search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3: Add vfs_aio_posix
[Samba/gebeck_regimport.git] / source3 / smbd / process.c
blobadb773d74972760836a46e46625bdfc971a73da5
1 /*
2 Unix SMB/CIFS implementation.
3 process incoming packets - main loop
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Volker Lendecke 2005-2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "../lib/tsocket/tsocket.h"
23 #include "system/filesys.h"
24 #include "smbd/smbd.h"
25 #include "smbd/globals.h"
26 #include "librpc/gen_ndr/netlogon.h"
27 #include "../lib/async_req/async_sock.h"
28 #include "ctdbd_conn.h"
29 #include "../lib/util/select.h"
30 #include "printing/queue_process.h"
31 #include "system/select.h"
32 #include "passdb.h"
33 #include "auth.h"
34 #include "messages.h"
35 #include "smbprofile.h"
36 #include "rpc_server/spoolss/srv_spoolss_nt.h"
37 #include "libsmb/libsmb.h"
38 #include "../lib/util/tevent_ntstatus.h"
39 #include "../libcli/security/dom_sid.h"
40 #include "../libcli/security/security_token.h"
41 #include "lib/id_cache.h"
42 #include "serverid.h"
43
44 /* Internal message queue for deferred opens. */
45 struct pending_message_list {
46 struct pending_message_list *next, *prev;
47 struct timeval request_time; /* When was this first issued? */
48 struct smbd_server_connection *sconn;
49 struct timed_event *te;
50 struct smb_perfcount_data pcd;
51 uint32_t seqnum;
52 bool encrypted;
53 bool processed;
54 DATA_BLOB buf;
55 DATA_BLOB private_data;
56 };
57
58 static void construct_reply_common(struct smb_request *req, const char *inbuf,
59 char *outbuf);
60 static struct pending_message_list *get_deferred_open_message_smb(
61 struct smbd_server_connection *sconn, uint64_t mid);
62 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf);
63
64 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
65 {
66 bool ok;
67
68 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
69 return true;
70 }
71
72 sconn->smb1.echo_handler.ref_count++;
73
74 if (sconn->smb1.echo_handler.ref_count > 1) {
75 return true;
76 }
77
78 DEBUG(10,("pid[%d] wait for socket lock\n", (int)getpid()));
79
80 do {
81 ok = fcntl_lock(
82 sconn->smb1.echo_handler.socket_lock_fd,
83 F_SETLKW, 0, 0, F_WRLCK);
84 } while (!ok && (errno == EINTR));
85
86 if (!ok) {
87 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
88 return false;
89 }
90
91 DEBUG(10,("pid[%d] got for socket lock\n", (int)getpid()));
92
93 return true;
94 }
95
96 void smbd_lock_socket(struct smbd_server_connection *sconn)
97 {
98 if (!smbd_lock_socket_internal(sconn)) {
99 exit_server_cleanly("failed to lock socket");
100 }
101 }
102
103 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
104 {
105 bool ok;
106
107 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
108 return true;
109 }
110
111 sconn->smb1.echo_handler.ref_count--;
112
113 if (sconn->smb1.echo_handler.ref_count > 0) {
114 return true;
115 }
116
117 do {
118 ok = fcntl_lock(
119 sconn->smb1.echo_handler.socket_lock_fd,
120 F_SETLKW, 0, 0, F_UNLCK);
121 } while (!ok && (errno == EINTR));
122
123 if (!ok) {
124 DEBUG(1, ("fcntl_lock failed: %s\n", strerror(errno)));
125 return false;
126 }
127
128 DEBUG(10,("pid[%d] unlocked socket\n", (int)getpid()));
129
130 return true;
131 }
132
133 void smbd_unlock_socket(struct smbd_server_connection *sconn)
134 {
135 if (!smbd_unlock_socket_internal(sconn)) {
136 exit_server_cleanly("failed to unlock socket");
137 }
138 }
139
140 /* Accessor function for smb_read_error for smbd functions. */
141
142 /****************************************************************************
143 Send an smb to a fd.
144 ****************************************************************************/
145
146 bool srv_send_smb(struct smbd_server_connection *sconn, char *buffer,
147 bool do_signing, uint32_t seqnum,
148 bool do_encrypt,
149 struct smb_perfcount_data *pcd)
150 {
151 size_t len = 0;
152 size_t nwritten=0;
153 ssize_t ret;
154 char *buf_out = buffer;
155
156 smbd_lock_socket(sconn);
157
158 if (do_signing) {
159 /* Sign the outgoing packet if required. */
160 srv_calculate_sign_mac(sconn, buf_out, seqnum);
161 }
162
163 if (do_encrypt) {
164 NTSTATUS status = srv_encrypt_buffer(sconn, buffer, &buf_out);
165 if (!NT_STATUS_IS_OK(status)) {
166 DEBUG(0, ("send_smb: SMB encryption failed "
167 "on outgoing packet! Error %s\n",
168 nt_errstr(status) ));
169 goto out;
170 }
171 }
172
173 len = smb_len(buf_out) + 4;
174
175 ret = write_data(sconn->sock, buf_out+nwritten, len - nwritten);
176 if (ret <= 0) {
177
178 char addr[INET6_ADDRSTRLEN];
179 /*
180 * Try and give an error message saying what
181 * client failed.
182 */
183 DEBUG(1,("pid[%d] Error writing %d bytes to client %s. %d. (%s)\n",
184 (int)getpid(), (int)len,
185 get_peer_addr(sconn->sock, addr, sizeof(addr)),
186 (int)ret, strerror(errno) ));
187
188 srv_free_enc_buffer(sconn, buf_out);
189 goto out;
190 }
191
192 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
193 srv_free_enc_buffer(sconn, buf_out);
194 out:
195 SMB_PERFCOUNT_END(pcd);
196
197 smbd_unlock_socket(sconn);
198 return true;
199 }
200
201 /*******************************************************************
202 Setup the word count and byte count for a smb message.
203 ********************************************************************/
204
205 int srv_set_message(char *buf,
206 int num_words,
207 int num_bytes,
208 bool zero)
209 {
210 if (zero && (num_words || num_bytes)) {
211 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
212 }
213 SCVAL(buf,smb_wct,num_words);
214 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
215 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
216 return (smb_size + num_words*2 + num_bytes);
217 }
218
219 static bool valid_smb_header(struct smbd_server_connection *sconn,
220 const uint8_t *inbuf)
221 {
222 if (is_encrypted_packet(sconn, inbuf)) {
223 return true;
224 }
225 /*
226 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
227 * but it just looks weird to call strncmp for this one.
228 */
229 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
230 }
231
232 /* Socket functions for smbd packet processing. */
233
234 static bool valid_packet_size(size_t len)
235 {
236 /*
237 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
238 * of header. Don't print the error if this fits.... JRA.
239 */
240
241 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
242 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
243 (unsigned long)len));
244 return false;
245 }
246 return true;
247 }
248
249 static NTSTATUS read_packet_remainder(int fd, char *buffer,
250 unsigned int timeout, ssize_t len)
251 {
252 NTSTATUS status;
253
254 if (len <= 0) {
255 return NT_STATUS_OK;
256 }
257
258 status = read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
259 if (!NT_STATUS_IS_OK(status)) {
260 char addr[INET6_ADDRSTRLEN];
261 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
262 "error = %s.\n",
263 get_peer_addr(fd, addr, sizeof(addr)),
264 nt_errstr(status)));
265 }
266 return status;
267 }
268
269 /****************************************************************************
270 Attempt a zerocopy writeX read. We know here that len > smb_size-4
271 ****************************************************************************/
272
273 /*
274 * Unfortunately, earlier versions of smbclient/libsmbclient
275 * don't send this "standard" writeX header. I've fixed this
276 * for 3.2 but we'll use the old method with earlier versions.
277 * Windows and CIFSFS at least use this standard size. Not
278 * sure about MacOSX.
279 */
280
281 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
282 (2*14) + /* word count (including bcc) */ \
283 1 /* pad byte */)
284
285 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
286 const char lenbuf[4],
287 struct smbd_server_connection *sconn,
288 int sock,
289 char **buffer,
290 unsigned int timeout,
291 size_t *p_unread,
292 size_t *len_ret)
293 {
294 /* Size of a WRITEX call (+4 byte len). */
295 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
296 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
297 ssize_t toread;
298 NTSTATUS status;
299
300 memcpy(writeX_header, lenbuf, 4);
301
302 status = read_fd_with_timeout(
303 sock, writeX_header + 4,
304 STANDARD_WRITE_AND_X_HEADER_SIZE,
305 STANDARD_WRITE_AND_X_HEADER_SIZE,
306 timeout, NULL);
307
308 if (!NT_STATUS_IS_OK(status)) {
309 DEBUG(0, ("read_fd_with_timeout failed for client %s read "
310 "error = %s.\n",
311 tsocket_address_string(sconn->remote_address,
312 talloc_tos()),
313 nt_errstr(status)));
314 return status;
315 }
316
317 /*
318 * Ok - now try and see if this is a possible
319 * valid writeX call.
320 */
321
322 if (is_valid_writeX_buffer(sconn, (uint8_t *)writeX_header)) {
323 /*
324 * If the data offset is beyond what
325 * we've read, drain the extra bytes.
326 */
327 uint16_t doff = SVAL(writeX_header,smb_vwv11);
328 ssize_t newlen;
329
330 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
331 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
332 if (drain_socket(sock, drain) != drain) {
333 smb_panic("receive_smb_raw_talloc_partial_read:"
334 " failed to drain pending bytes");
335 }
336 } else {
337 doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
338 }
339
340 /* Spoof down the length and null out the bcc. */
341 set_message_bcc(writeX_header, 0);
342 newlen = smb_len(writeX_header);
343
344 /* Copy the header we've written. */
345
346 *buffer = (char *)talloc_memdup(mem_ctx,
347 writeX_header,
348 sizeof(writeX_header));
349
350 if (*buffer == NULL) {
351 DEBUG(0, ("Could not allocate inbuf of length %d\n",
352 (int)sizeof(writeX_header)));
353 return NT_STATUS_NO_MEMORY;
354 }
355
356 /* Work out the remaining bytes. */
357 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
358 *len_ret = newlen + 4;
359 return NT_STATUS_OK;
360 }
361
362 if (!valid_packet_size(len)) {
363 return NT_STATUS_INVALID_PARAMETER;
364 }
365
366 /*
367 * Not a valid writeX call. Just do the standard
368 * talloc and return.
369 */
370
371 *buffer = talloc_array(mem_ctx, char, len+4);
372
373 if (*buffer == NULL) {
374 DEBUG(0, ("Could not allocate inbuf of length %d\n",
375 (int)len+4));
376 return NT_STATUS_NO_MEMORY;
377 }
378
379 /* Copy in what we already read. */
380 memcpy(*buffer,
381 writeX_header,
382 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
383 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
384
385 if(toread > 0) {
386 status = read_packet_remainder(
387 sock,
388 (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
389 timeout, toread);
390
391 if (!NT_STATUS_IS_OK(status)) {
392 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
393 nt_errstr(status)));
394 return status;
395 }
396 }
397
398 *len_ret = len + 4;
399 return NT_STATUS_OK;
400 }
401
402 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx,
403 struct smbd_server_connection *sconn,
404 int sock,
405 char **buffer, unsigned int timeout,
406 size_t *p_unread, size_t *plen)
407 {
408 char lenbuf[4];
409 size_t len;
410 int min_recv_size = lp_min_receive_file_size();
411 NTSTATUS status;
412
413 *p_unread = 0;
414
415 status = read_smb_length_return_keepalive(sock, lenbuf, timeout,
416 &len);
417 if (!NT_STATUS_IS_OK(status)) {
418 return status;
419 }
420
421 if (CVAL(lenbuf,0) == 0 && min_recv_size &&
422 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
423 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
424 !srv_is_signing_active(sconn) &&
425 sconn->smb1.echo_handler.trusted_fde == NULL) {
426
427 return receive_smb_raw_talloc_partial_read(
428 mem_ctx, lenbuf, sconn, sock, buffer, timeout,
429 p_unread, plen);
430 }
431
432 if (!valid_packet_size(len)) {
433 return NT_STATUS_INVALID_PARAMETER;
434 }
435
436 /*
437 * The +4 here can't wrap, we've checked the length above already.
438 */
439
440 *buffer = talloc_array(mem_ctx, char, len+4);
441
442 if (*buffer == NULL) {
443 DEBUG(0, ("Could not allocate inbuf of length %d\n",
444 (int)len+4));
445 return NT_STATUS_NO_MEMORY;
446 }
447
448 memcpy(*buffer, lenbuf, sizeof(lenbuf));
449
450 status = read_packet_remainder(sock, (*buffer)+4, timeout, len);
451 if (!NT_STATUS_IS_OK(status)) {
452 return status;
453 }
454
455 *plen = len + 4;
456 return NT_STATUS_OK;
457 }
458
459 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx,
460 struct smbd_server_connection *sconn,
461 int sock,
462 char **buffer, unsigned int timeout,
463 size_t *p_unread, bool *p_encrypted,
464 size_t *p_len,
465 uint32_t *seqnum,
466 bool trusted_channel)
467 {
468 size_t len = 0;
469 NTSTATUS status;
470
471 *p_encrypted = false;
472
473 status = receive_smb_raw_talloc(mem_ctx, sconn, sock, buffer, timeout,
474 p_unread, &len);
475 if (!NT_STATUS_IS_OK(status)) {
476 DEBUG(NT_STATUS_EQUAL(status, NT_STATUS_END_OF_FILE)?5:1,
477 ("receive_smb_raw_talloc failed for client %s "
478 "read error = %s.\n",
479 tsocket_address_string(sconn->remote_address,
480 talloc_tos()),
481 nt_errstr(status)) );
482 return status;
483 }
484
485 if (is_encrypted_packet(sconn, (uint8_t *)*buffer)) {
486 status = srv_decrypt_buffer(sconn, *buffer);
487 if (!NT_STATUS_IS_OK(status)) {
488 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
489 "incoming packet! Error %s\n",
490 nt_errstr(status) ));
491 return status;
492 }
493 *p_encrypted = true;
494 }
495
496 /* Check the incoming SMB signature. */
497 if (!srv_check_sign_mac(sconn, *buffer, seqnum, trusted_channel)) {
498 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
499 "incoming packet!\n"));
500 return NT_STATUS_INVALID_NETWORK_RESPONSE;
501 }
502
503 *p_len = len;
504 return NT_STATUS_OK;
505 }
506
507 /*
508 * Initialize a struct smb_request from an inbuf
509 */
510
511 static bool init_smb_request(struct smb_request *req,
512 struct smbd_server_connection *sconn,
513 const uint8 *inbuf,
514 size_t unread_bytes, bool encrypted,
515 uint32_t seqnum)
516 {
517 struct smbXsrv_tcon *tcon;
518 NTSTATUS status;
519 NTTIME now;
520 size_t req_size = smb_len(inbuf) + 4;
521
522 /* Ensure we have at least smb_size bytes. */
523 if (req_size < smb_size) {
524 DEBUG(0,("init_smb_request: invalid request size %u\n",
525 (unsigned int)req_size ));
526 return false;
527 }
528
529 req->request_time = timeval_current();
530 now = timeval_to_nttime(&req->request_time);
531
532 req->cmd = CVAL(inbuf, smb_com);
533 req->flags2 = SVAL(inbuf, smb_flg2);
534 req->smbpid = SVAL(inbuf, smb_pid);
535 req->mid = (uint64_t)SVAL(inbuf, smb_mid);
536 req->seqnum = seqnum;
537 req->vuid = SVAL(inbuf, smb_uid);
538 req->tid = SVAL(inbuf, smb_tid);
539 req->wct = CVAL(inbuf, smb_wct);
540 req->vwv = (const uint16_t *)(inbuf+smb_vwv);
541 req->buflen = smb_buflen(inbuf);
542 req->buf = (const uint8_t *)smb_buf_const(inbuf);
543 req->unread_bytes = unread_bytes;
544 req->encrypted = encrypted;
545 req->sconn = sconn;
546 status = smb1srv_tcon_lookup(sconn->conn, req->tid, now, &tcon);
547 if (NT_STATUS_IS_OK(status)) {
548 req->conn = tcon->compat;
549 } else {
550 req->conn = NULL;
551 }
552 req->chain_fsp = NULL;
553 req->smb2req = NULL;
554 req->priv_paths = NULL;
555 req->chain = NULL;
556 smb_init_perfcount_data(&req->pcd);
557
558 /* Ensure we have at least wct words and 2 bytes of bcc. */
559 if (smb_size + req->wct*2 > req_size) {
560 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
561 (unsigned int)req->wct,
562 (unsigned int)req_size));
563 return false;
564 }
565 /* Ensure bcc is correct. */
566 if (((const uint8_t *)smb_buf_const(inbuf)) + req->buflen > inbuf + req_size) {
567 DEBUG(0,("init_smb_request: invalid bcc number %u "
568 "(wct = %u, size %u)\n",
569 (unsigned int)req->buflen,
570 (unsigned int)req->wct,
571 (unsigned int)req_size));
572 return false;
573 }
574
575 req->outbuf = NULL;
576 return true;
577 }
578
579 static void process_smb(struct smbd_server_connection *conn,
580 uint8_t *inbuf, size_t nread, size_t unread_bytes,
581 uint32_t seqnum, bool encrypted,
582 struct smb_perfcount_data *deferred_pcd);
583
584 static void smbd_deferred_open_timer(struct event_context *ev,
585 struct timed_event *te,
586 struct timeval _tval,
587 void *private_data)
588 {
589 struct pending_message_list *msg = talloc_get_type(private_data,
590 struct pending_message_list);
591 struct smbd_server_connection *sconn = msg->sconn;
592 TALLOC_CTX *mem_ctx = talloc_tos();
593 uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
594 uint8_t *inbuf;
595
596 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
597 msg->buf.length);
598 if (inbuf == NULL) {
599 exit_server("smbd_deferred_open_timer: talloc failed\n");
600 return;
601 }
602
603 /* We leave this message on the queue so the open code can
604 know this is a retry. */
605 DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
606 (unsigned long long)mid ));
607
608 /* Mark the message as processed so this is not
609 * re-processed in error. */
610 msg->processed = true;
611
612 process_smb(sconn, inbuf,
613 msg->buf.length, 0,
614 msg->seqnum, msg->encrypted, &msg->pcd);
615
616 /* If it's still there and was processed, remove it. */
617 msg = get_deferred_open_message_smb(sconn, mid);
618 if (msg && msg->processed) {
619 remove_deferred_open_message_smb(sconn, mid);
620 }
621 }
622
623 /****************************************************************************
624 Function to push a message onto the tail of a linked list of smb messages ready
625 for processing.
626 ****************************************************************************/
627
628 static bool push_queued_message(struct smb_request *req,
629 struct timeval request_time,
630 struct timeval end_time,
631 char *private_data, size_t private_len)
632 {
633 int msg_len = smb_len(req->inbuf) + 4;
634 struct pending_message_list *msg;
635
636 msg = talloc_zero(NULL, struct pending_message_list);
637
638 if(msg == NULL) {
639 DEBUG(0,("push_message: malloc fail (1)\n"));
640 return False;
641 }
642 msg->sconn = req->sconn;
643
644 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
645 if(msg->buf.data == NULL) {
646 DEBUG(0,("push_message: malloc fail (2)\n"));
647 TALLOC_FREE(msg);
648 return False;
649 }
650
651 msg->request_time = request_time;
652 msg->seqnum = req->seqnum;
653 msg->encrypted = req->encrypted;
654 msg->processed = false;
655 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
656
657 if (private_data) {
658 msg->private_data = data_blob_talloc(msg, private_data,
659 private_len);
660 if (msg->private_data.data == NULL) {
661 DEBUG(0,("push_message: malloc fail (3)\n"));
662 TALLOC_FREE(msg);
663 return False;
664 }
665 }
666
667 msg->te = tevent_add_timer(msg->sconn->ev_ctx,
668 msg,
669 end_time,
670 smbd_deferred_open_timer,
671 msg);
672 if (!msg->te) {
673 DEBUG(0,("push_message: event_add_timed failed\n"));
674 TALLOC_FREE(msg);
675 return false;
676 }
677
678 DLIST_ADD_END(req->sconn->deferred_open_queue, msg,
679 struct pending_message_list *);
680
681 DEBUG(10,("push_message: pushed message length %u on "
682 "deferred_open_queue\n", (unsigned int)msg_len));
683
684 return True;
685 }
686
687 /****************************************************************************
688 Function to delete a sharing violation open message by mid.
689 ****************************************************************************/
690
691 void remove_deferred_open_message_smb(struct smbd_server_connection *sconn,
692 uint64_t mid)
693 {
694 struct pending_message_list *pml;
695
696 if (sconn->using_smb2) {
697 remove_deferred_open_message_smb2(sconn, mid);
698 return;
699 }
700
701 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
702 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
703 DEBUG(10,("remove_deferred_open_message_smb: "
704 "deleting mid %llu len %u\n",
705 (unsigned long long)mid,
706 (unsigned int)pml->buf.length ));
707 DLIST_REMOVE(sconn->deferred_open_queue, pml);
708 TALLOC_FREE(pml);
709 return;
710 }
711 }
712 }
713
714 /****************************************************************************
715 Move a sharing violation open retry message to the front of the list and
716 schedule it for immediate processing.
717 ****************************************************************************/
718
719 bool schedule_deferred_open_message_smb(struct smbd_server_connection *sconn,
720 uint64_t mid)
721 {
722 struct pending_message_list *pml;
723 int i = 0;
724
725 if (sconn->using_smb2) {
726 return schedule_deferred_open_message_smb2(sconn, mid);
727 }
728
729 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
730 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
731
732 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
733 "msg_mid = %llu\n",
734 i++,
735 (unsigned long long)msg_mid ));
736
737 if (mid == msg_mid) {
738 struct timed_event *te;
739
740 if (pml->processed) {
741 /* A processed message should not be
742 * rescheduled. */
743 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
744 "message mid %llu was already processed\n",
745 (unsigned long long)msg_mid ));
746 continue;
747 }
748
749 DEBUG(10,("schedule_deferred_open_message_smb: "
750 "scheduling mid %llu\n",
751 (unsigned long long)mid ));
752
753 te = tevent_add_timer(pml->sconn->ev_ctx,
754 pml,
755 timeval_zero(),
756 smbd_deferred_open_timer,
757 pml);
758 if (!te) {
759 DEBUG(10,("schedule_deferred_open_message_smb: "
760 "event_add_timed() failed, "
761 "skipping mid %llu\n",
762 (unsigned long long)msg_mid ));
763 }
764
765 TALLOC_FREE(pml->te);
766 pml->te = te;
767 DLIST_PROMOTE(sconn->deferred_open_queue, pml);
768 return true;
769 }
770 }
771
772 DEBUG(10,("schedule_deferred_open_message_smb: failed to "
773 "find message mid %llu\n",
774 (unsigned long long)mid ));
775
776 return false;
777 }
778
779 /****************************************************************************
780 Return true if this mid is on the deferred queue and was not yet processed.
781 ****************************************************************************/
782
783 bool open_was_deferred(struct smbd_server_connection *sconn, uint64_t mid)
784 {
785 struct pending_message_list *pml;
786
787 if (sconn->using_smb2) {
788 return open_was_deferred_smb2(sconn, mid);
789 }
790
791 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
792 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
793 return True;
794 }
795 }
796 return False;
797 }
798
799 /****************************************************************************
800 Return the message queued by this mid.
801 ****************************************************************************/
802
803 static struct pending_message_list *get_deferred_open_message_smb(
804 struct smbd_server_connection *sconn, uint64_t mid)
805 {
806 struct pending_message_list *pml;
807
808 for (pml = sconn->deferred_open_queue; pml; pml = pml->next) {
809 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
810 return pml;
811 }
812 }
813 return NULL;
814 }
815
816 /****************************************************************************
817 Get the state data queued by this mid.
818 ****************************************************************************/
819
820 bool get_deferred_open_message_state(struct smb_request *smbreq,
821 struct timeval *p_request_time,
822 void **pp_state)
823 {
824 struct pending_message_list *pml;
825
826 if (smbreq->sconn->using_smb2) {
827 return get_deferred_open_message_state_smb2(smbreq->smb2req,
828 p_request_time,
829 pp_state);
830 }
831
832 pml = get_deferred_open_message_smb(smbreq->sconn, smbreq->mid);
833 if (!pml) {
834 return false;
835 }
836 if (p_request_time) {
837 *p_request_time = pml->request_time;
838 }
839 if (pp_state) {
840 *pp_state = (void *)pml->private_data.data;
841 }
842 return true;
843 }
844
845 /****************************************************************************
846 Function to push a deferred open smb message onto a linked list of local smb
847 messages ready for processing.
848 ****************************************************************************/
849
850 bool push_deferred_open_message_smb(struct smb_request *req,
851 struct timeval request_time,
852 struct timeval timeout,
853 struct file_id id,
854 char *private_data, size_t priv_len)
855 {
856 struct timeval end_time;
857
858 if (req->smb2req) {
859 return push_deferred_open_message_smb2(req->smb2req,
860 request_time,
861 timeout,
862 id,
863 private_data,
864 priv_len);
865 }
866
867 if (req->unread_bytes) {
868 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
869 "unread_bytes = %u\n",
870 (unsigned int)req->unread_bytes ));
871 smb_panic("push_deferred_open_message_smb: "
872 "logic error unread_bytes != 0" );
873 }
874
875 end_time = timeval_sum(&request_time, &timeout);
876
877 DEBUG(10,("push_deferred_open_message_smb: pushing message "
878 "len %u mid %llu timeout time [%u.%06u]\n",
879 (unsigned int) smb_len(req->inbuf)+4,
880 (unsigned long long)req->mid,
881 (unsigned int)end_time.tv_sec,
882 (unsigned int)end_time.tv_usec));
883
884 return push_queued_message(req, request_time, end_time,
885 private_data, priv_len);
886 }
887
888 static void smbd_sig_term_handler(struct tevent_context *ev,
889 struct tevent_signal *se,
890 int signum,
891 int count,
892 void *siginfo,
893 void *private_data)
894 {
895 exit_server_cleanly("termination signal");
896 }
897
898 void smbd_setup_sig_term_handler(struct smbd_server_connection *sconn)
899 {
900 struct tevent_signal *se;
901
902 se = tevent_add_signal(sconn->ev_ctx,
903 sconn,
904 SIGTERM, 0,
905 smbd_sig_term_handler,
906 sconn);
907 if (!se) {
908 exit_server("failed to setup SIGTERM handler");
909 }
910 }
911
912 static void smbd_sig_hup_handler(struct tevent_context *ev,
913 struct tevent_signal *se,
914 int signum,
915 int count,
916 void *siginfo,
917 void *private_data)
918 {
919 struct smbd_server_connection *sconn =
920 talloc_get_type_abort(private_data,
921 struct smbd_server_connection);
922
923 change_to_root_user();
924 DEBUG(1,("Reloading services after SIGHUP\n"));
925 reload_services(sconn, conn_snum_used, false);
926 }
927
928 void smbd_setup_sig_hup_handler(struct smbd_server_connection *sconn)
929 {
930 struct tevent_signal *se;
931
932 se = tevent_add_signal(sconn->ev_ctx,
933 sconn,
934 SIGHUP, 0,
935 smbd_sig_hup_handler,
936 sconn);
937 if (!se) {
938 exit_server("failed to setup SIGHUP handler");
939 }
940 }
941
942 static void smbd_conf_updated(struct messaging_context *msg,
943 void *private_data,
944 uint32_t msg_type,
945 struct server_id server_id,
946 DATA_BLOB *data)
947 {
948 struct smbd_server_connection *sconn =
949 talloc_get_type_abort(private_data,
950 struct smbd_server_connection);
951
952 DEBUG(10,("smbd_conf_updated: Got message saying smb.conf was "
953 "updated. Reloading.\n"));
954 change_to_root_user();
955 reload_services(sconn, conn_snum_used, false);
956 }
957
958 /*
959 * Only allow 5 outstanding trans requests. We're allocating memory, so
960 * prevent a DoS.
961 */
962
963 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
964 {
965 int count = 0;
966 for (; list != NULL; list = list->next) {
967
968 if (list->mid == mid) {
969 return NT_STATUS_INVALID_PARAMETER;
970 }
971
972 count += 1;
973 }
974 if (count > 5) {
975 return NT_STATUS_INSUFFICIENT_RESOURCES;
976 }
977
978 return NT_STATUS_OK;
979 }
980
981 /*
982 These flags determine some of the permissions required to do an operation
983
984 Note that I don't set NEED_WRITE on some write operations because they
985 are used by some brain-dead clients when printing, and I don't want to
986 force write permissions on print services.
987 */
988 #define AS_USER (1<<0)
989 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
990 #define TIME_INIT (1<<2)
991 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
992 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
993 #define DO_CHDIR (1<<6)
994
995 /*
996 define a list of possible SMB messages and their corresponding
997 functions. Any message that has a NULL function is unimplemented -
998 please feel free to contribute implementations!
999 */
1000 static const struct smb_message_struct {
1001 const char *name;
1002 void (*fn)(struct smb_request *req);
1003 int flags;
1004 } smb_messages[256] = {
1005
1006 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1007 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1008 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1009 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1010 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1011 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1012 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1013 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1014 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1015 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1016 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1017 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1018 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1019 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1020 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1021 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1022 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1023 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1024 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1025 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1026 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1027 /* 0x15 */ { NULL, NULL, 0 },
1028 /* 0x16 */ { NULL, NULL, 0 },
1029 /* 0x17 */ { NULL, NULL, 0 },
1030 /* 0x18 */ { NULL, NULL, 0 },
1031 /* 0x19 */ { NULL, NULL, 0 },
1032 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1033 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1034 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1035 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1036 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1037 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1038 /* 0x20 */ { "SMBwritec", NULL,0},
1039 /* 0x21 */ { NULL, NULL, 0 },
1040 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1041 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1042 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1043 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1044 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1045 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1046 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1047 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1048 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1049 /* 0x2b */ { "SMBecho",reply_echo,0},
1050 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1051 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1052 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1053 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1054 /* 0x30 */ { NULL, NULL, 0 },
1055 /* 0x31 */ { NULL, NULL, 0 },
1056 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1057 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1058 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1059 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1060 /* 0x36 */ { NULL, NULL, 0 },
1061 /* 0x37 */ { NULL, NULL, 0 },
1062 /* 0x38 */ { NULL, NULL, 0 },
1063 /* 0x39 */ { NULL, NULL, 0 },
1064 /* 0x3a */ { NULL, NULL, 0 },
1065 /* 0x3b */ { NULL, NULL, 0 },
1066 /* 0x3c */ { NULL, NULL, 0 },
1067 /* 0x3d */ { NULL, NULL, 0 },
1068 /* 0x3e */ { NULL, NULL, 0 },
1069 /* 0x3f */ { NULL, NULL, 0 },
1070 /* 0x40 */ { NULL, NULL, 0 },
1071 /* 0x41 */ { NULL, NULL, 0 },
1072 /* 0x42 */ { NULL, NULL, 0 },
1073 /* 0x43 */ { NULL, NULL, 0 },
1074 /* 0x44 */ { NULL, NULL, 0 },
1075 /* 0x45 */ { NULL, NULL, 0 },
1076 /* 0x46 */ { NULL, NULL, 0 },
1077 /* 0x47 */ { NULL, NULL, 0 },
1078 /* 0x48 */ { NULL, NULL, 0 },
1079 /* 0x49 */ { NULL, NULL, 0 },
1080 /* 0x4a */ { NULL, NULL, 0 },
1081 /* 0x4b */ { NULL, NULL, 0 },
1082 /* 0x4c */ { NULL, NULL, 0 },
1083 /* 0x4d */ { NULL, NULL, 0 },
1084 /* 0x4e */ { NULL, NULL, 0 },
1085 /* 0x4f */ { NULL, NULL, 0 },
1086 /* 0x50 */ { NULL, NULL, 0 },
1087 /* 0x51 */ { NULL, NULL, 0 },
1088 /* 0x52 */ { NULL, NULL, 0 },
1089 /* 0x53 */ { NULL, NULL, 0 },
1090 /* 0x54 */ { NULL, NULL, 0 },
1091 /* 0x55 */ { NULL, NULL, 0 },
1092 /* 0x56 */ { NULL, NULL, 0 },
1093 /* 0x57 */ { NULL, NULL, 0 },
1094 /* 0x58 */ { NULL, NULL, 0 },
1095 /* 0x59 */ { NULL, NULL, 0 },
1096 /* 0x5a */ { NULL, NULL, 0 },
1097 /* 0x5b */ { NULL, NULL, 0 },
1098 /* 0x5c */ { NULL, NULL, 0 },
1099 /* 0x5d */ { NULL, NULL, 0 },
1100 /* 0x5e */ { NULL, NULL, 0 },
1101 /* 0x5f */ { NULL, NULL, 0 },
1102 /* 0x60 */ { NULL, NULL, 0 },
1103 /* 0x61 */ { NULL, NULL, 0 },
1104 /* 0x62 */ { NULL, NULL, 0 },
1105 /* 0x63 */ { NULL, NULL, 0 },
1106 /* 0x64 */ { NULL, NULL, 0 },
1107 /* 0x65 */ { NULL, NULL, 0 },
1108 /* 0x66 */ { NULL, NULL, 0 },
1109 /* 0x67 */ { NULL, NULL, 0 },
1110 /* 0x68 */ { NULL, NULL, 0 },
1111 /* 0x69 */ { NULL, NULL, 0 },
1112 /* 0x6a */ { NULL, NULL, 0 },
1113 /* 0x6b */ { NULL, NULL, 0 },
1114 /* 0x6c */ { NULL, NULL, 0 },
1115 /* 0x6d */ { NULL, NULL, 0 },
1116 /* 0x6e */ { NULL, NULL, 0 },
1117 /* 0x6f */ { NULL, NULL, 0 },
1118 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1119 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1120 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1121 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1122 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1123 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1124 /* 0x76 */ { NULL, NULL, 0 },
1125 /* 0x77 */ { NULL, NULL, 0 },
1126 /* 0x78 */ { NULL, NULL, 0 },
1127 /* 0x79 */ { NULL, NULL, 0 },
1128 /* 0x7a */ { NULL, NULL, 0 },
1129 /* 0x7b */ { NULL, NULL, 0 },
1130 /* 0x7c */ { NULL, NULL, 0 },
1131 /* 0x7d */ { NULL, NULL, 0 },
1132 /* 0x7e */ { NULL, NULL, 0 },
1133 /* 0x7f */ { NULL, NULL, 0 },
1134 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1135 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1136 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1137 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1138 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1139 /* 0x85 */ { NULL, NULL, 0 },
1140 /* 0x86 */ { NULL, NULL, 0 },
1141 /* 0x87 */ { NULL, NULL, 0 },
1142 /* 0x88 */ { NULL, NULL, 0 },
1143 /* 0x89 */ { NULL, NULL, 0 },
1144 /* 0x8a */ { NULL, NULL, 0 },
1145 /* 0x8b */ { NULL, NULL, 0 },
1146 /* 0x8c */ { NULL, NULL, 0 },
1147 /* 0x8d */ { NULL, NULL, 0 },
1148 /* 0x8e */ { NULL, NULL, 0 },
1149 /* 0x8f */ { NULL, NULL, 0 },
1150 /* 0x90 */ { NULL, NULL, 0 },
1151 /* 0x91 */ { NULL, NULL, 0 },
1152 /* 0x92 */ { NULL, NULL, 0 },
1153 /* 0x93 */ { NULL, NULL, 0 },
1154 /* 0x94 */ { NULL, NULL, 0 },
1155 /* 0x95 */ { NULL, NULL, 0 },
1156 /* 0x96 */ { NULL, NULL, 0 },
1157 /* 0x97 */ { NULL, NULL, 0 },
1158 /* 0x98 */ { NULL, NULL, 0 },
1159 /* 0x99 */ { NULL, NULL, 0 },
1160 /* 0x9a */ { NULL, NULL, 0 },
1161 /* 0x9b */ { NULL, NULL, 0 },
1162 /* 0x9c */ { NULL, NULL, 0 },
1163 /* 0x9d */ { NULL, NULL, 0 },
1164 /* 0x9e */ { NULL, NULL, 0 },
1165 /* 0x9f */ { NULL, NULL, 0 },
1166 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1167 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1168 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1169 /* 0xa3 */ { NULL, NULL, 0 },
1170 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1171 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1172 /* 0xa6 */ { NULL, NULL, 0 },
1173 /* 0xa7 */ { NULL, NULL, 0 },
1174 /* 0xa8 */ { NULL, NULL, 0 },
1175 /* 0xa9 */ { NULL, NULL, 0 },
1176 /* 0xaa */ { NULL, NULL, 0 },
1177 /* 0xab */ { NULL, NULL, 0 },
1178 /* 0xac */ { NULL, NULL, 0 },
1179 /* 0xad */ { NULL, NULL, 0 },
1180 /* 0xae */ { NULL, NULL, 0 },
1181 /* 0xaf */ { NULL, NULL, 0 },
1182 /* 0xb0 */ { NULL, NULL, 0 },
1183 /* 0xb1 */ { NULL, NULL, 0 },
1184 /* 0xb2 */ { NULL, NULL, 0 },
1185 /* 0xb3 */ { NULL, NULL, 0 },
1186 /* 0xb4 */ { NULL, NULL, 0 },
1187 /* 0xb5 */ { NULL, NULL, 0 },
1188 /* 0xb6 */ { NULL, NULL, 0 },
1189 /* 0xb7 */ { NULL, NULL, 0 },
1190 /* 0xb8 */ { NULL, NULL, 0 },
1191 /* 0xb9 */ { NULL, NULL, 0 },
1192 /* 0xba */ { NULL, NULL, 0 },
1193 /* 0xbb */ { NULL, NULL, 0 },
1194 /* 0xbc */ { NULL, NULL, 0 },
1195 /* 0xbd */ { NULL, NULL, 0 },
1196 /* 0xbe */ { NULL, NULL, 0 },
1197 /* 0xbf */ { NULL, NULL, 0 },
1198 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1199 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1200 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1201 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1202 /* 0xc4 */ { NULL, NULL, 0 },
1203 /* 0xc5 */ { NULL, NULL, 0 },
1204 /* 0xc6 */ { NULL, NULL, 0 },
1205 /* 0xc7 */ { NULL, NULL, 0 },
1206 /* 0xc8 */ { NULL, NULL, 0 },
1207 /* 0xc9 */ { NULL, NULL, 0 },
1208 /* 0xca */ { NULL, NULL, 0 },
1209 /* 0xcb */ { NULL, NULL, 0 },
1210 /* 0xcc */ { NULL, NULL, 0 },
1211 /* 0xcd */ { NULL, NULL, 0 },
1212 /* 0xce */ { NULL, NULL, 0 },
1213 /* 0xcf */ { NULL, NULL, 0 },
1214 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1215 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1216 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1217 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1218 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1219 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1220 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1221 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1222 /* 0xd8 */ { NULL, NULL, 0 },
1223 /* 0xd9 */ { NULL, NULL, 0 },
1224 /* 0xda */ { NULL, NULL, 0 },
1225 /* 0xdb */ { NULL, NULL, 0 },
1226 /* 0xdc */ { NULL, NULL, 0 },
1227 /* 0xdd */ { NULL, NULL, 0 },
1228 /* 0xde */ { NULL, NULL, 0 },
1229 /* 0xdf */ { NULL, NULL, 0 },
1230 /* 0xe0 */ { NULL, NULL, 0 },
1231 /* 0xe1 */ { NULL, NULL, 0 },
1232 /* 0xe2 */ { NULL, NULL, 0 },
1233 /* 0xe3 */ { NULL, NULL, 0 },
1234 /* 0xe4 */ { NULL, NULL, 0 },
1235 /* 0xe5 */ { NULL, NULL, 0 },
1236 /* 0xe6 */ { NULL, NULL, 0 },
1237 /* 0xe7 */ { NULL, NULL, 0 },
1238 /* 0xe8 */ { NULL, NULL, 0 },
1239 /* 0xe9 */ { NULL, NULL, 0 },
1240 /* 0xea */ { NULL, NULL, 0 },
1241 /* 0xeb */ { NULL, NULL, 0 },
1242 /* 0xec */ { NULL, NULL, 0 },
1243 /* 0xed */ { NULL, NULL, 0 },
1244 /* 0xee */ { NULL, NULL, 0 },
1245 /* 0xef */ { NULL, NULL, 0 },
1246 /* 0xf0 */ { NULL, NULL, 0 },
1247 /* 0xf1 */ { NULL, NULL, 0 },
1248 /* 0xf2 */ { NULL, NULL, 0 },
1249 /* 0xf3 */ { NULL, NULL, 0 },
1250 /* 0xf4 */ { NULL, NULL, 0 },
1251 /* 0xf5 */ { NULL, NULL, 0 },
1252 /* 0xf6 */ { NULL, NULL, 0 },
1253 /* 0xf7 */ { NULL, NULL, 0 },
1254 /* 0xf8 */ { NULL, NULL, 0 },
1255 /* 0xf9 */ { NULL, NULL, 0 },
1256 /* 0xfa */ { NULL, NULL, 0 },
1257 /* 0xfb */ { NULL, NULL, 0 },
1258 /* 0xfc */ { NULL, NULL, 0 },
1259 /* 0xfd */ { NULL, NULL, 0 },
1260 /* 0xfe */ { NULL, NULL, 0 },
1261 /* 0xff */ { NULL, NULL, 0 }
1262
1263 };
1264
1265 /*******************************************************************
1266 allocate and initialize a reply packet
1267 ********************************************************************/
1268
1269 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1270 const char *inbuf, char **outbuf, uint8_t num_words,
1271 uint32_t num_bytes)
1272 {
1273 /*
1274 * Protect against integer wrap
1275 */
1276 if ((num_bytes > 0xffffff)
1277 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1278 char *msg;
1279 if (asprintf(&msg, "num_bytes too large: %u",
1280 (unsigned)num_bytes) == -1) {
1281 msg = discard_const_p(char, "num_bytes too large");
1282 }
1283 smb_panic(msg);
1284 }
1285
1286 *outbuf = talloc_array(mem_ctx, char,
1287 smb_size + num_words*2 + num_bytes);
1288 if (*outbuf == NULL) {
1289 return false;
1290 }
1291
1292 construct_reply_common(req, inbuf, *outbuf);
1293 srv_set_message(*outbuf, num_words, num_bytes, false);
1294 /*
1295 * Zero out the word area, the caller has to take care of the bcc area
1296 * himself
1297 */
1298 if (num_words != 0) {
1299 memset(*outbuf + smb_vwv0, 0, num_words*2);
1300 }
1301
1302 return true;
1303 }
1304
1305 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1306 {
1307 char *outbuf;
1308 if (!create_outbuf(req, req, (const char *)req->inbuf, &outbuf, num_words,
1309 num_bytes)) {
1310 smb_panic("could not allocate output buffer\n");
1311 }
1312 req->outbuf = (uint8_t *)outbuf;
1313 }
1314
1315
1316 /*******************************************************************
1317 Dump a packet to a file.
1318 ********************************************************************/
1319
1320 static void smb_dump(const char *name, int type, const char *data)
1321 {
1322 size_t len;
1323 int fd, i;
1324 char *fname = NULL;
1325 if (DEBUGLEVEL < 50) {
1326 return;
1327 }
1328
1329 len = smb_len_tcp(data)+4;
1330 for (i=1;i<100;i++) {
1331 fname = talloc_asprintf(talloc_tos(),
1332 "/tmp/%s.%d.%s",
1333 name,
1334 i,
1335 type ? "req" : "resp");
1336 if (fname == NULL) {
1337 return;
1338 }
1339 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1340 if (fd != -1 || errno != EEXIST) break;
1341 TALLOC_FREE(fname);
1342 }
1343 if (fd != -1) {
1344 ssize_t ret = write(fd, data, len);
1345 if (ret != len)
1346 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1347 close(fd);
1348 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1349 }
1350 TALLOC_FREE(fname);
1351 }
1352
1353 /****************************************************************************
1354 Prepare everything for calling the actual request function, and potentially
1355 call the request function via the "new" interface.
1356
1357 Return False if the "legacy" function needs to be called, everything is
1358 prepared.
1359
1360 Return True if we're done.
1361
1362 I know this API sucks, but it is the one with the least code change I could
1363 find.
1364 ****************************************************************************/
1365
1366 static connection_struct *switch_message(uint8 type, struct smb_request *req)
1367 {
1368 int flags;
1369 uint64_t session_tag;
1370 connection_struct *conn = NULL;
1371 struct smbd_server_connection *sconn = req->sconn;
1372 NTTIME now = timeval_to_nttime(&req->request_time);
1373 struct smbXsrv_session *session = NULL;
1374 NTSTATUS status;
1375
1376 errno = 0;
1377
1378 if (smb_messages[type].fn == NULL) {
1379 DEBUG(0,("Unknown message type %d!\n",type));
1380 smb_dump("Unknown", 1, (const char *)req->inbuf);
1381 reply_unknown_new(req, type);
1382 return NULL;
1383 }
1384
1385 flags = smb_messages[type].flags;
1386
1387 /* In share mode security we must ignore the vuid. */
1388 session_tag = req->vuid;
1389 conn = req->conn;
1390
1391 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1392 (int)getpid(), (unsigned long)conn));
1393
1394 smb_dump(smb_fn_name(type), 1, (const char *)req->inbuf);
1395
1396 /* Ensure this value is replaced in the incoming packet. */
1397 SSVAL(discard_const_p(uint8_t, req->inbuf),smb_uid,session_tag);
1398
1399 /*
1400 * Ensure the correct username is in current_user_info. This is a
1401 * really ugly bugfix for problems with multiple session_setup_and_X's
1402 * being done and allowing %U and %G substitutions to work correctly.
1403 * There is a reason this code is done here, don't move it unless you
1404 * know what you're doing... :-).
1405 * JRA.
1406 */
1407
1408 /*
1409 * lookup an existing session
1410 *
1411 * Note: for now we only check for NT_STATUS_NETWORK_SESSION_EXPIRED
1412 * here, the main check is still in change_to_user()
1413 */
1414 status = smb1srv_session_lookup(sconn->conn,
1415 session_tag,
1416 now,
1417 &session);
1418 if (NT_STATUS_EQUAL(status, NT_STATUS_NETWORK_SESSION_EXPIRED)) {
1419 switch (type) {
1420 case SMBsesssetupX:
1421 status = NT_STATUS_OK;
1422 break;
1423 default:
1424 DEBUG(1,("Error: session %llu is expired, mid=%llu.\n",
1425 (unsigned long long)session_tag,
1426 (unsigned long long)req->mid));
1427 reply_nterror(req, NT_STATUS_NETWORK_SESSION_EXPIRED);
1428 return conn;
1429 }
1430 }
1431
1432 if (session_tag != sconn->smb1.sessions.last_session_tag) {
1433 struct user_struct *vuser = NULL;
1434
1435 sconn->smb1.sessions.last_session_tag = session_tag;
1436 if (session) {
1437 vuser = session->compat;
1438 }
1439 if (vuser) {
1440 set_current_user_info(
1441 vuser->session_info->unix_info->sanitized_username,
1442 vuser->session_info->unix_info->unix_name,
1443 vuser->session_info->info->domain_name);
1444 }
1445 }
1446
1447 /* Does this call need to be run as the connected user? */
1448 if (flags & AS_USER) {
1449
1450 /* Does this call need a valid tree connection? */
1451 if (!conn) {
1452 /*
1453 * Amazingly, the error code depends on the command
1454 * (from Samba4).
1455 */
1456 if (type == SMBntcreateX) {
1457 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1458 } else {
1459 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1460 }
1461 return NULL;
1462 }
1463
1464 if (!change_to_user(conn,session_tag)) {
1465 DEBUG(0, ("Error: Could not change to user. Removing "
1466 "deferred open, mid=%llu.\n",
1467 (unsigned long long)req->mid));
1468 reply_force_doserror(req, ERRSRV, ERRbaduid);
1469 return conn;
1470 }
1471
1472 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1473
1474 /* Does it need write permission? */
1475 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1476 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1477 return conn;
1478 }
1479
1480 /* IPC services are limited */
1481 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1482 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1483 return conn;
1484 }
1485 } else {
1486 /* This call needs to be run as root */
1487 change_to_root_user();
1488 }
1489
1490 /* load service specific parameters */
1491 if (conn) {
1492 if (req->encrypted) {
1493 conn->encrypted_tid = true;
1494 /* encrypted required from now on. */
1495 conn->encrypt_level = Required;
1496 } else if (ENCRYPTION_REQUIRED(conn)) {
1497 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1498 exit_server_cleanly("encryption required "
1499 "on connection");
1500 return conn;
1501 }
1502 }
1503
1504 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1505 (flags & (AS_USER|DO_CHDIR)
1506 ?True:False))) {
1507 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1508 return conn;
1509 }
1510 conn->num_smb_operations++;
1511 }
1512
1513 /*
1514 * Does this protocol need to be run as guest? (Only archane
1515 * messenger service requests have this...)
1516 */
1517 if (flags & AS_GUEST) {
1518 char *raddr;
1519 bool ok;
1520
1521 if (!change_to_guest()) {
1522 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1523 return conn;
1524 }
1525
1526 raddr = tsocket_address_inet_addr_string(sconn->remote_address,
1527 talloc_tos());
1528 if (raddr == NULL) {
1529 reply_nterror(req, NT_STATUS_NO_MEMORY);
1530 return conn;
1531 }
1532
1533 /*
1534 * Haven't we checked this in smbd_process already???
1535 */
1536
1537 ok = allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
1538 sconn->remote_hostname, raddr);
1539 TALLOC_FREE(raddr);
1540
1541 if (!ok) {
1542 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1543 return conn;
1544 }
1545 }
1546
1547 smb_messages[type].fn(req);
1548 return req->conn;
1549 }
1550
1551 /****************************************************************************
1552 Construct a reply to the incoming packet.
1553 ****************************************************************************/
1554
1555 static void construct_reply(struct smbd_server_connection *sconn,
1556 char *inbuf, int size, size_t unread_bytes,
1557 uint32_t seqnum, bool encrypted,
1558 struct smb_perfcount_data *deferred_pcd)
1559 {
1560 connection_struct *conn;
1561 struct smb_request *req;
1562
1563 if (!(req = talloc(talloc_tos(), struct smb_request))) {
1564 smb_panic("could not allocate smb_request");
1565 }
1566
1567 if (!init_smb_request(req, sconn, (uint8 *)inbuf, unread_bytes,
1568 encrypted, seqnum)) {
1569 exit_server_cleanly("Invalid SMB request");
1570 }
1571
1572 req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1573
1574 /* we popped this message off the queue - keep original perf data */
1575 if (deferred_pcd)
1576 req->pcd = *deferred_pcd;
1577 else {
1578 SMB_PERFCOUNT_START(&req->pcd);
1579 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1580 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1581 }
1582
1583 conn = switch_message(req->cmd, req);
1584
1585 if (req->outbuf == NULL) {
1586 return;
1587 }
1588
1589 if (CVAL(req->outbuf,0) == 0) {
1590 show_msg((char *)req->outbuf);
1591 }
1592
1593 if (!srv_send_smb(req->sconn,
1594 (char *)req->outbuf,
1595 true, req->seqnum+1,
1596 IS_CONN_ENCRYPTED(conn)||req->encrypted,
1597 &req->pcd)) {
1598 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1599 }
1600
1601 TALLOC_FREE(req);
1602
1603 return;
1604 }
1605
1606 static void construct_reply_chain(struct smbd_server_connection *sconn,
1607 char *inbuf, int size, uint32_t seqnum,
1608 bool encrypted,
1609 struct smb_perfcount_data *deferred_pcd)
1610 {
1611 struct smb_request **reqs = NULL;
1612 struct smb_request *req;
1613 unsigned num_reqs;
1614 bool ok;
1615
1616 ok = smb1_parse_chain(talloc_tos(), (uint8_t *)inbuf, sconn, encrypted,
1617 seqnum, &reqs, &num_reqs);
1618 if (!ok) {
1619 char errbuf[smb_size];
1620 error_packet(errbuf, 0, 0, NT_STATUS_INVALID_PARAMETER,
1621 __LINE__, __FILE__);
1622 if (!srv_send_smb(sconn, errbuf, true, seqnum, encrypted,
1623 NULL)) {
1624 exit_server_cleanly("construct_reply_chain: "
1625 "srv_send_smb failed.");
1626 }
1627 return;
1628 }
1629
1630 req = reqs[0];
1631 req->inbuf = (uint8_t *)talloc_move(reqs, &inbuf);
1632
1633 req->conn = switch_message(req->cmd, req);
1634
1635 if (req->outbuf == NULL) {
1636 /*
1637 * Request has suspended itself, will come
1638 * back here.
1639 */
1640 return;
1641 }
1642 smb_request_done(req);
1643 }
1644
1645 /*
1646 * To be called from an async SMB handler that is potentially chained
1647 * when it is finished for shipping.
1648 */
1649
1650 void smb_request_done(struct smb_request *req)
1651 {
1652 struct smb_request **reqs = NULL;
1653 struct smb_request *first_req;
1654 size_t i, num_reqs, next_index;
1655 NTSTATUS status;
1656
1657 if (req->chain == NULL) {
1658 first_req = req;
1659 goto shipit;
1660 }
1661
1662 reqs = req->chain;
1663 num_reqs = talloc_array_length(reqs);
1664
1665 for (i=0; i<num_reqs; i++) {
1666 if (reqs[i] == req) {
1667 break;
1668 }
1669 }
1670 if (i == num_reqs) {
1671 /*
1672 * Invalid chain, should not happen
1673 */
1674 status = NT_STATUS_INTERNAL_ERROR;
1675 goto error;
1676 }
1677 next_index = i+1;
1678
1679 while ((next_index < num_reqs) && (IVAL(req->outbuf, smb_rcls) == 0)) {
1680 struct smb_request *next = reqs[next_index];
1681 struct smbXsrv_tcon *tcon;
1682 NTTIME now = timeval_to_nttime(&req->request_time);
1683
1684 next->vuid = SVAL(req->outbuf, smb_uid);
1685 next->tid = SVAL(req->outbuf, smb_tid);
1686 status = smb1srv_tcon_lookup(req->sconn->conn, req->tid,
1687 now, &tcon);
1688 if (NT_STATUS_IS_OK(status)) {
1689 req->conn = tcon->compat;
1690 } else {
1691 req->conn = NULL;
1692 }
1693 next->chain_fsp = req->chain_fsp;
1694 next->inbuf = (uint8_t *)req->inbuf;
1695
1696 req = next;
1697 req->conn = switch_message(req->cmd, req);
1698
1699 if (req->outbuf == NULL) {
1700 /*
1701 * Request has suspended itself, will come
1702 * back here.
1703 */
1704 return;
1705 }
1706 next_index += 1;
1707 }
1708
1709 first_req = reqs[0];
1710
1711 for (i=1; i<next_index; i++) {
1712 bool ok;
1713
1714 ok = smb_splice_chain(&first_req->outbuf, reqs[i]->outbuf);
1715 if (!ok) {
1716 status = NT_STATUS_INTERNAL_ERROR;
1717 goto error;
1718 }
1719 }
1720
1721 SSVAL(first_req->outbuf, smb_uid, SVAL(req->outbuf, smb_uid));
1722 SSVAL(first_req->outbuf, smb_tid, SVAL(req->outbuf, smb_tid));
1723
1724 /*
1725 * This scary statement intends to set the
1726 * FLAGS2_32_BIT_ERROR_CODES flg2 field in first_req->outbuf
1727 * to the value last_req->outbuf carries
1728 */
1729 SSVAL(first_req->outbuf, smb_flg2,
1730 (SVAL(first_req->outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1731 |(SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1732
1733 /*
1734 * Transfer the error codes from the subrequest to the main one
1735 */
1736 SSVAL(first_req->outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
1737 SSVAL(first_req->outbuf, smb_err, SVAL(req->outbuf, smb_err));
1738
1739 _smb_setlen_large(
1740 first_req->outbuf, talloc_get_size(first_req->outbuf) - 4);
1741
1742 shipit:
1743 if (!srv_send_smb(first_req->sconn,
1744 (char *)first_req->outbuf,
1745 true, first_req->seqnum+1,
1746 IS_CONN_ENCRYPTED(req->conn)||first_req->encrypted,
1747 &first_req->pcd)) {
1748 exit_server_cleanly("construct_reply_chain: srv_send_smb "
1749 "failed.");
1750 }
1751 TALLOC_FREE(req); /* non-chained case */
1752 TALLOC_FREE(reqs); /* chained case */
1753 return;
1754
1755 error:
1756 {
1757 char errbuf[smb_size];
1758 error_packet(errbuf, 0, 0, status, __LINE__, __FILE__);
1759 if (!srv_send_smb(req->sconn, errbuf, true,
1760 req->seqnum+1, req->encrypted,
1761 NULL)) {
1762 exit_server_cleanly("construct_reply_chain: "
1763 "srv_send_smb failed.");
1764 }
1765 }
1766 TALLOC_FREE(req); /* non-chained case */
1767 TALLOC_FREE(reqs); /* chained case */
1768 }
1769
1770 /****************************************************************************
1771 Process an smb from the client
1772 ****************************************************************************/
1773 static void process_smb(struct smbd_server_connection *sconn,
1774 uint8_t *inbuf, size_t nread, size_t unread_bytes,
1775 uint32_t seqnum, bool encrypted,
1776 struct smb_perfcount_data *deferred_pcd)
1777 {
1778 int msg_type = CVAL(inbuf,0);
1779
1780 DO_PROFILE_INC(smb_count);
1781
1782 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1783 smb_len(inbuf) ) );
1784 DEBUG(3, ("Transaction %d of length %d (%u toread)\n",
1785 sconn->trans_num, (int)nread, (unsigned int)unread_bytes));
1786
1787 if (msg_type != NBSSmessage) {
1788 /*
1789 * NetBIOS session request, keepalive, etc.
1790 */
1791 reply_special(sconn, (char *)inbuf, nread);
1792 goto done;
1793 }
1794
1795 if (sconn->using_smb2) {
1796 /* At this point we're not really using smb2,
1797 * we make the decision here.. */
1798 if (smbd_is_smb2_header(inbuf, nread)) {
1799 smbd_smb2_first_negprot(sconn, inbuf, nread);
1800 return;
1801 } else if (nread >= smb_size && valid_smb_header(sconn, inbuf)
1802 && CVAL(inbuf, smb_com) != 0x72) {
1803 /* This is a non-negprot SMB1 packet.
1804 Disable SMB2 from now on. */
1805 sconn->using_smb2 = false;
1806 }
1807 }
1808
1809 /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1810 * so subtract 4 from it. */
1811 if ((nread < (smb_size - 4)) || !valid_smb_header(sconn, inbuf)) {
1812 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1813 smb_len(inbuf)));
1814
1815 /* special magic for immediate exit */
1816 if ((nread == 9) &&
1817 (IVAL(inbuf, 4) == 0x74697865) &&
1818 lp_parm_bool(-1, "smbd", "suicide mode", false)) {
1819 uint8_t exitcode = CVAL(inbuf, 8);
1820 DEBUG(1, ("Exiting immediately with code %d\n",
1821 (int)exitcode));
1822 exit(exitcode);
1823 }
1824
1825 exit_server_cleanly("Non-SMB packet");
1826 }
1827
1828 show_msg((char *)inbuf);
1829
1830 if ((unread_bytes == 0) && smb1_is_chain(inbuf)) {
1831 construct_reply_chain(sconn, (char *)inbuf, nread,
1832 seqnum, encrypted, deferred_pcd);
1833 } else {
1834 construct_reply(sconn, (char *)inbuf, nread, unread_bytes,
1835 seqnum, encrypted, deferred_pcd);
1836 }
1837
1838 sconn->trans_num++;
1839
1840 done:
1841 sconn->num_requests++;
1842
1843 /* The timeout_processing function isn't run nearly
1844 often enough to implement 'max log size' without
1845 overrunning the size of the file by many megabytes.
1846 This is especially true if we are running at debug
1847 level 10. Checking every 50 SMBs is a nice
1848 tradeoff of performance vs log file size overrun. */
1849
1850 if ((sconn->num_requests % 50) == 0 &&
1851 need_to_check_log_size()) {
1852 change_to_root_user();
1853 check_log_size();
1854 }
1855 }
1856
1857 /****************************************************************************
1858 Return a string containing the function name of a SMB command.
1859 ****************************************************************************/
1860
1861 const char *smb_fn_name(int type)
1862 {
1863 const char *unknown_name = "SMBunknown";
1864
1865 if (smb_messages[type].name == NULL)
1866 return(unknown_name);
1867
1868 return(smb_messages[type].name);
1869 }
1870
1871 /****************************************************************************
1872 Helper functions for contruct_reply.
1873 ****************************************************************************/
1874
1875 void add_to_common_flags2(uint32 v)
1876 {
1877 common_flags2 |= v;
1878 }
1879
1880 void remove_from_common_flags2(uint32 v)
1881 {
1882 common_flags2 &= ~v;
1883 }
1884
1885 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1886 char *outbuf)
1887 {
1888 uint16_t in_flags2 = SVAL(inbuf,smb_flg2);
1889 uint16_t out_flags2 = common_flags2;
1890
1891 out_flags2 |= in_flags2 & FLAGS2_UNICODE_STRINGS;
1892 out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES;
1893 out_flags2 |= in_flags2 & FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED;
1894
1895 srv_set_message(outbuf,0,0,false);
1896
1897 SCVAL(outbuf, smb_com, req->cmd);
1898 SIVAL(outbuf,smb_rcls,0);
1899 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1900 SSVAL(outbuf,smb_flg2, out_flags2);
1901 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1902 memcpy(outbuf+smb_ss_field, inbuf+smb_ss_field, 8);
1903
1904 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1905 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1906 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1907 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1908 }
1909
1910 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1911 {
1912 construct_reply_common(req, (const char *)req->inbuf, outbuf);
1913 }
1914
1915 /**
1916 * @brief Find the smb_cmd offset of the last command pushed
1917 * @param[in] buf The buffer we're building up
1918 * @retval Where can we put our next andx cmd?
1919 *
1920 * While chaining requests, the "next" request we're looking at needs to put
1921 * its SMB_Command before the data the previous request already built up added
1922 * to the chain. Find the offset to the place where we have to put our cmd.
1923 */
1924
1925 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1926 {
1927 uint8_t cmd;
1928 size_t ofs;
1929
1930 cmd = CVAL(buf, smb_com);
1931
1932 if (!is_andx_req(cmd)) {
1933 return false;
1934 }
1935
1936 ofs = smb_vwv0;
1937
1938 while (CVAL(buf, ofs) != 0xff) {
1939
1940 if (!is_andx_req(CVAL(buf, ofs))) {
1941 return false;
1942 }
1943
1944 /*
1945 * ofs is from start of smb header, so add the 4 length
1946 * bytes. The next cmd is right after the wct field.
1947 */
1948 ofs = SVAL(buf, ofs+2) + 4 + 1;
1949
1950 if (ofs+4 >= talloc_get_size(buf)) {
1951 return false;
1952 }
1953 }
1954
1955 *pofs = ofs;
1956 return true;
1957 }
1958
1959 /**
1960 * @brief Do the smb chaining at a buffer level
1961 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1962 * @param[in] andx_buf Buffer to be appended
1963 */
1964
1965 static bool smb_splice_chain(uint8_t **poutbuf, const uint8_t *andx_buf)
1966 {
1967 uint8_t smb_command = CVAL(andx_buf, smb_com);
1968 uint8_t wct = CVAL(andx_buf, smb_wct);
1969 const uint16_t *vwv = (const uint16_t *)(andx_buf + smb_vwv);
1970 uint32_t num_bytes = smb_buflen(andx_buf);
1971 const uint8_t *bytes = (const uint8_t *)smb_buf_const(andx_buf);
1972
1973 uint8_t *outbuf;
1974 size_t old_size, new_size;
1975 size_t ofs;
1976 size_t chain_padding = 0;
1977 size_t andx_cmd_ofs;
1978
1979
1980 old_size = talloc_get_size(*poutbuf);
1981
1982 if ((old_size % 4) != 0) {
1983 /*
1984 * Align the wct field of subsequent requests to a 4-byte
1985 * boundary
1986 */
1987 chain_padding = 4 - (old_size % 4);
1988 }
1989
1990 /*
1991 * After the old request comes the new wct field (1 byte), the vwv's
1992 * and the num_bytes field.
1993 */
1994
1995 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1996 new_size += num_bytes;
1997
1998 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1999 DEBUG(1, ("smb_splice_chain: %u bytes won't fit\n",
2000 (unsigned)new_size));
2001 return false;
2002 }
2003
2004 outbuf = talloc_realloc(NULL, *poutbuf, uint8_t, new_size);
2005 if (outbuf == NULL) {
2006 DEBUG(0, ("talloc failed\n"));
2007 return false;
2008 }
2009 *poutbuf = outbuf;
2010
2011 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
2012 DEBUG(1, ("invalid command chain\n"));
2013 *poutbuf = talloc_realloc(NULL, *poutbuf, uint8_t, old_size);
2014 return false;
2015 }
2016
2017 if (chain_padding != 0) {
2018 memset(outbuf + old_size, 0, chain_padding);
2019 old_size += chain_padding;
2020 }
2021
2022 SCVAL(outbuf, andx_cmd_ofs, smb_command);
2023 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
2024
2025 ofs = old_size;
2026
2027 /*
2028 * Push the chained request:
2029 *
2030 * wct field
2031 */
2032
2033 SCVAL(outbuf, ofs, wct);
2034 ofs += 1;
2035
2036 /*
2037 * vwv array
2038 */
2039
2040 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
2041
2042 /*
2043 * HACK ALERT
2044 *
2045 * Read&X has an offset into its data buffer at
2046 * vwv[6]. reply_read_andx has no idea anymore that it's
2047 * running from within a chain, so we have to fix up the
2048 * offset here.
2049 *
2050 * Although it looks disgusting at this place, I want to keep
2051 * it here. The alternative would be to push knowledge about
2052 * the andx chain down into read&x again.
2053 */
2054
2055 if (smb_command == SMBreadX) {
2056 uint8_t *bytes_addr;
2057
2058 if (wct < 7) {
2059 /*
2060 * Invalid read&x response
2061 */
2062 return false;
2063 }
2064
2065 bytes_addr = outbuf + ofs /* vwv start */
2066 + sizeof(uint16_t) * wct /* vwv array */
2067 + sizeof(uint16_t); /* bcc */
2068
2069 SSVAL(outbuf + ofs, 6 * sizeof(uint16_t),
2070 bytes_addr - outbuf - 4);
2071 }
2072
2073 ofs += sizeof(uint16_t) * wct;
2074
2075 /*
2076 * bcc (byte count)
2077 */
2078
2079 SSVAL(outbuf, ofs, num_bytes);
2080 ofs += sizeof(uint16_t);
2081
2082 /*
2083 * The bytes field
2084 */
2085
2086 memcpy(outbuf + ofs, bytes, num_bytes);
2087
2088 return true;
2089 }
2090
2091 bool smb1_is_chain(const uint8_t *buf)
2092 {
2093 uint8_t cmd, wct, andx_cmd;
2094
2095 cmd = CVAL(buf, smb_com);
2096 if (!is_andx_req(cmd)) {
2097 return false;
2098 }
2099 wct = CVAL(buf, smb_wct);
2100 if (wct < 2) {
2101 return false;
2102 }
2103 andx_cmd = CVAL(buf, smb_vwv);
2104 return (andx_cmd != 0xFF);
2105 }
2106
2107 bool smb1_walk_chain(const uint8_t *buf,
2108 bool (*fn)(uint8_t cmd,
2109 uint8_t wct, const uint16_t *vwv,
2110 uint16_t num_bytes, const uint8_t *bytes,
2111 void *private_data),
2112 void *private_data)
2113 {
2114 size_t smblen = smb_len(buf);
2115 const char *smb_buf = smb_base(buf);
2116 uint8_t cmd, chain_cmd;
2117 uint8_t wct;
2118 const uint16_t *vwv;
2119 uint16_t num_bytes;
2120 const uint8_t *bytes;
2121
2122 cmd = CVAL(buf, smb_com);
2123 wct = CVAL(buf, smb_wct);
2124 vwv = (const uint16_t *)(buf + smb_vwv);
2125 num_bytes = smb_buflen(buf);
2126 bytes = (uint8_t *)smb_buf_const(buf);
2127
2128 if (!fn(cmd, wct, vwv, num_bytes, bytes, private_data)) {
2129 return false;
2130 }
2131
2132 if (!is_andx_req(cmd)) {
2133 return true;
2134 }
2135 if (wct < 2) {
2136 return false;
2137 }
2138
2139 chain_cmd = CVAL(vwv, 0);
2140
2141 while (chain_cmd != 0xff) {
2142 uint32_t chain_offset; /* uint32_t to avoid overflow */
2143 size_t length_needed;
2144 ptrdiff_t vwv_offset;
2145
2146 chain_offset = SVAL(vwv+1, 0);
2147
2148 /*
2149 * Check if the client tries to fool us. The chain
2150 * offset needs to point beyond the current request in
2151 * the chain, it needs to strictly grow. Otherwise we
2152 * might be tricked into an endless loop always
2153 * processing the same request over and over again. We
2154 * used to assume that vwv and the byte buffer array
2155 * in a chain are always attached, but OS/2 the
2156 * Write&X/Read&X chain puts the Read&X vwv array
2157 * right behind the Write&X vwv chain. The Write&X bcc
2158 * array is put behind the Read&X vwv array. So now we
2159 * check whether the chain offset points strictly
2160 * behind the previous vwv array. req->buf points
2161 * right after the vwv array of the previous
2162 * request. See
2163 * https://bugzilla.samba.org/show_bug.cgi?id=8360 for
2164 * more information.
2165 */
2166
2167 vwv_offset = ((const char *)vwv - smb_buf);
2168 if (chain_offset <= vwv_offset) {
2169 return false;
2170 }
2171
2172 /*
2173 * Next check: Make sure the chain offset does not
2174 * point beyond the overall smb request length.
2175 */
2176
2177 length_needed = chain_offset+1; /* wct */
2178 if (length_needed > smblen) {
2179 return false;
2180 }
2181
2182 /*
2183 * Now comes the pointer magic. Goal here is to set up
2184 * vwv and buf correctly again. The chain offset (the
2185 * former vwv[1]) points at the new wct field.
2186 */
2187
2188 wct = CVAL(smb_buf, chain_offset);
2189
2190 if (is_andx_req(chain_cmd) && (wct < 2)) {
2191 return false;
2192 }
2193
2194 /*
2195 * Next consistency check: Make the new vwv array fits
2196 * in the overall smb request.
2197 */
2198
2199 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2200 if (length_needed > smblen) {
2201 return false;
2202 }
2203 vwv = (const uint16_t *)(smb_buf + chain_offset + 1);
2204
2205 /*
2206 * Now grab the new byte buffer....
2207 */
2208
2209 num_bytes = SVAL(vwv+wct, 0);
2210
2211 /*
2212 * .. and check that it fits.
2213 */
2214
2215 length_needed += num_bytes;
2216 if (length_needed > smblen) {
2217 return false;
2218 }
2219 bytes = (const uint8_t *)(vwv+wct+1);
2220
2221 if (!fn(chain_cmd, wct, vwv, num_bytes, bytes, private_data)) {
2222 return false;
2223 }
2224
2225 if (!is_andx_req(chain_cmd)) {
2226 return true;
2227 }
2228 chain_cmd = CVAL(vwv, 0);
2229 }
2230 return true;
2231 }
2232
2233 static bool smb1_chain_length_cb(uint8_t cmd,
2234 uint8_t wct, const uint16_t *vwv,
2235 uint16_t num_bytes, const uint8_t *bytes,
2236 void *private_data)
2237 {
2238 unsigned *count = (unsigned *)private_data;
2239 *count += 1;
2240 return true;
2241 }
2242
2243 unsigned smb1_chain_length(const uint8_t *buf)
2244 {
2245 unsigned count = 0;
2246
2247 if (!smb1_walk_chain(buf, smb1_chain_length_cb, &count)) {
2248 return 0;
2249 }
2250 return count;
2251 }
2252
2253 struct smb1_parse_chain_state {
2254 TALLOC_CTX *mem_ctx;
2255 const uint8_t *buf;
2256 struct smbd_server_connection *sconn;
2257 bool encrypted;
2258 uint32_t seqnum;
2259
2260 struct smb_request **reqs;
2261 unsigned num_reqs;
2262 };
2263
2264 static bool smb1_parse_chain_cb(uint8_t cmd,
2265 uint8_t wct, const uint16_t *vwv,
2266 uint16_t num_bytes, const uint8_t *bytes,
2267 void *private_data)
2268 {
2269 struct smb1_parse_chain_state *state =
2270 (struct smb1_parse_chain_state *)private_data;
2271 struct smb_request **reqs;
2272 struct smb_request *req;
2273 bool ok;
2274
2275 reqs = talloc_realloc(state->mem_ctx, state->reqs,
2276 struct smb_request *, state->num_reqs+1);
2277 if (reqs == NULL) {
2278 return false;
2279 }
2280 state->reqs = reqs;
2281
2282 req = talloc(reqs, struct smb_request);
2283 if (req == NULL) {
2284 return false;
2285 }
2286
2287 ok = init_smb_request(req, state->sconn, state->buf, 0,
2288 state->encrypted, state->seqnum);
2289 if (!ok) {
2290 return false;
2291 }
2292 req->cmd = cmd;
2293 req->wct = wct;
2294 req->vwv = vwv;
2295 req->buflen = num_bytes;
2296 req->buf = bytes;
2297
2298 reqs[state->num_reqs] = req;
2299 state->num_reqs += 1;
2300 return true;
2301 }
2302
2303 bool smb1_parse_chain(TALLOC_CTX *mem_ctx, const uint8_t *buf,
2304 struct smbd_server_connection *sconn,
2305 bool encrypted, uint32_t seqnum,
2306 struct smb_request ***reqs, unsigned *num_reqs)
2307 {
2308 struct smb1_parse_chain_state state;
2309 unsigned i;
2310
2311 state.mem_ctx = mem_ctx;
2312 state.buf = buf;
2313 state.sconn = sconn;
2314 state.encrypted = encrypted;
2315 state.seqnum = seqnum;
2316 state.reqs = NULL;
2317 state.num_reqs = 0;
2318
2319 if (!smb1_walk_chain(buf, smb1_parse_chain_cb, &state)) {
2320 TALLOC_FREE(state.reqs);
2321 return false;
2322 }
2323 for (i=0; i<state.num_reqs; i++) {
2324 state.reqs[i]->chain = state.reqs;
2325 }
2326 *reqs = state.reqs;
2327 *num_reqs = state.num_reqs;
2328 return true;
2329 }
2330
2331 /****************************************************************************
2332 Check if services need reloading.
2333 ****************************************************************************/
2334
2335 static void check_reload(struct smbd_server_connection *sconn, time_t t)
2336 {
2337
2338 if (last_smb_conf_reload_time == 0) {
2339 last_smb_conf_reload_time = t;
2340 }
2341
2342 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2343 reload_services(sconn, conn_snum_used, true);
2344 last_smb_conf_reload_time = t;
2345 }
2346 }
2347
2348 static bool fd_is_readable(int fd)
2349 {
2350 int ret, revents;
2351
2352 ret = poll_one_fd(fd, POLLIN|POLLHUP, 0, &revents);
2353
2354 return ((ret > 0) && ((revents & (POLLIN|POLLHUP|POLLERR)) != 0));
2355
2356 }
2357
2358 static void smbd_server_connection_write_handler(
2359 struct smbd_server_connection *sconn)
2360 {
2361 /* TODO: make write nonblocking */
2362 }
2363
2364 static void smbd_server_connection_read_handler(
2365 struct smbd_server_connection *sconn, int fd)
2366 {
2367 uint8_t *inbuf = NULL;
2368 size_t inbuf_len = 0;
2369 size_t unread_bytes = 0;
2370 bool encrypted = false;
2371 TALLOC_CTX *mem_ctx = talloc_tos();
2372 NTSTATUS status;
2373 uint32_t seqnum;
2374
2375 bool from_client;
2376
2377 if (lp_async_smb_echo_handler()
2378 && fd_is_readable(sconn->smb1.echo_handler.trusted_fd)) {
2379 /*
2380 * This is the super-ugly hack to prefer the packets
2381 * forwarded by the echo handler over the ones by the
2382 * client directly
2383 */
2384 fd = sconn->smb1.echo_handler.trusted_fd;
2385 }
2386
2387 from_client = (sconn->sock == fd);
2388
2389 if (from_client) {
2390 smbd_lock_socket(sconn);
2391
2392 if (!fd_is_readable(fd)) {
2393 DEBUG(10,("the echo listener was faster\n"));
2394 smbd_unlock_socket(sconn);
2395 return;
2396 }
2397 }
2398
2399 /* TODO: make this completely nonblocking */
2400 status = receive_smb_talloc(mem_ctx, sconn, fd,
2401 (char **)(void *)&inbuf,
2402 0, /* timeout */
2403 &unread_bytes,
2404 &encrypted,
2405 &inbuf_len, &seqnum,
2406 false /* trusted channel */);
2407
2408 if (from_client) {
2409 smbd_unlock_socket(sconn);
2410 }
2411
2412 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2413 goto process;
2414 }
2415 if (NT_STATUS_IS_ERR(status)) {
2416 exit_server_cleanly("failed to receive smb request");
2417 }
2418 if (!NT_STATUS_IS_OK(status)) {
2419 return;
2420 }
2421
2422 process:
2423 process_smb(sconn, inbuf, inbuf_len, unread_bytes,
2424 seqnum, encrypted, NULL);
2425 }
2426
2427 static void smbd_server_connection_handler(struct event_context *ev,
2428 struct fd_event *fde,
2429 uint16_t flags,
2430 void *private_data)
2431 {
2432 struct smbd_server_connection *conn = talloc_get_type(private_data,
2433 struct smbd_server_connection);
2434
2435 if (flags & EVENT_FD_WRITE) {
2436 smbd_server_connection_write_handler(conn);
2437 return;
2438 }
2439 if (flags & EVENT_FD_READ) {
2440 smbd_server_connection_read_handler(conn, conn->sock);
2441 return;
2442 }
2443 }
2444
2445 static void smbd_server_echo_handler(struct event_context *ev,
2446 struct fd_event *fde,
2447 uint16_t flags,
2448 void *private_data)
2449 {
2450 struct smbd_server_connection *conn = talloc_get_type(private_data,
2451 struct smbd_server_connection);
2452
2453 if (flags & EVENT_FD_WRITE) {
2454 smbd_server_connection_write_handler(conn);
2455 return;
2456 }
2457 if (flags & EVENT_FD_READ) {
2458 smbd_server_connection_read_handler(
2459 conn, conn->smb1.echo_handler.trusted_fd);
2460 return;
2461 }
2462 }
2463
2464 #ifdef CLUSTER_SUPPORT
2465 /****************************************************************************
2466 received when we should release a specific IP
2467 ****************************************************************************/
2468 static void release_ip(const char *ip, void *priv)
2469 {
2470 const char *addr = (const char *)priv;
2471 const char *p = addr;
2472
2473 if (strncmp("::ffff:", addr, 7) == 0) {
2474 p = addr + 7;
2475 }
2476
2477 DEBUG(10, ("Got release IP message for %s, "
2478 "our address is %s\n", ip, p));
2479
2480 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2481 /* we can't afford to do a clean exit - that involves
2482 database writes, which would potentially mean we
2483 are still running after the failover has finished -
2484 we have to get rid of this process ID straight
2485 away */
2486 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2487 ip));
2488 /* note we must exit with non-zero status so the unclean handler gets
2489 called in the parent, so that the brl database is tickled */
2490 _exit(1);
2491 }
2492 }
2493
2494 static int client_get_tcp_info(int sock, struct sockaddr_storage *server,
2495 struct sockaddr_storage *client)
2496 {
2497 socklen_t length;
2498 length = sizeof(*server);
2499 if (getsockname(sock, (struct sockaddr *)server, &length) != 0) {
2500 return -1;
2501 }
2502 length = sizeof(*client);
2503 if (getpeername(sock, (struct sockaddr *)client, &length) != 0) {
2504 return -1;
2505 }
2506 return 0;
2507 }
2508 #endif
2509
2510 /*
2511 * Send keepalive packets to our client
2512 */
2513 static bool keepalive_fn(const struct timeval *now, void *private_data)
2514 {
2515 struct smbd_server_connection *sconn = talloc_get_type_abort(
2516 private_data, struct smbd_server_connection);
2517 bool ret;
2518
2519 if (sconn->using_smb2) {
2520 /* Don't do keepalives on an SMB2 connection. */
2521 return false;
2522 }
2523
2524 smbd_lock_socket(sconn);
2525 ret = send_keepalive(sconn->sock);
2526 smbd_unlock_socket(sconn);
2527
2528 if (!ret) {
2529 char addr[INET6_ADDRSTRLEN];
2530 /*
2531 * Try and give an error message saying what
2532 * client failed.
2533 */
2534 DEBUG(0, ("send_keepalive failed for client %s. "
2535 "Error %s - exiting\n",
2536 get_peer_addr(sconn->sock, addr, sizeof(addr)),
2537 strerror(errno)));
2538 return False;
2539 }
2540 return True;
2541 }
2542
2543 /*
2544 * Do the recurring check if we're idle
2545 */
2546 static bool deadtime_fn(const struct timeval *now, void *private_data)
2547 {
2548 struct smbd_server_connection *sconn =
2549 (struct smbd_server_connection *)private_data;
2550
2551 if ((conn_num_open(sconn) == 0)
2552 || (conn_idle_all(sconn, now->tv_sec))) {
2553 DEBUG( 2, ( "Closing idle connection\n" ) );
2554 messaging_send(sconn->msg_ctx,
2555 messaging_server_id(sconn->msg_ctx),
2556 MSG_SHUTDOWN, &data_blob_null);
2557 return False;
2558 }
2559
2560 return True;
2561 }
2562
2563 /*
2564 * Do the recurring log file and smb.conf reload checks.
2565 */
2566
2567 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2568 {
2569 struct smbd_server_connection *sconn = talloc_get_type_abort(
2570 private_data, struct smbd_server_connection);
2571
2572 DEBUG(5, ("housekeeping\n"));
2573
2574 change_to_root_user();
2575
2576 /* update printer queue caches if necessary */
2577 update_monitored_printq_cache(sconn->msg_ctx);
2578
2579 /* check if we need to reload services */
2580 check_reload(sconn, time_mono(NULL));
2581
2582 /*
2583 * Force a log file check.
2584 */
2585 force_check_log_size();
2586 check_log_size();
2587 return true;
2588 }
2589
2590 /*
2591 * Read an smb packet in the echo handler child, giving the parent
2592 * smbd one second to react once the socket becomes readable.
2593 */
2594
2595 struct smbd_echo_read_state {
2596 struct tevent_context *ev;
2597 struct smbd_server_connection *sconn;
2598
2599 char *buf;
2600 size_t buflen;
2601 uint32_t seqnum;
2602 };
2603
2604 static void smbd_echo_read_readable(struct tevent_req *subreq);
2605 static void smbd_echo_read_waited(struct tevent_req *subreq);
2606
2607 static struct tevent_req *smbd_echo_read_send(
2608 TALLOC_CTX *mem_ctx, struct tevent_context *ev,
2609 struct smbd_server_connection *sconn)
2610 {
2611 struct tevent_req *req, *subreq;
2612 struct smbd_echo_read_state *state;
2613
2614 req = tevent_req_create(mem_ctx, &state,
2615 struct smbd_echo_read_state);
2616 if (req == NULL) {
2617 return NULL;
2618 }
2619 state->ev = ev;
2620 state->sconn = sconn;
2621
2622 subreq = wait_for_read_send(state, ev, sconn->sock);
2623 if (tevent_req_nomem(subreq, req)) {
2624 return tevent_req_post(req, ev);
2625 }
2626 tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
2627 return req;
2628 }
2629
2630 static void smbd_echo_read_readable(struct tevent_req *subreq)
2631 {
2632 struct tevent_req *req = tevent_req_callback_data(
2633 subreq, struct tevent_req);
2634 struct smbd_echo_read_state *state = tevent_req_data(
2635 req, struct smbd_echo_read_state);
2636 bool ok;
2637 int err;
2638
2639 ok = wait_for_read_recv(subreq, &err);
2640 TALLOC_FREE(subreq);
2641 if (!ok) {
2642 tevent_req_nterror(req, map_nt_error_from_unix(err));
2643 return;
2644 }
2645
2646 /*
2647 * Give the parent smbd one second to step in
2648 */
2649
2650 subreq = tevent_wakeup_send(
2651 state, state->ev, timeval_current_ofs(1, 0));
2652 if (tevent_req_nomem(subreq, req)) {
2653 return;
2654 }
2655 tevent_req_set_callback(subreq, smbd_echo_read_waited, req);
2656 }
2657
2658 static void smbd_echo_read_waited(struct tevent_req *subreq)
2659 {
2660 struct tevent_req *req = tevent_req_callback_data(
2661 subreq, struct tevent_req);
2662 struct smbd_echo_read_state *state = tevent_req_data(
2663 req, struct smbd_echo_read_state);
2664 struct smbd_server_connection *sconn = state->sconn;
2665 bool ok;
2666 NTSTATUS status;
2667 size_t unread = 0;
2668 bool encrypted;
2669
2670 ok = tevent_wakeup_recv(subreq);
2671 TALLOC_FREE(subreq);
2672 if (!ok) {
2673 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
2674 return;
2675 }
2676
2677 ok = smbd_lock_socket_internal(sconn);
2678 if (!ok) {
2679 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2680 DEBUG(0, ("%s: failed to lock socket\n", __location__));
2681 return;
2682 }
2683
2684 if (!fd_is_readable(sconn->sock)) {
2685 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2686 (int)getpid()));
2687
2688 ok = smbd_unlock_socket_internal(sconn);
2689 if (!ok) {
2690 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2691 DEBUG(1, ("%s: failed to unlock socket\n",
2692 __location__));
2693 return;
2694 }
2695
2696 subreq = wait_for_read_send(state, state->ev, sconn->sock);
2697 if (tevent_req_nomem(subreq, req)) {
2698 return;
2699 }
2700 tevent_req_set_callback(subreq, smbd_echo_read_readable, req);
2701 return;
2702 }
2703
2704 status = receive_smb_talloc(state, sconn, sconn->sock, &state->buf,
2705 0 /* timeout */,
2706 &unread,
2707 &encrypted,
2708 &state->buflen,
2709 &state->seqnum,
2710 false /* trusted_channel*/);
2711
2712 if (tevent_req_nterror(req, status)) {
2713 tevent_req_nterror(req, status);
2714 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2715 (int)getpid(), nt_errstr(status)));
2716 return;
2717 }
2718
2719 ok = smbd_unlock_socket_internal(sconn);
2720 if (!ok) {
2721 tevent_req_nterror(req, map_nt_error_from_unix(errno));
2722 DEBUG(1, ("%s: failed to unlock socket\n", __location__));
2723 return;
2724 }
2725 tevent_req_done(req);
2726 }
2727
2728 static NTSTATUS smbd_echo_read_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
2729 char **pbuf, size_t *pbuflen, uint32_t *pseqnum)
2730 {
2731 struct smbd_echo_read_state *state = tevent_req_data(
2732 req, struct smbd_echo_read_state);
2733 NTSTATUS status;
2734
2735 if (tevent_req_is_nterror(req, &status)) {
2736 return status;
2737 }
2738 *pbuf = talloc_move(mem_ctx, &state->buf);
2739 *pbuflen = state->buflen;
2740 *pseqnum = state->seqnum;
2741 return NT_STATUS_OK;
2742 }
2743
2744 struct smbd_echo_state {
2745 struct tevent_context *ev;
2746 struct iovec *pending;
2747 struct smbd_server_connection *sconn;
2748 int parent_pipe;
2749
2750 struct tevent_fd *parent_fde;
2751
2752 struct tevent_req *write_req;
2753 };
2754
2755 static void smbd_echo_writer_done(struct tevent_req *req);
2756
2757 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2758 {
2759 int num_pending;
2760
2761 if (state->write_req != NULL) {
2762 return;
2763 }
2764
2765 num_pending = talloc_array_length(state->pending);
2766 if (num_pending == 0) {
2767 return;
2768 }
2769
2770 state->write_req = writev_send(state, state->ev, NULL,
2771 state->parent_pipe, false,
2772 state->pending, num_pending);
2773 if (state->write_req == NULL) {
2774 DEBUG(1, ("writev_send failed\n"));
2775 exit(1);
2776 }
2777
2778 talloc_steal(state->write_req, state->pending);
2779 state->pending = NULL;
2780
2781 tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2782 state);
2783 }
2784
2785 static void smbd_echo_writer_done(struct tevent_req *req)
2786 {
2787 struct smbd_echo_state *state = tevent_req_callback_data(
2788 req, struct smbd_echo_state);
2789 ssize_t written;
2790 int err;
2791
2792 written = writev_recv(req, &err);
2793 TALLOC_FREE(req);
2794 state->write_req = NULL;
2795 if (written == -1) {
2796 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2797 exit(1);
2798 }
2799 DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)getpid()));
2800 smbd_echo_activate_writer(state);
2801 }
2802
2803 static bool smbd_echo_reply(struct smbd_echo_state *state,
2804 uint8_t *inbuf, size_t inbuf_len,
2805 uint32_t seqnum)
2806 {
2807 struct smb_request req;
2808 uint16_t num_replies;
2809 char *outbuf;
2810 bool ok;
2811
2812 if ((inbuf_len == 4) && (CVAL(inbuf, 0) == NBSSkeepalive)) {
2813 DEBUG(10, ("Got netbios keepalive\n"));
2814 /*
2815 * Just swallow it
2816 */
2817 return true;
2818 }
2819
2820 if (inbuf_len < smb_size) {
2821 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2822 return false;
2823 }
2824 if (!valid_smb_header(state->sconn, inbuf)) {
2825 DEBUG(10, ("Got invalid SMB header\n"));
2826 return false;
2827 }
2828
2829 if (!init_smb_request(&req, state->sconn, inbuf, 0, false,
2830 seqnum)) {
2831 return false;
2832 }
2833 req.inbuf = inbuf;
2834
2835 DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2836 smb_messages[req.cmd].name
2837 ? smb_messages[req.cmd].name : "unknown"));
2838
2839 if (req.cmd != SMBecho) {
2840 return false;
2841 }
2842 if (req.wct < 1) {
2843 return false;
2844 }
2845
2846 num_replies = SVAL(req.vwv+0, 0);
2847 if (num_replies != 1) {
2848 /* Not a Windows "Hey, you're still there?" request */
2849 return false;
2850 }
2851
2852 if (!create_outbuf(talloc_tos(), &req, (const char *)req.inbuf, &outbuf,
2853 1, req.buflen)) {
2854 DEBUG(10, ("create_outbuf failed\n"));
2855 return false;
2856 }
2857 req.outbuf = (uint8_t *)outbuf;
2858
2859 SSVAL(req.outbuf, smb_vwv0, num_replies);
2860
2861 if (req.buflen > 0) {
2862 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2863 }
2864
2865 ok = srv_send_smb(req.sconn,
2866 (char *)outbuf,
2867 true, seqnum+1,
2868 false, &req.pcd);
2869 TALLOC_FREE(outbuf);
2870 if (!ok) {
2871 exit(1);
2872 }
2873
2874 return true;
2875 }
2876
2877 static void smbd_echo_exit(struct tevent_context *ev,
2878 struct tevent_fd *fde, uint16_t flags,
2879 void *private_data)
2880 {
2881 DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2882 exit(0);
2883 }
2884
2885 static void smbd_echo_got_packet(struct tevent_req *req);
2886
2887 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2888 int parent_pipe)
2889 {
2890 struct smbd_echo_state *state;
2891 struct tevent_req *read_req;
2892
2893 state = talloc_zero(sconn, struct smbd_echo_state);
2894 if (state == NULL) {
2895 DEBUG(1, ("talloc failed\n"));
2896 return;
2897 }
2898 state->sconn = sconn;
2899 state->parent_pipe = parent_pipe;
2900 state->ev = s3_tevent_context_init(state);
2901 if (state->ev == NULL) {
2902 DEBUG(1, ("tevent_context_init failed\n"));
2903 TALLOC_FREE(state);
2904 return;
2905 }
2906 state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2907 TEVENT_FD_READ, smbd_echo_exit,
2908 state);
2909 if (state->parent_fde == NULL) {
2910 DEBUG(1, ("tevent_add_fd failed\n"));
2911 TALLOC_FREE(state);
2912 return;
2913 }
2914
2915 read_req = smbd_echo_read_send(state, state->ev, sconn);
2916 if (read_req == NULL) {
2917 DEBUG(1, ("smbd_echo_read_send failed\n"));
2918 TALLOC_FREE(state);
2919 return;
2920 }
2921 tevent_req_set_callback(read_req, smbd_echo_got_packet, state);
2922
2923 while (true) {
2924 if (tevent_loop_once(state->ev) == -1) {
2925 DEBUG(1, ("tevent_loop_once failed: %s\n",
2926 strerror(errno)));
2927 break;
2928 }
2929 }
2930 TALLOC_FREE(state);
2931 }
2932
2933 static void smbd_echo_got_packet(struct tevent_req *req)
2934 {
2935 struct smbd_echo_state *state = tevent_req_callback_data(
2936 req, struct smbd_echo_state);
2937 NTSTATUS status;
2938 char *buf = NULL;
2939 size_t buflen = 0;
2940 uint32_t seqnum = 0;
2941 bool reply;
2942
2943 status = smbd_echo_read_recv(req, state, &buf, &buflen, &seqnum);
2944 TALLOC_FREE(req);
2945 if (!NT_STATUS_IS_OK(status)) {
2946 DEBUG(1, ("smbd_echo_read_recv returned %s\n",
2947 nt_errstr(status)));
2948 exit(1);
2949 }
2950
2951 reply = smbd_echo_reply(state, (uint8_t *)buf, buflen, seqnum);
2952 if (!reply) {
2953 size_t num_pending;
2954 struct iovec *tmp;
2955 struct iovec *iov;
2956
2957 num_pending = talloc_array_length(state->pending);
2958 tmp = talloc_realloc(state, state->pending, struct iovec,
2959 num_pending+1);
2960 if (tmp == NULL) {
2961 DEBUG(1, ("talloc_realloc failed\n"));
2962 exit(1);
2963 }
2964 state->pending = tmp;
2965
2966 if (buflen >= smb_size) {
2967 /*
2968 * place the seqnum in the packet so that the main process
2969 * can reply with signing
2970 */
2971 SIVAL(buf, smb_ss_field, seqnum);
2972 SIVAL(buf, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2973 }
2974
2975 iov = &state->pending[num_pending];
2976 iov->iov_base = buf;
2977 iov->iov_len = buflen;
2978
2979 DEBUG(10,("echo_handler[%d]: forward to main\n",
2980 (int)getpid()));
2981 smbd_echo_activate_writer(state);
2982 }
2983
2984 req = smbd_echo_read_send(state, state->ev, state->sconn);
2985 if (req == NULL) {
2986 DEBUG(1, ("smbd_echo_read_send failed\n"));
2987 exit(1);
2988 }
2989 tevent_req_set_callback(req, smbd_echo_got_packet, state);
2990 }
2991
2992
2993 /*
2994 * Handle SMBecho requests in a forked child process
2995 */
2996 bool fork_echo_handler(struct smbd_server_connection *sconn)
2997 {
2998 int listener_pipe[2];
2999 int res;
3000 pid_t child;
3001
3002 res = pipe(listener_pipe);
3003 if (res == -1) {
3004 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
3005 return false;
3006 }
3007 sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
3008 if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
3009 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
3010 goto fail;
3011 }
3012
3013 child = fork();
3014 if (child == 0) {
3015 NTSTATUS status;
3016
3017 close(listener_pipe[0]);
3018 set_blocking(listener_pipe[1], false);
3019
3020 status = reinit_after_fork(sconn->msg_ctx,
3021 sconn->ev_ctx,
3022 false);
3023 if (!NT_STATUS_IS_OK(status)) {
3024 DEBUG(1, ("reinit_after_fork failed: %s\n",
3025 nt_errstr(status)));
3026 exit(1);
3027 }
3028 smbd_echo_loop(sconn, listener_pipe[1]);
3029 exit(0);
3030 }
3031 close(listener_pipe[1]);
3032 listener_pipe[1] = -1;
3033 sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
3034
3035 DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)getpid(), child));
3036
3037 /*
3038 * Without smb signing this is the same as the normal smbd
3039 * listener. This needs to change once signing comes in.
3040 */
3041 sconn->smb1.echo_handler.trusted_fde = tevent_add_fd(sconn->ev_ctx,
3042 sconn,
3043 sconn->smb1.echo_handler.trusted_fd,
3044 TEVENT_FD_READ,
3045 smbd_server_echo_handler,
3046 sconn);
3047 if (sconn->smb1.echo_handler.trusted_fde == NULL) {
3048 DEBUG(1, ("event_add_fd failed\n"));
3049 goto fail;
3050 }
3051
3052 return true;
3053
3054 fail:
3055 if (listener_pipe[0] != -1) {
3056 close(listener_pipe[0]);
3057 }
3058 if (listener_pipe[1] != -1) {
3059 close(listener_pipe[1]);
3060 }
3061 sconn->smb1.echo_handler.trusted_fd = -1;
3062 if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
3063 close(sconn->smb1.echo_handler.socket_lock_fd);
3064 }
3065 sconn->smb1.echo_handler.trusted_fd = -1;
3066 sconn->smb1.echo_handler.socket_lock_fd = -1;
3067 return false;
3068 }
3069
3070 #if CLUSTER_SUPPORT
3071
3072 static NTSTATUS smbd_register_ips(struct smbd_server_connection *sconn,
3073 struct sockaddr_storage *srv,
3074 struct sockaddr_storage *clnt)
3075 {
3076 struct ctdbd_connection *cconn;
3077 char tmp_addr[INET6_ADDRSTRLEN];
3078 char *addr;
3079
3080 cconn = messaging_ctdbd_connection();
3081 if (cconn == NULL) {
3082 return NT_STATUS_NO_MEMORY;
3083 }
3084
3085 if (client_socket_addr(sconn->sock, tmp_addr, sizeof(tmp_addr)) == NULL) {
3086 return NT_STATUS_NO_MEMORY;
3087 }
3088 addr = talloc_strdup(cconn, tmp_addr);
3089 if (addr == NULL) {
3090 return NT_STATUS_NO_MEMORY;
3091 }
3092 return ctdbd_register_ips(cconn, srv, clnt, release_ip, addr);
3093 }
3094
3095 #endif
3096
3097 static bool uid_in_use(const struct user_struct *user, uid_t uid)
3098 {
3099 while (user) {
3100 if (user->session_info &&
3101 (user->session_info->unix_token->uid == uid)) {
3102 return true;
3103 }
3104 user = user->next;
3105 }
3106 return false;
3107 }
3108
3109 static bool gid_in_use(const struct user_struct *user, gid_t gid)
3110 {
3111 while (user) {
3112 if (user->session_info != NULL) {
3113 int i;
3114 struct security_unix_token *utok;
3115
3116 utok = user->session_info->unix_token;
3117 if (utok->gid == gid) {
3118 return true;
3119 }
3120 for(i=0; i<utok->ngroups; i++) {
3121 if (utok->groups[i] == gid) {
3122 return true;
3123 }
3124 }
3125 }
3126 user = user->next;
3127 }
3128 return false;
3129 }
3130
3131 static bool sid_in_use(const struct user_struct *user,
3132 const struct dom_sid *psid)
3133 {
3134 while (user) {
3135 struct security_token *tok;
3136
3137 if (user->session_info == NULL) {
3138 continue;
3139 }
3140 tok = user->session_info->security_token;
3141 if (tok == NULL) {
3142 /*
3143 * Not sure session_info->security_token can
3144 * ever be NULL. This check might be not
3145 * necessary.
3146 */
3147 continue;
3148 }
3149 if (security_token_has_sid(tok, psid)) {
3150 return true;
3151 }
3152 user = user->next;
3153 }
3154 return false;
3155 }
3156
3157 static bool id_in_use(const struct user_struct *user,
3158 const struct id_cache_ref *id)
3159 {
3160 switch(id->type) {
3161 case UID:
3162 return uid_in_use(user, id->id.uid);
3163 case GID:
3164 return gid_in_use(user, id->id.gid);
3165 case SID:
3166 return sid_in_use(user, &id->id.sid);
3167 default:
3168 break;
3169 }
3170 return false;
3171 }
3172
3173 static void smbd_id_cache_kill(struct messaging_context *msg_ctx,
3174 void *private_data,
3175 uint32_t msg_type,
3176 struct server_id server_id,
3177 DATA_BLOB* data)
3178 {
3179 const char *msg = (data && data->data)
3180 ? (const char *)data->data : "<NULL>";
3181 struct id_cache_ref id;
3182 struct smbd_server_connection *sconn =
3183 talloc_get_type_abort(private_data,
3184 struct smbd_server_connection);
3185
3186 if (!id_cache_ref_parse(msg, &id)) {
3187 DEBUG(0, ("Invalid ?ID: %s\n", msg));
3188 return;
3189 }
3190
3191 if (id_in_use(sconn->users, &id)) {
3192 exit_server_cleanly(msg);
3193 }
3194 id_cache_delete_from_cache(&id);
3195 }
3196
3197 NTSTATUS smbXsrv_connection_init_tables(struct smbXsrv_connection *conn,
3198 enum protocol_types protocol)
3199 {
3200 NTSTATUS status;
3201
3202 set_Protocol(protocol);
3203 conn->protocol = protocol;
3204
3205 if (protocol >= PROTOCOL_SMB2_02) {
3206 status = smb2srv_session_table_init(conn);
3207 if (!NT_STATUS_IS_OK(status)) {
3208 return status;
3209 }
3210
3211 status = smb2srv_open_table_init(conn);
3212 if (!NT_STATUS_IS_OK(status)) {
3213 return status;
3214 }
3215 } else {
3216 status = smb1srv_session_table_init(conn);
3217 if (!NT_STATUS_IS_OK(status)) {
3218 return status;
3219 }
3220
3221 status = smb1srv_tcon_table_init(conn);
3222 if (!NT_STATUS_IS_OK(status)) {
3223 return status;
3224 }
3225
3226 status = smb1srv_open_table_init(conn);
3227 if (!NT_STATUS_IS_OK(status)) {
3228 return status;
3229 }
3230 }
3231
3232 return NT_STATUS_OK;
3233 }
3234
3235 static void smbd_tevent_trace_callback(enum tevent_trace_point point,
3236 void *private_data)
3237 {
3238 struct smbXsrv_connection *conn =
3239 talloc_get_type_abort(private_data,
3240 struct smbXsrv_connection);
3241
3242 switch (point) {
3243 case TEVENT_TRACE_BEFORE_WAIT:
3244 /*
3245 * This just removes compiler warning
3246 * without profile support
3247 */
3248 conn->smbd_idle_profstamp = 0;
3249 START_PROFILE_STAMP(smbd_idle, conn->smbd_idle_profstamp);
3250 break;
3251 case TEVENT_TRACE_AFTER_WAIT:
3252 END_PROFILE_STAMP(smbd_idle, conn->smbd_idle_profstamp);
3253 break;
3254 }
3255 }
3256
3257 /****************************************************************************
3258 Process commands from the client
3259 ****************************************************************************/
3260
3261 void smbd_process(struct tevent_context *ev_ctx,
3262 struct messaging_context *msg_ctx,
3263 int sock_fd,
3264 bool interactive)
3265 {
3266 TALLOC_CTX *frame = talloc_stackframe();
3267 struct smbXsrv_connection *conn;
3268 struct smbd_server_connection *sconn;
3269 struct sockaddr_storage ss;
3270 struct sockaddr *sa = NULL;
3271 socklen_t sa_socklen;
3272 struct tsocket_address *local_address = NULL;
3273 struct tsocket_address *remote_address = NULL;
3274 const char *locaddr = NULL;
3275 const char *remaddr = NULL;
3276 char *rhost;
3277 int ret;
3278
3279 conn = talloc_zero(ev_ctx, struct smbXsrv_connection);
3280 if (conn == NULL) {
3281 DEBUG(0,("talloc_zero(struct smbXsrv_connection)\n"));
3282 exit_server_cleanly("talloc_zero(struct smbXsrv_connection).\n");
3283 }
3284
3285 conn->ev_ctx = ev_ctx;
3286 conn->msg_ctx = msg_ctx;
3287
3288 sconn = talloc_zero(conn, struct smbd_server_connection);
3289 if (!sconn) {
3290 exit_server("failed to create smbd_server_connection");
3291 }
3292
3293 conn->sconn = sconn;
3294 sconn->conn = conn;
3295
3296 /*
3297 * TODO: remove this...:-)
3298 */
3299 global_smbXsrv_connection = conn;
3300
3301 sconn->ev_ctx = ev_ctx;
3302 sconn->msg_ctx = msg_ctx;
3303 sconn->sock = sock_fd;
3304 sconn->smb1.echo_handler.trusted_fd = -1;
3305 sconn->smb1.echo_handler.socket_lock_fd = -1;
3306
3307 if (!interactive) {
3308 smbd_setup_sig_term_handler(sconn);
3309 smbd_setup_sig_hup_handler(sconn);
3310
3311 if (!serverid_register(messaging_server_id(msg_ctx),
3312 FLAG_MSG_GENERAL|FLAG_MSG_SMBD
3313 |FLAG_MSG_DBWRAP
3314 |FLAG_MSG_PRINT_GENERAL)) {
3315 exit_server_cleanly("Could not register myself in "
3316 "serverid.tdb");
3317 }
3318 }
3319
3320 if (lp_srv_maxprotocol() >= PROTOCOL_SMB2_02) {
3321 /*
3322 * We're not making the decision here,
3323 * we're just allowing the client
3324 * to decide between SMB1 and SMB2
3325 * with the first negprot
3326 * packet.
3327 */
3328 sconn->using_smb2 = true;
3329 }
3330
3331 /* Ensure child is set to blocking mode */
3332 set_blocking(sconn->sock,True);
3333
3334 set_socket_options(sconn->sock, "SO_KEEPALIVE");
3335 set_socket_options(sconn->sock, lp_socket_options());
3336
3337 sa = (struct sockaddr *)(void *)&ss;
3338 sa_socklen = sizeof(ss);
3339 ret = getpeername(sconn->sock, sa, &sa_socklen);
3340 if (ret != 0) {
3341 int level = (errno == ENOTCONN)?2:0;
3342 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
3343 exit_server_cleanly("getpeername() failed.\n");
3344 }
3345 ret = tsocket_address_bsd_from_sockaddr(sconn,
3346 sa, sa_socklen,
3347 &remote_address);
3348 if (ret != 0) {
3349 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
3350 __location__, strerror(errno)));
3351 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
3352 }
3353
3354 sa = (struct sockaddr *)(void *)&ss;
3355 sa_socklen = sizeof(ss);
3356 ret = getsockname(sconn->sock, sa, &sa_socklen);
3357 if (ret != 0) {
3358 int level = (errno == ENOTCONN)?2:0;
3359 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
3360 exit_server_cleanly("getsockname() failed.\n");
3361 }
3362 ret = tsocket_address_bsd_from_sockaddr(sconn,
3363 sa, sa_socklen,
3364 &local_address);
3365 if (ret != 0) {
3366 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
3367 __location__, strerror(errno)));
3368 exit_server_cleanly("tsocket_address_bsd_from_sockaddr remote failed.\n");
3369 }
3370
3371 sconn->local_address = local_address;
3372 sconn->remote_address = remote_address;
3373
3374 if (tsocket_address_is_inet(local_address, "ip")) {
3375 locaddr = tsocket_address_inet_addr_string(
3376 sconn->local_address,
3377 talloc_tos());
3378 if (locaddr == NULL) {
3379 DEBUG(0,("%s: tsocket_address_inet_addr_string local failed - %s\n",
3380 __location__, strerror(errno)));
3381 exit_server_cleanly("tsocket_address_inet_addr_string local failed.\n");
3382 }
3383 } else {
3384 locaddr = "0.0.0.0";
3385 }
3386
3387 if (tsocket_address_is_inet(remote_address, "ip")) {
3388 remaddr = tsocket_address_inet_addr_string(
3389 sconn->remote_address,
3390 talloc_tos());
3391 if (remaddr == NULL) {
3392 DEBUG(0,("%s: tsocket_address_inet_addr_string remote failed - %s\n",
3393 __location__, strerror(errno)));
3394 exit_server_cleanly("tsocket_address_inet_addr_string remote failed.\n");
3395 }
3396 } else {
3397 remaddr = "0.0.0.0";
3398 }
3399
3400 /* this is needed so that we get decent entries
3401 in smbstatus for port 445 connects */
3402 set_remote_machine_name(remaddr, false);
3403 reload_services(sconn, conn_snum_used, true);
3404
3405 /*
3406 * Before the first packet, check the global hosts allow/ hosts deny
3407 * parameters before doing any parsing of packets passed to us by the
3408 * client. This prevents attacks on our parsing code from hosts not in
3409 * the hosts allow list.
3410 */
3411
3412 ret = get_remote_hostname(remote_address,
3413 &rhost,
3414 talloc_tos());
3415 if (ret < 0) {
3416 DEBUG(0,("%s: get_remote_hostname failed - %s\n",
3417 __location__, strerror(errno)));
3418 exit_server_cleanly("get_remote_hostname failed.\n");
3419 }
3420 if (strequal(rhost, "UNKNOWN")) {
3421 rhost = talloc_strdup(talloc_tos(), remaddr);
3422 }
3423 sconn->remote_hostname = talloc_move(sconn, &rhost);
3424
3425 sub_set_socket_ids(remaddr,
3426 sconn->remote_hostname,
3427 locaddr);
3428
3429 if (!allow_access(lp_hostsdeny(-1), lp_hostsallow(-1),
3430 sconn->remote_hostname,
3431 remaddr)) {
3432 /*
3433 * send a negative session response "not listening on calling
3434 * name"
3435 */
3436 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
3437 DEBUG( 1, ("Connection denied from %s to %s\n",
3438 tsocket_address_string(remote_address, talloc_tos()),
3439 tsocket_address_string(local_address, talloc_tos())));
3440 (void)srv_send_smb(sconn,(char *)buf, false,
3441 0, false, NULL);
3442 exit_server_cleanly("connection denied");
3443 }
3444
3445 DEBUG(10, ("Connection allowed from %s to %s\n",
3446 tsocket_address_string(remote_address, talloc_tos()),
3447 tsocket_address_string(local_address, talloc_tos())));
3448
3449 if (lp_preload_modules()) {
3450 smb_load_modules(lp_preload_modules());
3451 }
3452
3453 smb_perfcount_init();
3454
3455 if (!init_account_policy()) {
3456 exit_server("Could not open account policy tdb.\n");
3457 }
3458
3459 if (*lp_rootdir(talloc_tos())) {
3460 if (chroot(lp_rootdir(talloc_tos())) != 0) {
3461 DEBUG(0,("Failed to change root to %s\n",
3462 lp_rootdir(talloc_tos())));
3463 exit_server("Failed to chroot()");
3464 }
3465 if (chdir("/") == -1) {
3466 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir(talloc_tos())));
3467 exit_server("Failed to chroot()");
3468 }
3469 DEBUG(0,("Changed root to %s\n", lp_rootdir(talloc_tos())));
3470 }
3471
3472 if (!srv_init_signing(sconn)) {
3473 exit_server("Failed to init smb_signing");
3474 }
3475
3476 if (!file_init(sconn)) {
3477 exit_server("file_init() failed");
3478 }
3479
3480 /* Setup oplocks */
3481 if (!init_oplocks(sconn))
3482 exit_server("Failed to init oplocks");
3483
3484 /* register our message handlers */
3485 messaging_register(sconn->msg_ctx, sconn,
3486 MSG_SMB_FORCE_TDIS, msg_force_tdis);
3487 messaging_register(sconn->msg_ctx, sconn,
3488 MSG_SMB_CLOSE_FILE, msg_close_file);
3489 messaging_register(sconn->msg_ctx, sconn,
3490 MSG_SMB_FILE_RENAME, msg_file_was_renamed);
3491
3492 id_cache_register_msgs(sconn->msg_ctx);
3493 messaging_deregister(sconn->msg_ctx, ID_CACHE_KILL, NULL);
3494 messaging_register(sconn->msg_ctx, sconn,
3495 ID_CACHE_KILL, smbd_id_cache_kill);
3496
3497 messaging_deregister(sconn->msg_ctx,
3498 MSG_SMB_CONF_UPDATED, sconn->ev_ctx);
3499 messaging_register(sconn->msg_ctx, sconn,
3500 MSG_SMB_CONF_UPDATED, smbd_conf_updated);
3501
3502 /*
3503 * Use the default MSG_DEBUG handler to avoid rebroadcasting
3504 * MSGs to all child processes
3505 */
3506 messaging_deregister(sconn->msg_ctx,
3507 MSG_DEBUG, NULL);
3508 messaging_register(sconn->msg_ctx, NULL,
3509 MSG_DEBUG, debug_message);
3510
3511 if ((lp_keepalive() != 0)
3512 && !(event_add_idle(ev_ctx, NULL,
3513 timeval_set(lp_keepalive(), 0),
3514 "keepalive", keepalive_fn,
3515 sconn))) {
3516 DEBUG(0, ("Could not add keepalive event\n"));
3517 exit(1);
3518 }
3519
3520 if (!(event_add_idle(ev_ctx, NULL,
3521 timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3522 "deadtime", deadtime_fn, sconn))) {
3523 DEBUG(0, ("Could not add deadtime event\n"));
3524 exit(1);
3525 }
3526
3527 if (!(event_add_idle(ev_ctx, NULL,
3528 timeval_set(SMBD_HOUSEKEEPING_INTERVAL, 0),
3529 "housekeeping", housekeeping_fn, sconn))) {
3530 DEBUG(0, ("Could not add housekeeping event\n"));
3531 exit(1);
3532 }
3533
3534 #ifdef CLUSTER_SUPPORT
3535
3536 if (lp_clustering()) {
3537 /*
3538 * We need to tell ctdb about our client's TCP
3539 * connection, so that for failover ctdbd can send
3540 * tickle acks, triggering a reconnection by the
3541 * client.
3542 */
3543
3544 struct sockaddr_storage srv, clnt;
3545
3546 if (client_get_tcp_info(sconn->sock, &srv, &clnt) == 0) {
3547 NTSTATUS status;
3548 status = smbd_register_ips(sconn, &srv, &clnt);
3549 if (!NT_STATUS_IS_OK(status)) {
3550 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3551 nt_errstr(status)));
3552 }
3553 } else
3554 {
3555 DEBUG(0,("Unable to get tcp info for "
3556 "CTDB_CONTROL_TCP_CLIENT: %s\n",
3557 strerror(errno)));
3558 }
3559 }
3560
3561 #endif
3562
3563 sconn->nbt.got_session = false;
3564
3565 sconn->smb1.negprot.max_recv = MIN(lp_max_xmit(),BUFFER_SIZE);
3566
3567 sconn->smb1.sessions.done_sesssetup = false;
3568 sconn->smb1.sessions.max_send = BUFFER_SIZE;
3569 sconn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3570
3571 if (!init_dptrs(sconn)) {
3572 exit_server("init_dptrs() failed");
3573 }
3574
3575 sconn->smb1.fde = event_add_fd(ev_ctx,
3576 sconn,
3577 sconn->sock,
3578 EVENT_FD_READ,
3579 smbd_server_connection_handler,
3580 sconn);
3581 if (!sconn->smb1.fde) {
3582 exit_server("failed to create smbd_server_connection fde");
3583 }
3584
3585 sconn->conn->local_address = sconn->local_address;
3586 sconn->conn->remote_address = sconn->remote_address;
3587 sconn->conn->remote_hostname = sconn->remote_hostname;
3588 sconn->conn->protocol = PROTOCOL_NONE;
3589
3590 TALLOC_FREE(frame);
3591
3592 tevent_set_trace_callback(ev_ctx, smbd_tevent_trace_callback, conn);
3593
3594 while (True) {
3595 frame = talloc_stackframe_pool(8192);
3596
3597 errno = 0;
3598 if (tevent_loop_once(ev_ctx) == -1) {
3599 if (errno != EINTR) {
3600 DEBUG(3, ("tevent_loop_once failed: %s,"
3601 " exiting\n", strerror(errno) ));
3602 break;
3603 }
3604 }
3605
3606 TALLOC_FREE(frame);
3607 }
3608
3609 exit_server_cleanly(NULL);
3610 }
3611
3612 bool req_is_in_chain(struct smb_request *req)
3613 {
3614 if (req->vwv != (const uint16_t *)(req->inbuf+smb_vwv)) {
3615 /*
3616 * We're right now handling a subsequent request, so we must
3617 * be in a chain
3618 */
3619 return true;
3620 }
3621
3622 if (!is_andx_req(req->cmd)) {
3623 return false;
3624 }
3625
3626 if (req->wct < 2) {
3627 /*
3628 * Okay, an illegal request, but definitely not chained :-)
3629 */
3630 return false;
3631 }
3632
3633 return (CVAL(req->vwv+0, 0) != 0xFF);
3634 }
reg import