search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:libsmb: use HDR_* defines in cli_pull_raw_error()
[Samba/gebeck_regimport.git] / source3 / libsmb / async_smb.c
blob76f7781d5239292fe8d1dd7c820a828cd7ce9295
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21 #include "libsmb/libsmb.h"
22 #include "../lib/async_req/async_sock.h"
23 #include "../lib/util/tevent_ntstatus.h"
24 #include "../lib/util/tevent_unix.h"
25 #include "async_smb.h"
26 #include "../libcli/smb/smb_seal.h"
27 #include "libsmb/nmblib.h"
28 #include "../libcli/smb/read_smb.h"
29
30 static NTSTATUS cli_pull_raw_error(const uint8_t *buf)
31 {
32 const uint8_t *hdr = buf + NBT_HDR_SIZE;
33 uint32_t flags2 = SVAL(hdr, HDR_FLG2);
34 NTSTATUS status = NT_STATUS(IVAL(hdr, HDR_RCLS));
35
36 if (NT_STATUS_IS_OK(status)) {
37 return NT_STATUS_OK;
38 }
39
40 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
41 return status;
42 }
43
44 return NT_STATUS_DOS(CVAL(hdr, HDR_RCLS), SVAL(hdr, HDR_ERR));
45 }
46
47 /**
48 * Figure out if there is an andx command behind the current one
49 * @param[in] buf The smb buffer to look at
50 * @param[in] ofs The offset to the wct field that is followed by the cmd
51 * @retval Is there a command following?
52 */
53
54 static bool have_andx_command(const char *buf, uint16_t ofs)
55 {
56 uint8_t wct;
57 size_t buflen = talloc_get_size(buf);
58
59 if ((ofs == buflen-1) || (ofs == buflen)) {
60 return false;
61 }
62
63 wct = CVAL(buf, ofs);
64 if (wct < 2) {
65 /*
66 * Not enough space for the command and a following pointer
67 */
68 return false;
69 }
70 return (CVAL(buf, ofs+1) != 0xff);
71 }
72
73 #define MAX_SMB_IOV 5
74
75 struct cli_smb_state {
76 struct tevent_context *ev;
77 struct cli_state *cli;
78 uint8_t header[smb_wct+1]; /* Space for the header including the wct */
79
80 /*
81 * For normal requests, cli_smb_req_send chooses a mid. Secondary
82 * trans requests need to use the mid of the primary request, so we
83 * need a place to store it. Assume it's set if != 0.
84 */
85 uint16_t mid;
86
87 uint16_t *vwv;
88 uint8_t bytecount_buf[2];
89
90 struct iovec iov[MAX_SMB_IOV+3];
91 int iov_count;
92
93 uint8_t *inbuf;
94 uint32_t seqnum;
95 int chain_num;
96 int chain_length;
97 struct tevent_req **chained_requests;
98
99 bool one_way;
100 };
101
102 static uint16_t cli_alloc_mid(struct cli_state *cli)
103 {
104 int num_pending = talloc_array_length(cli->conn.pending);
105 uint16_t result;
106
107 while (true) {
108 int i;
109
110 result = cli->conn.smb1.mid++;
111 if ((result == 0) || (result == 0xffff)) {
112 continue;
113 }
114
115 for (i=0; i<num_pending; i++) {
116 if (result == cli_smb_req_mid(cli->conn.pending[i])) {
117 break;
118 }
119 }
120
121 if (i == num_pending) {
122 return result;
123 }
124 }
125 }
126
127 void cli_smb_req_unset_pending(struct tevent_req *req)
128 {
129 struct cli_smb_state *state = tevent_req_data(
130 req, struct cli_smb_state);
131 struct cli_state *cli = state->cli;
132 int num_pending = talloc_array_length(cli->conn.pending);
133 int i;
134
135 if (state->mid != 0) {
136 /*
137 * This is a [nt]trans[2] request which waits
138 * for more than one reply.
139 */
140 return;
141 }
142
143 talloc_set_destructor(req, NULL);
144
145 if (num_pending == 1) {
146 /*
147 * The pending read_smb tevent_req is a child of
148 * cli->pending. So if nothing is pending anymore, we need to
149 * delete the socket read fde.
150 */
151 TALLOC_FREE(cli->conn.pending);
152 cli->conn.read_smb_req = NULL;
153 return;
154 }
155
156 for (i=0; i<num_pending; i++) {
157 if (req == cli->conn.pending[i]) {
158 break;
159 }
160 }
161 if (i == num_pending) {
162 /*
163 * Something's seriously broken. Just returning here is the
164 * right thing nevertheless, the point of this routine is to
165 * remove ourselves from cli->conn.pending.
166 */
167 return;
168 }
169
170 /*
171 * Remove ourselves from the cli->conn.pending array
172 */
173 for (; i < (num_pending - 1); i++) {
174 cli->conn.pending[i] = cli->conn.pending[i+1];
175 }
176
177 /*
178 * No NULL check here, we're shrinking by sizeof(void *), and
179 * talloc_realloc just adjusts the size for this.
180 */
181 cli->conn.pending = talloc_realloc(NULL, cli->conn.pending,
182 struct tevent_req *,
183 num_pending - 1);
184 return;
185 }
186
187 static int cli_smb_req_destructor(struct tevent_req *req)
188 {
189 struct cli_smb_state *state = tevent_req_data(
190 req, struct cli_smb_state);
191 /*
192 * Make sure we really remove it from
193 * the pending array on destruction.
194 */
195 state->mid = 0;
196 cli_smb_req_unset_pending(req);
197 return 0;
198 }
199
200 static bool cli_state_receive_next(struct cli_state *cli);
201 static void cli_state_notify_pending(struct cli_state *cli, NTSTATUS status);
202
203 bool cli_smb_req_set_pending(struct tevent_req *req)
204 {
205 struct cli_smb_state *state = tevent_req_data(
206 req, struct cli_smb_state);
207 struct cli_state *cli;
208 struct tevent_req **pending;
209 int num_pending;
210
211 cli = state->cli;
212 num_pending = talloc_array_length(cli->conn.pending);
213
214 pending = talloc_realloc(cli, cli->conn.pending, struct tevent_req *,
215 num_pending+1);
216 if (pending == NULL) {
217 return false;
218 }
219 pending[num_pending] = req;
220 cli->conn.pending = pending;
221 talloc_set_destructor(req, cli_smb_req_destructor);
222
223 if (!cli_state_receive_next(cli)) {
224 /*
225 * the caller should notify the current request
226 *
227 * And all other pending requests get notified
228 * by cli_state_notify_pending().
229 */
230 cli_smb_req_unset_pending(req);
231 cli_state_notify_pending(cli, NT_STATUS_NO_MEMORY);
232 return false;
233 }
234
235 return true;
236 }
237
238 static void cli_smb_received(struct tevent_req *subreq);
239 static NTSTATUS cli_state_dispatch_smb1(struct cli_state *cli,
240 TALLOC_CTX *frame,
241 uint8_t *inbuf);
242
243 static bool cli_state_receive_next(struct cli_state *cli)
244 {
245 size_t num_pending = talloc_array_length(cli->conn.pending);
246 struct tevent_req *req;
247 struct cli_smb_state *state;
248
249 if (cli->conn.read_smb_req != NULL) {
250 return true;
251 }
252
253 if (num_pending == 0) {
254 return true;
255 }
256
257 req = cli->conn.pending[0];
258 state = tevent_req_data(req, struct cli_smb_state);
259
260 cli->conn.dispatch_incoming = cli_state_dispatch_smb1;
261
262 /*
263 * We're the first ones, add the read_smb request that waits for the
264 * answer from the server
265 */
266 cli->conn.read_smb_req = read_smb_send(cli->conn.pending, state->ev,
267 cli->conn.fd);
268 if (cli->conn.read_smb_req == NULL) {
269 return false;
270 }
271 tevent_req_set_callback(cli->conn.read_smb_req, cli_smb_received, cli);
272 return true;
273 }
274
275 static void cli_state_notify_pending(struct cli_state *cli, NTSTATUS status)
276 {
277 cli_state_disconnect(cli);
278
279 /*
280 * Cancel all pending requests. We do not do a for-loop walking
281 * cli->conn.pending because that array changes in
282 * cli_smb_req_destructor().
283 */
284 while (talloc_array_length(cli->conn.pending) > 0) {
285 struct tevent_req *req;
286 struct cli_smb_state *state;
287
288 req = cli->conn.pending[0];
289 state = tevent_req_data(req, struct cli_smb_state);
290
291 /*
292 * We're dead. No point waiting for trans2
293 * replies.
294 */
295 state->mid = 0;
296
297 cli_smb_req_unset_pending(req);
298
299 /*
300 * we need to defer the callback, because we may notify more
301 * then one caller.
302 */
303 tevent_req_defer_callback(req, state->ev);
304 tevent_req_nterror(req, status);
305 }
306 }
307
308 /*
309 * Fetch a smb request's mid. Only valid after the request has been sent by
310 * cli_smb_req_send().
311 */
312 uint16_t cli_smb_req_mid(struct tevent_req *req)
313 {
314 struct cli_smb_state *state = tevent_req_data(
315 req, struct cli_smb_state);
316
317 if (state->mid != 0) {
318 return state->mid;
319 }
320
321 return SVAL(state->header, smb_mid);
322 }
323
324 void cli_smb_req_set_mid(struct tevent_req *req, uint16_t mid)
325 {
326 struct cli_smb_state *state = tevent_req_data(
327 req, struct cli_smb_state);
328 state->mid = mid;
329 }
330
331 uint32_t cli_smb_req_seqnum(struct tevent_req *req)
332 {
333 struct cli_smb_state *state = tevent_req_data(
334 req, struct cli_smb_state);
335 return state->seqnum;
336 }
337
338 void cli_smb_req_set_seqnum(struct tevent_req *req, uint32_t seqnum)
339 {
340 struct cli_smb_state *state = tevent_req_data(
341 req, struct cli_smb_state);
342 state->seqnum = seqnum;
343 }
344
345 static size_t iov_len(const struct iovec *iov, int count)
346 {
347 size_t result = 0;
348 int i;
349 for (i=0; i<count; i++) {
350 result += iov[i].iov_len;
351 }
352 return result;
353 }
354
355 static uint8_t *iov_concat(TALLOC_CTX *mem_ctx, const struct iovec *iov,
356 int count)
357 {
358 size_t len = iov_len(iov, count);
359 size_t copied;
360 uint8_t *buf;
361 int i;
362
363 buf = talloc_array(mem_ctx, uint8_t, len);
364 if (buf == NULL) {
365 return NULL;
366 }
367 copied = 0;
368 for (i=0; i<count; i++) {
369 memcpy(buf+copied, iov[i].iov_base, iov[i].iov_len);
370 copied += iov[i].iov_len;
371 }
372 return buf;
373 }
374
375 struct tevent_req *cli_smb_req_create(TALLOC_CTX *mem_ctx,
376 struct event_context *ev,
377 struct cli_state *cli,
378 uint8_t smb_command,
379 uint8_t additional_flags,
380 uint8_t wct, uint16_t *vwv,
381 int iov_count,
382 struct iovec *bytes_iov)
383 {
384 struct tevent_req *result;
385 struct cli_smb_state *state;
386 struct timeval endtime;
387
388 if (iov_count > MAX_SMB_IOV) {
389 /*
390 * Should not happen :-)
391 */
392 return NULL;
393 }
394
395 result = tevent_req_create(mem_ctx, &state, struct cli_smb_state);
396 if (result == NULL) {
397 return NULL;
398 }
399 state->ev = ev;
400 state->cli = cli;
401 state->mid = 0; /* Set to auto-choose in cli_smb_req_send */
402 state->chain_num = 0;
403 state->chained_requests = NULL;
404
405 cli_setup_packet_buf(cli, (char *)state->header);
406 SCVAL(state->header, smb_com, smb_command);
407 SSVAL(state->header, smb_tid, cli->smb1.tid);
408 SCVAL(state->header, smb_wct, wct);
409
410 state->vwv = vwv;
411
412 SSVAL(state->bytecount_buf, 0, iov_len(bytes_iov, iov_count));
413
414 state->iov[0].iov_base = (void *)state->header;
415 state->iov[0].iov_len = sizeof(state->header);
416 state->iov[1].iov_base = (void *)state->vwv;
417 state->iov[1].iov_len = wct * sizeof(uint16_t);
418 state->iov[2].iov_base = (void *)state->bytecount_buf;
419 state->iov[2].iov_len = sizeof(uint16_t);
420
421 if (iov_count != 0) {
422 memcpy(&state->iov[3], bytes_iov,
423 iov_count * sizeof(*bytes_iov));
424 }
425 state->iov_count = iov_count + 3;
426
427 if (cli->timeout) {
428 endtime = timeval_current_ofs_msec(cli->timeout);
429 if (!tevent_req_set_endtime(result, ev, endtime)) {
430 return result;
431 }
432 }
433
434 switch (smb_command) {
435 case SMBtranss:
436 case SMBtranss2:
437 case SMBnttranss:
438 case SMBntcancel:
439 state->one_way = true;
440 break;
441 case SMBlockingX:
442 if ((wct == 8) &&
443 (CVAL(vwv+3, 0) == LOCKING_ANDX_OPLOCK_RELEASE)) {
444 state->one_way = true;
445 }
446 break;
447 }
448
449 return result;
450 }
451
452 static NTSTATUS cli_signv(struct cli_state *cli, struct iovec *iov, int count,
453 uint32_t *seqnum)
454 {
455 uint8_t *buf;
456
457 /*
458 * Obvious optimization: Make cli_calculate_sign_mac work with struct
459 * iovec directly. MD5Update would do that just fine.
460 */
461
462 if ((count <= 0) || (iov[0].iov_len < smb_wct)) {
463 return NT_STATUS_INVALID_PARAMETER;
464 }
465
466 buf = iov_concat(talloc_tos(), iov, count);
467 if (buf == NULL) {
468 return NT_STATUS_NO_MEMORY;
469 }
470
471 cli_calculate_sign_mac(cli, (char *)buf, seqnum);
472 memcpy(iov[0].iov_base, buf, iov[0].iov_len);
473
474 TALLOC_FREE(buf);
475 return NT_STATUS_OK;
476 }
477
478 static void cli_smb_sent(struct tevent_req *subreq);
479
480 static NTSTATUS cli_smb_req_iov_send(struct tevent_req *req,
481 struct cli_smb_state *state,
482 struct iovec *iov, int iov_count)
483 {
484 struct tevent_req *subreq;
485 NTSTATUS status;
486
487 if (!cli_state_is_connected(state->cli)) {
488 return NT_STATUS_CONNECTION_DISCONNECTED;
489 }
490
491 if (iov[0].iov_len < smb_wct) {
492 return NT_STATUS_INVALID_PARAMETER;
493 }
494
495 if (state->mid != 0) {
496 SSVAL(iov[0].iov_base, smb_mid, state->mid);
497 } else {
498 uint16_t mid = cli_alloc_mid(state->cli);
499 SSVAL(iov[0].iov_base, smb_mid, mid);
500 }
501
502 smb_setlen((char *)iov[0].iov_base, iov_len(iov, iov_count) - 4);
503
504 status = cli_signv(state->cli, iov, iov_count, &state->seqnum);
505
506 if (!NT_STATUS_IS_OK(status)) {
507 return status;
508 }
509
510 if (cli_state_encryption_on(state->cli)) {
511 char *buf, *enc_buf;
512
513 buf = (char *)iov_concat(talloc_tos(), iov, iov_count);
514 if (buf == NULL) {
515 return NT_STATUS_NO_MEMORY;
516 }
517 status = common_encrypt_buffer(state->cli->trans_enc_state,
518 (char *)buf, &enc_buf);
519 TALLOC_FREE(buf);
520 if (!NT_STATUS_IS_OK(status)) {
521 DEBUG(0, ("Error in encrypting client message: %s\n",
522 nt_errstr(status)));
523 return status;
524 }
525 buf = (char *)talloc_memdup(state, enc_buf,
526 smb_len(enc_buf)+4);
527 SAFE_FREE(enc_buf);
528 if (buf == NULL) {
529 return NT_STATUS_NO_MEMORY;
530 }
531 iov[0].iov_base = (void *)buf;
532 iov[0].iov_len = talloc_get_size(buf);
533 iov_count = 1;
534 }
535 subreq = writev_send(state, state->ev, state->cli->conn.outgoing,
536 state->cli->conn.fd, false, iov, iov_count);
537 if (subreq == NULL) {
538 return NT_STATUS_NO_MEMORY;
539 }
540 tevent_req_set_callback(subreq, cli_smb_sent, req);
541 return NT_STATUS_OK;
542 }
543
544 NTSTATUS cli_smb_req_send(struct tevent_req *req)
545 {
546 struct cli_smb_state *state = tevent_req_data(
547 req, struct cli_smb_state);
548
549 if (!tevent_req_is_in_progress(req)) {
550 return NT_STATUS_INTERNAL_ERROR;
551 }
552
553 return cli_smb_req_iov_send(req, state, state->iov, state->iov_count);
554 }
555
556 struct tevent_req *cli_smb_send(TALLOC_CTX *mem_ctx,
557 struct event_context *ev,
558 struct cli_state *cli,
559 uint8_t smb_command,
560 uint8_t additional_flags,
561 uint8_t wct, uint16_t *vwv,
562 uint32_t num_bytes,
563 const uint8_t *bytes)
564 {
565 struct tevent_req *req;
566 struct iovec iov;
567 NTSTATUS status;
568
569 iov.iov_base = discard_const_p(void, bytes);
570 iov.iov_len = num_bytes;
571
572 req = cli_smb_req_create(mem_ctx, ev, cli, smb_command,
573 additional_flags, wct, vwv, 1, &iov);
574 if (req == NULL) {
575 return NULL;
576 }
577 if (!tevent_req_is_in_progress(req)) {
578 return tevent_req_post(req, ev);
579 }
580 status = cli_smb_req_send(req);
581 if (!NT_STATUS_IS_OK(status)) {
582 tevent_req_nterror(req, status);
583 return tevent_req_post(req, ev);
584 }
585 return req;
586 }
587
588 static void cli_smb_sent(struct tevent_req *subreq)
589 {
590 struct tevent_req *req = tevent_req_callback_data(
591 subreq, struct tevent_req);
592 struct cli_smb_state *state = tevent_req_data(
593 req, struct cli_smb_state);
594 ssize_t nwritten;
595 int err;
596
597 nwritten = writev_recv(subreq, &err);
598 TALLOC_FREE(subreq);
599 if (nwritten == -1) {
600 NTSTATUS status = map_nt_error_from_unix(err);
601 cli_state_notify_pending(state->cli, status);
602 return;
603 }
604
605 if (state->one_way) {
606 state->inbuf = NULL;
607 tevent_req_done(req);
608 return;
609 }
610
611 if (!cli_smb_req_set_pending(req)) {
612 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
613 return;
614 }
615 }
616
617 static void cli_smb_received(struct tevent_req *subreq)
618 {
619 struct cli_state *cli = tevent_req_callback_data(
620 subreq, struct cli_state);
621 TALLOC_CTX *frame = talloc_stackframe();
622 NTSTATUS status;
623 uint8_t *inbuf;
624 ssize_t received;
625 int err;
626
627 if (subreq != cli->conn.read_smb_req) {
628 DEBUG(1, ("Internal error: cli_smb_received called with "
629 "unexpected subreq\n"));
630 status = NT_STATUS_INTERNAL_ERROR;
631 cli_state_notify_pending(cli, status);
632 TALLOC_FREE(frame);
633 return;
634 }
635
636 received = read_smb_recv(subreq, frame, &inbuf, &err);
637 TALLOC_FREE(subreq);
638 cli->conn.read_smb_req = NULL;
639 if (received == -1) {
640 status = map_nt_error_from_unix(err);
641 cli_state_notify_pending(cli, status);
642 TALLOC_FREE(frame);
643 return;
644 }
645
646 status = cli->conn.dispatch_incoming(cli, frame, inbuf);
647 TALLOC_FREE(frame);
648 if (NT_STATUS_IS_OK(status)) {
649 /*
650 * We should not do any more processing
651 * as the dispatch function called
652 * tevent_req_done().
653 */
654 return;
655 } else if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
656 /*
657 * We got an error, so notify all pending requests
658 */
659 cli_state_notify_pending(cli, status);
660 return;
661 }
662
663 /*
664 * We got NT_STATUS_RETRY, so we may ask for a
665 * next incoming pdu.
666 */
667 if (!cli_state_receive_next(cli)) {
668 cli_state_notify_pending(cli, NT_STATUS_NO_MEMORY);
669 }
670 }
671
672 static NTSTATUS cli_state_dispatch_smb1(struct cli_state *cli,
673 TALLOC_CTX *frame,
674 uint8_t *inbuf)
675 {
676 struct tevent_req *req;
677 struct cli_smb_state *state;
678 NTSTATUS status;
679 int num_pending;
680 int i;
681 uint16_t mid;
682 bool oplock_break;
683
684 if ((IVAL(inbuf, 4) != 0x424d53ff) /* 0xFF"SMB" */
685 && (SVAL(inbuf, 4) != 0x45ff)) /* 0xFF"E" */ {
686 DEBUG(10, ("Got non-SMB PDU\n"));
687 return NT_STATUS_INVALID_NETWORK_RESPONSE;
688 }
689
690 if (cli_state_encryption_on(cli) && (CVAL(inbuf, 0) == 0)) {
691 uint16_t enc_ctx_num;
692
693 status = get_enc_ctx_num(inbuf, &enc_ctx_num);
694 if (!NT_STATUS_IS_OK(status)) {
695 DEBUG(10, ("get_enc_ctx_num returned %s\n",
696 nt_errstr(status)));
697 return status;
698 }
699
700 if (enc_ctx_num != cli->trans_enc_state->enc_ctx_num) {
701 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
702 enc_ctx_num,
703 cli->trans_enc_state->enc_ctx_num));
704 return NT_STATUS_INVALID_HANDLE;
705 }
706
707 status = common_decrypt_buffer(cli->trans_enc_state,
708 (char *)inbuf);
709 if (!NT_STATUS_IS_OK(status)) {
710 DEBUG(10, ("common_decrypt_buffer returned %s\n",
711 nt_errstr(status)));
712 return status;
713 }
714 }
715
716 mid = SVAL(inbuf, smb_mid);
717 num_pending = talloc_array_length(cli->conn.pending);
718
719 for (i=0; i<num_pending; i++) {
720 if (mid == cli_smb_req_mid(cli->conn.pending[i])) {
721 break;
722 }
723 }
724 if (i == num_pending) {
725 /* Dump unexpected reply */
726 return NT_STATUS_RETRY;
727 }
728
729 oplock_break = false;
730
731 if (mid == 0xffff) {
732 /*
733 * Paranoia checks that this is really an oplock break request.
734 */
735 oplock_break = (smb_len(inbuf) == 51); /* hdr + 8 words */
736 oplock_break &= ((CVAL(inbuf, smb_flg) & FLAG_REPLY) == 0);
737 oplock_break &= (CVAL(inbuf, smb_com) == SMBlockingX);
738 oplock_break &= (SVAL(inbuf, smb_vwv6) == 0);
739 oplock_break &= (SVAL(inbuf, smb_vwv7) == 0);
740
741 if (!oplock_break) {
742 /* Dump unexpected reply */
743 return NT_STATUS_RETRY;
744 }
745 }
746
747 req = cli->conn.pending[i];
748 state = tevent_req_data(req, struct cli_smb_state);
749
750 if (!oplock_break /* oplock breaks are not signed */
751 && !cli_check_sign_mac(cli, (char *)inbuf, state->seqnum+1)) {
752 DEBUG(10, ("cli_check_sign_mac failed\n"));
753 return NT_STATUS_ACCESS_DENIED;
754 }
755
756 if (state->chained_requests != NULL) {
757 struct tevent_req **chain = talloc_move(frame,
758 &state->chained_requests);
759 int num_chained = talloc_array_length(chain);
760
761 /*
762 * We steal the inbuf to the chain,
763 * so that it will stay until all
764 * requests of the chain are finished.
765 *
766 * Each requests in the chain will
767 * hold a talloc reference to the chain.
768 * This way we do not expose the talloc_reference()
769 * behavior to the callers.
770 */
771 talloc_steal(chain, inbuf);
772
773 for (i=0; i<num_chained; i++) {
774 struct tevent_req **ref;
775
776 req = chain[i];
777 state = tevent_req_data(req, struct cli_smb_state);
778
779 cli_smb_req_unset_pending(req);
780
781 /*
782 * as we finish multiple requests here
783 * we need to defer the callbacks as
784 * they could destroy our current stack state.
785 */
786 tevent_req_defer_callback(req, state->ev);
787
788 ref = talloc_reference(state, chain);
789 if (tevent_req_nomem(ref, req)) {
790 continue;
791 }
792
793 state->inbuf = inbuf;
794 state->chain_num = i;
795 state->chain_length = num_chained;
796
797 tevent_req_done(req);
798 }
799
800 return NT_STATUS_RETRY;
801 }
802
803 cli_smb_req_unset_pending(req);
804
805 state->inbuf = talloc_move(state, &inbuf);
806 state->chain_num = 0;
807 state->chain_length = 1;
808
809 if (talloc_array_length(cli->conn.pending) == 0) {
810 tevent_req_done(req);
811 return NT_STATUS_OK;
812 }
813
814 tevent_req_defer_callback(req, state->ev);
815 tevent_req_done(req);
816 return NT_STATUS_RETRY;
817 }
818
819 NTSTATUS cli_smb_recv(struct tevent_req *req,
820 TALLOC_CTX *mem_ctx, uint8_t **pinbuf,
821 uint8_t min_wct, uint8_t *pwct, uint16_t **pvwv,
822 uint32_t *pnum_bytes, uint8_t **pbytes)
823 {
824 struct cli_smb_state *state = tevent_req_data(
825 req, struct cli_smb_state);
826 NTSTATUS status = NT_STATUS_OK;
827 uint8_t cmd, wct;
828 uint16_t num_bytes;
829 size_t wct_ofs, bytes_offset;
830 int i;
831
832 if (tevent_req_is_nterror(req, &status)) {
833 return status;
834 }
835
836 if (state->inbuf == NULL) {
837 if (min_wct != 0) {
838 return NT_STATUS_INVALID_NETWORK_RESPONSE;
839 }
840 if (pinbuf) {
841 *pinbuf = NULL;
842 }
843 if (pwct) {
844 *pwct = 0;
845 }
846 if (pvwv) {
847 *pvwv = NULL;
848 }
849 if (pnum_bytes) {
850 *pnum_bytes = 0;
851 }
852 if (pbytes) {
853 *pbytes = NULL;
854 }
855 /* This was a request without a reply */
856 return NT_STATUS_OK;
857 }
858
859 wct_ofs = smb_wct;
860 cmd = CVAL(state->inbuf, smb_com);
861
862 for (i=0; i<state->chain_num; i++) {
863 if (i < state->chain_num-1) {
864 if (cmd == 0xff) {
865 return NT_STATUS_REQUEST_ABORTED;
866 }
867 if (!is_andx_req(cmd)) {
868 return NT_STATUS_INVALID_NETWORK_RESPONSE;
869 }
870 }
871
872 if (!have_andx_command((char *)state->inbuf, wct_ofs)) {
873 /*
874 * This request was not completed because a previous
875 * request in the chain had received an error.
876 */
877 return NT_STATUS_REQUEST_ABORTED;
878 }
879
880 wct_ofs = SVAL(state->inbuf, wct_ofs + 3);
881
882 /*
883 * Skip the all-present length field. No overflow, we've just
884 * put a 16-bit value into a size_t.
885 */
886 wct_ofs += 4;
887
888 if (wct_ofs+2 > talloc_get_size(state->inbuf)) {
889 return NT_STATUS_INVALID_NETWORK_RESPONSE;
890 }
891
892 cmd = CVAL(state->inbuf, wct_ofs + 1);
893 }
894
895 state->cli->raw_status = cli_pull_raw_error(state->inbuf);
896 if (NT_STATUS_IS_DOS(state->cli->raw_status)) {
897 uint8_t eclass = NT_STATUS_DOS_CLASS(state->cli->raw_status);
898 uint16_t ecode = NT_STATUS_DOS_CODE(state->cli->raw_status);
899 /*
900 * TODO: is it really a good idea to do a mapping here?
901 *
902 * The old cli_pull_error() also does it, so I do not change
903 * the behavior yet.
904 */
905 status = dos_to_ntstatus(eclass, ecode);
906 } else {
907 status = state->cli->raw_status;
908 }
909
910 if (!have_andx_command((char *)state->inbuf, wct_ofs)) {
911
912 if ((cmd == SMBsesssetupX)
913 && NT_STATUS_EQUAL(
914 status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
915 /*
916 * NT_STATUS_MORE_PROCESSING_REQUIRED is a
917 * valid return code for session setup
918 */
919 goto no_err;
920 }
921
922 if (NT_STATUS_IS_ERR(status)) {
923 /*
924 * The last command takes the error code. All
925 * further commands down the requested chain
926 * will get a NT_STATUS_REQUEST_ABORTED.
927 */
928 return status;
929 }
930 }
931
932 no_err:
933
934 wct = CVAL(state->inbuf, wct_ofs);
935 bytes_offset = wct_ofs + 1 + wct * sizeof(uint16_t);
936 num_bytes = SVAL(state->inbuf, bytes_offset);
937
938 if (wct < min_wct) {
939 return NT_STATUS_INVALID_NETWORK_RESPONSE;
940 }
941
942 /*
943 * wct_ofs is a 16-bit value plus 4, wct is a 8-bit value, num_bytes
944 * is a 16-bit value. So bytes_offset being size_t should be far from
945 * wrapping.
946 */
947 if ((bytes_offset + 2 > talloc_get_size(state->inbuf))
948 || (bytes_offset > 0xffff)) {
949 return NT_STATUS_INVALID_NETWORK_RESPONSE;
950 }
951
952 if (pwct != NULL) {
953 *pwct = wct;
954 }
955 if (pvwv != NULL) {
956 *pvwv = (uint16_t *)(state->inbuf + wct_ofs + 1);
957 }
958 if (pnum_bytes != NULL) {
959 *pnum_bytes = num_bytes;
960 }
961 if (pbytes != NULL) {
962 *pbytes = (uint8_t *)state->inbuf + bytes_offset + 2;
963 }
964 if ((mem_ctx != NULL) && (pinbuf != NULL)) {
965 if (state->chain_num == state->chain_length-1) {
966 *pinbuf = talloc_move(mem_ctx, &state->inbuf);
967 } else {
968 *pinbuf = state->inbuf;
969 }
970 }
971
972 return status;
973 }
974
975 size_t cli_smb_wct_ofs(struct tevent_req **reqs, int num_reqs)
976 {
977 size_t wct_ofs;
978 int i;
979
980 wct_ofs = smb_wct - 4;
981
982 for (i=0; i<num_reqs; i++) {
983 struct cli_smb_state *state;
984 state = tevent_req_data(reqs[i], struct cli_smb_state);
985 wct_ofs += iov_len(state->iov+1, state->iov_count-1);
986 wct_ofs = (wct_ofs + 3) & ~3;
987 }
988 return wct_ofs;
989 }
990
991 NTSTATUS cli_smb_chain_send(struct tevent_req **reqs, int num_reqs)
992 {
993 struct cli_smb_state *first_state = tevent_req_data(
994 reqs[0], struct cli_smb_state);
995 struct cli_smb_state *last_state = tevent_req_data(
996 reqs[num_reqs-1], struct cli_smb_state);
997 struct cli_smb_state *state;
998 size_t wct_offset;
999 size_t chain_padding = 0;
1000 int i, iovlen;
1001 struct iovec *iov = NULL;
1002 struct iovec *this_iov;
1003 NTSTATUS status;
1004
1005 iovlen = 0;
1006 for (i=0; i<num_reqs; i++) {
1007 if (!tevent_req_is_in_progress(reqs[i])) {
1008 return NT_STATUS_INTERNAL_ERROR;
1009 }
1010
1011 state = tevent_req_data(reqs[i], struct cli_smb_state);
1012 iovlen += state->iov_count;
1013 }
1014
1015 iov = talloc_array(last_state, struct iovec, iovlen);
1016 if (iov == NULL) {
1017 return NT_STATUS_NO_MEMORY;
1018 }
1019
1020 first_state->chained_requests = (struct tevent_req **)talloc_memdup(
1021 last_state, reqs, sizeof(*reqs) * num_reqs);
1022 if (first_state->chained_requests == NULL) {
1023 TALLOC_FREE(iov);
1024 return NT_STATUS_NO_MEMORY;
1025 }
1026
1027 wct_offset = smb_wct - 4;
1028 this_iov = iov;
1029
1030 for (i=0; i<num_reqs; i++) {
1031 size_t next_padding = 0;
1032 uint16_t *vwv;
1033
1034 state = tevent_req_data(reqs[i], struct cli_smb_state);
1035
1036 if (i < num_reqs-1) {
1037 if (!is_andx_req(CVAL(state->header, smb_com))
1038 || CVAL(state->header, smb_wct) < 2) {
1039 TALLOC_FREE(iov);
1040 TALLOC_FREE(first_state->chained_requests);
1041 return NT_STATUS_INVALID_PARAMETER;
1042 }
1043 }
1044
1045 wct_offset += iov_len(state->iov+1, state->iov_count-1) + 1;
1046 if ((wct_offset % 4) != 0) {
1047 next_padding = 4 - (wct_offset % 4);
1048 }
1049 wct_offset += next_padding;
1050 vwv = state->vwv;
1051
1052 if (i < num_reqs-1) {
1053 struct cli_smb_state *next_state = tevent_req_data(
1054 reqs[i+1], struct cli_smb_state);
1055 SCVAL(vwv+0, 0, CVAL(next_state->header, smb_com));
1056 SCVAL(vwv+0, 1, 0);
1057 SSVAL(vwv+1, 0, wct_offset);
1058 } else if (is_andx_req(CVAL(state->header, smb_com))) {
1059 /* properly end the chain */
1060 SCVAL(vwv+0, 0, 0xff);
1061 SCVAL(vwv+0, 1, 0xff);
1062 SSVAL(vwv+1, 0, 0);
1063 }
1064
1065 if (i == 0) {
1066 this_iov[0] = state->iov[0];
1067 } else {
1068 /*
1069 * This one is a bit subtle. We have to add
1070 * chain_padding bytes between the requests, and we
1071 * have to also include the wct field of the
1072 * subsequent requests. We use the subsequent header
1073 * for the padding, it contains the wct field in its
1074 * last byte.
1075 */
1076 this_iov[0].iov_len = chain_padding+1;
1077 this_iov[0].iov_base = (void *)&state->header[
1078 sizeof(state->header) - this_iov[0].iov_len];
1079 memset(this_iov[0].iov_base, 0, this_iov[0].iov_len-1);
1080 }
1081 memcpy(this_iov+1, state->iov+1,
1082 sizeof(struct iovec) * (state->iov_count-1));
1083 this_iov += state->iov_count;
1084 chain_padding = next_padding;
1085 }
1086
1087 status = cli_smb_req_iov_send(reqs[0], last_state, iov, iovlen);
1088 if (!NT_STATUS_IS_OK(status)) {
1089 TALLOC_FREE(iov);
1090 TALLOC_FREE(first_state->chained_requests);
1091 return status;
1092 }
1093
1094 return NT_STATUS_OK;
1095 }
1096
1097 bool cli_has_async_calls(struct cli_state *cli)
1098 {
1099 return ((tevent_queue_length(cli->conn.outgoing) != 0)
1100 || (talloc_array_length(cli->conn.pending) != 0));
1101 }
reg import