt;
2796 SMB_NTQUOTA_LIST *tmp_list;
2797 SMB_NTQUOTA_HANDLE *qt_handle = NULL;
2798
2799 ZERO_STRUCT(qt);
2800
2801 /* access check */
2802 if (current_user.ut.uid != 0) {
2803 DEBUG(1,("get_user_quota: access_denied service [%s] user [%s]\n",
2804 lp_servicename(SNUM(conn)),conn->user));
2805 reply_doserror(req, ERRDOS, ERRnoaccess);
2806 return;
2807 }
2808
2809 /*
2810 * Ensure minimum number of parameters sent.
2811 */
2812
2813 if (parameter_count < 4) {
2814 DEBUG(0,("TRANSACT_GET_USER_QUOTA: requires %d >= 4 bytes parameters\n",parameter_count));
2815 reply_doserror(req, ERRDOS, ERRinvalidparam);
2816 return;
2817 }
2818
2819 /* maybe we can check the quota_fnum */
2820 fsp = file_fsp(SVAL(params,0));
2821 if (!CHECK_NTQUOTA_HANDLE_OK(fsp,conn)) {
2822 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2823 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
2824 return;
2825 }
2826
2827 /* the NULL pointer checking for fsp->fake_file_handle->pd
2828 * is done by CHECK_NTQUOTA_HANDLE_OK()
2829 */
2830 qt_handle = (SMB_NTQUOTA_HANDLE *)fsp->fake_file_handle->pd;
2831
2832 level = SVAL(params,2);
2833
2834 /* unknown 12 bytes leading in params */
2835
2836 switch (level) {
2837 case TRANSACT_GET_USER_QUOTA_LIST_CONTINUE:
2838 /* seems that we should continue with the enum here --metze */
2839
2840 if (qt_handle->quota_list!=NULL &&
2841 qt_handle->tmp_list==NULL) {
2842
2843 /* free the list */
2844 free_ntquota_list(&(qt_handle->quota_list));
2845
2846 /* Realloc the size of parameters and data we will return */
2847 param_len = 4;
2848 params = nttrans_realloc(ppparams, param_len);
2849 if(params == NULL) {
2850 reply_doserror(req, ERRDOS, ERRnomem);
2851 return;
2852 }
2853
2854 data_len = 0;
2855 SIVAL(params,0,data_len);
2856
2857 break;
2858 }
2859
2860 start_enum = False;
2861
2862 case TRANSACT_GET_USER_QUOTA_LIST_START:
2863
2864 if (qt_handle->quota_list==NULL &&
2865 qt_handle->tmp_list==NULL) {
2866 start_enum = True;
2867 }
2868
2869 if (start_enum && vfs_get_user_ntquota_list(fsp,&(qt_handle->quota_list))!=0) {
2870 reply_doserror(req, ERRSRV, ERRerror);
2871 return;
2872 }
2873
2874 /* Realloc the size of parameters and data we will return */
2875 param_len = 4;
2876 params = nttrans_realloc(ppparams, param_len);
2877 if(params == NULL) {
2878 reply_doserror(req, ERRDOS, ERRnomem);
2879 return;
2880 }
2881
2882 /* we should not trust the value in max_data_count*/
2883 max_data_count = MIN(max_data_count,2048);
2884
2885 pdata = nttrans_realloc(ppdata, max_data_count);/* should be max data count from client*/
2886 if(pdata == NULL) {
2887 reply_doserror(req, ERRDOS, ERRnomem);
2888 return;
2889 }
2890
2891 entry = pdata;
2892
2893 /* set params Size of returned Quota Data 4 bytes*/
2894 /* but set it later when we know it */
2895
2896 /* for each entry push the data */
2897
2898 if (start_enum) {
2899 qt_handle->tmp_list = qt_handle->quota_list;
2900 }
2901
2902 tmp_list = qt_handle->tmp_list;
2903
2904 for (;((tmp_list!=NULL)&&((qt_len +40+SID_MAX_SIZE)<max_data_count));
2905 tmp_list=tmp_list->next,entry+=entry_len,qt_len+=entry_len) {
2906
2907 sid_len = sid_size(&tmp_list->quotas->sid);
2908 entry_len = 40 + sid_len;
2909
2910 /* nextoffset entry 4 bytes */
2911 SIVAL(entry,0,entry_len);
2912
2913 /* then the len of the SID 4 bytes */
2914 SIVAL(entry,4,sid_len);
2915
2916 /* unknown data 8 bytes SMB_BIG_UINT */
2917 SBIG_UINT(entry,8,(SMB_BIG_UINT)0); /* this is not 0 in windows...-metze*/
2918
2919 /* the used disk space 8 bytes SMB_BIG_UINT */
2920 SBIG_UINT(entry,16,tmp_list->quotas->usedspace);
2921
2922 /* the soft quotas 8 bytes SMB_BIG_UINT */
2923 SBIG_UINT(entry,24,tmp_list->quotas->softlim);
2924
2925 /* the hard quotas 8 bytes SMB_BIG_UINT */
2926 SBIG_UINT(entry,32,tmp_list->quotas->hardlim);
2927
2928 /* and now the SID */
2929 sid_linearize(entry+40, sid_len, &tmp_list->quotas->sid);
2930 }
2931
2932 qt_handle->tmp_list = tmp_list;
2933
2934 /* overwrite the offset of the last entry */
2935 SIVAL(entry-entry_len,0,0);
2936
2937 data_len = 4+qt_len;
2938 /* overwrite the params quota_data_len */
2939 SIVAL(params,0,data_len);
2940
2941 break;
2942
2943 case TRANSACT_GET_USER_QUOTA_FOR_SID:
2944
2945 /* unknown 4 bytes IVAL(pdata,0) */
2946
2947 if (data_count < 8) {
2948 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %d bytes data\n",data_count,8));
2949 reply_doserror(req, ERRDOS, ERRunknownlevel);
2950 return;
2951 }
2952
2953 sid_len = IVAL(pdata,4);
2954 /* Ensure this is less than 1mb. */
2955 if (sid_len > (1024*1024)) {
2956 reply_doserror(req, ERRDOS, ERRnomem);
2957 return;
2958 }
2959
2960 if (data_count < 8+sid_len) {
2961 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: requires %d >= %lu bytes data\n",data_count,(unsigned long)(8+sid_len)));
2962 reply_doserror(req, ERRDOS, ERRunknownlevel);
2963 return;
2964 }
2965
2966 data_len = 4+40+sid_len;
2967
2968 if (max_data_count < data_len) {
2969 DEBUG(0,("TRANSACT_GET_USER_QUOTA_FOR_SID: max_data_count(%d) < data_len(%d)\n",
2970 max_data_count, data_len));
2971 param_len = 4;
2972 SIVAL(params,0,data_len);
2973 data_len = 0;
2974 nt_status = NT_STATUS_BUFFER_TOO_SMALL;
2975 break;
2976 }
2977
2978 sid_parse(pdata+8,sid_len,&sid);
2979
2980 if (vfs_get_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2981 ZERO_STRUCT(qt);
2982 /*
2983 * we have to return zero's in all fields
2984 * instead of returning an error here
2985 * --metze
2986 */
2987 }
2988
2989 /* Realloc the size of parameters and data we will return */
2990 param_len = 4;
2991 params = nttrans_realloc(ppparams, param_len);
2992 if(params == NULL) {
2993 reply_doserror(req, ERRDOS, ERRnomem);
2994 return;
2995 }
2996
2997 pdata = nttrans_realloc(ppdata, data_len);
2998 if(pdata == NULL) {
2999 reply_doserror(req, ERRDOS, ERRnomem);
3000 return;
3001 }
3002
3003 entry = pdata;
3004
3005 /* set params Size of returned Quota Data 4 bytes*/
3006 SIVAL(params,0,data_len);
3007
3008 /* nextoffset entry 4 bytes */
3009 SIVAL(entry,0,0);
3010
3011 /* then the len of the SID 4 bytes */
3012 SIVAL(entry,4,sid_len);
3013
3014 /* unknown data 8 bytes SMB_BIG_UINT */
3015 SBIG_UINT(entry,8,(SMB_BIG_UINT)0); /* this is not 0 in windows...-mezte*/
3016
3017 /* the used disk space 8 bytes SMB_BIG_UINT */
3018 SBIG_UINT(entry,16,qt.usedspace);
3019
3020 /* the soft quotas 8 bytes SMB_BIG_UINT */
3021 SBIG_UINT(entry,24,qt.softlim);
3022
3023 /* the hard quotas 8 bytes SMB_BIG_UINT */
3024 SBIG_UINT(entry,32,qt.hardlim);
3025
3026 /* and now the SID */
3027 sid_linearize(entry+40, sid_len, &sid);
3028
3029 break;
3030
3031 default:
3032 DEBUG(0,("do_nt_transact_get_user_quota: fnum %d unknown level 0x%04hX\n",fsp->fnum,level));
3033 reply_doserror(req, ERRSRV, ERRerror);
3034 return;
3035 break;
3036 }
3037
3038 send_nt_replies(req, nt_status, params, param_len,
3039 pdata, data_len);
3040 }
3041
3042 /****************************************************************************
3043 Reply to set user quota
3044 ****************************************************************************/
3045
3046 static void call_nt_transact_set_user_quota(connection_struct *conn,
3047 struct smb_request *req,
3048 uint16 **ppsetup,
3049 uint32 setup_count,
3050 char **ppparams,
3051 uint32 parameter_count,
3052 char **ppdata,
3053 uint32 data_count,
3054 uint32 max_data_count)
3055 {
3056 char *params = *ppparams;
3057 char *pdata = *ppdata;
3058 int data_len=0,param_len=0;
3059 SMB_NTQUOTA_STRUCT qt;
3060 size_t sid_len;
3061 DOM_SID sid;
3062 files_struct *fsp = NULL;
3063
3064 ZERO_STRUCT(qt);
3065
3066 /* access check */
3067 if (current_user.ut.uid != 0) {
3068 DEBUG(1,("set_user_quota: access_denied service [%s] user [%s]\n",
3069 lp_servicename(SNUM(conn)),conn->user));
3070 reply_doserror(req, ERRDOS, ERRnoaccess);
3071 return;
3072 }
3073
3074 /*
3075 * Ensure minimum number of parameters sent.
3076 */
3077
3078 if (parameter_count < 2) {
3079 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
3080 reply_doserror(req, ERRDOS, ERRinvalidparam);
3081 return;
3082 }
3083
3084 /* maybe we can check the quota_fnum */
3085 fsp = file_fsp(SVAL(params,0));
3086 if (!CHECK_NTQUOTA_HANDLE_OK(fsp,conn)) {
3087 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
3088 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
3089 return;
3090 }
3091
3092 if (data_count < 40) {
3093 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %d bytes data\n",data_count,40));
3094 reply_doserror(req, ERRDOS, ERRunknownlevel);
3095 return;
3096 }
3097
3098 /* offset to next quota record.
3099 * 4 bytes IVAL(pdata,0)
3100 * unused here...
3101 */
3102
3103 /* sid len */
3104 sid_len = IVAL(pdata,4);
3105
3106 if (data_count < 40+sid_len) {
3107 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= %lu bytes data\n",data_count,(unsigned long)40+sid_len));
3108 reply_doserror(req, ERRDOS, ERRunknownlevel);
3109 return;
3110 }
3111
3112 /* unknown 8 bytes in pdata
3113 * maybe its the change time in NTTIME
3114 */
3115
3116 /* the used space 8 bytes (SMB_BIG_UINT)*/
3117 qt.usedspace = (SMB_BIG_UINT)IVAL(pdata,16);
3118 #ifdef LARGE_SMB_OFF_T
3119 qt.usedspace |= (((SMB_BIG_UINT)IVAL(pdata,20)) << 32);
3120 #else /* LARGE_SMB_OFF_T */
3121 if ((IVAL(pdata,20) != 0)&&
3122 ((qt.usedspace != 0xFFFFFFFF)||
3123 (IVAL(pdata,20)!=0xFFFFFFFF))) {
3124 /* more than 32 bits? */
3125 reply_doserror(req, ERRDOS, ERRunknownlevel);
3126 return;
3127 }
3128 #endif /* LARGE_SMB_OFF_T */
3129
3130 /* the soft quotas 8 bytes (SMB_BIG_UINT)*/
3131 qt.softlim = (SMB_BIG_UINT)IVAL(pdata,24);
3132 #ifdef LARGE_SMB_OFF_T
3133 qt.softlim |= (((SMB_BIG_UINT)IVAL(pdata,28)) << 32);
3134 #else /* LARGE_SMB_OFF_T */
3135 if ((IVAL(pdata,28) != 0)&&
3136 ((qt.softlim != 0xFFFFFFFF)||
3137 (IVAL(pdata,28)!=0xFFFFFFFF))) {
3138 /* more than 32 bits? */
3139 reply_doserror(req, ERRDOS, ERRunknownlevel);
3140 return;
3141 }
3142 #endif /* LARGE_SMB_OFF_T */
3143
3144 /* the hard quotas 8 bytes (SMB_BIG_UINT)*/
3145 qt.hardlim = (SMB_BIG_UINT)IVAL(pdata,32);
3146 #ifdef LARGE_SMB_OFF_T
3147 qt.hardlim |= (((SMB_BIG_UINT)IVAL(pdata,36)) << 32);
3148 #else /* LARGE_SMB_OFF_T */
3149 if ((IVAL(pdata,36) != 0)&&
3150 ((qt.hardlim != 0xFFFFFFFF)||
3151 (IVAL(pdata,36)!=0xFFFFFFFF))) {
3152 /* more than 32 bits? */
3153 reply_doserror(req, ERRDOS, ERRunknownlevel);
3154 return;
3155 }
3156 #endif /* LARGE_SMB_OFF_T */
3157
3158 sid_parse(pdata+40,sid_len,&sid);
3159 DEBUGADD(8,("SID: %s\n",sid_string_static(&sid)));
3160
3161 /* 44 unknown bytes left... */
3162
3163 if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
3164 reply_doserror(req, ERRSRV, ERRerror);
3165 return;
3166 }
3167
3168 send_nt_replies(req, NT_STATUS_OK, params, param_len,
3169 pdata, data_len);
3170 }
3171 #endif /* HAVE_SYS_QUOTAS */
3172
3173 static void handle_nttrans(connection_struct *conn,
3174 struct trans_state *state,
3175 struct smb_request *req)
3176 {
3177 if (Protocol >= PROTOCOL_NT1) {
3178 req->flags2 |= 0x40; /* IS_LONG_NAME */
3179 SSVAL(req->inbuf,smb_flg2,req->flags2);
3180 }
3181
3182 /* Now we must call the relevant NT_TRANS function */
3183 switch(state->call) {
3184 case NT_TRANSACT_CREATE:
3185 {
3186 START_PROFILE(NT_transact_create);
3187 call_nt_transact_create(
3188 conn, req,
3189 &state->setup, state->setup_count,
3190 &state->param, state->total_param,
3191 &state->data, state->total_data,
3192 state->max_data_return);
3193 END_PROFILE(NT_transact_create);
3194 break;
3195 }
3196
3197 case NT_TRANSACT_IOCTL:
3198 {
3199 START_PROFILE(NT_transact_ioctl);
3200 call_nt_transact_ioctl(
3201 conn, req,
3202 &state->setup, state->setup_count,
3203 &state->param, state->total_param,
3204 &state->data, state->total_data,
3205 state->max_data_return);
3206 END_PROFILE(NT_transact_ioctl);
3207 break;
3208 }
3209
3210 case NT_TRANSACT_SET_SECURITY_DESC:
3211 {
3212 START_PROFILE(NT_transact_set_security_desc);
3213 call_nt_transact_set_security_desc(
3214 conn, req,
3215 &state->setup, state->setup_count,
3216 &state->param, state->total_param,
3217 &state->data, state->total_data,
3218 state->max_data_return);
3219 END_PROFILE(NT_transact_set_security_desc);
3220 break;
3221 }
3222
3223 case NT_TRANSACT_NOTIFY_CHANGE:
3224 {
3225 START_PROFILE(NT_transact_notify_change);
3226 call_nt_transact_notify_change(
3227 conn, req,
3228 &state->setup, state->setup_count,
3229 &state->param, state->total_param,
3230 &state->data, state->total_data,
3231 state->max_data_return,
3232 state->max_param_return);
3233 END_PROFILE(NT_transact_notify_change);
3234 break;
3235 }
3236
3237 case NT_TRANSACT_RENAME:
3238 {
3239 START_PROFILE(NT_transact_rename);
3240 call_nt_transact_rename(
3241 conn, req,
3242 &state->setup, state->setup_count,
3243 &state->param, state->total_param,
3244 &state->data, state->total_data,
3245 state->max_data_return);
3246 END_PROFILE(NT_transact_rename);
3247 break;
3248 }
3249
3250 case NT_TRANSACT_QUERY_SECURITY_DESC:
3251 {
3252 START_PROFILE(NT_transact_query_security_desc);
3253 call_nt_transact_query_security_desc(
3254 conn, req,
3255 &state->setup, state->setup_count,
3256 &state->param, state->total_param,
3257 &state->data, state->total_data,
3258 state->max_data_return);
3259 END_PROFILE(NT_transact_query_security_desc);
3260 break;
3261 }
3262
3263 #ifdef HAVE_SYS_QUOTAS
3264 case NT_TRANSACT_GET_USER_QUOTA:
3265 {
3266 START_PROFILE(NT_transact_get_user_quota);
3267 call_nt_transact_get_user_quota(
3268 conn, req,
3269 &state->setup, state->setup_count,
3270 &state->param, state->total_param,
3271 &state->data, state->total_data,
3272 state->max_data_return);
3273 END_PROFILE(NT_transact_get_user_quota);
3274 break;
3275 }
3276
3277 case NT_TRANSACT_SET_USER_QUOTA:
3278 {
3279 START_PROFILE(NT_transact_set_user_quota);
3280 call_nt_transact_set_user_quota(
3281 conn, req,
3282 &state->setup, state->setup_count,
3283 &state->param, state->total_param,
3284 &state->data, state->total_data,
3285 state->max_data_return);
3286 END_PROFILE(NT_transact_set_user_quota);
3287 break;
3288 }
3289 #endif /* HAVE_SYS_QUOTAS */
3290
3291 default:
3292 /* Error in request */
3293 DEBUG(0,("handle_nttrans: Unknown request %d in "
3294 "nttrans call\n", state->call));
3295 reply_doserror(req, ERRSRV, ERRerror);
3296 return;
3297 }
3298 return;
3299 }
3300
3301 /****************************************************************************
3302 Reply to a SMBNTtrans.
3303 ****************************************************************************/
3304
3305 void reply_nttrans(connection_struct *conn, struct smb_request *req)
3306 {
3307 uint32 pscnt;
3308 uint32 psoff;
3309 uint32 dscnt;
3310 uint32 dsoff;
3311 uint16 function_code;
3312 NTSTATUS result;
3313 struct trans_state *state;
3314 int size;
3315
3316 START_PROFILE(SMBnttrans);
3317
3318 if (req->wct < 19) {
3319 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3320 END_PROFILE(SMBnttrans);
3321 return;
3322 }
3323
3324 size = smb_len(req->inbuf) + 4;
3325 pscnt = IVAL(req->inbuf,smb_nt_ParameterCount);
3326 psoff = IVAL(req->inbuf,smb_nt_ParameterOffset);
3327 dscnt = IVAL(req->inbuf,smb_nt_DataCount);
3328 dsoff = IVAL(req->inbuf,smb_nt_DataOffset);
3329 function_code = SVAL(req->inbuf, smb_nt_Function);
3330
3331 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
3332 reply_doserror(req, ERRSRV, ERRaccess);
3333 END_PROFILE(SMBnttrans);
3334 return;
3335 }
3336
3337 result = allow_new_trans(conn->pending_trans, req->mid);
3338 if (!NT_STATUS_IS_OK(result)) {
3339 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
3340 reply_nterror(req, result);
3341 END_PROFILE(SMBnttrans);
3342 return;
3343 }
3344
3345 if ((state = TALLOC_P(conn->mem_ctx, struct trans_state)) == NULL) {
3346 reply_doserror(req, ERRSRV, ERRaccess);
3347 END_PROFILE(SMBnttrans);
3348 return;
3349 }
3350
3351 state->cmd = SMBnttrans;
3352
3353 state->mid = req->mid;
3354 state->vuid = req->vuid;
3355 state->total_data = IVAL(req->inbuf, smb_nt_TotalDataCount);
3356 state->data = NULL;
3357 state->total_param = IVAL(req->inbuf, smb_nt_TotalParameterCount);
3358 state->param = NULL;
3359 state->max_data_return = IVAL(req->inbuf,smb_nt_MaxDataCount);
3360 state->max_param_return = IVAL(req->inbuf,smb_nt_MaxParameterCount);
3361
3362 /* setup count is in *words* */
3363 state->setup_count = 2*CVAL(req->inbuf,smb_nt_SetupCount);
3364 state->setup = NULL;
3365 state->call = function_code;
3366
3367 /*
3368 * All nttrans messages we handle have smb_wct == 19 +
3369 * state->setup_count. Ensure this is so as a sanity check.
3370 */
3371
3372 if(req->wct != 19 + (state->setup_count/2)) {
3373 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
3374 req->wct, 19 + (state->setup_count/2)));
3375 goto bad_param;
3376 }
3377
3378 /* Don't allow more than 128mb for each value. */
3379 if ((state->total_data > (1024*1024*128)) ||
3380 (state->total_param > (1024*1024*128))) {
3381 reply_doserror(req, ERRDOS, ERRnomem);
3382 END_PROFILE(SMBnttrans);
3383 return;
3384 }
3385
3386 if ((dscnt > state->total_data) || (pscnt > state->total_param))
3387 goto bad_param;
3388
3389 if (state->total_data) {
3390 /* Can't use talloc here, the core routines do realloc on the
3391 * params and data. */
3392 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
3393 DEBUG(0,("reply_nttrans: data malloc fail for %u "
3394 "bytes !\n", (unsigned int)state->total_data));
3395 TALLOC_FREE(state);
3396 reply_doserror(req, ERRDOS, ERRnomem);
3397 END_PROFILE(SMBnttrans);
3398 return;
3399 }
3400 if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
3401 goto bad_param;
3402 if ((smb_base(req->inbuf)+dsoff+dscnt
3403 > (char *)req->inbuf + size) ||
3404 (smb_base(req->inbuf)+dsoff+dscnt < smb_base(req->inbuf)))
3405 goto bad_param;
3406
3407 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
3408 }
3409
3410 if (state->total_param) {
3411 /* Can't use talloc here, the core routines do realloc on the
3412 * params and data. */
3413 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
3414 DEBUG(0,("reply_nttrans: param malloc fail for %u "
3415 "bytes !\n", (unsigned int)state->total_param));
3416 SAFE_FREE(state->data);
3417 TALLOC_FREE(state);
3418 reply_doserror(req, ERRDOS, ERRnomem);
3419 END_PROFILE(SMBnttrans);
3420 return;
3421 }
3422 if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
3423 goto bad_param;
3424 if ((smb_base(req->inbuf)+psoff+pscnt
3425 > (char *)req->inbuf + size) ||
3426 (smb_base(req->inbuf)+psoff+pscnt < smb_base(req->inbuf)))
3427 goto bad_param;
3428
3429 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
3430 }
3431
3432 state->received_data = dscnt;
3433 state->received_param = pscnt;
3434
3435 if(state->setup_count > 0) {
3436 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
3437 state->setup_count));
3438 state->setup = (uint16 *)TALLOC(state, state->setup_count);
3439 if (state->setup == NULL) {
3440 DEBUG(0,("reply_nttrans : Out of memory\n"));
3441 SAFE_FREE(state->data);
3442 SAFE_FREE(state->param);
3443 TALLOC_FREE(state);
3444 reply_doserror(req, ERRDOS, ERRnomem);
3445 END_PROFILE(SMBnttrans);
3446 return;
3447 }
3448
3449 if ((smb_nt_SetupStart + state->setup_count < smb_nt_SetupStart) ||
3450 (smb_nt_SetupStart + state->setup_count < state->setup_count)) {
3451 goto bad_param;
3452 }
3453 if (smb_nt_SetupStart + state->setup_count > size) {
3454 goto bad_param;
3455 }
3456
3457 memcpy( state->setup, &req->inbuf[smb_nt_SetupStart],
3458 state->setup_count);
3459 dump_data(10, (uint8 *)state->setup, state->setup_count);
3460 }
3461
3462 if ((state->received_data == state->total_data) &&
3463 (state->received_param == state->total_param)) {
3464 handle_nttrans(conn, state, req);
3465 SAFE_FREE(state->param);
3466 SAFE_FREE(state->data);
3467 TALLOC_FREE(state);
3468 END_PROFILE(SMBnttrans);
3469 return;
3470 }
3471
3472 DLIST_ADD(conn->pending_trans, state);
3473
3474 /* We need to send an interim response then receive the rest
3475 of the parameter/data bytes */
3476 reply_outbuf(req, 0, 0);
3477 show_msg((char *)req->outbuf);
3478 END_PROFILE(SMBnttrans);
3479 return;
3480
3481 bad_param:
3482
3483 DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
3484 SAFE_FREE(state->data);
3485 SAFE_FREE(state->param);
3486 TALLOC_FREE(state);
3487 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3488 END_PROFILE(SMBnttrans);
3489 return;
3490 }
3491
3492 /****************************************************************************
3493 Reply to a SMBnttranss
3494 ****************************************************************************/
3495
3496 void reply_nttranss(connection_struct *conn, struct smb_request *req)
3497 {
3498 unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
3499 struct trans_state *state;
3500
3501 int size;
3502
3503 START_PROFILE(SMBnttranss);
3504
3505 show_msg((char *)req->inbuf);
3506
3507 if (req->wct < 18) {
3508 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3509 END_PROFILE(SMBnttranss);
3510 return;
3511 }
3512
3513 for (state = conn->pending_trans; state != NULL;
3514 state = state->next) {
3515 if (state->mid == req->mid) {
3516 break;
3517 }
3518 }
3519
3520 if ((state == NULL) || (state->cmd != SMBnttrans)) {
3521 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3522 END_PROFILE(SMBnttranss);
3523 return;
3524 }
3525
3526 /* Revise state->total_param and state->total_data in case they have
3527 changed downwards */
3528 if (IVAL(req->inbuf, smb_nts_TotalParameterCount)
3529 < state->total_param) {
3530 state->total_param = IVAL(req->inbuf,
3531 smb_nts_TotalParameterCount);
3532 }
3533 if (IVAL(req->inbuf, smb_nts_TotalDataCount) < state->total_data) {
3534 state->total_data = IVAL(req->inbuf, smb_nts_TotalDataCount);
3535 }
3536
3537 size = smb_len(req->inbuf) + 4;
3538
3539 pcnt = IVAL(req->inbuf,smb_nts_ParameterCount);
3540 poff = IVAL(req->inbuf, smb_nts_ParameterOffset);
3541 pdisp = IVAL(req->inbuf, smb_nts_ParameterDisplacement);
3542
3543 dcnt = IVAL(req->inbuf, smb_nts_DataCount);
3544 ddisp = IVAL(req->inbuf, smb_nts_DataDisplacement);
3545 doff = IVAL(req->inbuf, smb_nts_DataOffset);
3546
3547 state->received_param += pcnt;
3548 state->received_data += dcnt;
3549
3550 if ((state->received_data > state->total_data) ||
3551 (state->received_param > state->total_param))
3552 goto bad_param;
3553
3554 if (pcnt) {
3555 if (pdisp+pcnt > state->total_param)
3556 goto bad_param;
3557 if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
3558 goto bad_param;
3559 if (pdisp > state->total_param)
3560 goto bad_param;
3561 if ((smb_base(req->inbuf) + poff + pcnt
3562 > (char *)req->inbuf + size) ||
3563 (smb_base(req->inbuf) + poff + pcnt
3564 < smb_base(req->inbuf)))
3565 goto bad_param;
3566 if (state->param + pdisp < state->param)
3567 goto bad_param;
3568
3569 memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,
3570 pcnt);
3571 }
3572
3573 if (dcnt) {
3574 if (ddisp+dcnt > state->total_data)
3575 goto bad_param;
3576 if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
3577 goto bad_param;
3578 if (ddisp > state->total_data)
3579 goto bad_param;
3580 if ((smb_base(req->inbuf) + doff + dcnt
3581 > (char *)req->inbuf + size) ||
3582 (smb_base(req->inbuf) + doff + dcnt
3583 < smb_base(req->inbuf)))
3584 goto bad_param;
3585 if (state->data + ddisp < state->data)
3586 goto bad_param;
3587
3588 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,
3589 dcnt);
3590 }
3591
3592 if ((state->received_param < state->total_param) ||
3593 (state->received_data < state->total_data)) {
3594 END_PROFILE(SMBnttranss);
3595 return;
3596 }
3597
3598 /*
3599 * construct_reply_common will copy smb_com from inbuf to
3600 * outbuf. SMBnttranss is wrong here.
3601 */
3602 SCVAL(req->inbuf,smb_com,SMBnttrans);
3603
3604 handle_nttrans(conn, state, req);
3605
3606 DLIST_REMOVE(conn->pending_trans, state);
3607 SAFE_FREE(state->data);
3608 SAFE_FREE(state->param);
3609 TALLOC_FREE(state);
3610 END_PROFILE(SMBnttranss);
3611 return;
3612
3613 bad_param:
3614
3615 DEBUG(0,("reply_nttranss: invalid trans parameters\n"));
3616 DLIST_REMOVE(conn->pending_trans, state);
3617 SAFE_FREE(state->data);
3618 SAFE_FREE(state->param);
3619 TALLOC_FREE(state);
3620 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
3621 END_PROFILE(SMBnttranss);
3622 return;
3623 }
reg import