search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3-waf: Set HAVE_GSSAPI if gssapi libs were found
[Samba/gebeck_regimport.git] / source3 / smbd / process.c
blobc8497577a448020a5e17093015841b0d123023b1
1 /*
2 Unix SMB/CIFS implementation.
3 process incoming packets - main loop
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Volker Lendecke 2005-2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23 #include "../librpc/gen_ndr/srv_dfs.h"
24 #include "../librpc/gen_ndr/srv_dssetup.h"
25 #include "../librpc/gen_ndr/srv_echo.h"
26 #include "../librpc/gen_ndr/srv_eventlog.h"
27 #include "../librpc/gen_ndr/srv_initshutdown.h"
28 #include "../librpc/gen_ndr/srv_lsa.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_ntsvcs.h"
31 #include "../librpc/gen_ndr/srv_samr.h"
32 #include "../librpc/gen_ndr/srv_spoolss.h"
33 #include "../librpc/gen_ndr/srv_srvsvc.h"
34 #include "../librpc/gen_ndr/srv_svcctl.h"
35 #include "../librpc/gen_ndr/srv_winreg.h"
36 #include "../librpc/gen_ndr/srv_wkssvc.h"
37 #include "librpc/gen_ndr/messaging.h"
38
39 extern bool global_machine_password_needs_changing;
40
41 static void construct_reply_common(struct smb_request *req, const char *inbuf,
42 char *outbuf);
43 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid);
44
45 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
46 {
47 bool ok;
48
49 if (smbd_server_conn->smb1.echo_handler.socket_lock_fd == -1) {
50 return true;
51 }
52
53 smbd_server_conn->smb1.echo_handler.ref_count++;
54
55 if (smbd_server_conn->smb1.echo_handler.ref_count > 1) {
56 return true;
57 }
58
59 DEBUG(10,("pid[%d] wait for socket lock\n", (int)sys_getpid()));
60
61 ok = fcntl_lock(smbd_server_conn->smb1.echo_handler.socket_lock_fd,
62 SMB_F_SETLKW, 0, 0, F_WRLCK);
63 if (!ok) {
64 return false;
65 }
66
67 DEBUG(10,("pid[%d] got for socket lock\n", (int)sys_getpid()));
68
69 return true;
70 }
71
72 void smbd_lock_socket(struct smbd_server_connection *sconn)
73 {
74 if (!smbd_lock_socket_internal(sconn)) {
75 exit_server_cleanly("failed to lock socket");
76 }
77 }
78
79 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
80 {
81 bool ok;
82
83 if (smbd_server_conn->smb1.echo_handler.socket_lock_fd == -1) {
84 return true;
85 }
86
87 smbd_server_conn->smb1.echo_handler.ref_count--;
88
89 if (smbd_server_conn->smb1.echo_handler.ref_count > 0) {
90 return true;
91 }
92
93 ok = fcntl_lock(smbd_server_conn->smb1.echo_handler.socket_lock_fd,
94 SMB_F_SETLKW, 0, 0, F_UNLCK);
95 if (!ok) {
96 return false;
97 }
98
99 DEBUG(10,("pid[%d] unlocked socket\n", (int)sys_getpid()));
100
101 return true;
102 }
103
104 void smbd_unlock_socket(struct smbd_server_connection *sconn)
105 {
106 if (!smbd_unlock_socket_internal(sconn)) {
107 exit_server_cleanly("failed to unlock socket");
108 }
109 }
110
111 /* Accessor function for smb_read_error for smbd functions. */
112
113 /****************************************************************************
114 Send an smb to a fd.
115 ****************************************************************************/
116
117 bool srv_send_smb(int fd, char *buffer,
118 bool do_signing, uint32_t seqnum,
119 bool do_encrypt,
120 struct smb_perfcount_data *pcd)
121 {
122 size_t len = 0;
123 size_t nwritten=0;
124 ssize_t ret;
125 char *buf_out = buffer;
126
127 smbd_lock_socket(smbd_server_conn);
128
129 if (do_signing) {
130 /* Sign the outgoing packet if required. */
131 srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
132 }
133
134 if (do_encrypt) {
135 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
136 if (!NT_STATUS_IS_OK(status)) {
137 DEBUG(0, ("send_smb: SMB encryption failed "
138 "on outgoing packet! Error %s\n",
139 nt_errstr(status) ));
140 goto out;
141 }
142 }
143
144 len = smb_len(buf_out) + 4;
145
146 ret = write_data(fd,buf_out+nwritten,len - nwritten);
147 if (ret <= 0) {
148 DEBUG(0,("pid[%d] Error writing %d bytes to client. %d. (%s)\n",
149 (int)sys_getpid(), (int)len,(int)ret, strerror(errno) ));
150 srv_free_enc_buffer(buf_out);
151 goto out;
152 }
153
154 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
155 srv_free_enc_buffer(buf_out);
156 out:
157 SMB_PERFCOUNT_END(pcd);
158
159 smbd_unlock_socket(smbd_server_conn);
160 return true;
161 }
162
163 /*******************************************************************
164 Setup the word count and byte count for a smb message.
165 ********************************************************************/
166
167 int srv_set_message(char *buf,
168 int num_words,
169 int num_bytes,
170 bool zero)
171 {
172 if (zero && (num_words || num_bytes)) {
173 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
174 }
175 SCVAL(buf,smb_wct,num_words);
176 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
177 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
178 return (smb_size + num_words*2 + num_bytes);
179 }
180
181 static bool valid_smb_header(const uint8_t *inbuf)
182 {
183 if (is_encrypted_packet(inbuf)) {
184 return true;
185 }
186 /*
187 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
188 * but it just looks weird to call strncmp for this one.
189 */
190 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
191 }
192
193 /* Socket functions for smbd packet processing. */
194
195 static bool valid_packet_size(size_t len)
196 {
197 /*
198 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
199 * of header. Don't print the error if this fits.... JRA.
200 */
201
202 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
203 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
204 (unsigned long)len));
205 return false;
206 }
207 return true;
208 }
209
210 static NTSTATUS read_packet_remainder(int fd, char *buffer,
211 unsigned int timeout, ssize_t len)
212 {
213 if (len <= 0) {
214 return NT_STATUS_OK;
215 }
216
217 return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
218 }
219
220 /****************************************************************************
221 Attempt a zerocopy writeX read. We know here that len > smb_size-4
222 ****************************************************************************/
223
224 /*
225 * Unfortunately, earlier versions of smbclient/libsmbclient
226 * don't send this "standard" writeX header. I've fixed this
227 * for 3.2 but we'll use the old method with earlier versions.
228 * Windows and CIFSFS at least use this standard size. Not
229 * sure about MacOSX.
230 */
231
232 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
233 (2*14) + /* word count (including bcc) */ \
234 1 /* pad byte */)
235
236 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
237 const char lenbuf[4],
238 int fd, char **buffer,
239 unsigned int timeout,
240 size_t *p_unread,
241 size_t *len_ret)
242 {
243 /* Size of a WRITEX call (+4 byte len). */
244 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
245 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
246 ssize_t toread;
247 NTSTATUS status;
248
249 memcpy(writeX_header, lenbuf, 4);
250
251 status = read_fd_with_timeout(
252 fd, writeX_header + 4,
253 STANDARD_WRITE_AND_X_HEADER_SIZE,
254 STANDARD_WRITE_AND_X_HEADER_SIZE,
255 timeout, NULL);
256
257 if (!NT_STATUS_IS_OK(status)) {
258 return status;
259 }
260
261 /*
262 * Ok - now try and see if this is a possible
263 * valid writeX call.
264 */
265
266 if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
267 /*
268 * If the data offset is beyond what
269 * we've read, drain the extra bytes.
270 */
271 uint16_t doff = SVAL(writeX_header,smb_vwv11);
272 ssize_t newlen;
273
274 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
275 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
276 if (drain_socket(smbd_server_fd(), drain) != drain) {
277 smb_panic("receive_smb_raw_talloc_partial_read:"
278 " failed to drain pending bytes");
279 }
280 } else {
281 doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
282 }
283
284 /* Spoof down the length and null out the bcc. */
285 set_message_bcc(writeX_header, 0);
286 newlen = smb_len(writeX_header);
287
288 /* Copy the header we've written. */
289
290 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
291 writeX_header,
292 sizeof(writeX_header));
293
294 if (*buffer == NULL) {
295 DEBUG(0, ("Could not allocate inbuf of length %d\n",
296 (int)sizeof(writeX_header)));
297 return NT_STATUS_NO_MEMORY;
298 }
299
300 /* Work out the remaining bytes. */
301 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
302 *len_ret = newlen + 4;
303 return NT_STATUS_OK;
304 }
305
306 if (!valid_packet_size(len)) {
307 return NT_STATUS_INVALID_PARAMETER;
308 }
309
310 /*
311 * Not a valid writeX call. Just do the standard
312 * talloc and return.
313 */
314
315 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
316
317 if (*buffer == NULL) {
318 DEBUG(0, ("Could not allocate inbuf of length %d\n",
319 (int)len+4));
320 return NT_STATUS_NO_MEMORY;
321 }
322
323 /* Copy in what we already read. */
324 memcpy(*buffer,
325 writeX_header,
326 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
327 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
328
329 if(toread > 0) {
330 status = read_packet_remainder(
331 fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
332 timeout, toread);
333
334 if (!NT_STATUS_IS_OK(status)) {
335 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
336 nt_errstr(status)));
337 return status;
338 }
339 }
340
341 *len_ret = len + 4;
342 return NT_STATUS_OK;
343 }
344
345 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
346 char **buffer, unsigned int timeout,
347 size_t *p_unread, size_t *plen)
348 {
349 char lenbuf[4];
350 size_t len;
351 int min_recv_size = lp_min_receive_file_size();
352 NTSTATUS status;
353
354 *p_unread = 0;
355
356 status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
357 if (!NT_STATUS_IS_OK(status)) {
358 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
359 return status;
360 }
361
362 if (CVAL(lenbuf,0) == 0 && min_recv_size &&
363 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
364 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
365 !srv_is_signing_active(smbd_server_conn) &&
366 smbd_server_conn->smb1.echo_handler.trusted_fde == NULL) {
367
368 return receive_smb_raw_talloc_partial_read(
369 mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
370 }
371
372 if (!valid_packet_size(len)) {
373 return NT_STATUS_INVALID_PARAMETER;
374 }
375
376 /*
377 * The +4 here can't wrap, we've checked the length above already.
378 */
379
380 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
381
382 if (*buffer == NULL) {
383 DEBUG(0, ("Could not allocate inbuf of length %d\n",
384 (int)len+4));
385 return NT_STATUS_NO_MEMORY;
386 }
387
388 memcpy(*buffer, lenbuf, sizeof(lenbuf));
389
390 status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
391 if (!NT_STATUS_IS_OK(status)) {
392 return status;
393 }
394
395 *plen = len + 4;
396 return NT_STATUS_OK;
397 }
398
399 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
400 char **buffer, unsigned int timeout,
401 size_t *p_unread, bool *p_encrypted,
402 size_t *p_len,
403 uint32_t *seqnum,
404 bool trusted_channel)
405 {
406 size_t len = 0;
407 NTSTATUS status;
408
409 *p_encrypted = false;
410
411 status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
412 p_unread, &len);
413 if (!NT_STATUS_IS_OK(status)) {
414 return status;
415 }
416
417 if (is_encrypted_packet((uint8_t *)*buffer)) {
418 status = srv_decrypt_buffer(*buffer);
419 if (!NT_STATUS_IS_OK(status)) {
420 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
421 "incoming packet! Error %s\n",
422 nt_errstr(status) ));
423 return status;
424 }
425 *p_encrypted = true;
426 }
427
428 /* Check the incoming SMB signature. */
429 if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, trusted_channel)) {
430 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
431 "incoming packet!\n"));
432 return NT_STATUS_INVALID_NETWORK_RESPONSE;
433 }
434
435 *p_len = len;
436 return NT_STATUS_OK;
437 }
438
439 /*
440 * Initialize a struct smb_request from an inbuf
441 */
442
443 static bool init_smb_request(struct smb_request *req, const uint8 *inbuf,
444 size_t unread_bytes, bool encrypted,
445 uint32_t seqnum)
446 {
447 struct smbd_server_connection *sconn = smbd_server_conn;
448 size_t req_size = smb_len(inbuf) + 4;
449 /* Ensure we have at least smb_size bytes. */
450 if (req_size < smb_size) {
451 DEBUG(0,("init_smb_request: invalid request size %u\n",
452 (unsigned int)req_size ));
453 return false;
454 }
455 req->cmd = CVAL(inbuf, smb_com);
456 req->flags2 = SVAL(inbuf, smb_flg2);
457 req->smbpid = SVAL(inbuf, smb_pid);
458 req->mid = (uint64_t)SVAL(inbuf, smb_mid);
459 req->seqnum = seqnum;
460 req->vuid = SVAL(inbuf, smb_uid);
461 req->tid = SVAL(inbuf, smb_tid);
462 req->wct = CVAL(inbuf, smb_wct);
463 req->vwv = (uint16_t *)(inbuf+smb_vwv);
464 req->buflen = smb_buflen(inbuf);
465 req->buf = (const uint8_t *)smb_buf(inbuf);
466 req->unread_bytes = unread_bytes;
467 req->encrypted = encrypted;
468 req->conn = conn_find(sconn,req->tid);
469 req->chain_fsp = NULL;
470 req->chain_outbuf = NULL;
471 req->done = false;
472 req->smb2req = NULL;
473 smb_init_perfcount_data(&req->pcd);
474
475 /* Ensure we have at least wct words and 2 bytes of bcc. */
476 if (smb_size + req->wct*2 > req_size) {
477 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
478 (unsigned int)req->wct,
479 (unsigned int)req_size));
480 return false;
481 }
482 /* Ensure bcc is correct. */
483 if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
484 DEBUG(0,("init_smb_request: invalid bcc number %u "
485 "(wct = %u, size %u)\n",
486 (unsigned int)req->buflen,
487 (unsigned int)req->wct,
488 (unsigned int)req_size));
489 return false;
490 }
491
492 req->outbuf = NULL;
493 return true;
494 }
495
496 static void process_smb(struct smbd_server_connection *conn,
497 uint8_t *inbuf, size_t nread, size_t unread_bytes,
498 uint32_t seqnum, bool encrypted,
499 struct smb_perfcount_data *deferred_pcd);
500
501 static void smbd_deferred_open_timer(struct event_context *ev,
502 struct timed_event *te,
503 struct timeval _tval,
504 void *private_data)
505 {
506 struct pending_message_list *msg = talloc_get_type(private_data,
507 struct pending_message_list);
508 TALLOC_CTX *mem_ctx = talloc_tos();
509 uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
510 uint8_t *inbuf;
511
512 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
513 msg->buf.length);
514 if (inbuf == NULL) {
515 exit_server("smbd_deferred_open_timer: talloc failed\n");
516 return;
517 }
518
519 /* We leave this message on the queue so the open code can
520 know this is a retry. */
521 DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
522 (unsigned long long)mid ));
523
524 /* Mark the message as processed so this is not
525 * re-processed in error. */
526 msg->processed = true;
527
528 process_smb(smbd_server_conn, inbuf,
529 msg->buf.length, 0,
530 msg->seqnum, msg->encrypted, &msg->pcd);
531
532 /* If it's still there and was processed, remove it. */
533 msg = get_deferred_open_message_smb(mid);
534 if (msg && msg->processed) {
535 remove_deferred_open_message_smb(mid);
536 }
537 }
538
539 /****************************************************************************
540 Function to push a message onto the tail of a linked list of smb messages ready
541 for processing.
542 ****************************************************************************/
543
544 static bool push_queued_message(struct smb_request *req,
545 struct timeval request_time,
546 struct timeval end_time,
547 char *private_data, size_t private_len)
548 {
549 int msg_len = smb_len(req->inbuf) + 4;
550 struct pending_message_list *msg;
551
552 msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
553
554 if(msg == NULL) {
555 DEBUG(0,("push_message: malloc fail (1)\n"));
556 return False;
557 }
558
559 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
560 if(msg->buf.data == NULL) {
561 DEBUG(0,("push_message: malloc fail (2)\n"));
562 TALLOC_FREE(msg);
563 return False;
564 }
565
566 msg->request_time = request_time;
567 msg->seqnum = req->seqnum;
568 msg->encrypted = req->encrypted;
569 msg->processed = false;
570 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
571
572 if (private_data) {
573 msg->private_data = data_blob_talloc(msg, private_data,
574 private_len);
575 if (msg->private_data.data == NULL) {
576 DEBUG(0,("push_message: malloc fail (3)\n"));
577 TALLOC_FREE(msg);
578 return False;
579 }
580 }
581
582 msg->te = event_add_timed(smbd_event_context(),
583 msg,
584 end_time,
585 smbd_deferred_open_timer,
586 msg);
587 if (!msg->te) {
588 DEBUG(0,("push_message: event_add_timed failed\n"));
589 TALLOC_FREE(msg);
590 return false;
591 }
592
593 DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
594
595 DEBUG(10,("push_message: pushed message length %u on "
596 "deferred_open_queue\n", (unsigned int)msg_len));
597
598 return True;
599 }
600
601 /****************************************************************************
602 Function to delete a sharing violation open message by mid.
603 ****************************************************************************/
604
605 void remove_deferred_open_message_smb(uint64_t mid)
606 {
607 struct pending_message_list *pml;
608
609 if (smbd_server_conn->allow_smb2) {
610 remove_deferred_open_message_smb2(mid);
611 return;
612 }
613
614 for (pml = deferred_open_queue; pml; pml = pml->next) {
615 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
616 DEBUG(10,("remove_deferred_open_message_smb: "
617 "deleting mid %llu len %u\n",
618 (unsigned long long)mid,
619 (unsigned int)pml->buf.length ));
620 DLIST_REMOVE(deferred_open_queue, pml);
621 TALLOC_FREE(pml);
622 return;
623 }
624 }
625 }
626
627 /****************************************************************************
628 Move a sharing violation open retry message to the front of the list and
629 schedule it for immediate processing.
630 ****************************************************************************/
631
632 void schedule_deferred_open_message_smb(uint64_t mid)
633 {
634 struct pending_message_list *pml;
635 int i = 0;
636
637 if (smbd_server_conn->allow_smb2) {
638 schedule_deferred_open_message_smb2(mid);
639 return;
640 }
641
642 for (pml = deferred_open_queue; pml; pml = pml->next) {
643 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
644
645 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
646 "msg_mid = %llu\n",
647 i++,
648 (unsigned long long)msg_mid ));
649
650 if (mid == msg_mid) {
651 struct timed_event *te;
652
653 if (pml->processed) {
654 /* A processed message should not be
655 * rescheduled. */
656 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
657 "message mid %llu was already processed\n",
658 (unsigned long long)msg_mid ));
659 continue;
660 }
661
662 DEBUG(10,("schedule_deferred_open_message_smb: "
663 "scheduling mid %llu\n",
664 (unsigned long long)mid ));
665
666 te = event_add_timed(smbd_event_context(),
667 pml,
668 timeval_zero(),
669 smbd_deferred_open_timer,
670 pml);
671 if (!te) {
672 DEBUG(10,("schedule_deferred_open_message_smb: "
673 "event_add_timed() failed, "
674 "skipping mid %llu\n",
675 (unsigned long long)msg_mid ));
676 }
677
678 TALLOC_FREE(pml->te);
679 pml->te = te;
680 DLIST_PROMOTE(deferred_open_queue, pml);
681 return;
682 }
683 }
684
685 DEBUG(10,("schedule_deferred_open_message_smb: failed to "
686 "find message mid %llu\n",
687 (unsigned long long)mid ));
688 }
689
690 /****************************************************************************
691 Return true if this mid is on the deferred queue and was not yet processed.
692 ****************************************************************************/
693
694 bool open_was_deferred(uint64_t mid)
695 {
696 struct pending_message_list *pml;
697
698 if (smbd_server_conn->allow_smb2) {
699 return open_was_deferred_smb2(mid);
700 }
701
702 for (pml = deferred_open_queue; pml; pml = pml->next) {
703 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
704 return True;
705 }
706 }
707 return False;
708 }
709
710 /****************************************************************************
711 Return the message queued by this mid.
712 ****************************************************************************/
713
714 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid)
715 {
716 struct pending_message_list *pml;
717
718 for (pml = deferred_open_queue; pml; pml = pml->next) {
719 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
720 return pml;
721 }
722 }
723 return NULL;
724 }
725
726 /****************************************************************************
727 Get the state data queued by this mid.
728 ****************************************************************************/
729
730 bool get_deferred_open_message_state(struct smb_request *smbreq,
731 struct timeval *p_request_time,
732 void **pp_state)
733 {
734 struct pending_message_list *pml;
735
736 if (smbd_server_conn->allow_smb2) {
737 return get_deferred_open_message_state_smb2(smbreq->smb2req,
738 p_request_time,
739 pp_state);
740 }
741
742 pml = get_deferred_open_message_smb(smbreq->mid);
743 if (!pml) {
744 return false;
745 }
746 if (p_request_time) {
747 *p_request_time = pml->request_time;
748 }
749 if (pp_state) {
750 *pp_state = (void *)pml->private_data.data;
751 }
752 return true;
753 }
754
755 /****************************************************************************
756 Function to push a deferred open smb message onto a linked list of local smb
757 messages ready for processing.
758 ****************************************************************************/
759
760 bool push_deferred_open_message_smb(struct smb_request *req,
761 struct timeval request_time,
762 struct timeval timeout,
763 struct file_id id,
764 char *private_data, size_t priv_len)
765 {
766 struct timeval end_time;
767
768 if (req->smb2req) {
769 return push_deferred_open_message_smb2(req->smb2req,
770 request_time,
771 timeout,
772 id,
773 private_data,
774 priv_len);
775 }
776
777 if (req->unread_bytes) {
778 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
779 "unread_bytes = %u\n",
780 (unsigned int)req->unread_bytes ));
781 smb_panic("push_deferred_open_message_smb: "
782 "logic error unread_bytes != 0" );
783 }
784
785 end_time = timeval_sum(&request_time, &timeout);
786
787 DEBUG(10,("push_deferred_open_message_smb: pushing message "
788 "len %u mid %llu timeout time [%u.%06u]\n",
789 (unsigned int) smb_len(req->inbuf)+4,
790 (unsigned long long)req->mid,
791 (unsigned int)end_time.tv_sec,
792 (unsigned int)end_time.tv_usec));
793
794 return push_queued_message(req, request_time, end_time,
795 private_data, priv_len);
796 }
797
798 struct idle_event {
799 struct timed_event *te;
800 struct timeval interval;
801 char *name;
802 bool (*handler)(const struct timeval *now, void *private_data);
803 void *private_data;
804 };
805
806 static void smbd_idle_event_handler(struct event_context *ctx,
807 struct timed_event *te,
808 struct timeval now,
809 void *private_data)
810 {
811 struct idle_event *event =
812 talloc_get_type_abort(private_data, struct idle_event);
813
814 TALLOC_FREE(event->te);
815
816 DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
817 event->name, event->te));
818
819 if (!event->handler(&now, event->private_data)) {
820 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
821 event->name, event->te));
822 /* Don't repeat, delete ourselves */
823 TALLOC_FREE(event);
824 return;
825 }
826
827 DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
828 event->name, event->te));
829
830 event->te = event_add_timed(ctx, event,
831 timeval_sum(&now, &event->interval),
832 smbd_idle_event_handler, event);
833
834 /* We can't do much but fail here. */
835 SMB_ASSERT(event->te != NULL);
836 }
837
838 struct idle_event *event_add_idle(struct event_context *event_ctx,
839 TALLOC_CTX *mem_ctx,
840 struct timeval interval,
841 const char *name,
842 bool (*handler)(const struct timeval *now,
843 void *private_data),
844 void *private_data)
845 {
846 struct idle_event *result;
847 struct timeval now = timeval_current();
848
849 result = TALLOC_P(mem_ctx, struct idle_event);
850 if (result == NULL) {
851 DEBUG(0, ("talloc failed\n"));
852 return NULL;
853 }
854
855 result->interval = interval;
856 result->handler = handler;
857 result->private_data = private_data;
858
859 if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
860 DEBUG(0, ("talloc failed\n"));
861 TALLOC_FREE(result);
862 return NULL;
863 }
864
865 result->te = event_add_timed(event_ctx, result,
866 timeval_sum(&now, &interval),
867 smbd_idle_event_handler, result);
868 if (result->te == NULL) {
869 DEBUG(0, ("event_add_timed failed\n"));
870 TALLOC_FREE(result);
871 return NULL;
872 }
873
874 DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
875 return result;
876 }
877
878 static void smbd_sig_term_handler(struct tevent_context *ev,
879 struct tevent_signal *se,
880 int signum,
881 int count,
882 void *siginfo,
883 void *private_data)
884 {
885 exit_server_cleanly("termination signal");
886 }
887
888 void smbd_setup_sig_term_handler(void)
889 {
890 struct tevent_signal *se;
891
892 se = tevent_add_signal(smbd_event_context(),
893 smbd_event_context(),
894 SIGTERM, 0,
895 smbd_sig_term_handler,
896 NULL);
897 if (!se) {
898 exit_server("failed to setup SIGTERM handler");
899 }
900 }
901
902 static void smbd_sig_hup_handler(struct tevent_context *ev,
903 struct tevent_signal *se,
904 int signum,
905 int count,
906 void *siginfo,
907 void *private_data)
908 {
909 change_to_root_user();
910 DEBUG(1,("Reloading services after SIGHUP\n"));
911 reload_services(False);
912 }
913
914 void smbd_setup_sig_hup_handler(void)
915 {
916 struct tevent_signal *se;
917
918 se = tevent_add_signal(smbd_event_context(),
919 smbd_event_context(),
920 SIGHUP, 0,
921 smbd_sig_hup_handler,
922 NULL);
923 if (!se) {
924 exit_server("failed to setup SIGHUP handler");
925 }
926 }
927
928 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
929 {
930 fd_set r_fds, w_fds;
931 int selrtn;
932 struct timeval to;
933 int maxfd = 0;
934
935 to.tv_sec = SMBD_SELECT_TIMEOUT;
936 to.tv_usec = 0;
937
938 /*
939 * Setup the select fd sets.
940 */
941
942 FD_ZERO(&r_fds);
943 FD_ZERO(&w_fds);
944
945 /*
946 * Are there any timed events waiting ? If so, ensure we don't
947 * select for longer than it would take to wait for them.
948 */
949
950 {
951 struct timeval now;
952 GetTimeOfDay(&now);
953
954 event_add_to_select_args(smbd_event_context(), &now,
955 &r_fds, &w_fds, &to, &maxfd);
956 }
957
958 /* Process a signal and timed events now... */
959 if (run_events(smbd_event_context(), 0, NULL, NULL)) {
960 return NT_STATUS_RETRY;
961 }
962
963 {
964 int sav;
965 START_PROFILE(smbd_idle);
966
967 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
968 sav = errno;
969
970 END_PROFILE(smbd_idle);
971 errno = sav;
972 }
973
974 if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
975 return NT_STATUS_RETRY;
976 }
977
978 /* Check if error */
979 if (selrtn == -1) {
980 /* something is wrong. Maybe the socket is dead? */
981 return map_nt_error_from_unix(errno);
982 }
983
984 /* Did we timeout ? */
985 if (selrtn == 0) {
986 return NT_STATUS_RETRY;
987 }
988
989 /* should not be reached */
990 return NT_STATUS_INTERNAL_ERROR;
991 }
992
993 /*
994 * Only allow 5 outstanding trans requests. We're allocating memory, so
995 * prevent a DoS.
996 */
997
998 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
999 {
1000 int count = 0;
1001 for (; list != NULL; list = list->next) {
1002
1003 if (list->mid == mid) {
1004 return NT_STATUS_INVALID_PARAMETER;
1005 }
1006
1007 count += 1;
1008 }
1009 if (count > 5) {
1010 return NT_STATUS_INSUFFICIENT_RESOURCES;
1011 }
1012
1013 return NT_STATUS_OK;
1014 }
1015
1016 /*
1017 These flags determine some of the permissions required to do an operation
1018
1019 Note that I don't set NEED_WRITE on some write operations because they
1020 are used by some brain-dead clients when printing, and I don't want to
1021 force write permissions on print services.
1022 */
1023 #define AS_USER (1<<0)
1024 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1025 #define TIME_INIT (1<<2)
1026 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1027 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1028 #define DO_CHDIR (1<<6)
1029
1030 /*
1031 define a list of possible SMB messages and their corresponding
1032 functions. Any message that has a NULL function is unimplemented -
1033 please feel free to contribute implementations!
1034 */
1035 static const struct smb_message_struct {
1036 const char *name;
1037 void (*fn)(struct smb_request *req);
1038 int flags;
1039 } smb_messages[256] = {
1040
1041 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1042 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1043 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1044 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1045 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1046 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1047 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1048 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1049 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1050 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1051 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1052 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1053 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1054 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1055 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1056 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1057 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1058 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1059 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1060 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1061 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1062 /* 0x15 */ { NULL, NULL, 0 },
1063 /* 0x16 */ { NULL, NULL, 0 },
1064 /* 0x17 */ { NULL, NULL, 0 },
1065 /* 0x18 */ { NULL, NULL, 0 },
1066 /* 0x19 */ { NULL, NULL, 0 },
1067 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1068 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1069 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1070 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1071 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1072 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1073 /* 0x20 */ { "SMBwritec", NULL,0},
1074 /* 0x21 */ { NULL, NULL, 0 },
1075 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1076 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1077 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1078 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1079 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1080 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1081 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1082 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1083 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1084 /* 0x2b */ { "SMBecho",reply_echo,0},
1085 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1086 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1087 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1088 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1089 /* 0x30 */ { NULL, NULL, 0 },
1090 /* 0x31 */ { NULL, NULL, 0 },
1091 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1092 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1093 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1094 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1095 /* 0x36 */ { NULL, NULL, 0 },
1096 /* 0x37 */ { NULL, NULL, 0 },
1097 /* 0x38 */ { NULL, NULL, 0 },
1098 /* 0x39 */ { NULL, NULL, 0 },
1099 /* 0x3a */ { NULL, NULL, 0 },
1100 /* 0x3b */ { NULL, NULL, 0 },
1101 /* 0x3c */ { NULL, NULL, 0 },
1102 /* 0x3d */ { NULL, NULL, 0 },
1103 /* 0x3e */ { NULL, NULL, 0 },
1104 /* 0x3f */ { NULL, NULL, 0 },
1105 /* 0x40 */ { NULL, NULL, 0 },
1106 /* 0x41 */ { NULL, NULL, 0 },
1107 /* 0x42 */ { NULL, NULL, 0 },
1108 /* 0x43 */ { NULL, NULL, 0 },
1109 /* 0x44 */ { NULL, NULL, 0 },
1110 /* 0x45 */ { NULL, NULL, 0 },
1111 /* 0x46 */ { NULL, NULL, 0 },
1112 /* 0x47 */ { NULL, NULL, 0 },
1113 /* 0x48 */ { NULL, NULL, 0 },
1114 /* 0x49 */ { NULL, NULL, 0 },
1115 /* 0x4a */ { NULL, NULL, 0 },
1116 /* 0x4b */ { NULL, NULL, 0 },
1117 /* 0x4c */ { NULL, NULL, 0 },
1118 /* 0x4d */ { NULL, NULL, 0 },
1119 /* 0x4e */ { NULL, NULL, 0 },
1120 /* 0x4f */ { NULL, NULL, 0 },
1121 /* 0x50 */ { NULL, NULL, 0 },
1122 /* 0x51 */ { NULL, NULL, 0 },
1123 /* 0x52 */ { NULL, NULL, 0 },
1124 /* 0x53 */ { NULL, NULL, 0 },
1125 /* 0x54 */ { NULL, NULL, 0 },
1126 /* 0x55 */ { NULL, NULL, 0 },
1127 /* 0x56 */ { NULL, NULL, 0 },
1128 /* 0x57 */ { NULL, NULL, 0 },
1129 /* 0x58 */ { NULL, NULL, 0 },
1130 /* 0x59 */ { NULL, NULL, 0 },
1131 /* 0x5a */ { NULL, NULL, 0 },
1132 /* 0x5b */ { NULL, NULL, 0 },
1133 /* 0x5c */ { NULL, NULL, 0 },
1134 /* 0x5d */ { NULL, NULL, 0 },
1135 /* 0x5e */ { NULL, NULL, 0 },
1136 /* 0x5f */ { NULL, NULL, 0 },
1137 /* 0x60 */ { NULL, NULL, 0 },
1138 /* 0x61 */ { NULL, NULL, 0 },
1139 /* 0x62 */ { NULL, NULL, 0 },
1140 /* 0x63 */ { NULL, NULL, 0 },
1141 /* 0x64 */ { NULL, NULL, 0 },
1142 /* 0x65 */ { NULL, NULL, 0 },
1143 /* 0x66 */ { NULL, NULL, 0 },
1144 /* 0x67 */ { NULL, NULL, 0 },
1145 /* 0x68 */ { NULL, NULL, 0 },
1146 /* 0x69 */ { NULL, NULL, 0 },
1147 /* 0x6a */ { NULL, NULL, 0 },
1148 /* 0x6b */ { NULL, NULL, 0 },
1149 /* 0x6c */ { NULL, NULL, 0 },
1150 /* 0x6d */ { NULL, NULL, 0 },
1151 /* 0x6e */ { NULL, NULL, 0 },
1152 /* 0x6f */ { NULL, NULL, 0 },
1153 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1154 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1155 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1156 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1157 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1158 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1159 /* 0x76 */ { NULL, NULL, 0 },
1160 /* 0x77 */ { NULL, NULL, 0 },
1161 /* 0x78 */ { NULL, NULL, 0 },
1162 /* 0x79 */ { NULL, NULL, 0 },
1163 /* 0x7a */ { NULL, NULL, 0 },
1164 /* 0x7b */ { NULL, NULL, 0 },
1165 /* 0x7c */ { NULL, NULL, 0 },
1166 /* 0x7d */ { NULL, NULL, 0 },
1167 /* 0x7e */ { NULL, NULL, 0 },
1168 /* 0x7f */ { NULL, NULL, 0 },
1169 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1170 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1171 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1172 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1173 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1174 /* 0x85 */ { NULL, NULL, 0 },
1175 /* 0x86 */ { NULL, NULL, 0 },
1176 /* 0x87 */ { NULL, NULL, 0 },
1177 /* 0x88 */ { NULL, NULL, 0 },
1178 /* 0x89 */ { NULL, NULL, 0 },
1179 /* 0x8a */ { NULL, NULL, 0 },
1180 /* 0x8b */ { NULL, NULL, 0 },
1181 /* 0x8c */ { NULL, NULL, 0 },
1182 /* 0x8d */ { NULL, NULL, 0 },
1183 /* 0x8e */ { NULL, NULL, 0 },
1184 /* 0x8f */ { NULL, NULL, 0 },
1185 /* 0x90 */ { NULL, NULL, 0 },
1186 /* 0x91 */ { NULL, NULL, 0 },
1187 /* 0x92 */ { NULL, NULL, 0 },
1188 /* 0x93 */ { NULL, NULL, 0 },
1189 /* 0x94 */ { NULL, NULL, 0 },
1190 /* 0x95 */ { NULL, NULL, 0 },
1191 /* 0x96 */ { NULL, NULL, 0 },
1192 /* 0x97 */ { NULL, NULL, 0 },
1193 /* 0x98 */ { NULL, NULL, 0 },
1194 /* 0x99 */ { NULL, NULL, 0 },
1195 /* 0x9a */ { NULL, NULL, 0 },
1196 /* 0x9b */ { NULL, NULL, 0 },
1197 /* 0x9c */ { NULL, NULL, 0 },
1198 /* 0x9d */ { NULL, NULL, 0 },
1199 /* 0x9e */ { NULL, NULL, 0 },
1200 /* 0x9f */ { NULL, NULL, 0 },
1201 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1202 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1203 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1204 /* 0xa3 */ { NULL, NULL, 0 },
1205 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1206 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1207 /* 0xa6 */ { NULL, NULL, 0 },
1208 /* 0xa7 */ { NULL, NULL, 0 },
1209 /* 0xa8 */ { NULL, NULL, 0 },
1210 /* 0xa9 */ { NULL, NULL, 0 },
1211 /* 0xaa */ { NULL, NULL, 0 },
1212 /* 0xab */ { NULL, NULL, 0 },
1213 /* 0xac */ { NULL, NULL, 0 },
1214 /* 0xad */ { NULL, NULL, 0 },
1215 /* 0xae */ { NULL, NULL, 0 },
1216 /* 0xaf */ { NULL, NULL, 0 },
1217 /* 0xb0 */ { NULL, NULL, 0 },
1218 /* 0xb1 */ { NULL, NULL, 0 },
1219 /* 0xb2 */ { NULL, NULL, 0 },
1220 /* 0xb3 */ { NULL, NULL, 0 },
1221 /* 0xb4 */ { NULL, NULL, 0 },
1222 /* 0xb5 */ { NULL, NULL, 0 },
1223 /* 0xb6 */ { NULL, NULL, 0 },
1224 /* 0xb7 */ { NULL, NULL, 0 },
1225 /* 0xb8 */ { NULL, NULL, 0 },
1226 /* 0xb9 */ { NULL, NULL, 0 },
1227 /* 0xba */ { NULL, NULL, 0 },
1228 /* 0xbb */ { NULL, NULL, 0 },
1229 /* 0xbc */ { NULL, NULL, 0 },
1230 /* 0xbd */ { NULL, NULL, 0 },
1231 /* 0xbe */ { NULL, NULL, 0 },
1232 /* 0xbf */ { NULL, NULL, 0 },
1233 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1234 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1235 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1236 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1237 /* 0xc4 */ { NULL, NULL, 0 },
1238 /* 0xc5 */ { NULL, NULL, 0 },
1239 /* 0xc6 */ { NULL, NULL, 0 },
1240 /* 0xc7 */ { NULL, NULL, 0 },
1241 /* 0xc8 */ { NULL, NULL, 0 },
1242 /* 0xc9 */ { NULL, NULL, 0 },
1243 /* 0xca */ { NULL, NULL, 0 },
1244 /* 0xcb */ { NULL, NULL, 0 },
1245 /* 0xcc */ { NULL, NULL, 0 },
1246 /* 0xcd */ { NULL, NULL, 0 },
1247 /* 0xce */ { NULL, NULL, 0 },
1248 /* 0xcf */ { NULL, NULL, 0 },
1249 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1250 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1251 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1252 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1253 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1254 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1255 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1256 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1257 /* 0xd8 */ { NULL, NULL, 0 },
1258 /* 0xd9 */ { NULL, NULL, 0 },
1259 /* 0xda */ { NULL, NULL, 0 },
1260 /* 0xdb */ { NULL, NULL, 0 },
1261 /* 0xdc */ { NULL, NULL, 0 },
1262 /* 0xdd */ { NULL, NULL, 0 },
1263 /* 0xde */ { NULL, NULL, 0 },
1264 /* 0xdf */ { NULL, NULL, 0 },
1265 /* 0xe0 */ { NULL, NULL, 0 },
1266 /* 0xe1 */ { NULL, NULL, 0 },
1267 /* 0xe2 */ { NULL, NULL, 0 },
1268 /* 0xe3 */ { NULL, NULL, 0 },
1269 /* 0xe4 */ { NULL, NULL, 0 },
1270 /* 0xe5 */ { NULL, NULL, 0 },
1271 /* 0xe6 */ { NULL, NULL, 0 },
1272 /* 0xe7 */ { NULL, NULL, 0 },
1273 /* 0xe8 */ { NULL, NULL, 0 },
1274 /* 0xe9 */ { NULL, NULL, 0 },
1275 /* 0xea */ { NULL, NULL, 0 },
1276 /* 0xeb */ { NULL, NULL, 0 },
1277 /* 0xec */ { NULL, NULL, 0 },
1278 /* 0xed */ { NULL, NULL, 0 },
1279 /* 0xee */ { NULL, NULL, 0 },
1280 /* 0xef */ { NULL, NULL, 0 },
1281 /* 0xf0 */ { NULL, NULL, 0 },
1282 /* 0xf1 */ { NULL, NULL, 0 },
1283 /* 0xf2 */ { NULL, NULL, 0 },
1284 /* 0xf3 */ { NULL, NULL, 0 },
1285 /* 0xf4 */ { NULL, NULL, 0 },
1286 /* 0xf5 */ { NULL, NULL, 0 },
1287 /* 0xf6 */ { NULL, NULL, 0 },
1288 /* 0xf7 */ { NULL, NULL, 0 },
1289 /* 0xf8 */ { NULL, NULL, 0 },
1290 /* 0xf9 */ { NULL, NULL, 0 },
1291 /* 0xfa */ { NULL, NULL, 0 },
1292 /* 0xfb */ { NULL, NULL, 0 },
1293 /* 0xfc */ { NULL, NULL, 0 },
1294 /* 0xfd */ { NULL, NULL, 0 },
1295 /* 0xfe */ { NULL, NULL, 0 },
1296 /* 0xff */ { NULL, NULL, 0 }
1297
1298 };
1299
1300 /*******************************************************************
1301 allocate and initialize a reply packet
1302 ********************************************************************/
1303
1304 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1305 const char *inbuf, char **outbuf, uint8_t num_words,
1306 uint32_t num_bytes)
1307 {
1308 /*
1309 * Protect against integer wrap
1310 */
1311 if ((num_bytes > 0xffffff)
1312 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1313 char *msg;
1314 if (asprintf(&msg, "num_bytes too large: %u",
1315 (unsigned)num_bytes) == -1) {
1316 msg = CONST_DISCARD(char *, "num_bytes too large");
1317 }
1318 smb_panic(msg);
1319 }
1320
1321 *outbuf = TALLOC_ARRAY(mem_ctx, char,
1322 smb_size + num_words*2 + num_bytes);
1323 if (*outbuf == NULL) {
1324 return false;
1325 }
1326
1327 construct_reply_common(req, inbuf, *outbuf);
1328 srv_set_message(*outbuf, num_words, num_bytes, false);
1329 /*
1330 * Zero out the word area, the caller has to take care of the bcc area
1331 * himself
1332 */
1333 if (num_words != 0) {
1334 memset(*outbuf + smb_vwv0, 0, num_words*2);
1335 }
1336
1337 return true;
1338 }
1339
1340 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1341 {
1342 char *outbuf;
1343 if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1344 num_bytes)) {
1345 smb_panic("could not allocate output buffer\n");
1346 }
1347 req->outbuf = (uint8_t *)outbuf;
1348 }
1349
1350
1351 /*******************************************************************
1352 Dump a packet to a file.
1353 ********************************************************************/
1354
1355 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1356 {
1357 int fd, i;
1358 char *fname = NULL;
1359 if (DEBUGLEVEL < 50) {
1360 return;
1361 }
1362
1363 if (len < 4) len = smb_len(data)+4;
1364 for (i=1;i<100;i++) {
1365 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1366 type ? "req" : "resp") == -1) {
1367 return;
1368 }
1369 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1370 if (fd != -1 || errno != EEXIST) break;
1371 }
1372 if (fd != -1) {
1373 ssize_t ret = write(fd, data, len);
1374 if (ret != len)
1375 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1376 close(fd);
1377 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1378 }
1379 SAFE_FREE(fname);
1380 }
1381
1382 /****************************************************************************
1383 Prepare everything for calling the actual request function, and potentially
1384 call the request function via the "new" interface.
1385
1386 Return False if the "legacy" function needs to be called, everything is
1387 prepared.
1388
1389 Return True if we're done.
1390
1391 I know this API sucks, but it is the one with the least code change I could
1392 find.
1393 ****************************************************************************/
1394
1395 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1396 {
1397 int flags;
1398 uint16 session_tag;
1399 connection_struct *conn = NULL;
1400 struct smbd_server_connection *sconn = smbd_server_conn;
1401
1402 errno = 0;
1403
1404 /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1405 * so subtract 4 from it. */
1406 if (!valid_smb_header(req->inbuf)
1407 || (size < (smb_size - 4))) {
1408 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1409 smb_len(req->inbuf)));
1410 exit_server_cleanly("Non-SMB packet");
1411 }
1412
1413 if (smb_messages[type].fn == NULL) {
1414 DEBUG(0,("Unknown message type %d!\n",type));
1415 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1416 reply_unknown_new(req, type);
1417 return NULL;
1418 }
1419
1420 flags = smb_messages[type].flags;
1421
1422 /* In share mode security we must ignore the vuid. */
1423 session_tag = (lp_security() == SEC_SHARE)
1424 ? UID_FIELD_INVALID : req->vuid;
1425 conn = req->conn;
1426
1427 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1428 (int)sys_getpid(), (unsigned long)conn));
1429
1430 smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1431
1432 /* Ensure this value is replaced in the incoming packet. */
1433 SSVAL(req->inbuf,smb_uid,session_tag);
1434
1435 /*
1436 * Ensure the correct username is in current_user_info. This is a
1437 * really ugly bugfix for problems with multiple session_setup_and_X's
1438 * being done and allowing %U and %G substitutions to work correctly.
1439 * There is a reason this code is done here, don't move it unless you
1440 * know what you're doing... :-).
1441 * JRA.
1442 */
1443
1444 if (session_tag != sconn->smb1.sessions.last_session_tag) {
1445 user_struct *vuser = NULL;
1446
1447 sconn->smb1.sessions.last_session_tag = session_tag;
1448 if(session_tag != UID_FIELD_INVALID) {
1449 vuser = get_valid_user_struct(sconn, session_tag);
1450 if (vuser) {
1451 set_current_user_info(
1452 vuser->server_info->sanitized_username,
1453 vuser->server_info->unix_name,
1454 vuser->server_info->info3->base.domain.string);
1455 }
1456 }
1457 }
1458
1459 /* Does this call need to be run as the connected user? */
1460 if (flags & AS_USER) {
1461
1462 /* Does this call need a valid tree connection? */
1463 if (!conn) {
1464 /*
1465 * Amazingly, the error code depends on the command
1466 * (from Samba4).
1467 */
1468 if (type == SMBntcreateX) {
1469 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1470 } else {
1471 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1472 }
1473 return NULL;
1474 }
1475
1476 if (!change_to_user(conn,session_tag)) {
1477 DEBUG(0, ("Error: Could not change to user. Removing "
1478 "deferred open, mid=%llu.\n",
1479 (unsigned long long)req->mid));
1480 reply_force_doserror(req, ERRSRV, ERRbaduid);
1481 return conn;
1482 }
1483
1484 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1485
1486 /* Does it need write permission? */
1487 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1488 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1489 return conn;
1490 }
1491
1492 /* IPC services are limited */
1493 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1494 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1495 return conn;
1496 }
1497 } else {
1498 /* This call needs to be run as root */
1499 change_to_root_user();
1500 }
1501
1502 /* load service specific parameters */
1503 if (conn) {
1504 if (req->encrypted) {
1505 conn->encrypted_tid = true;
1506 /* encrypted required from now on. */
1507 conn->encrypt_level = Required;
1508 } else if (ENCRYPTION_REQUIRED(conn)) {
1509 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1510 exit_server_cleanly("encryption required "
1511 "on connection");
1512 return conn;
1513 }
1514 }
1515
1516 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1517 (flags & (AS_USER|DO_CHDIR)
1518 ?True:False))) {
1519 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1520 return conn;
1521 }
1522 conn->num_smb_operations++;
1523 }
1524
1525 /* does this protocol need to be run as guest? */
1526 if ((flags & AS_GUEST)
1527 && (!change_to_guest() ||
1528 !check_access(smbd_server_fd(), lp_hostsallow(-1),
1529 lp_hostsdeny(-1)))) {
1530 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1531 return conn;
1532 }
1533
1534 smb_messages[type].fn(req);
1535 return req->conn;
1536 }
1537
1538 /****************************************************************************
1539 Construct a reply to the incoming packet.
1540 ****************************************************************************/
1541
1542 static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1543 uint32_t seqnum, bool encrypted,
1544 struct smb_perfcount_data *deferred_pcd)
1545 {
1546 connection_struct *conn;
1547 struct smb_request *req;
1548
1549 if (!(req = talloc(talloc_tos(), struct smb_request))) {
1550 smb_panic("could not allocate smb_request");
1551 }
1552
1553 if (!init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted,
1554 seqnum)) {
1555 exit_server_cleanly("Invalid SMB request");
1556 }
1557
1558 req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1559
1560 /* we popped this message off the queue - keep original perf data */
1561 if (deferred_pcd)
1562 req->pcd = *deferred_pcd;
1563 else {
1564 SMB_PERFCOUNT_START(&req->pcd);
1565 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1566 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1567 }
1568
1569 conn = switch_message(req->cmd, req, size);
1570
1571 if (req->unread_bytes) {
1572 /* writeX failed. drain socket. */
1573 if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1574 req->unread_bytes) {
1575 smb_panic("failed to drain pending bytes");
1576 }
1577 req->unread_bytes = 0;
1578 }
1579
1580 if (req->done) {
1581 TALLOC_FREE(req);
1582 return;
1583 }
1584
1585 if (req->outbuf == NULL) {
1586 return;
1587 }
1588
1589 if (CVAL(req->outbuf,0) == 0) {
1590 show_msg((char *)req->outbuf);
1591 }
1592
1593 if (!srv_send_smb(smbd_server_fd(),
1594 (char *)req->outbuf,
1595 true, req->seqnum+1,
1596 IS_CONN_ENCRYPTED(conn)||req->encrypted,
1597 &req->pcd)) {
1598 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1599 }
1600
1601 TALLOC_FREE(req);
1602
1603 return;
1604 }
1605
1606 /****************************************************************************
1607 Process an smb from the client
1608 ****************************************************************************/
1609 static void process_smb(struct smbd_server_connection *conn,
1610 uint8_t *inbuf, size_t nread, size_t unread_bytes,
1611 uint32_t seqnum, bool encrypted,
1612 struct smb_perfcount_data *deferred_pcd)
1613 {
1614 int msg_type = CVAL(inbuf,0);
1615
1616 DO_PROFILE_INC(smb_count);
1617
1618 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1619 smb_len(inbuf) ) );
1620 DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1621 (int)nread,
1622 (unsigned int)unread_bytes ));
1623
1624 if (msg_type != 0) {
1625 /*
1626 * NetBIOS session request, keepalive, etc.
1627 */
1628 reply_special((char *)inbuf);
1629 goto done;
1630 }
1631
1632 if (smbd_server_conn->allow_smb2) {
1633 if (smbd_is_smb2_header(inbuf, nread)) {
1634 smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1635 return;
1636 } else if (nread >= smb_size && valid_smb_header(inbuf)
1637 && CVAL(inbuf, smb_com) != 0x72) {
1638 /* This is a non-negprot SMB1 packet.
1639 Disable SMB2 from now on. */
1640 smbd_server_conn->allow_smb2 = false;
1641 }
1642 }
1643
1644 show_msg((char *)inbuf);
1645
1646 construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1647 trans_num++;
1648
1649 done:
1650 conn->smb1.num_requests++;
1651
1652 /* The timeout_processing function isn't run nearly
1653 often enough to implement 'max log size' without
1654 overrunning the size of the file by many megabytes.
1655 This is especially true if we are running at debug
1656 level 10. Checking every 50 SMBs is a nice
1657 tradeoff of performance vs log file size overrun. */
1658
1659 if ((conn->smb1.num_requests % 50) == 0 &&
1660 need_to_check_log_size()) {
1661 change_to_root_user();
1662 check_log_size();
1663 }
1664 }
1665
1666 /****************************************************************************
1667 Return a string containing the function name of a SMB command.
1668 ****************************************************************************/
1669
1670 const char *smb_fn_name(int type)
1671 {
1672 const char *unknown_name = "SMBunknown";
1673
1674 if (smb_messages[type].name == NULL)
1675 return(unknown_name);
1676
1677 return(smb_messages[type].name);
1678 }
1679
1680 /****************************************************************************
1681 Helper functions for contruct_reply.
1682 ****************************************************************************/
1683
1684 void add_to_common_flags2(uint32 v)
1685 {
1686 common_flags2 |= v;
1687 }
1688
1689 void remove_from_common_flags2(uint32 v)
1690 {
1691 common_flags2 &= ~v;
1692 }
1693
1694 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1695 char *outbuf)
1696 {
1697 srv_set_message(outbuf,0,0,false);
1698
1699 SCVAL(outbuf, smb_com, req->cmd);
1700 SIVAL(outbuf,smb_rcls,0);
1701 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1702 SSVAL(outbuf,smb_flg2,
1703 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1704 common_flags2);
1705 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1706
1707 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1708 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1709 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1710 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1711 }
1712
1713 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1714 {
1715 construct_reply_common(req, (char *)req->inbuf, outbuf);
1716 }
1717
1718 /*
1719 * How many bytes have we already accumulated up to the current wct field
1720 * offset?
1721 */
1722
1723 size_t req_wct_ofs(struct smb_request *req)
1724 {
1725 size_t buf_size;
1726
1727 if (req->chain_outbuf == NULL) {
1728 return smb_wct - 4;
1729 }
1730 buf_size = talloc_get_size(req->chain_outbuf);
1731 if ((buf_size % 4) != 0) {
1732 buf_size += (4 - (buf_size % 4));
1733 }
1734 return buf_size - 4;
1735 }
1736
1737 /*
1738 * Hack around reply_nterror & friends not being aware of chained requests,
1739 * generating illegal (i.e. wct==0) chain replies.
1740 */
1741
1742 static void fixup_chain_error_packet(struct smb_request *req)
1743 {
1744 uint8_t *outbuf = req->outbuf;
1745 req->outbuf = NULL;
1746 reply_outbuf(req, 2, 0);
1747 memcpy(req->outbuf, outbuf, smb_wct);
1748 TALLOC_FREE(outbuf);
1749 SCVAL(req->outbuf, smb_vwv0, 0xff);
1750 }
1751
1752 /**
1753 * @brief Find the smb_cmd offset of the last command pushed
1754 * @param[in] buf The buffer we're building up
1755 * @retval Where can we put our next andx cmd?
1756 *
1757 * While chaining requests, the "next" request we're looking at needs to put
1758 * its SMB_Command before the data the previous request already built up added
1759 * to the chain. Find the offset to the place where we have to put our cmd.
1760 */
1761
1762 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1763 {
1764 uint8_t cmd;
1765 size_t ofs;
1766
1767 cmd = CVAL(buf, smb_com);
1768
1769 SMB_ASSERT(is_andx_req(cmd));
1770
1771 ofs = smb_vwv0;
1772
1773 while (CVAL(buf, ofs) != 0xff) {
1774
1775 if (!is_andx_req(CVAL(buf, ofs))) {
1776 return false;
1777 }
1778
1779 /*
1780 * ofs is from start of smb header, so add the 4 length
1781 * bytes. The next cmd is right after the wct field.
1782 */
1783 ofs = SVAL(buf, ofs+2) + 4 + 1;
1784
1785 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1786 }
1787
1788 *pofs = ofs;
1789 return true;
1790 }
1791
1792 /**
1793 * @brief Do the smb chaining at a buffer level
1794 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1795 * @param[in] smb_command The command that we want to issue
1796 * @param[in] wct How many words?
1797 * @param[in] vwv The words, already in network order
1798 * @param[in] bytes_alignment How shall we align "bytes"?
1799 * @param[in] num_bytes How many bytes?
1800 * @param[in] bytes The data the request ships
1801 *
1802 * smb_splice_chain() adds the vwv and bytes to the request already present in
1803 * *poutbuf.
1804 */
1805
1806 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1807 uint8_t wct, const uint16_t *vwv,
1808 size_t bytes_alignment,
1809 uint32_t num_bytes, const uint8_t *bytes)
1810 {
1811 uint8_t *outbuf;
1812 size_t old_size, new_size;
1813 size_t ofs;
1814 size_t chain_padding = 0;
1815 size_t bytes_padding = 0;
1816 bool first_request;
1817
1818 old_size = talloc_get_size(*poutbuf);
1819
1820 /*
1821 * old_size == smb_wct means we're pushing the first request in for
1822 * libsmb/
1823 */
1824
1825 first_request = (old_size == smb_wct);
1826
1827 if (!first_request && ((old_size % 4) != 0)) {
1828 /*
1829 * Align the wct field of subsequent requests to a 4-byte
1830 * boundary
1831 */
1832 chain_padding = 4 - (old_size % 4);
1833 }
1834
1835 /*
1836 * After the old request comes the new wct field (1 byte), the vwv's
1837 * and the num_bytes field. After at we might need to align the bytes
1838 * given to us to "bytes_alignment", increasing the num_bytes value.
1839 */
1840
1841 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1842
1843 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1844 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1845 }
1846
1847 new_size += bytes_padding + num_bytes;
1848
1849 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1850 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1851 (unsigned)new_size));
1852 return false;
1853 }
1854
1855 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1856 if (outbuf == NULL) {
1857 DEBUG(0, ("talloc failed\n"));
1858 return false;
1859 }
1860 *poutbuf = outbuf;
1861
1862 if (first_request) {
1863 SCVAL(outbuf, smb_com, smb_command);
1864 } else {
1865 size_t andx_cmd_ofs;
1866
1867 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1868 DEBUG(1, ("invalid command chain\n"));
1869 *poutbuf = TALLOC_REALLOC_ARRAY(
1870 NULL, *poutbuf, uint8_t, old_size);
1871 return false;
1872 }
1873
1874 if (chain_padding != 0) {
1875 memset(outbuf + old_size, 0, chain_padding);
1876 old_size += chain_padding;
1877 }
1878
1879 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1880 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1881 }
1882
1883 ofs = old_size;
1884
1885 /*
1886 * Push the chained request:
1887 *
1888 * wct field
1889 */
1890
1891 SCVAL(outbuf, ofs, wct);
1892 ofs += 1;
1893
1894 /*
1895 * vwv array
1896 */
1897
1898 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1899 ofs += sizeof(uint16_t) * wct;
1900
1901 /*
1902 * bcc (byte count)
1903 */
1904
1905 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1906 ofs += sizeof(uint16_t);
1907
1908 /*
1909 * padding
1910 */
1911
1912 if (bytes_padding != 0) {
1913 memset(outbuf + ofs, 0, bytes_padding);
1914 ofs += bytes_padding;
1915 }
1916
1917 /*
1918 * The bytes field
1919 */
1920
1921 memcpy(outbuf + ofs, bytes, num_bytes);
1922
1923 return true;
1924 }
1925
1926 /****************************************************************************
1927 Construct a chained reply and add it to the already made reply
1928 ****************************************************************************/
1929
1930 void chain_reply(struct smb_request *req)
1931 {
1932 size_t smblen = smb_len(req->inbuf);
1933 size_t already_used, length_needed;
1934 uint8_t chain_cmd;
1935 uint32_t chain_offset; /* uint32_t to avoid overflow */
1936
1937 uint8_t wct;
1938 uint16_t *vwv;
1939 uint16_t buflen;
1940 uint8_t *buf;
1941
1942 if (IVAL(req->outbuf, smb_rcls) != 0) {
1943 fixup_chain_error_packet(req);
1944 }
1945
1946 /*
1947 * Any of the AndX requests and replies have at least a wct of
1948 * 2. vwv[0] is the next command, vwv[1] is the offset from the
1949 * beginning of the SMB header to the next wct field.
1950 *
1951 * None of the AndX requests put anything valuable in vwv[0] and [1],
1952 * so we can overwrite it here to form the chain.
1953 */
1954
1955 if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1956 if (req->chain_outbuf == NULL) {
1957 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1958 req, req->outbuf, uint8_t,
1959 smb_len(req->outbuf) + 4);
1960 if (req->chain_outbuf == NULL) {
1961 smb_panic("talloc failed");
1962 }
1963 }
1964 req->outbuf = NULL;
1965 goto error;
1966 }
1967
1968 /*
1969 * Here we assume that this is the end of the chain. For that we need
1970 * to set "next command" to 0xff and the offset to 0. If we later find
1971 * more commands in the chain, this will be overwritten again.
1972 */
1973
1974 SCVAL(req->outbuf, smb_vwv0, 0xff);
1975 SCVAL(req->outbuf, smb_vwv0+1, 0);
1976 SSVAL(req->outbuf, smb_vwv1, 0);
1977
1978 if (req->chain_outbuf == NULL) {
1979 /*
1980 * In req->chain_outbuf we collect all the replies. Start the
1981 * chain by copying in the first reply.
1982 *
1983 * We do the realloc because later on we depend on
1984 * talloc_get_size to determine the length of
1985 * chain_outbuf. The reply_xxx routines might have
1986 * over-allocated (reply_pipe_read_and_X used to be such an
1987 * example).
1988 */
1989 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1990 req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1991 if (req->chain_outbuf == NULL) {
1992 smb_panic("talloc failed");
1993 }
1994 req->outbuf = NULL;
1995 } else {
1996 /*
1997 * Update smb headers where subsequent chained commands
1998 * may have updated them.
1999 */
2000 SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
2001 SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
2002
2003 if (!smb_splice_chain(&req->chain_outbuf,
2004 CVAL(req->outbuf, smb_com),
2005 CVAL(req->outbuf, smb_wct),
2006 (uint16_t *)(req->outbuf + smb_vwv),
2007 0, smb_buflen(req->outbuf),
2008 (uint8_t *)smb_buf(req->outbuf))) {
2009 goto error;
2010 }
2011 TALLOC_FREE(req->outbuf);
2012 }
2013
2014 /*
2015 * We use the old request's vwv field to grab the next chained command
2016 * and offset into the chained fields.
2017 */
2018
2019 chain_cmd = CVAL(req->vwv+0, 0);
2020 chain_offset = SVAL(req->vwv+1, 0);
2021
2022 if (chain_cmd == 0xff) {
2023 /*
2024 * End of chain, no more requests from the client. So ship the
2025 * replies.
2026 */
2027 smb_setlen((char *)(req->chain_outbuf),
2028 talloc_get_size(req->chain_outbuf) - 4);
2029
2030 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2031 true, req->seqnum+1,
2032 IS_CONN_ENCRYPTED(req->conn)
2033 ||req->encrypted,
2034 &req->pcd)) {
2035 exit_server_cleanly("chain_reply: srv_send_smb "
2036 "failed.");
2037 }
2038 TALLOC_FREE(req->chain_outbuf);
2039 req->done = true;
2040 return;
2041 }
2042
2043 /* add a new perfcounter for this element of chain */
2044 SMB_PERFCOUNT_ADD(&req->pcd);
2045 SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
2046 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
2047
2048 /*
2049 * Check if the client tries to fool us. The request so far uses the
2050 * space to the end of the byte buffer in the request just
2051 * processed. The chain_offset can't point into that area. If that was
2052 * the case, we could end up with an endless processing of the chain,
2053 * we would always handle the same request.
2054 */
2055
2056 already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
2057 if (chain_offset < already_used) {
2058 goto error;
2059 }
2060
2061 /*
2062 * Next check: Make sure the chain offset does not point beyond the
2063 * overall smb request length.
2064 */
2065
2066 length_needed = chain_offset+1; /* wct */
2067 if (length_needed > smblen) {
2068 goto error;
2069 }
2070
2071 /*
2072 * Now comes the pointer magic. Goal here is to set up req->vwv and
2073 * req->buf correctly again to be able to call the subsequent
2074 * switch_message(). The chain offset (the former vwv[1]) points at
2075 * the new wct field.
2076 */
2077
2078 wct = CVAL(smb_base(req->inbuf), chain_offset);
2079
2080 /*
2081 * Next consistency check: Make the new vwv array fits in the overall
2082 * smb request.
2083 */
2084
2085 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2086 if (length_needed > smblen) {
2087 goto error;
2088 }
2089 vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
2090
2091 /*
2092 * Now grab the new byte buffer....
2093 */
2094
2095 buflen = SVAL(vwv+wct, 0);
2096
2097 /*
2098 * .. and check that it fits.
2099 */
2100
2101 length_needed += buflen;
2102 if (length_needed > smblen) {
2103 goto error;
2104 }
2105 buf = (uint8_t *)(vwv+wct+1);
2106
2107 req->cmd = chain_cmd;
2108 req->wct = wct;
2109 req->vwv = vwv;
2110 req->buflen = buflen;
2111 req->buf = buf;
2112
2113 switch_message(chain_cmd, req, smblen);
2114
2115 if (req->outbuf == NULL) {
2116 /*
2117 * This happens if the chained command has suspended itself or
2118 * if it has called srv_send_smb() itself.
2119 */
2120 return;
2121 }
2122
2123 /*
2124 * We end up here if the chained command was not itself chained or
2125 * suspended, but for example a close() command. We now need to splice
2126 * the chained commands' outbuf into the already built up chain_outbuf
2127 * and ship the result.
2128 */
2129 goto done;
2130
2131 error:
2132 /*
2133 * We end up here if there's any error in the chain syntax. Report a
2134 * DOS error, just like Windows does.
2135 */
2136 reply_force_doserror(req, ERRSRV, ERRerror);
2137 fixup_chain_error_packet(req);
2138
2139 done:
2140 /*
2141 * This scary statement intends to set the
2142 * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2143 * to the value req->outbuf carries
2144 */
2145 SSVAL(req->chain_outbuf, smb_flg2,
2146 (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2147 | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2148
2149 /*
2150 * Transfer the error codes from the subrequest to the main one
2151 */
2152 SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2153 SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2154
2155 if (!smb_splice_chain(&req->chain_outbuf,
2156 CVAL(req->outbuf, smb_com),
2157 CVAL(req->outbuf, smb_wct),
2158 (uint16_t *)(req->outbuf + smb_vwv),
2159 0, smb_buflen(req->outbuf),
2160 (uint8_t *)smb_buf(req->outbuf))) {
2161 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2162 }
2163 TALLOC_FREE(req->outbuf);
2164
2165 smb_setlen((char *)(req->chain_outbuf),
2166 talloc_get_size(req->chain_outbuf) - 4);
2167
2168 show_msg((char *)(req->chain_outbuf));
2169
2170 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2171 true, req->seqnum+1,
2172 IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2173 &req->pcd)) {
2174 exit_server_cleanly("construct_reply: srv_send_smb failed.");
2175 }
2176 TALLOC_FREE(req->chain_outbuf);
2177 req->done = true;
2178 }
2179
2180 /****************************************************************************
2181 Check if services need reloading.
2182 ****************************************************************************/
2183
2184 void check_reload(time_t t)
2185 {
2186 time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2187
2188 if(last_smb_conf_reload_time == 0) {
2189 last_smb_conf_reload_time = t;
2190 /* Our printing subsystem might not be ready at smbd start up.
2191 Then no printer is available till the first printers check
2192 is performed. A lower initial interval circumvents this. */
2193 if ( printcap_cache_time > 60 )
2194 last_printer_reload_time = t - printcap_cache_time + 60;
2195 else
2196 last_printer_reload_time = t;
2197 }
2198
2199 if (mypid != getpid()) { /* First time or fork happened meanwhile */
2200 /* randomize over 60 second the printcap reload to avoid all
2201 * process hitting cupsd at the same time */
2202 int time_range = 60;
2203
2204 last_printer_reload_time += random() % time_range;
2205 mypid = getpid();
2206 }
2207
2208 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2209 reload_services(True);
2210 last_smb_conf_reload_time = t;
2211 }
2212
2213 /* 'printcap cache time = 0' disable the feature */
2214
2215 if ( printcap_cache_time != 0 )
2216 {
2217 /* see if it's time to reload or if the clock has been set back */
2218
2219 if ( (t >= last_printer_reload_time+printcap_cache_time)
2220 || (t-last_printer_reload_time < 0) )
2221 {
2222 DEBUG( 3,( "Printcap cache time expired.\n"));
2223 reload_printers();
2224 last_printer_reload_time = t;
2225 }
2226 }
2227 }
2228
2229 static bool fd_is_readable(int fd)
2230 {
2231 fd_set fds;
2232 struct timeval timeout = {0, };
2233 int ret;
2234
2235 FD_ZERO(&fds);
2236 FD_SET(fd, &fds);
2237
2238 ret = sys_select(fd+1, &fds, NULL, NULL, &timeout);
2239 if (ret == -1) {
2240 return false;
2241 }
2242 return FD_ISSET(fd, &fds);
2243 }
2244
2245 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2246 {
2247 /* TODO: make write nonblocking */
2248 }
2249
2250 static void smbd_server_connection_read_handler(
2251 struct smbd_server_connection *conn, int fd)
2252 {
2253 uint8_t *inbuf = NULL;
2254 size_t inbuf_len = 0;
2255 size_t unread_bytes = 0;
2256 bool encrypted = false;
2257 TALLOC_CTX *mem_ctx = talloc_tos();
2258 NTSTATUS status;
2259 uint32_t seqnum;
2260
2261 bool from_client = (smbd_server_fd() == fd)?true:false;
2262
2263 if (from_client) {
2264 smbd_lock_socket(conn);
2265
2266 if (!fd_is_readable(smbd_server_fd())) {
2267 DEBUG(10,("the echo listener was faster\n"));
2268 smbd_unlock_socket(conn);
2269 return;
2270 }
2271
2272 /* TODO: make this completely nonblocking */
2273 status = receive_smb_talloc(mem_ctx, fd,
2274 (char **)(void *)&inbuf,
2275 0, /* timeout */
2276 &unread_bytes,
2277 &encrypted,
2278 &inbuf_len, &seqnum,
2279 false /* trusted channel */);
2280 smbd_unlock_socket(conn);
2281 } else {
2282 /* TODO: make this completely nonblocking */
2283 status = receive_smb_talloc(mem_ctx, fd,
2284 (char **)(void *)&inbuf,
2285 0, /* timeout */
2286 &unread_bytes,
2287 &encrypted,
2288 &inbuf_len, &seqnum,
2289 true /* trusted channel */);
2290 }
2291
2292 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2293 goto process;
2294 }
2295 if (NT_STATUS_IS_ERR(status)) {
2296 exit_server_cleanly("failed to receive smb request");
2297 }
2298 if (!NT_STATUS_IS_OK(status)) {
2299 return;
2300 }
2301
2302 process:
2303 process_smb(conn, inbuf, inbuf_len, unread_bytes,
2304 seqnum, encrypted, NULL);
2305 }
2306
2307 static void smbd_server_connection_handler(struct event_context *ev,
2308 struct fd_event *fde,
2309 uint16_t flags,
2310 void *private_data)
2311 {
2312 struct smbd_server_connection *conn = talloc_get_type(private_data,
2313 struct smbd_server_connection);
2314
2315 if (flags & EVENT_FD_WRITE) {
2316 smbd_server_connection_write_handler(conn);
2317 } else if (flags & EVENT_FD_READ) {
2318 smbd_server_connection_read_handler(conn, smbd_server_fd());
2319 }
2320 }
2321
2322 static void smbd_server_echo_handler(struct event_context *ev,
2323 struct fd_event *fde,
2324 uint16_t flags,
2325 void *private_data)
2326 {
2327 struct smbd_server_connection *conn = talloc_get_type(private_data,
2328 struct smbd_server_connection);
2329
2330 if (flags & EVENT_FD_WRITE) {
2331 smbd_server_connection_write_handler(conn);
2332 } else if (flags & EVENT_FD_READ) {
2333 smbd_server_connection_read_handler(
2334 conn, conn->smb1.echo_handler.trusted_fd);
2335 }
2336 }
2337
2338 /****************************************************************************
2339 received when we should release a specific IP
2340 ****************************************************************************/
2341 static void release_ip(const char *ip, void *priv)
2342 {
2343 char addr[INET6_ADDRSTRLEN];
2344 char *p = addr;
2345
2346 client_socket_addr(get_client_fd(),addr,sizeof(addr));
2347
2348 if (strncmp("::ffff:", addr, 7) == 0) {
2349 p = addr + 7;
2350 }
2351
2352 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2353 /* we can't afford to do a clean exit - that involves
2354 database writes, which would potentially mean we
2355 are still running after the failover has finished -
2356 we have to get rid of this process ID straight
2357 away */
2358 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2359 ip));
2360 /* note we must exit with non-zero status so the unclean handler gets
2361 called in the parent, so that the brl database is tickled */
2362 _exit(1);
2363 }
2364 }
2365
2366 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2367 uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2368 {
2369 release_ip((char *)data->data, NULL);
2370 }
2371
2372 #ifdef CLUSTER_SUPPORT
2373 static int client_get_tcp_info(struct sockaddr_storage *server,
2374 struct sockaddr_storage *client)
2375 {
2376 socklen_t length;
2377 if (server_fd == -1) {
2378 return -1;
2379 }
2380 length = sizeof(*server);
2381 if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2382 return -1;
2383 }
2384 length = sizeof(*client);
2385 if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2386 return -1;
2387 }
2388 return 0;
2389 }
2390 #endif
2391
2392 /*
2393 * Send keepalive packets to our client
2394 */
2395 static bool keepalive_fn(const struct timeval *now, void *private_data)
2396 {
2397 bool ret;
2398
2399 smbd_lock_socket(smbd_server_conn);
2400 ret = send_keepalive(smbd_server_fd());
2401 smbd_unlock_socket(smbd_server_conn);
2402
2403 if (!ret) {
2404 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2405 return False;
2406 }
2407 return True;
2408 }
2409
2410 /*
2411 * Do the recurring check if we're idle
2412 */
2413 static bool deadtime_fn(const struct timeval *now, void *private_data)
2414 {
2415 struct smbd_server_connection *sconn = smbd_server_conn;
2416
2417 if (sconn->allow_smb2) {
2418 /* TODO: implement real idle check */
2419 if (sconn->smb2.sessions.list) {
2420 return true;
2421 }
2422 DEBUG( 2, ( "Closing idle SMB2 connection\n" ) );
2423 messaging_send(smbd_messaging_context(), procid_self(),
2424 MSG_SHUTDOWN, &data_blob_null);
2425 return false;
2426 }
2427
2428 if ((conn_num_open(sconn) == 0)
2429 || (conn_idle_all(sconn, now->tv_sec))) {
2430 DEBUG( 2, ( "Closing idle SMB1 connection\n" ) );
2431 messaging_send(smbd_messaging_context(), procid_self(),
2432 MSG_SHUTDOWN, &data_blob_null);
2433 return False;
2434 }
2435
2436 return True;
2437 }
2438
2439 /*
2440 * Do the recurring log file and smb.conf reload checks.
2441 */
2442
2443 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2444 {
2445 change_to_root_user();
2446
2447 /* update printer queue caches if necessary */
2448 update_monitored_printq_cache();
2449
2450 /* check if we need to reload services */
2451 check_reload(time(NULL));
2452
2453 /* Change machine password if neccessary. */
2454 attempt_machine_password_change();
2455
2456 /*
2457 * Force a log file check.
2458 */
2459 force_check_log_size();
2460 check_log_size();
2461 return true;
2462 }
2463
2464 static int create_unlink_tmp(const char *dir)
2465 {
2466 char *fname;
2467 int fd;
2468
2469 fname = talloc_asprintf(talloc_tos(), "%s/listenerlock_XXXXXX", dir);
2470 if (fname == NULL) {
2471 errno = ENOMEM;
2472 return -1;
2473 }
2474 fd = mkstemp(fname);
2475 if (fd == -1) {
2476 TALLOC_FREE(fname);
2477 return -1;
2478 }
2479 if (unlink(fname) == -1) {
2480 int sys_errno = errno;
2481 close(fd);
2482 TALLOC_FREE(fname);
2483 errno = sys_errno;
2484 return -1;
2485 }
2486 TALLOC_FREE(fname);
2487 return fd;
2488 }
2489
2490 struct smbd_echo_state {
2491 struct tevent_context *ev;
2492 struct iovec *pending;
2493 struct smbd_server_connection *sconn;
2494 int parent_pipe;
2495
2496 struct tevent_fd *parent_fde;
2497
2498 struct tevent_fd *read_fde;
2499 struct tevent_req *write_req;
2500 };
2501
2502 static void smbd_echo_writer_done(struct tevent_req *req);
2503
2504 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2505 {
2506 int num_pending;
2507
2508 if (state->write_req != NULL) {
2509 return;
2510 }
2511
2512 num_pending = talloc_array_length(state->pending);
2513 if (num_pending == 0) {
2514 return;
2515 }
2516
2517 state->write_req = writev_send(state, state->ev, NULL,
2518 state->parent_pipe, false,
2519 state->pending, num_pending);
2520 if (state->write_req == NULL) {
2521 DEBUG(1, ("writev_send failed\n"));
2522 exit(1);
2523 }
2524
2525 talloc_steal(state->write_req, state->pending);
2526 state->pending = NULL;
2527
2528 tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2529 state);
2530 }
2531
2532 static void smbd_echo_writer_done(struct tevent_req *req)
2533 {
2534 struct smbd_echo_state *state = tevent_req_callback_data(
2535 req, struct smbd_echo_state);
2536 ssize_t written;
2537 int err;
2538
2539 written = writev_recv(req, &err);
2540 TALLOC_FREE(req);
2541 state->write_req = NULL;
2542 if (written == -1) {
2543 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2544 exit(1);
2545 }
2546 DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)sys_getpid()));
2547 smbd_echo_activate_writer(state);
2548 }
2549
2550 static bool smbd_echo_reply(int fd,
2551 uint8_t *inbuf, size_t inbuf_len,
2552 uint32_t seqnum)
2553 {
2554 struct smb_request req;
2555 uint16_t num_replies;
2556 size_t out_len;
2557 char *outbuf;
2558 bool ok;
2559
2560 if (inbuf_len < smb_size) {
2561 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2562 return false;
2563 }
2564 if (!valid_smb_header(inbuf)) {
2565 DEBUG(10, ("Got invalid SMB header\n"));
2566 return false;
2567 }
2568
2569 if (!init_smb_request(&req, inbuf, 0, false, seqnum)) {
2570 return false;
2571 }
2572 req.inbuf = inbuf;
2573
2574 DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2575 smb_messages[req.cmd].name
2576 ? smb_messages[req.cmd].name : "unknown"));
2577
2578 if (req.cmd != SMBecho) {
2579 return false;
2580 }
2581 if (req.wct < 1) {
2582 return false;
2583 }
2584
2585 num_replies = SVAL(req.vwv+0, 0);
2586 if (num_replies != 1) {
2587 /* Not a Windows "Hey, you're still there?" request */
2588 return false;
2589 }
2590
2591 if (!create_outbuf(talloc_tos(), &req, (char *)req.inbuf, &outbuf,
2592 1, req.buflen)) {
2593 DEBUG(10, ("create_outbuf failed\n"));
2594 return false;
2595 }
2596 req.outbuf = (uint8_t *)outbuf;
2597
2598 SSVAL(req.outbuf, smb_vwv0, num_replies);
2599
2600 if (req.buflen > 0) {
2601 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2602 }
2603
2604 out_len = smb_len(req.outbuf) + 4;
2605
2606 ok = srv_send_smb(smbd_server_fd(),
2607 (char *)outbuf,
2608 true, seqnum+1,
2609 false, &req.pcd);
2610 TALLOC_FREE(outbuf);
2611 if (!ok) {
2612 exit(1);
2613 }
2614
2615 return true;
2616 }
2617
2618 static void smbd_echo_exit(struct tevent_context *ev,
2619 struct tevent_fd *fde, uint16_t flags,
2620 void *private_data)
2621 {
2622 DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2623 exit(0);
2624 }
2625
2626 static void smbd_echo_reader(struct tevent_context *ev,
2627 struct tevent_fd *fde, uint16_t flags,
2628 void *private_data)
2629 {
2630 struct smbd_echo_state *state = talloc_get_type_abort(
2631 private_data, struct smbd_echo_state);
2632 struct smbd_server_connection *sconn = state->sconn;
2633 size_t unread, num_pending;
2634 NTSTATUS status;
2635 struct iovec *tmp;
2636 uint32_t seqnum = 0;
2637 bool reply;
2638 bool ok;
2639 bool encrypted = false;
2640
2641 ok = smbd_lock_socket_internal(sconn);
2642 if (!ok) {
2643 DEBUG(0, ("%s: failed to lock socket\n",
2644 __location__));
2645 exit(1);
2646 }
2647
2648 if (!fd_is_readable(smbd_server_fd())) {
2649 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2650 (int)sys_getpid()));
2651 ok = smbd_unlock_socket_internal(sconn);
2652 if (!ok) {
2653 DEBUG(1, ("%s: failed to unlock socket in\n",
2654 __location__));
2655 exit(1);
2656 }
2657 return;
2658 }
2659
2660 num_pending = talloc_array_length(state->pending);
2661 tmp = talloc_realloc(state, state->pending, struct iovec,
2662 num_pending+1);
2663 if (tmp == NULL) {
2664 DEBUG(1, ("talloc_realloc failed\n"));
2665 exit(1);
2666 }
2667 state->pending = tmp;
2668
2669 DEBUG(10,("echo_handler[%d]: reading pdu\n", (int)sys_getpid()));
2670
2671 status = receive_smb_talloc(state->pending, smbd_server_fd(),
2672 (char **)(void *)&state->pending[num_pending].iov_base,
2673 0 /* timeout */,
2674 &unread,
2675 &encrypted,
2676 &state->pending[num_pending].iov_len,
2677 &seqnum,
2678 false /* trusted_channel*/);
2679 if (!NT_STATUS_IS_OK(status)) {
2680 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2681 (int)sys_getpid(), nt_errstr(status)));
2682 exit(1);
2683 }
2684
2685 ok = smbd_unlock_socket_internal(sconn);
2686 if (!ok) {
2687 DEBUG(1, ("%s: failed to unlock socket in\n",
2688 __location__));
2689 exit(1);
2690 }
2691
2692 /*
2693 * place the seqnum in the packet so that the main process can reply
2694 * with signing
2695 */
2696 SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field, seqnum);
2697 SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2698
2699 reply = smbd_echo_reply(smbd_server_fd(),
2700 (uint8_t *)state->pending[num_pending].iov_base,
2701 state->pending[num_pending].iov_len,
2702 seqnum);
2703 if (reply) {
2704 DEBUG(10,("echo_handler[%d]: replied to client\n", (int)sys_getpid()));
2705 /* no check, shrinking by some bytes does not fail */
2706 state->pending = talloc_realloc(state, state->pending,
2707 struct iovec,
2708 num_pending);
2709 } else {
2710 DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
2711 smbd_echo_activate_writer(state);
2712 }
2713 }
2714
2715 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2716 int parent_pipe)
2717 {
2718 struct smbd_echo_state *state;
2719
2720 state = talloc_zero(sconn, struct smbd_echo_state);
2721 if (state == NULL) {
2722 DEBUG(1, ("talloc failed\n"));
2723 return;
2724 }
2725 state->sconn = sconn;
2726 state->parent_pipe = parent_pipe;
2727 state->ev = s3_tevent_context_init(state);
2728 if (state->ev == NULL) {
2729 DEBUG(1, ("tevent_context_init failed\n"));
2730 TALLOC_FREE(state);
2731 return;
2732 }
2733 state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2734 TEVENT_FD_READ, smbd_echo_exit,
2735 state);
2736 if (state->parent_fde == NULL) {
2737 DEBUG(1, ("tevent_add_fd failed\n"));
2738 TALLOC_FREE(state);
2739 return;
2740 }
2741 state->read_fde = tevent_add_fd(state->ev, state, smbd_server_fd(),
2742 TEVENT_FD_READ, smbd_echo_reader,
2743 state);
2744 if (state->read_fde == NULL) {
2745 DEBUG(1, ("tevent_add_fd failed\n"));
2746 TALLOC_FREE(state);
2747 return;
2748 }
2749
2750 while (true) {
2751 if (tevent_loop_once(state->ev) == -1) {
2752 DEBUG(1, ("tevent_loop_once failed: %s\n",
2753 strerror(errno)));
2754 break;
2755 }
2756 }
2757 TALLOC_FREE(state);
2758 }
2759
2760 /*
2761 * Handle SMBecho requests in a forked child process
2762 */
2763 static bool fork_echo_handler(struct smbd_server_connection *sconn)
2764 {
2765 int listener_pipe[2];
2766 int res;
2767 pid_t child;
2768
2769 res = pipe(listener_pipe);
2770 if (res == -1) {
2771 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2772 return false;
2773 }
2774 sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2775 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2776 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2777 goto fail;
2778 }
2779
2780 child = sys_fork();
2781 if (child == 0) {
2782 NTSTATUS status;
2783
2784 close(listener_pipe[0]);
2785
2786 status = reinit_after_fork(smbd_messaging_context(),
2787 smbd_event_context(), false);
2788 if (!NT_STATUS_IS_OK(status)) {
2789 DEBUG(1, ("reinit_after_fork failed: %s\n",
2790 nt_errstr(status)));
2791 exit(1);
2792 }
2793 smbd_echo_loop(sconn, listener_pipe[1]);
2794 exit(0);
2795 }
2796 close(listener_pipe[1]);
2797 listener_pipe[1] = -1;
2798 sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
2799
2800 DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)sys_getpid(), child));
2801
2802 /*
2803 * Without smb signing this is the same as the normal smbd
2804 * listener. This needs to change once signing comes in.
2805 */
2806 sconn->smb1.echo_handler.trusted_fde = event_add_fd(smbd_event_context(),
2807 sconn,
2808 sconn->smb1.echo_handler.trusted_fd,
2809 EVENT_FD_READ,
2810 smbd_server_echo_handler,
2811 sconn);
2812 if (sconn->smb1.echo_handler.trusted_fde == NULL) {
2813 DEBUG(1, ("event_add_fd failed\n"));
2814 goto fail;
2815 }
2816
2817 return true;
2818
2819 fail:
2820 if (listener_pipe[0] != -1) {
2821 close(listener_pipe[0]);
2822 }
2823 if (listener_pipe[1] != -1) {
2824 close(listener_pipe[1]);
2825 }
2826 sconn->smb1.echo_handler.trusted_fd = -1;
2827 if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
2828 close(sconn->smb1.echo_handler.socket_lock_fd);
2829 }
2830 sconn->smb1.echo_handler.trusted_fd = -1;
2831 sconn->smb1.echo_handler.socket_lock_fd = -1;
2832 return false;
2833 }
2834
2835 /****************************************************************************
2836 Process commands from the client
2837 ****************************************************************************/
2838
2839 void smbd_process(void)
2840 {
2841 TALLOC_CTX *frame = talloc_stackframe();
2842 struct sockaddr_storage ss;
2843 struct sockaddr *sa = NULL;
2844 socklen_t sa_len;
2845 struct tsocket_address *local_address = NULL;
2846 struct tsocket_address *remote_address = NULL;
2847 const char *remaddr = NULL;
2848 int ret;
2849
2850 if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2851 lp_security() != SEC_SHARE &&
2852 !lp_async_smb_echo_handler()) {
2853 smbd_server_conn->allow_smb2 = true;
2854 }
2855
2856 /* Ensure child is set to blocking mode */
2857 set_blocking(smbd_server_fd(),True);
2858
2859 set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2860 set_socket_options(smbd_server_fd(), lp_socket_options());
2861
2862 sa = (struct sockaddr *)(void *)&ss;
2863 sa_len = sizeof(ss);
2864 ret = getpeername(smbd_server_fd(), sa, &sa_len);
2865 if (ret != 0) {
2866 int level = (errno == ENOTCONN)?2:0;
2867 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
2868 exit_server("getpeername() failed.\n");
2869 }
2870 ret = tsocket_address_bsd_from_sockaddr(smbd_server_conn,
2871 sa, sa_len,
2872 &remote_address);
2873 if (ret != 0) {
2874 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2875 __location__, strerror(errno)));
2876 exit_server("tsocket_address_bsd_from_sockaddr remote failed.\n");
2877 }
2878
2879 sa = (struct sockaddr *)(void *)&ss;
2880 sa_len = sizeof(ss);
2881 ret = getsockname(smbd_server_fd(), sa, &sa_len);
2882 if (ret != 0) {
2883 int level = (errno == ENOTCONN)?2:0;
2884 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
2885 exit_server("getsockname() failed.\n");
2886 }
2887 ret = tsocket_address_bsd_from_sockaddr(smbd_server_conn,
2888 sa, sa_len,
2889 &local_address);
2890 if (ret != 0) {
2891 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2892 __location__, strerror(errno)));
2893 exit_server("tsocket_address_bsd_from_sockaddr remote failed.\n");
2894 }
2895
2896 smbd_server_conn->local_address = local_address;
2897 smbd_server_conn->remote_address = remote_address;
2898
2899 if (tsocket_address_is_inet(remote_address, "ip")) {
2900 remaddr = tsocket_address_inet_addr_string(
2901 smbd_server_conn->remote_address,
2902 talloc_tos());
2903 if (remaddr == NULL) {
2904
2905 }
2906 } else {
2907 remaddr = "0.0.0.0";
2908 }
2909
2910 /* this is needed so that we get decent entries
2911 in smbstatus for port 445 connects */
2912 set_remote_machine_name(remaddr, false);
2913 reload_services(true);
2914
2915 /*
2916 * Before the first packet, check the global hosts allow/ hosts deny
2917 * parameters before doing any parsing of packets passed to us by the
2918 * client. This prevents attacks on our parsing code from hosts not in
2919 * the hosts allow list.
2920 */
2921
2922 if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2923 lp_hostsdeny(-1))) {
2924 /*
2925 * send a negative session response "not listening on calling
2926 * name"
2927 */
2928 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2929 DEBUG( 1, ("Connection denied from %s to %s\n",
2930 tsocket_address_string(remote_address, talloc_tos()),
2931 tsocket_address_string(local_address, talloc_tos())));
2932 (void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2933 0, false, NULL);
2934 exit_server_cleanly("connection denied");
2935 }
2936
2937 DEBUG(10, ("Connection allowed from %s to %s\n",
2938 tsocket_address_string(remote_address, talloc_tos()),
2939 tsocket_address_string(local_address, talloc_tos())));
2940
2941 static_init_rpc;
2942
2943 init_modules();
2944
2945 smb_perfcount_init();
2946
2947 if (!init_account_policy()) {
2948 exit_server("Could not open account policy tdb.\n");
2949 }
2950
2951 if (*lp_rootdir()) {
2952 if (chroot(lp_rootdir()) != 0) {
2953 DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2954 exit_server("Failed to chroot()");
2955 }
2956 if (chdir("/") == -1) {
2957 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2958 exit_server("Failed to chroot()");
2959 }
2960 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2961 }
2962
2963 if (!srv_init_signing(smbd_server_conn)) {
2964 exit_server("Failed to init smb_signing");
2965 }
2966
2967 if (lp_async_smb_echo_handler() && !fork_echo_handler(smbd_server_conn)) {
2968 exit_server("Failed to fork echo handler");
2969 }
2970
2971 /* Setup oplocks */
2972 if (!init_oplocks(smbd_messaging_context()))
2973 exit_server("Failed to init oplocks");
2974
2975 /* register our message handlers */
2976 messaging_register(smbd_messaging_context(), NULL,
2977 MSG_SMB_FORCE_TDIS, msg_force_tdis);
2978 messaging_register(smbd_messaging_context(), NULL,
2979 MSG_SMB_RELEASE_IP, msg_release_ip);
2980 messaging_register(smbd_messaging_context(), NULL,
2981 MSG_SMB_CLOSE_FILE, msg_close_file);
2982
2983 /*
2984 * Use the default MSG_DEBUG handler to avoid rebroadcasting
2985 * MSGs to all child processes
2986 */
2987 messaging_deregister(smbd_messaging_context(),
2988 MSG_DEBUG, NULL);
2989 messaging_register(smbd_messaging_context(), NULL,
2990 MSG_DEBUG, debug_message);
2991
2992 if ((lp_keepalive() != 0)
2993 && !(event_add_idle(smbd_event_context(), NULL,
2994 timeval_set(lp_keepalive(), 0),
2995 "keepalive", keepalive_fn,
2996 NULL))) {
2997 DEBUG(0, ("Could not add keepalive event\n"));
2998 exit(1);
2999 }
3000
3001 if (!(event_add_idle(smbd_event_context(), NULL,
3002 timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3003 "deadtime", deadtime_fn, NULL))) {
3004 DEBUG(0, ("Could not add deadtime event\n"));
3005 exit(1);
3006 }
3007
3008 if (!(event_add_idle(smbd_event_context(), NULL,
3009 timeval_set(SMBD_SELECT_TIMEOUT, 0),
3010 "housekeeping", housekeeping_fn, NULL))) {
3011 DEBUG(0, ("Could not add housekeeping event\n"));
3012 exit(1);
3013 }
3014
3015 #ifdef CLUSTER_SUPPORT
3016
3017 if (lp_clustering()) {
3018 /*
3019 * We need to tell ctdb about our client's TCP
3020 * connection, so that for failover ctdbd can send
3021 * tickle acks, triggering a reconnection by the
3022 * client.
3023 */
3024
3025 struct sockaddr_storage srv, clnt;
3026
3027 if (client_get_tcp_info(&srv, &clnt) == 0) {
3028
3029 NTSTATUS status;
3030
3031 status = ctdbd_register_ips(
3032 messaging_ctdbd_connection(),
3033 &srv, &clnt, release_ip, NULL);
3034
3035 if (!NT_STATUS_IS_OK(status)) {
3036 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3037 nt_errstr(status)));
3038 }
3039 } else
3040 {
3041 DEBUG(0,("Unable to get tcp info for "
3042 "CTDB_CONTROL_TCP_CLIENT: %s\n",
3043 strerror(errno)));
3044 }
3045 }
3046
3047 #endif
3048
3049 smbd_server_conn->nbt.got_session = false;
3050
3051 smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
3052
3053 smbd_server_conn->smb1.sessions.done_sesssetup = false;
3054 smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
3055 smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3056 /* users from session setup */
3057 smbd_server_conn->smb1.sessions.session_userlist = NULL;
3058 /* workgroup from session setup. */
3059 smbd_server_conn->smb1.sessions.session_workgroup = NULL;
3060 /* this holds info on user ids that are already validated for this VC */
3061 smbd_server_conn->smb1.sessions.validated_users = NULL;
3062 smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
3063 smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
3064 #ifdef HAVE_NETGROUP
3065 smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
3066 #endif
3067
3068 conn_init(smbd_server_conn);
3069 if (!init_dptrs(smbd_server_conn)) {
3070 exit_server("init_dptrs() failed");
3071 }
3072
3073 smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
3074 smbd_server_conn,
3075 smbd_server_fd(),
3076 EVENT_FD_READ,
3077 smbd_server_connection_handler,
3078 smbd_server_conn);
3079 if (!smbd_server_conn->smb1.fde) {
3080 exit_server("failed to create smbd_server_connection fde");
3081 }
3082
3083 TALLOC_FREE(frame);
3084
3085 while (True) {
3086 NTSTATUS status;
3087
3088 frame = talloc_stackframe_pool(8192);
3089
3090 errno = 0;
3091
3092 status = smbd_server_connection_loop_once(smbd_server_conn);
3093 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
3094 !NT_STATUS_IS_OK(status)) {
3095 DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
3096 " exiting\n", nt_errstr(status)));
3097 break;
3098 }
3099
3100 TALLOC_FREE(frame);
3101 }
3102
3103 exit_server_cleanly(NULL);
3104 }
3105
3106 bool req_is_in_chain(struct smb_request *req)
3107 {
3108 if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
3109 /*
3110 * We're right now handling a subsequent request, so we must
3111 * be in a chain
3112 */
3113 return true;
3114 }
3115
3116 if (!is_andx_req(req->cmd)) {
3117 return false;
3118 }
3119
3120 if (req->wct < 2) {
3121 /*
3122 * Okay, an illegal request, but definitely not chained :-)
3123 */
3124 return false;
3125 }
3126
3127 return (CVAL(req->vwv+0, 0) != 0xFF);
3128 }
reg import