search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s4:provision - Updated FDS schema mapping.
[Samba/kamenim.git] / source3 / smbd / process.c
blob9a39779a2bcc1bb147d279db9cfefa1027735c38
1 /*
2 Unix SMB/CIFS implementation.
3 process incoming packets - main loop
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Volker Lendecke 2005-2007
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23 #include "../librpc/gen_ndr/srv_dfs.h"
24 #include "../librpc/gen_ndr/srv_dssetup.h"
25 #include "../librpc/gen_ndr/srv_echo.h"
26 #include "../librpc/gen_ndr/srv_eventlog.h"
27 #include "../librpc/gen_ndr/srv_initshutdown.h"
28 #include "../librpc/gen_ndr/srv_lsa.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_ntsvcs.h"
31 #include "../librpc/gen_ndr/srv_samr.h"
32 #include "../librpc/gen_ndr/srv_spoolss.h"
33 #include "../librpc/gen_ndr/srv_srvsvc.h"
34 #include "../librpc/gen_ndr/srv_svcctl.h"
35 #include "../librpc/gen_ndr/srv_winreg.h"
36 #include "../librpc/gen_ndr/srv_wkssvc.h"
37
38 extern bool global_machine_password_needs_changing;
39
40 static void construct_reply_common(struct smb_request *req, const char *inbuf,
41 char *outbuf);
42
43 /* Accessor function for smb_read_error for smbd functions. */
44
45 /****************************************************************************
46 Send an smb to a fd.
47 ****************************************************************************/
48
49 bool srv_send_smb(int fd, char *buffer,
50 bool do_signing, uint32_t seqnum,
51 bool do_encrypt,
52 struct smb_perfcount_data *pcd)
53 {
54 size_t len = 0;
55 size_t nwritten=0;
56 ssize_t ret;
57 char *buf_out = buffer;
58
59 if (do_signing) {
60 /* Sign the outgoing packet if required. */
61 srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
62 }
63
64 if (do_encrypt) {
65 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
66 if (!NT_STATUS_IS_OK(status)) {
67 DEBUG(0, ("send_smb: SMB encryption failed "
68 "on outgoing packet! Error %s\n",
69 nt_errstr(status) ));
70 goto out;
71 }
72 }
73
74 len = smb_len(buf_out) + 4;
75
76 ret = write_data(fd,buf_out+nwritten,len - nwritten);
77 if (ret <= 0) {
78 DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
79 (int)len,(int)ret, strerror(errno) ));
80 srv_free_enc_buffer(buf_out);
81 goto out;
82 }
83
84 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
85 srv_free_enc_buffer(buf_out);
86 out:
87 SMB_PERFCOUNT_END(pcd);
88 return true;
89 }
90
91 /*******************************************************************
92 Setup the word count and byte count for a smb message.
93 ********************************************************************/
94
95 int srv_set_message(char *buf,
96 int num_words,
97 int num_bytes,
98 bool zero)
99 {
100 if (zero && (num_words || num_bytes)) {
101 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
102 }
103 SCVAL(buf,smb_wct,num_words);
104 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
105 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
106 return (smb_size + num_words*2 + num_bytes);
107 }
108
109 static bool valid_smb_header(const uint8_t *inbuf)
110 {
111 if (is_encrypted_packet(inbuf)) {
112 return true;
113 }
114 /*
115 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
116 * but it just looks weird to call strncmp for this one.
117 */
118 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
119 }
120
121 /* Socket functions for smbd packet processing. */
122
123 static bool valid_packet_size(size_t len)
124 {
125 /*
126 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
127 * of header. Don't print the error if this fits.... JRA.
128 */
129
130 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
131 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
132 (unsigned long)len));
133 return false;
134 }
135 return true;
136 }
137
138 static NTSTATUS read_packet_remainder(int fd, char *buffer,
139 unsigned int timeout, ssize_t len)
140 {
141 if (len <= 0) {
142 return NT_STATUS_OK;
143 }
144
145 return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
146 }
147
148 /****************************************************************************
149 Attempt a zerocopy writeX read. We know here that len > smb_size-4
150 ****************************************************************************/
151
152 /*
153 * Unfortunately, earlier versions of smbclient/libsmbclient
154 * don't send this "standard" writeX header. I've fixed this
155 * for 3.2 but we'll use the old method with earlier versions.
156 * Windows and CIFSFS at least use this standard size. Not
157 * sure about MacOSX.
158 */
159
160 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
161 (2*14) + /* word count (including bcc) */ \
162 1 /* pad byte */)
163
164 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
165 const char lenbuf[4],
166 int fd, char **buffer,
167 unsigned int timeout,
168 size_t *p_unread,
169 size_t *len_ret)
170 {
171 /* Size of a WRITEX call (+4 byte len). */
172 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
173 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
174 ssize_t toread;
175 NTSTATUS status;
176
177 memcpy(writeX_header, lenbuf, 4);
178
179 status = read_fd_with_timeout(
180 fd, writeX_header + 4,
181 STANDARD_WRITE_AND_X_HEADER_SIZE,
182 STANDARD_WRITE_AND_X_HEADER_SIZE,
183 timeout, NULL);
184
185 if (!NT_STATUS_IS_OK(status)) {
186 return status;
187 }
188
189 /*
190 * Ok - now try and see if this is a possible
191 * valid writeX call.
192 */
193
194 if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
195 /*
196 * If the data offset is beyond what
197 * we've read, drain the extra bytes.
198 */
199 uint16_t doff = SVAL(writeX_header,smb_vwv11);
200 ssize_t newlen;
201
202 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
203 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
204 if (drain_socket(smbd_server_fd(), drain) != drain) {
205 smb_panic("receive_smb_raw_talloc_partial_read:"
206 " failed to drain pending bytes");
207 }
208 } else {
209 doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
210 }
211
212 /* Spoof down the length and null out the bcc. */
213 set_message_bcc(writeX_header, 0);
214 newlen = smb_len(writeX_header);
215
216 /* Copy the header we've written. */
217
218 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
219 writeX_header,
220 sizeof(writeX_header));
221
222 if (*buffer == NULL) {
223 DEBUG(0, ("Could not allocate inbuf of length %d\n",
224 (int)sizeof(writeX_header)));
225 return NT_STATUS_NO_MEMORY;
226 }
227
228 /* Work out the remaining bytes. */
229 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
230 *len_ret = newlen + 4;
231 return NT_STATUS_OK;
232 }
233
234 if (!valid_packet_size(len)) {
235 return NT_STATUS_INVALID_PARAMETER;
236 }
237
238 /*
239 * Not a valid writeX call. Just do the standard
240 * talloc and return.
241 */
242
243 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
244
245 if (*buffer == NULL) {
246 DEBUG(0, ("Could not allocate inbuf of length %d\n",
247 (int)len+4));
248 return NT_STATUS_NO_MEMORY;
249 }
250
251 /* Copy in what we already read. */
252 memcpy(*buffer,
253 writeX_header,
254 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
255 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
256
257 if(toread > 0) {
258 status = read_packet_remainder(
259 fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
260 timeout, toread);
261
262 if (!NT_STATUS_IS_OK(status)) {
263 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
264 nt_errstr(status)));
265 return status;
266 }
267 }
268
269 *len_ret = len + 4;
270 return NT_STATUS_OK;
271 }
272
273 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
274 char **buffer, unsigned int timeout,
275 size_t *p_unread, size_t *plen)
276 {
277 char lenbuf[4];
278 size_t len;
279 int min_recv_size = lp_min_receive_file_size();
280 NTSTATUS status;
281
282 *p_unread = 0;
283
284 status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
285 if (!NT_STATUS_IS_OK(status)) {
286 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
287 return status;
288 }
289
290 if (CVAL(lenbuf,0) == 0 && min_recv_size &&
291 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
292 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
293 !srv_is_signing_active(smbd_server_conn)) {
294
295 return receive_smb_raw_talloc_partial_read(
296 mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
297 }
298
299 if (!valid_packet_size(len)) {
300 return NT_STATUS_INVALID_PARAMETER;
301 }
302
303 /*
304 * The +4 here can't wrap, we've checked the length above already.
305 */
306
307 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
308
309 if (*buffer == NULL) {
310 DEBUG(0, ("Could not allocate inbuf of length %d\n",
311 (int)len+4));
312 return NT_STATUS_NO_MEMORY;
313 }
314
315 memcpy(*buffer, lenbuf, sizeof(lenbuf));
316
317 status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
318 if (!NT_STATUS_IS_OK(status)) {
319 return status;
320 }
321
322 *plen = len + 4;
323 return NT_STATUS_OK;
324 }
325
326 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
327 char **buffer, unsigned int timeout,
328 size_t *p_unread, bool *p_encrypted,
329 size_t *p_len,
330 uint32_t *seqnum)
331 {
332 size_t len = 0;
333 NTSTATUS status;
334
335 *p_encrypted = false;
336
337 status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
338 p_unread, &len);
339 if (!NT_STATUS_IS_OK(status)) {
340 return status;
341 }
342
343 if (is_encrypted_packet((uint8_t *)*buffer)) {
344 status = srv_decrypt_buffer(*buffer);
345 if (!NT_STATUS_IS_OK(status)) {
346 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
347 "incoming packet! Error %s\n",
348 nt_errstr(status) ));
349 return status;
350 }
351 *p_encrypted = true;
352 }
353
354 /* Check the incoming SMB signature. */
355 if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
356 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
357 "incoming packet!\n"));
358 return NT_STATUS_INVALID_NETWORK_RESPONSE;
359 }
360
361 *p_len = len;
362 return NT_STATUS_OK;
363 }
364
365 /*
366 * Initialize a struct smb_request from an inbuf
367 */
368
369 static void init_smb_request(struct smb_request *req, const uint8 *inbuf,
370 size_t unread_bytes, bool encrypted,
371 uint32_t seqnum)
372 {
373 struct smbd_server_connection *sconn = smbd_server_conn;
374 size_t req_size = smb_len(inbuf) + 4;
375 /* Ensure we have at least smb_size bytes. */
376 if (req_size < smb_size) {
377 DEBUG(0,("init_smb_request: invalid request size %u\n",
378 (unsigned int)req_size ));
379 exit_server_cleanly("Invalid SMB request");
380 }
381 req->cmd = CVAL(inbuf, smb_com);
382 req->flags2 = SVAL(inbuf, smb_flg2);
383 req->smbpid = SVAL(inbuf, smb_pid);
384 req->mid = SVAL(inbuf, smb_mid);
385 req->seqnum = seqnum;
386 req->vuid = SVAL(inbuf, smb_uid);
387 req->tid = SVAL(inbuf, smb_tid);
388 req->wct = CVAL(inbuf, smb_wct);
389 req->vwv = (uint16_t *)(inbuf+smb_vwv);
390 req->buflen = smb_buflen(inbuf);
391 req->buf = (const uint8_t *)smb_buf(inbuf);
392 req->unread_bytes = unread_bytes;
393 req->encrypted = encrypted;
394 req->conn = conn_find(sconn,req->tid);
395 req->chain_fsp = NULL;
396 req->chain_outbuf = NULL;
397 req->done = false;
398 smb_init_perfcount_data(&req->pcd);
399
400 /* Ensure we have at least wct words and 2 bytes of bcc. */
401 if (smb_size + req->wct*2 > req_size) {
402 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
403 (unsigned int)req->wct,
404 (unsigned int)req_size));
405 exit_server_cleanly("Invalid SMB request");
406 }
407 /* Ensure bcc is correct. */
408 if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
409 DEBUG(0,("init_smb_request: invalid bcc number %u "
410 "(wct = %u, size %u)\n",
411 (unsigned int)req->buflen,
412 (unsigned int)req->wct,
413 (unsigned int)req_size));
414 exit_server_cleanly("Invalid SMB request");
415 }
416
417 req->outbuf = NULL;
418 }
419
420 static void process_smb(struct smbd_server_connection *conn,
421 uint8_t *inbuf, size_t nread, size_t unread_bytes,
422 uint32_t seqnum, bool encrypted,
423 struct smb_perfcount_data *deferred_pcd);
424
425 static void smbd_deferred_open_timer(struct event_context *ev,
426 struct timed_event *te,
427 struct timeval _tval,
428 void *private_data)
429 {
430 struct pending_message_list *msg = talloc_get_type(private_data,
431 struct pending_message_list);
432 TALLOC_CTX *mem_ctx = talloc_tos();
433 uint16_t mid = SVAL(msg->buf.data,smb_mid);
434 uint8_t *inbuf;
435
436 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
437 msg->buf.length);
438 if (inbuf == NULL) {
439 exit_server("smbd_deferred_open_timer: talloc failed\n");
440 return;
441 }
442
443 /* We leave this message on the queue so the open code can
444 know this is a retry. */
445 DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
446 (unsigned int)mid ));
447
448 /* Mark the message as processed so this is not
449 * re-processed in error. */
450 msg->processed = true;
451
452 process_smb(smbd_server_conn, inbuf,
453 msg->buf.length, 0,
454 msg->seqnum, msg->encrypted, &msg->pcd);
455
456 /* If it's still there and was processed, remove it. */
457 msg = get_open_deferred_message(mid);
458 if (msg && msg->processed) {
459 remove_deferred_open_smb_message(mid);
460 }
461 }
462
463 /****************************************************************************
464 Function to push a message onto the tail of a linked list of smb messages ready
465 for processing.
466 ****************************************************************************/
467
468 static bool push_queued_message(struct smb_request *req,
469 struct timeval request_time,
470 struct timeval end_time,
471 char *private_data, size_t private_len)
472 {
473 int msg_len = smb_len(req->inbuf) + 4;
474 struct pending_message_list *msg;
475
476 msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
477
478 if(msg == NULL) {
479 DEBUG(0,("push_message: malloc fail (1)\n"));
480 return False;
481 }
482
483 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
484 if(msg->buf.data == NULL) {
485 DEBUG(0,("push_message: malloc fail (2)\n"));
486 TALLOC_FREE(msg);
487 return False;
488 }
489
490 msg->request_time = request_time;
491 msg->seqnum = req->seqnum;
492 msg->encrypted = req->encrypted;
493 msg->processed = false;
494 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
495
496 if (private_data) {
497 msg->private_data = data_blob_talloc(msg, private_data,
498 private_len);
499 if (msg->private_data.data == NULL) {
500 DEBUG(0,("push_message: malloc fail (3)\n"));
501 TALLOC_FREE(msg);
502 return False;
503 }
504 }
505
506 msg->te = event_add_timed(smbd_event_context(),
507 msg,
508 end_time,
509 smbd_deferred_open_timer,
510 msg);
511 if (!msg->te) {
512 DEBUG(0,("push_message: event_add_timed failed\n"));
513 TALLOC_FREE(msg);
514 return false;
515 }
516
517 DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
518
519 DEBUG(10,("push_message: pushed message length %u on "
520 "deferred_open_queue\n", (unsigned int)msg_len));
521
522 return True;
523 }
524
525 /****************************************************************************
526 Function to delete a sharing violation open message by mid.
527 ****************************************************************************/
528
529 void remove_deferred_open_smb_message(uint16 mid)
530 {
531 struct pending_message_list *pml;
532
533 for (pml = deferred_open_queue; pml; pml = pml->next) {
534 if (mid == SVAL(pml->buf.data,smb_mid)) {
535 DEBUG(10,("remove_deferred_open_smb_message: "
536 "deleting mid %u len %u\n",
537 (unsigned int)mid,
538 (unsigned int)pml->buf.length ));
539 DLIST_REMOVE(deferred_open_queue, pml);
540 TALLOC_FREE(pml);
541 return;
542 }
543 }
544 }
545
546 /****************************************************************************
547 Move a sharing violation open retry message to the front of the list and
548 schedule it for immediate processing.
549 ****************************************************************************/
550
551 void schedule_deferred_open_smb_message(uint16 mid)
552 {
553 struct pending_message_list *pml;
554 int i = 0;
555
556 for (pml = deferred_open_queue; pml; pml = pml->next) {
557 uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
558
559 DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
560 (unsigned int)msg_mid ));
561
562 if (mid == msg_mid) {
563 struct timed_event *te;
564
565 if (pml->processed) {
566 /* A processed message should not be
567 * rescheduled. */
568 DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
569 "message mid %u was already processed\n",
570 msg_mid ));
571 continue;
572 }
573
574 DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
575 mid ));
576
577 te = event_add_timed(smbd_event_context(),
578 pml,
579 timeval_zero(),
580 smbd_deferred_open_timer,
581 pml);
582 if (!te) {
583 DEBUG(10,("schedule_deferred_open_smb_message: "
584 "event_add_timed() failed, skipping mid %u\n",
585 mid ));
586 }
587
588 TALLOC_FREE(pml->te);
589 pml->te = te;
590 DLIST_PROMOTE(deferred_open_queue, pml);
591 return;
592 }
593 }
594
595 DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
596 mid ));
597 }
598
599 /****************************************************************************
600 Return true if this mid is on the deferred queue and was not yet processed.
601 ****************************************************************************/
602
603 bool open_was_deferred(uint16 mid)
604 {
605 struct pending_message_list *pml;
606
607 for (pml = deferred_open_queue; pml; pml = pml->next) {
608 if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
609 return True;
610 }
611 }
612 return False;
613 }
614
615 /****************************************************************************
616 Return the message queued by this mid.
617 ****************************************************************************/
618
619 struct pending_message_list *get_open_deferred_message(uint16 mid)
620 {
621 struct pending_message_list *pml;
622
623 for (pml = deferred_open_queue; pml; pml = pml->next) {
624 if (SVAL(pml->buf.data,smb_mid) == mid) {
625 return pml;
626 }
627 }
628 return NULL;
629 }
630
631 /****************************************************************************
632 Function to push a deferred open smb message onto a linked list of local smb
633 messages ready for processing.
634 ****************************************************************************/
635
636 bool push_deferred_smb_message(struct smb_request *req,
637 struct timeval request_time,
638 struct timeval timeout,
639 char *private_data, size_t priv_len)
640 {
641 struct timeval end_time;
642
643 if (req->unread_bytes) {
644 DEBUG(0,("push_deferred_smb_message: logic error ! "
645 "unread_bytes = %u\n",
646 (unsigned int)req->unread_bytes ));
647 smb_panic("push_deferred_smb_message: "
648 "logic error unread_bytes != 0" );
649 }
650
651 end_time = timeval_sum(&request_time, &timeout);
652
653 DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
654 "timeout time [%u.%06u]\n",
655 (unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
656 (unsigned int)end_time.tv_sec,
657 (unsigned int)end_time.tv_usec));
658
659 return push_queued_message(req, request_time, end_time,
660 private_data, priv_len);
661 }
662
663 struct idle_event {
664 struct timed_event *te;
665 struct timeval interval;
666 char *name;
667 bool (*handler)(const struct timeval *now, void *private_data);
668 void *private_data;
669 };
670
671 static void smbd_idle_event_handler(struct event_context *ctx,
672 struct timed_event *te,
673 struct timeval now,
674 void *private_data)
675 {
676 struct idle_event *event =
677 talloc_get_type_abort(private_data, struct idle_event);
678
679 TALLOC_FREE(event->te);
680
681 DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
682 event->name, event->te));
683
684 if (!event->handler(&now, event->private_data)) {
685 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
686 event->name, event->te));
687 /* Don't repeat, delete ourselves */
688 TALLOC_FREE(event);
689 return;
690 }
691
692 DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
693 event->name, event->te));
694
695 event->te = event_add_timed(ctx, event,
696 timeval_sum(&now, &event->interval),
697 smbd_idle_event_handler, event);
698
699 /* We can't do much but fail here. */
700 SMB_ASSERT(event->te != NULL);
701 }
702
703 struct idle_event *event_add_idle(struct event_context *event_ctx,
704 TALLOC_CTX *mem_ctx,
705 struct timeval interval,
706 const char *name,
707 bool (*handler)(const struct timeval *now,
708 void *private_data),
709 void *private_data)
710 {
711 struct idle_event *result;
712 struct timeval now = timeval_current();
713
714 result = TALLOC_P(mem_ctx, struct idle_event);
715 if (result == NULL) {
716 DEBUG(0, ("talloc failed\n"));
717 return NULL;
718 }
719
720 result->interval = interval;
721 result->handler = handler;
722 result->private_data = private_data;
723
724 if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
725 DEBUG(0, ("talloc failed\n"));
726 TALLOC_FREE(result);
727 return NULL;
728 }
729
730 result->te = event_add_timed(event_ctx, result,
731 timeval_sum(&now, &interval),
732 smbd_idle_event_handler, result);
733 if (result->te == NULL) {
734 DEBUG(0, ("event_add_timed failed\n"));
735 TALLOC_FREE(result);
736 return NULL;
737 }
738
739 DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
740 return result;
741 }
742
743 static void smbd_sig_term_handler(struct tevent_context *ev,
744 struct tevent_signal *se,
745 int signum,
746 int count,
747 void *siginfo,
748 void *private_data)
749 {
750 exit_server_cleanly("termination signal");
751 }
752
753 void smbd_setup_sig_term_handler(void)
754 {
755 struct tevent_signal *se;
756
757 se = tevent_add_signal(smbd_event_context(),
758 smbd_event_context(),
759 SIGTERM, 0,
760 smbd_sig_term_handler,
761 NULL);
762 if (!se) {
763 exit_server("failed to setup SIGTERM handler");
764 }
765 }
766
767 static void smbd_sig_hup_handler(struct tevent_context *ev,
768 struct tevent_signal *se,
769 int signum,
770 int count,
771 void *siginfo,
772 void *private_data)
773 {
774 change_to_root_user();
775 DEBUG(1,("Reloading services after SIGHUP\n"));
776 reload_services(False);
777 }
778
779 void smbd_setup_sig_hup_handler(void)
780 {
781 struct tevent_signal *se;
782
783 se = tevent_add_signal(smbd_event_context(),
784 smbd_event_context(),
785 SIGHUP, 0,
786 smbd_sig_hup_handler,
787 NULL);
788 if (!se) {
789 exit_server("failed to setup SIGHUP handler");
790 }
791 }
792
793 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
794 {
795 fd_set r_fds, w_fds;
796 int selrtn;
797 struct timeval to;
798 int maxfd = 0;
799
800 to.tv_sec = SMBD_SELECT_TIMEOUT;
801 to.tv_usec = 0;
802
803 /*
804 * Setup the select fd sets.
805 */
806
807 FD_ZERO(&r_fds);
808 FD_ZERO(&w_fds);
809
810 /*
811 * Are there any timed events waiting ? If so, ensure we don't
812 * select for longer than it would take to wait for them.
813 */
814
815 {
816 struct timeval now;
817 GetTimeOfDay(&now);
818
819 event_add_to_select_args(smbd_event_context(), &now,
820 &r_fds, &w_fds, &to, &maxfd);
821 }
822
823 /* Process a signal and timed events now... */
824 if (run_events(smbd_event_context(), 0, NULL, NULL)) {
825 return NT_STATUS_RETRY;
826 }
827
828 {
829 int sav;
830 START_PROFILE(smbd_idle);
831
832 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
833 sav = errno;
834
835 END_PROFILE(smbd_idle);
836 errno = sav;
837 }
838
839 if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
840 return NT_STATUS_RETRY;
841 }
842
843 /* Check if error */
844 if (selrtn == -1) {
845 /* something is wrong. Maybe the socket is dead? */
846 return map_nt_error_from_unix(errno);
847 }
848
849 /* Did we timeout ? */
850 if (selrtn == 0) {
851 return NT_STATUS_RETRY;
852 }
853
854 /* should not be reached */
855 return NT_STATUS_INTERNAL_ERROR;
856 }
857
858 /*
859 * Only allow 5 outstanding trans requests. We're allocating memory, so
860 * prevent a DoS.
861 */
862
863 NTSTATUS allow_new_trans(struct trans_state *list, int mid)
864 {
865 int count = 0;
866 for (; list != NULL; list = list->next) {
867
868 if (list->mid == mid) {
869 return NT_STATUS_INVALID_PARAMETER;
870 }
871
872 count += 1;
873 }
874 if (count > 5) {
875 return NT_STATUS_INSUFFICIENT_RESOURCES;
876 }
877
878 return NT_STATUS_OK;
879 }
880
881 /*
882 These flags determine some of the permissions required to do an operation
883
884 Note that I don't set NEED_WRITE on some write operations because they
885 are used by some brain-dead clients when printing, and I don't want to
886 force write permissions on print services.
887 */
888 #define AS_USER (1<<0)
889 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
890 #define TIME_INIT (1<<2)
891 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
892 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
893 #define DO_CHDIR (1<<6)
894
895 /*
896 define a list of possible SMB messages and their corresponding
897 functions. Any message that has a NULL function is unimplemented -
898 please feel free to contribute implementations!
899 */
900 static const struct smb_message_struct {
901 const char *name;
902 void (*fn)(struct smb_request *req);
903 int flags;
904 } smb_messages[256] = {
905
906 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
907 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
908 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
909 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
910 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
911 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
912 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
913 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
914 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
915 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
916 /* 0x0a */ { "SMBread",reply_read,AS_USER},
917 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
918 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
919 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
920 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
921 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
922 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
923 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
924 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
925 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
926 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
927 /* 0x15 */ { NULL, NULL, 0 },
928 /* 0x16 */ { NULL, NULL, 0 },
929 /* 0x17 */ { NULL, NULL, 0 },
930 /* 0x18 */ { NULL, NULL, 0 },
931 /* 0x19 */ { NULL, NULL, 0 },
932 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
933 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
934 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
935 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
936 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
937 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
938 /* 0x20 */ { "SMBwritec", NULL,0},
939 /* 0x21 */ { NULL, NULL, 0 },
940 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
941 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
942 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
943 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
944 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
945 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
946 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
947 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
948 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
949 /* 0x2b */ { "SMBecho",reply_echo,0},
950 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
951 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
952 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
953 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
954 /* 0x30 */ { NULL, NULL, 0 },
955 /* 0x31 */ { NULL, NULL, 0 },
956 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
957 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
958 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
959 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
960 /* 0x36 */ { NULL, NULL, 0 },
961 /* 0x37 */ { NULL, NULL, 0 },
962 /* 0x38 */ { NULL, NULL, 0 },
963 /* 0x39 */ { NULL, NULL, 0 },
964 /* 0x3a */ { NULL, NULL, 0 },
965 /* 0x3b */ { NULL, NULL, 0 },
966 /* 0x3c */ { NULL, NULL, 0 },
967 /* 0x3d */ { NULL, NULL, 0 },
968 /* 0x3e */ { NULL, NULL, 0 },
969 /* 0x3f */ { NULL, NULL, 0 },
970 /* 0x40 */ { NULL, NULL, 0 },
971 /* 0x41 */ { NULL, NULL, 0 },
972 /* 0x42 */ { NULL, NULL, 0 },
973 /* 0x43 */ { NULL, NULL, 0 },
974 /* 0x44 */ { NULL, NULL, 0 },
975 /* 0x45 */ { NULL, NULL, 0 },
976 /* 0x46 */ { NULL, NULL, 0 },
977 /* 0x47 */ { NULL, NULL, 0 },
978 /* 0x48 */ { NULL, NULL, 0 },
979 /* 0x49 */ { NULL, NULL, 0 },
980 /* 0x4a */ { NULL, NULL, 0 },
981 /* 0x4b */ { NULL, NULL, 0 },
982 /* 0x4c */ { NULL, NULL, 0 },
983 /* 0x4d */ { NULL, NULL, 0 },
984 /* 0x4e */ { NULL, NULL, 0 },
985 /* 0x4f */ { NULL, NULL, 0 },
986 /* 0x50 */ { NULL, NULL, 0 },
987 /* 0x51 */ { NULL, NULL, 0 },
988 /* 0x52 */ { NULL, NULL, 0 },
989 /* 0x53 */ { NULL, NULL, 0 },
990 /* 0x54 */ { NULL, NULL, 0 },
991 /* 0x55 */ { NULL, NULL, 0 },
992 /* 0x56 */ { NULL, NULL, 0 },
993 /* 0x57 */ { NULL, NULL, 0 },
994 /* 0x58 */ { NULL, NULL, 0 },
995 /* 0x59 */ { NULL, NULL, 0 },
996 /* 0x5a */ { NULL, NULL, 0 },
997 /* 0x5b */ { NULL, NULL, 0 },
998 /* 0x5c */ { NULL, NULL, 0 },
999 /* 0x5d */ { NULL, NULL, 0 },
1000 /* 0x5e */ { NULL, NULL, 0 },
1001 /* 0x5f */ { NULL, NULL, 0 },
1002 /* 0x60 */ { NULL, NULL, 0 },
1003 /* 0x61 */ { NULL, NULL, 0 },
1004 /* 0x62 */ { NULL, NULL, 0 },
1005 /* 0x63 */ { NULL, NULL, 0 },
1006 /* 0x64 */ { NULL, NULL, 0 },
1007 /* 0x65 */ { NULL, NULL, 0 },
1008 /* 0x66 */ { NULL, NULL, 0 },
1009 /* 0x67 */ { NULL, NULL, 0 },
1010 /* 0x68 */ { NULL, NULL, 0 },
1011 /* 0x69 */ { NULL, NULL, 0 },
1012 /* 0x6a */ { NULL, NULL, 0 },
1013 /* 0x6b */ { NULL, NULL, 0 },
1014 /* 0x6c */ { NULL, NULL, 0 },
1015 /* 0x6d */ { NULL, NULL, 0 },
1016 /* 0x6e */ { NULL, NULL, 0 },
1017 /* 0x6f */ { NULL, NULL, 0 },
1018 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1019 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1020 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1021 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1022 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1023 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1024 /* 0x76 */ { NULL, NULL, 0 },
1025 /* 0x77 */ { NULL, NULL, 0 },
1026 /* 0x78 */ { NULL, NULL, 0 },
1027 /* 0x79 */ { NULL, NULL, 0 },
1028 /* 0x7a */ { NULL, NULL, 0 },
1029 /* 0x7b */ { NULL, NULL, 0 },
1030 /* 0x7c */ { NULL, NULL, 0 },
1031 /* 0x7d */ { NULL, NULL, 0 },
1032 /* 0x7e */ { NULL, NULL, 0 },
1033 /* 0x7f */ { NULL, NULL, 0 },
1034 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1035 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1036 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1037 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1038 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1039 /* 0x85 */ { NULL, NULL, 0 },
1040 /* 0x86 */ { NULL, NULL, 0 },
1041 /* 0x87 */ { NULL, NULL, 0 },
1042 /* 0x88 */ { NULL, NULL, 0 },
1043 /* 0x89 */ { NULL, NULL, 0 },
1044 /* 0x8a */ { NULL, NULL, 0 },
1045 /* 0x8b */ { NULL, NULL, 0 },
1046 /* 0x8c */ { NULL, NULL, 0 },
1047 /* 0x8d */ { NULL, NULL, 0 },
1048 /* 0x8e */ { NULL, NULL, 0 },
1049 /* 0x8f */ { NULL, NULL, 0 },
1050 /* 0x90 */ { NULL, NULL, 0 },
1051 /* 0x91 */ { NULL, NULL, 0 },
1052 /* 0x92 */ { NULL, NULL, 0 },
1053 /* 0x93 */ { NULL, NULL, 0 },
1054 /* 0x94 */ { NULL, NULL, 0 },
1055 /* 0x95 */ { NULL, NULL, 0 },
1056 /* 0x96 */ { NULL, NULL, 0 },
1057 /* 0x97 */ { NULL, NULL, 0 },
1058 /* 0x98 */ { NULL, NULL, 0 },
1059 /* 0x99 */ { NULL, NULL, 0 },
1060 /* 0x9a */ { NULL, NULL, 0 },
1061 /* 0x9b */ { NULL, NULL, 0 },
1062 /* 0x9c */ { NULL, NULL, 0 },
1063 /* 0x9d */ { NULL, NULL, 0 },
1064 /* 0x9e */ { NULL, NULL, 0 },
1065 /* 0x9f */ { NULL, NULL, 0 },
1066 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1067 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1068 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1069 /* 0xa3 */ { NULL, NULL, 0 },
1070 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1071 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1072 /* 0xa6 */ { NULL, NULL, 0 },
1073 /* 0xa7 */ { NULL, NULL, 0 },
1074 /* 0xa8 */ { NULL, NULL, 0 },
1075 /* 0xa9 */ { NULL, NULL, 0 },
1076 /* 0xaa */ { NULL, NULL, 0 },
1077 /* 0xab */ { NULL, NULL, 0 },
1078 /* 0xac */ { NULL, NULL, 0 },
1079 /* 0xad */ { NULL, NULL, 0 },
1080 /* 0xae */ { NULL, NULL, 0 },
1081 /* 0xaf */ { NULL, NULL, 0 },
1082 /* 0xb0 */ { NULL, NULL, 0 },
1083 /* 0xb1 */ { NULL, NULL, 0 },
1084 /* 0xb2 */ { NULL, NULL, 0 },
1085 /* 0xb3 */ { NULL, NULL, 0 },
1086 /* 0xb4 */ { NULL, NULL, 0 },
1087 /* 0xb5 */ { NULL, NULL, 0 },
1088 /* 0xb6 */ { NULL, NULL, 0 },
1089 /* 0xb7 */ { NULL, NULL, 0 },
1090 /* 0xb8 */ { NULL, NULL, 0 },
1091 /* 0xb9 */ { NULL, NULL, 0 },
1092 /* 0xba */ { NULL, NULL, 0 },
1093 /* 0xbb */ { NULL, NULL, 0 },
1094 /* 0xbc */ { NULL, NULL, 0 },
1095 /* 0xbd */ { NULL, NULL, 0 },
1096 /* 0xbe */ { NULL, NULL, 0 },
1097 /* 0xbf */ { NULL, NULL, 0 },
1098 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1099 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1100 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1101 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1102 /* 0xc4 */ { NULL, NULL, 0 },
1103 /* 0xc5 */ { NULL, NULL, 0 },
1104 /* 0xc6 */ { NULL, NULL, 0 },
1105 /* 0xc7 */ { NULL, NULL, 0 },
1106 /* 0xc8 */ { NULL, NULL, 0 },
1107 /* 0xc9 */ { NULL, NULL, 0 },
1108 /* 0xca */ { NULL, NULL, 0 },
1109 /* 0xcb */ { NULL, NULL, 0 },
1110 /* 0xcc */ { NULL, NULL, 0 },
1111 /* 0xcd */ { NULL, NULL, 0 },
1112 /* 0xce */ { NULL, NULL, 0 },
1113 /* 0xcf */ { NULL, NULL, 0 },
1114 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1115 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1116 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1117 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1118 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1119 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1120 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1121 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1122 /* 0xd8 */ { NULL, NULL, 0 },
1123 /* 0xd9 */ { NULL, NULL, 0 },
1124 /* 0xda */ { NULL, NULL, 0 },
1125 /* 0xdb */ { NULL, NULL, 0 },
1126 /* 0xdc */ { NULL, NULL, 0 },
1127 /* 0xdd */ { NULL, NULL, 0 },
1128 /* 0xde */ { NULL, NULL, 0 },
1129 /* 0xdf */ { NULL, NULL, 0 },
1130 /* 0xe0 */ { NULL, NULL, 0 },
1131 /* 0xe1 */ { NULL, NULL, 0 },
1132 /* 0xe2 */ { NULL, NULL, 0 },
1133 /* 0xe3 */ { NULL, NULL, 0 },
1134 /* 0xe4 */ { NULL, NULL, 0 },
1135 /* 0xe5 */ { NULL, NULL, 0 },
1136 /* 0xe6 */ { NULL, NULL, 0 },
1137 /* 0xe7 */ { NULL, NULL, 0 },
1138 /* 0xe8 */ { NULL, NULL, 0 },
1139 /* 0xe9 */ { NULL, NULL, 0 },
1140 /* 0xea */ { NULL, NULL, 0 },
1141 /* 0xeb */ { NULL, NULL, 0 },
1142 /* 0xec */ { NULL, NULL, 0 },
1143 /* 0xed */ { NULL, NULL, 0 },
1144 /* 0xee */ { NULL, NULL, 0 },
1145 /* 0xef */ { NULL, NULL, 0 },
1146 /* 0xf0 */ { NULL, NULL, 0 },
1147 /* 0xf1 */ { NULL, NULL, 0 },
1148 /* 0xf2 */ { NULL, NULL, 0 },
1149 /* 0xf3 */ { NULL, NULL, 0 },
1150 /* 0xf4 */ { NULL, NULL, 0 },
1151 /* 0xf5 */ { NULL, NULL, 0 },
1152 /* 0xf6 */ { NULL, NULL, 0 },
1153 /* 0xf7 */ { NULL, NULL, 0 },
1154 /* 0xf8 */ { NULL, NULL, 0 },
1155 /* 0xf9 */ { NULL, NULL, 0 },
1156 /* 0xfa */ { NULL, NULL, 0 },
1157 /* 0xfb */ { NULL, NULL, 0 },
1158 /* 0xfc */ { NULL, NULL, 0 },
1159 /* 0xfd */ { NULL, NULL, 0 },
1160 /* 0xfe */ { NULL, NULL, 0 },
1161 /* 0xff */ { NULL, NULL, 0 }
1162
1163 };
1164
1165 /*******************************************************************
1166 allocate and initialize a reply packet
1167 ********************************************************************/
1168
1169 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1170 const char *inbuf, char **outbuf, uint8_t num_words,
1171 uint32_t num_bytes)
1172 {
1173 /*
1174 * Protect against integer wrap
1175 */
1176 if ((num_bytes > 0xffffff)
1177 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1178 char *msg;
1179 if (asprintf(&msg, "num_bytes too large: %u",
1180 (unsigned)num_bytes) == -1) {
1181 msg = CONST_DISCARD(char *, "num_bytes too large");
1182 }
1183 smb_panic(msg);
1184 }
1185
1186 *outbuf = TALLOC_ARRAY(mem_ctx, char,
1187 smb_size + num_words*2 + num_bytes);
1188 if (*outbuf == NULL) {
1189 return false;
1190 }
1191
1192 construct_reply_common(req, inbuf, *outbuf);
1193 srv_set_message(*outbuf, num_words, num_bytes, false);
1194 /*
1195 * Zero out the word area, the caller has to take care of the bcc area
1196 * himself
1197 */
1198 if (num_words != 0) {
1199 memset(*outbuf + smb_vwv0, 0, num_words*2);
1200 }
1201
1202 return true;
1203 }
1204
1205 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1206 {
1207 char *outbuf;
1208 if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1209 num_bytes)) {
1210 smb_panic("could not allocate output buffer\n");
1211 }
1212 req->outbuf = (uint8_t *)outbuf;
1213 }
1214
1215
1216 /*******************************************************************
1217 Dump a packet to a file.
1218 ********************************************************************/
1219
1220 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1221 {
1222 int fd, i;
1223 char *fname = NULL;
1224 if (DEBUGLEVEL < 50) {
1225 return;
1226 }
1227
1228 if (len < 4) len = smb_len(data)+4;
1229 for (i=1;i<100;i++) {
1230 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1231 type ? "req" : "resp") == -1) {
1232 return;
1233 }
1234 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1235 if (fd != -1 || errno != EEXIST) break;
1236 }
1237 if (fd != -1) {
1238 ssize_t ret = write(fd, data, len);
1239 if (ret != len)
1240 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1241 close(fd);
1242 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1243 }
1244 SAFE_FREE(fname);
1245 }
1246
1247 /****************************************************************************
1248 Prepare everything for calling the actual request function, and potentially
1249 call the request function via the "new" interface.
1250
1251 Return False if the "legacy" function needs to be called, everything is
1252 prepared.
1253
1254 Return True if we're done.
1255
1256 I know this API sucks, but it is the one with the least code change I could
1257 find.
1258 ****************************************************************************/
1259
1260 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1261 {
1262 int flags;
1263 uint16 session_tag;
1264 connection_struct *conn = NULL;
1265 struct smbd_server_connection *sconn = smbd_server_conn;
1266
1267 errno = 0;
1268
1269 /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1270 * so subtract 4 from it. */
1271 if (!valid_smb_header(req->inbuf)
1272 || (size < (smb_size - 4))) {
1273 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1274 smb_len(req->inbuf)));
1275 exit_server_cleanly("Non-SMB packet");
1276 }
1277
1278 if (smb_messages[type].fn == NULL) {
1279 DEBUG(0,("Unknown message type %d!\n",type));
1280 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1281 reply_unknown_new(req, type);
1282 return NULL;
1283 }
1284
1285 flags = smb_messages[type].flags;
1286
1287 /* In share mode security we must ignore the vuid. */
1288 session_tag = (lp_security() == SEC_SHARE)
1289 ? UID_FIELD_INVALID : req->vuid;
1290 conn = req->conn;
1291
1292 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1293 (int)sys_getpid(), (unsigned long)conn));
1294
1295 smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1296
1297 /* Ensure this value is replaced in the incoming packet. */
1298 SSVAL(req->inbuf,smb_uid,session_tag);
1299
1300 /*
1301 * Ensure the correct username is in current_user_info. This is a
1302 * really ugly bugfix for problems with multiple session_setup_and_X's
1303 * being done and allowing %U and %G substitutions to work correctly.
1304 * There is a reason this code is done here, don't move it unless you
1305 * know what you're doing... :-).
1306 * JRA.
1307 */
1308
1309 if (session_tag != sconn->smb1.sessions.last_session_tag) {
1310 user_struct *vuser = NULL;
1311
1312 sconn->smb1.sessions.last_session_tag = session_tag;
1313 if(session_tag != UID_FIELD_INVALID) {
1314 vuser = get_valid_user_struct(sconn, session_tag);
1315 if (vuser) {
1316 set_current_user_info(
1317 vuser->server_info->sanitized_username,
1318 vuser->server_info->unix_name,
1319 pdb_get_domain(vuser->server_info
1320 ->sam_account));
1321 }
1322 }
1323 }
1324
1325 /* Does this call need to be run as the connected user? */
1326 if (flags & AS_USER) {
1327
1328 /* Does this call need a valid tree connection? */
1329 if (!conn) {
1330 /*
1331 * Amazingly, the error code depends on the command
1332 * (from Samba4).
1333 */
1334 if (type == SMBntcreateX) {
1335 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1336 } else {
1337 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1338 }
1339 return NULL;
1340 }
1341
1342 if (!change_to_user(conn,session_tag)) {
1343 DEBUG(0, ("Error: Could not change to user. Removing "
1344 "deferred open, mid=%d.\n", req->mid));
1345 reply_force_doserror(req, ERRSRV, ERRbaduid);
1346 return conn;
1347 }
1348
1349 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1350
1351 /* Does it need write permission? */
1352 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1353 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1354 return conn;
1355 }
1356
1357 /* IPC services are limited */
1358 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1359 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1360 return conn;
1361 }
1362 } else {
1363 /* This call needs to be run as root */
1364 change_to_root_user();
1365 }
1366
1367 /* load service specific parameters */
1368 if (conn) {
1369 if (req->encrypted) {
1370 conn->encrypted_tid = true;
1371 /* encrypted required from now on. */
1372 conn->encrypt_level = Required;
1373 } else if (ENCRYPTION_REQUIRED(conn)) {
1374 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1375 exit_server_cleanly("encryption required "
1376 "on connection");
1377 return conn;
1378 }
1379 }
1380
1381 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1382 (flags & (AS_USER|DO_CHDIR)
1383 ?True:False))) {
1384 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1385 return conn;
1386 }
1387 conn->num_smb_operations++;
1388 }
1389
1390 /* does this protocol need to be run as guest? */
1391 if ((flags & AS_GUEST)
1392 && (!change_to_guest() ||
1393 !check_access(smbd_server_fd(), lp_hostsallow(-1),
1394 lp_hostsdeny(-1)))) {
1395 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1396 return conn;
1397 }
1398
1399 smb_messages[type].fn(req);
1400 return req->conn;
1401 }
1402
1403 /****************************************************************************
1404 Construct a reply to the incoming packet.
1405 ****************************************************************************/
1406
1407 static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1408 uint32_t seqnum, bool encrypted,
1409 struct smb_perfcount_data *deferred_pcd)
1410 {
1411 connection_struct *conn;
1412 struct smb_request *req;
1413
1414 if (!(req = talloc(talloc_tos(), struct smb_request))) {
1415 smb_panic("could not allocate smb_request");
1416 }
1417
1418 init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted, seqnum);
1419 req->inbuf = (uint8_t *)talloc_move(req, &inbuf);
1420
1421 /* we popped this message off the queue - keep original perf data */
1422 if (deferred_pcd)
1423 req->pcd = *deferred_pcd;
1424 else {
1425 SMB_PERFCOUNT_START(&req->pcd);
1426 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1427 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1428 }
1429
1430 conn = switch_message(req->cmd, req, size);
1431
1432 if (req->unread_bytes) {
1433 /* writeX failed. drain socket. */
1434 if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1435 req->unread_bytes) {
1436 smb_panic("failed to drain pending bytes");
1437 }
1438 req->unread_bytes = 0;
1439 }
1440
1441 if (req->done) {
1442 TALLOC_FREE(req);
1443 return;
1444 }
1445
1446 if (req->outbuf == NULL) {
1447 return;
1448 }
1449
1450 if (CVAL(req->outbuf,0) == 0) {
1451 show_msg((char *)req->outbuf);
1452 }
1453
1454 if (!srv_send_smb(smbd_server_fd(),
1455 (char *)req->outbuf,
1456 true, req->seqnum+1,
1457 IS_CONN_ENCRYPTED(conn)||req->encrypted,
1458 &req->pcd)) {
1459 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1460 }
1461
1462 TALLOC_FREE(req);
1463
1464 return;
1465 }
1466
1467 /****************************************************************************
1468 Process an smb from the client
1469 ****************************************************************************/
1470 static void process_smb(struct smbd_server_connection *conn,
1471 uint8_t *inbuf, size_t nread, size_t unread_bytes,
1472 uint32_t seqnum, bool encrypted,
1473 struct smb_perfcount_data *deferred_pcd)
1474 {
1475 int msg_type = CVAL(inbuf,0);
1476
1477 DO_PROFILE_INC(smb_count);
1478
1479 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1480 smb_len(inbuf) ) );
1481 DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1482 (int)nread,
1483 (unsigned int)unread_bytes ));
1484
1485 if (msg_type != 0) {
1486 /*
1487 * NetBIOS session request, keepalive, etc.
1488 */
1489 reply_special((char *)inbuf);
1490 goto done;
1491 }
1492
1493 if (smbd_server_conn->allow_smb2) {
1494 if (smbd_is_smb2_header(inbuf, nread)) {
1495 smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1496 return;
1497 }
1498 smbd_server_conn->allow_smb2 = false;
1499 }
1500
1501 show_msg((char *)inbuf);
1502
1503 construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1504 trans_num++;
1505
1506 done:
1507 conn->smb1.num_requests++;
1508
1509 /* The timeout_processing function isn't run nearly
1510 often enough to implement 'max log size' without
1511 overrunning the size of the file by many megabytes.
1512 This is especially true if we are running at debug
1513 level 10. Checking every 50 SMBs is a nice
1514 tradeoff of performance vs log file size overrun. */
1515
1516 if ((conn->smb1.num_requests % 50) == 0 &&
1517 need_to_check_log_size()) {
1518 change_to_root_user();
1519 check_log_size();
1520 }
1521 }
1522
1523 /****************************************************************************
1524 Return a string containing the function name of a SMB command.
1525 ****************************************************************************/
1526
1527 const char *smb_fn_name(int type)
1528 {
1529 const char *unknown_name = "SMBunknown";
1530
1531 if (smb_messages[type].name == NULL)
1532 return(unknown_name);
1533
1534 return(smb_messages[type].name);
1535 }
1536
1537 /****************************************************************************
1538 Helper functions for contruct_reply.
1539 ****************************************************************************/
1540
1541 void add_to_common_flags2(uint32 v)
1542 {
1543 common_flags2 |= v;
1544 }
1545
1546 void remove_from_common_flags2(uint32 v)
1547 {
1548 common_flags2 &= ~v;
1549 }
1550
1551 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1552 char *outbuf)
1553 {
1554 srv_set_message(outbuf,0,0,false);
1555
1556 SCVAL(outbuf, smb_com, req->cmd);
1557 SIVAL(outbuf,smb_rcls,0);
1558 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES));
1559 SSVAL(outbuf,smb_flg2,
1560 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1561 common_flags2);
1562 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1563
1564 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1565 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1566 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1567 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1568 }
1569
1570 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1571 {
1572 construct_reply_common(req, (char *)req->inbuf, outbuf);
1573 }
1574
1575 /*
1576 * How many bytes have we already accumulated up to the current wct field
1577 * offset?
1578 */
1579
1580 size_t req_wct_ofs(struct smb_request *req)
1581 {
1582 size_t buf_size;
1583
1584 if (req->chain_outbuf == NULL) {
1585 return smb_wct - 4;
1586 }
1587 buf_size = talloc_get_size(req->chain_outbuf);
1588 if ((buf_size % 4) != 0) {
1589 buf_size += (4 - (buf_size % 4));
1590 }
1591 return buf_size - 4;
1592 }
1593
1594 /*
1595 * Hack around reply_nterror & friends not being aware of chained requests,
1596 * generating illegal (i.e. wct==0) chain replies.
1597 */
1598
1599 static void fixup_chain_error_packet(struct smb_request *req)
1600 {
1601 uint8_t *outbuf = req->outbuf;
1602 req->outbuf = NULL;
1603 reply_outbuf(req, 2, 0);
1604 memcpy(req->outbuf, outbuf, smb_wct);
1605 TALLOC_FREE(outbuf);
1606 SCVAL(req->outbuf, smb_vwv0, 0xff);
1607 }
1608
1609 /**
1610 * @brief Find the smb_cmd offset of the last command pushed
1611 * @param[in] buf The buffer we're building up
1612 * @retval Where can we put our next andx cmd?
1613 *
1614 * While chaining requests, the "next" request we're looking at needs to put
1615 * its SMB_Command before the data the previous request already built up added
1616 * to the chain. Find the offset to the place where we have to put our cmd.
1617 */
1618
1619 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1620 {
1621 uint8_t cmd;
1622 size_t ofs;
1623
1624 cmd = CVAL(buf, smb_com);
1625
1626 SMB_ASSERT(is_andx_req(cmd));
1627
1628 ofs = smb_vwv0;
1629
1630 while (CVAL(buf, ofs) != 0xff) {
1631
1632 if (!is_andx_req(CVAL(buf, ofs))) {
1633 return false;
1634 }
1635
1636 /*
1637 * ofs is from start of smb header, so add the 4 length
1638 * bytes. The next cmd is right after the wct field.
1639 */
1640 ofs = SVAL(buf, ofs+2) + 4 + 1;
1641
1642 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1643 }
1644
1645 *pofs = ofs;
1646 return true;
1647 }
1648
1649 /**
1650 * @brief Do the smb chaining at a buffer level
1651 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
1652 * @param[in] smb_command The command that we want to issue
1653 * @param[in] wct How many words?
1654 * @param[in] vwv The words, already in network order
1655 * @param[in] bytes_alignment How shall we align "bytes"?
1656 * @param[in] num_bytes How many bytes?
1657 * @param[in] bytes The data the request ships
1658 *
1659 * smb_splice_chain() adds the vwv and bytes to the request already present in
1660 * *poutbuf.
1661 */
1662
1663 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1664 uint8_t wct, const uint16_t *vwv,
1665 size_t bytes_alignment,
1666 uint32_t num_bytes, const uint8_t *bytes)
1667 {
1668 uint8_t *outbuf;
1669 size_t old_size, new_size;
1670 size_t ofs;
1671 size_t chain_padding = 0;
1672 size_t bytes_padding = 0;
1673 bool first_request;
1674
1675 old_size = talloc_get_size(*poutbuf);
1676
1677 /*
1678 * old_size == smb_wct means we're pushing the first request in for
1679 * libsmb/
1680 */
1681
1682 first_request = (old_size == smb_wct);
1683
1684 if (!first_request && ((old_size % 4) != 0)) {
1685 /*
1686 * Align the wct field of subsequent requests to a 4-byte
1687 * boundary
1688 */
1689 chain_padding = 4 - (old_size % 4);
1690 }
1691
1692 /*
1693 * After the old request comes the new wct field (1 byte), the vwv's
1694 * and the num_bytes field. After at we might need to align the bytes
1695 * given to us to "bytes_alignment", increasing the num_bytes value.
1696 */
1697
1698 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1699
1700 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1701 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1702 }
1703
1704 new_size += bytes_padding + num_bytes;
1705
1706 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1707 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1708 (unsigned)new_size));
1709 return false;
1710 }
1711
1712 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1713 if (outbuf == NULL) {
1714 DEBUG(0, ("talloc failed\n"));
1715 return false;
1716 }
1717 *poutbuf = outbuf;
1718
1719 if (first_request) {
1720 SCVAL(outbuf, smb_com, smb_command);
1721 } else {
1722 size_t andx_cmd_ofs;
1723
1724 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1725 DEBUG(1, ("invalid command chain\n"));
1726 *poutbuf = TALLOC_REALLOC_ARRAY(
1727 NULL, *poutbuf, uint8_t, old_size);
1728 return false;
1729 }
1730
1731 if (chain_padding != 0) {
1732 memset(outbuf + old_size, 0, chain_padding);
1733 old_size += chain_padding;
1734 }
1735
1736 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1737 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1738 }
1739
1740 ofs = old_size;
1741
1742 /*
1743 * Push the chained request:
1744 *
1745 * wct field
1746 */
1747
1748 SCVAL(outbuf, ofs, wct);
1749 ofs += 1;
1750
1751 /*
1752 * vwv array
1753 */
1754
1755 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1756 ofs += sizeof(uint16_t) * wct;
1757
1758 /*
1759 * bcc (byte count)
1760 */
1761
1762 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1763 ofs += sizeof(uint16_t);
1764
1765 /*
1766 * padding
1767 */
1768
1769 if (bytes_padding != 0) {
1770 memset(outbuf + ofs, 0, bytes_padding);
1771 ofs += bytes_padding;
1772 }
1773
1774 /*
1775 * The bytes field
1776 */
1777
1778 memcpy(outbuf + ofs, bytes, num_bytes);
1779
1780 return true;
1781 }
1782
1783 /****************************************************************************
1784 Construct a chained reply and add it to the already made reply
1785 ****************************************************************************/
1786
1787 void chain_reply(struct smb_request *req)
1788 {
1789 size_t smblen = smb_len(req->inbuf);
1790 size_t already_used, length_needed;
1791 uint8_t chain_cmd;
1792 uint32_t chain_offset; /* uint32_t to avoid overflow */
1793
1794 uint8_t wct;
1795 uint16_t *vwv;
1796 uint16_t buflen;
1797 uint8_t *buf;
1798
1799 if (IVAL(req->outbuf, smb_rcls) != 0) {
1800 fixup_chain_error_packet(req);
1801 }
1802
1803 /*
1804 * Any of the AndX requests and replies have at least a wct of
1805 * 2. vwv[0] is the next command, vwv[1] is the offset from the
1806 * beginning of the SMB header to the next wct field.
1807 *
1808 * None of the AndX requests put anything valuable in vwv[0] and [1],
1809 * so we can overwrite it here to form the chain.
1810 */
1811
1812 if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1813 if (req->chain_outbuf == NULL) {
1814 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1815 req, req->outbuf, uint8_t,
1816 smb_len(req->outbuf) + 4);
1817 if (req->chain_outbuf == NULL) {
1818 smb_panic("talloc failed");
1819 }
1820 }
1821 req->outbuf = NULL;
1822 goto error;
1823 }
1824
1825 /*
1826 * Here we assume that this is the end of the chain. For that we need
1827 * to set "next command" to 0xff and the offset to 0. If we later find
1828 * more commands in the chain, this will be overwritten again.
1829 */
1830
1831 SCVAL(req->outbuf, smb_vwv0, 0xff);
1832 SCVAL(req->outbuf, smb_vwv0+1, 0);
1833 SSVAL(req->outbuf, smb_vwv1, 0);
1834
1835 if (req->chain_outbuf == NULL) {
1836 /*
1837 * In req->chain_outbuf we collect all the replies. Start the
1838 * chain by copying in the first reply.
1839 *
1840 * We do the realloc because later on we depend on
1841 * talloc_get_size to determine the length of
1842 * chain_outbuf. The reply_xxx routines might have
1843 * over-allocated (reply_pipe_read_and_X used to be such an
1844 * example).
1845 */
1846 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1847 req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1848 if (req->chain_outbuf == NULL) {
1849 smb_panic("talloc failed");
1850 }
1851 req->outbuf = NULL;
1852 } else {
1853 /*
1854 * Update smb headers where subsequent chained commands
1855 * may have updated them.
1856 */
1857 SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
1858 SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
1859
1860 if (!smb_splice_chain(&req->chain_outbuf,
1861 CVAL(req->outbuf, smb_com),
1862 CVAL(req->outbuf, smb_wct),
1863 (uint16_t *)(req->outbuf + smb_vwv),
1864 0, smb_buflen(req->outbuf),
1865 (uint8_t *)smb_buf(req->outbuf))) {
1866 goto error;
1867 }
1868 TALLOC_FREE(req->outbuf);
1869 }
1870
1871 /*
1872 * We use the old request's vwv field to grab the next chained command
1873 * and offset into the chained fields.
1874 */
1875
1876 chain_cmd = CVAL(req->vwv+0, 0);
1877 chain_offset = SVAL(req->vwv+1, 0);
1878
1879 if (chain_cmd == 0xff) {
1880 /*
1881 * End of chain, no more requests from the client. So ship the
1882 * replies.
1883 */
1884 smb_setlen((char *)(req->chain_outbuf),
1885 talloc_get_size(req->chain_outbuf) - 4);
1886
1887 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1888 true, req->seqnum+1,
1889 IS_CONN_ENCRYPTED(req->conn)
1890 ||req->encrypted,
1891 &req->pcd)) {
1892 exit_server_cleanly("chain_reply: srv_send_smb "
1893 "failed.");
1894 }
1895 TALLOC_FREE(req->chain_outbuf);
1896 req->done = true;
1897 return;
1898 }
1899
1900 /* add a new perfcounter for this element of chain */
1901 SMB_PERFCOUNT_ADD(&req->pcd);
1902 SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1903 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1904
1905 /*
1906 * Check if the client tries to fool us. The request so far uses the
1907 * space to the end of the byte buffer in the request just
1908 * processed. The chain_offset can't point into that area. If that was
1909 * the case, we could end up with an endless processing of the chain,
1910 * we would always handle the same request.
1911 */
1912
1913 already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
1914 if (chain_offset < already_used) {
1915 goto error;
1916 }
1917
1918 /*
1919 * Next check: Make sure the chain offset does not point beyond the
1920 * overall smb request length.
1921 */
1922
1923 length_needed = chain_offset+1; /* wct */
1924 if (length_needed > smblen) {
1925 goto error;
1926 }
1927
1928 /*
1929 * Now comes the pointer magic. Goal here is to set up req->vwv and
1930 * req->buf correctly again to be able to call the subsequent
1931 * switch_message(). The chain offset (the former vwv[1]) points at
1932 * the new wct field.
1933 */
1934
1935 wct = CVAL(smb_base(req->inbuf), chain_offset);
1936
1937 /*
1938 * Next consistency check: Make the new vwv array fits in the overall
1939 * smb request.
1940 */
1941
1942 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
1943 if (length_needed > smblen) {
1944 goto error;
1945 }
1946 vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1947
1948 /*
1949 * Now grab the new byte buffer....
1950 */
1951
1952 buflen = SVAL(vwv+wct, 0);
1953
1954 /*
1955 * .. and check that it fits.
1956 */
1957
1958 length_needed += buflen;
1959 if (length_needed > smblen) {
1960 goto error;
1961 }
1962 buf = (uint8_t *)(vwv+wct+1);
1963
1964 req->cmd = chain_cmd;
1965 req->wct = wct;
1966 req->vwv = vwv;
1967 req->buflen = buflen;
1968 req->buf = buf;
1969
1970 switch_message(chain_cmd, req, smblen);
1971
1972 if (req->outbuf == NULL) {
1973 /*
1974 * This happens if the chained command has suspended itself or
1975 * if it has called srv_send_smb() itself.
1976 */
1977 return;
1978 }
1979
1980 /*
1981 * We end up here if the chained command was not itself chained or
1982 * suspended, but for example a close() command. We now need to splice
1983 * the chained commands' outbuf into the already built up chain_outbuf
1984 * and ship the result.
1985 */
1986 goto done;
1987
1988 error:
1989 /*
1990 * We end up here if there's any error in the chain syntax. Report a
1991 * DOS error, just like Windows does.
1992 */
1993 reply_force_doserror(req, ERRSRV, ERRerror);
1994 fixup_chain_error_packet(req);
1995
1996 done:
1997 /*
1998 * This scary statement intends to set the
1999 * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2000 * to the value req->outbuf carries
2001 */
2002 SSVAL(req->chain_outbuf, smb_flg2,
2003 (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2004 | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2005
2006 /*
2007 * Transfer the error codes from the subrequest to the main one
2008 */
2009 SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2010 SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2011
2012 if (!smb_splice_chain(&req->chain_outbuf,
2013 CVAL(req->outbuf, smb_com),
2014 CVAL(req->outbuf, smb_wct),
2015 (uint16_t *)(req->outbuf + smb_vwv),
2016 0, smb_buflen(req->outbuf),
2017 (uint8_t *)smb_buf(req->outbuf))) {
2018 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2019 }
2020 TALLOC_FREE(req->outbuf);
2021
2022 smb_setlen((char *)(req->chain_outbuf),
2023 talloc_get_size(req->chain_outbuf) - 4);
2024
2025 show_msg((char *)(req->chain_outbuf));
2026
2027 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2028 true, req->seqnum+1,
2029 IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2030 &req->pcd)) {
2031 exit_server_cleanly("construct_reply: srv_send_smb failed.");
2032 }
2033 TALLOC_FREE(req->chain_outbuf);
2034 req->done = true;
2035 }
2036
2037 /****************************************************************************
2038 Check if services need reloading.
2039 ****************************************************************************/
2040
2041 void check_reload(time_t t)
2042 {
2043 time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2044
2045 if(last_smb_conf_reload_time == 0) {
2046 last_smb_conf_reload_time = t;
2047 /* Our printing subsystem might not be ready at smbd start up.
2048 Then no printer is available till the first printers check
2049 is performed. A lower initial interval circumvents this. */
2050 if ( printcap_cache_time > 60 )
2051 last_printer_reload_time = t - printcap_cache_time + 60;
2052 else
2053 last_printer_reload_time = t;
2054 }
2055
2056 if (mypid != getpid()) { /* First time or fork happened meanwhile */
2057 /* randomize over 60 second the printcap reload to avoid all
2058 * process hitting cupsd at the same time */
2059 int time_range = 60;
2060
2061 last_printer_reload_time += random() % time_range;
2062 mypid = getpid();
2063 }
2064
2065 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2066 reload_services(True);
2067 last_smb_conf_reload_time = t;
2068 }
2069
2070 /* 'printcap cache time = 0' disable the feature */
2071
2072 if ( printcap_cache_time != 0 )
2073 {
2074 /* see if it's time to reload or if the clock has been set back */
2075
2076 if ( (t >= last_printer_reload_time+printcap_cache_time)
2077 || (t-last_printer_reload_time < 0) )
2078 {
2079 DEBUG( 3,( "Printcap cache time expired.\n"));
2080 reload_printers();
2081 last_printer_reload_time = t;
2082 }
2083 }
2084 }
2085
2086 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2087 {
2088 /* TODO: make write nonblocking */
2089 }
2090
2091 static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
2092 {
2093 uint8_t *inbuf = NULL;
2094 size_t inbuf_len = 0;
2095 size_t unread_bytes = 0;
2096 bool encrypted = false;
2097 TALLOC_CTX *mem_ctx = talloc_tos();
2098 NTSTATUS status;
2099 uint32_t seqnum;
2100
2101 /* TODO: make this completely nonblocking */
2102
2103 status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
2104 (char **)(void *)&inbuf,
2105 0, /* timeout */
2106 &unread_bytes,
2107 &encrypted,
2108 &inbuf_len, &seqnum);
2109 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2110 goto process;
2111 }
2112 if (NT_STATUS_IS_ERR(status)) {
2113 exit_server_cleanly("failed to receive smb request");
2114 }
2115 if (!NT_STATUS_IS_OK(status)) {
2116 return;
2117 }
2118
2119 process:
2120 process_smb(conn, inbuf, inbuf_len, unread_bytes,
2121 seqnum, encrypted, NULL);
2122 }
2123
2124 static void smbd_server_connection_handler(struct event_context *ev,
2125 struct fd_event *fde,
2126 uint16_t flags,
2127 void *private_data)
2128 {
2129 struct smbd_server_connection *conn = talloc_get_type(private_data,
2130 struct smbd_server_connection);
2131
2132 if (flags & EVENT_FD_WRITE) {
2133 smbd_server_connection_write_handler(conn);
2134 } else if (flags & EVENT_FD_READ) {
2135 smbd_server_connection_read_handler(conn);
2136 }
2137 }
2138
2139
2140 /****************************************************************************
2141 received when we should release a specific IP
2142 ****************************************************************************/
2143 static void release_ip(const char *ip, void *priv)
2144 {
2145 char addr[INET6_ADDRSTRLEN];
2146 char *p = addr;
2147
2148 client_socket_addr(get_client_fd(),addr,sizeof(addr));
2149
2150 if (strncmp("::ffff:", addr, 7) == 0) {
2151 p = addr + 7;
2152 }
2153
2154 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2155 /* we can't afford to do a clean exit - that involves
2156 database writes, which would potentially mean we
2157 are still running after the failover has finished -
2158 we have to get rid of this process ID straight
2159 away */
2160 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2161 ip));
2162 /* note we must exit with non-zero status so the unclean handler gets
2163 called in the parent, so that the brl database is tickled */
2164 _exit(1);
2165 }
2166 }
2167
2168 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2169 uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2170 {
2171 release_ip((char *)data->data, NULL);
2172 }
2173
2174 #ifdef CLUSTER_SUPPORT
2175 static int client_get_tcp_info(struct sockaddr_storage *server,
2176 struct sockaddr_storage *client)
2177 {
2178 socklen_t length;
2179 if (server_fd == -1) {
2180 return -1;
2181 }
2182 length = sizeof(*server);
2183 if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2184 return -1;
2185 }
2186 length = sizeof(*client);
2187 if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2188 return -1;
2189 }
2190 return 0;
2191 }
2192 #endif
2193
2194 /*
2195 * Send keepalive packets to our client
2196 */
2197 static bool keepalive_fn(const struct timeval *now, void *private_data)
2198 {
2199 if (!send_keepalive(smbd_server_fd())) {
2200 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2201 return False;
2202 }
2203 return True;
2204 }
2205
2206 /*
2207 * Do the recurring check if we're idle
2208 */
2209 static bool deadtime_fn(const struct timeval *now, void *private_data)
2210 {
2211 struct smbd_server_connection *sconn = smbd_server_conn;
2212 if ((conn_num_open(sconn) == 0)
2213 || (conn_idle_all(sconn, now->tv_sec))) {
2214 DEBUG( 2, ( "Closing idle connection\n" ) );
2215 messaging_send(smbd_messaging_context(), procid_self(),
2216 MSG_SHUTDOWN, &data_blob_null);
2217 return False;
2218 }
2219
2220 return True;
2221 }
2222
2223 /*
2224 * Do the recurring log file and smb.conf reload checks.
2225 */
2226
2227 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2228 {
2229 change_to_root_user();
2230
2231 /* update printer queue caches if necessary */
2232 update_monitored_printq_cache();
2233
2234 /* check if we need to reload services */
2235 check_reload(time(NULL));
2236
2237 /* Change machine password if neccessary. */
2238 attempt_machine_password_change();
2239
2240 /*
2241 * Force a log file check.
2242 */
2243 force_check_log_size();
2244 check_log_size();
2245 return true;
2246 }
2247
2248 /****************************************************************************
2249 Process commands from the client
2250 ****************************************************************************/
2251
2252 void smbd_process(void)
2253 {
2254 TALLOC_CTX *frame = talloc_stackframe();
2255 char remaddr[INET6_ADDRSTRLEN];
2256
2257 if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2258 lp_security() != SEC_SHARE) {
2259 smbd_server_conn->allow_smb2 = true;
2260 }
2261
2262 /* Ensure child is set to blocking mode */
2263 set_blocking(smbd_server_fd(),True);
2264
2265 set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2266 set_socket_options(smbd_server_fd(), lp_socket_options());
2267
2268 /* this is needed so that we get decent entries
2269 in smbstatus for port 445 connects */
2270 set_remote_machine_name(get_peer_addr(smbd_server_fd(),
2271 remaddr,
2272 sizeof(remaddr)),
2273 false);
2274 reload_services(true);
2275
2276 /*
2277 * Before the first packet, check the global hosts allow/ hosts deny
2278 * parameters before doing any parsing of packets passed to us by the
2279 * client. This prevents attacks on our parsing code from hosts not in
2280 * the hosts allow list.
2281 */
2282
2283 if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2284 lp_hostsdeny(-1))) {
2285 char addr[INET6_ADDRSTRLEN];
2286
2287 /*
2288 * send a negative session response "not listening on calling
2289 * name"
2290 */
2291 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2292 DEBUG( 1, ("Connection denied from %s\n",
2293 client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2294 (void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2295 0, false, NULL);
2296 exit_server_cleanly("connection denied");
2297 }
2298
2299 static_init_rpc;
2300
2301 init_modules();
2302
2303 smb_perfcount_init();
2304
2305 if (!init_account_policy()) {
2306 exit_server("Could not open account policy tdb.\n");
2307 }
2308
2309 if (*lp_rootdir()) {
2310 if (chroot(lp_rootdir()) != 0) {
2311 DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2312 exit_server("Failed to chroot()");
2313 }
2314 if (chdir("/") == -1) {
2315 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2316 exit_server("Failed to chroot()");
2317 }
2318 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2319 }
2320
2321 if (!srv_init_signing(smbd_server_conn)) {
2322 exit_server("Failed to init smb_signing");
2323 }
2324
2325 /* Setup oplocks */
2326 if (!init_oplocks(smbd_messaging_context()))
2327 exit_server("Failed to init oplocks");
2328
2329 /* Setup aio signal handler. */
2330 initialize_async_io_handler();
2331
2332 /* register our message handlers */
2333 messaging_register(smbd_messaging_context(), NULL,
2334 MSG_SMB_FORCE_TDIS, msg_force_tdis);
2335 messaging_register(smbd_messaging_context(), NULL,
2336 MSG_SMB_RELEASE_IP, msg_release_ip);
2337 messaging_register(smbd_messaging_context(), NULL,
2338 MSG_SMB_CLOSE_FILE, msg_close_file);
2339
2340 /*
2341 * Use the default MSG_DEBUG handler to avoid rebroadcasting
2342 * MSGs to all child processes
2343 */
2344 messaging_deregister(smbd_messaging_context(),
2345 MSG_DEBUG, NULL);
2346 messaging_register(smbd_messaging_context(), NULL,
2347 MSG_DEBUG, debug_message);
2348
2349 if ((lp_keepalive() != 0)
2350 && !(event_add_idle(smbd_event_context(), NULL,
2351 timeval_set(lp_keepalive(), 0),
2352 "keepalive", keepalive_fn,
2353 NULL))) {
2354 DEBUG(0, ("Could not add keepalive event\n"));
2355 exit(1);
2356 }
2357
2358 if (!(event_add_idle(smbd_event_context(), NULL,
2359 timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2360 "deadtime", deadtime_fn, NULL))) {
2361 DEBUG(0, ("Could not add deadtime event\n"));
2362 exit(1);
2363 }
2364
2365 if (!(event_add_idle(smbd_event_context(), NULL,
2366 timeval_set(SMBD_SELECT_TIMEOUT, 0),
2367 "housekeeping", housekeeping_fn, NULL))) {
2368 DEBUG(0, ("Could not add housekeeping event\n"));
2369 exit(1);
2370 }
2371
2372 #ifdef CLUSTER_SUPPORT
2373
2374 if (lp_clustering()) {
2375 /*
2376 * We need to tell ctdb about our client's TCP
2377 * connection, so that for failover ctdbd can send
2378 * tickle acks, triggering a reconnection by the
2379 * client.
2380 */
2381
2382 struct sockaddr_storage srv, clnt;
2383
2384 if (client_get_tcp_info(&srv, &clnt) == 0) {
2385
2386 NTSTATUS status;
2387
2388 status = ctdbd_register_ips(
2389 messaging_ctdbd_connection(),
2390 &srv, &clnt, release_ip, NULL);
2391
2392 if (!NT_STATUS_IS_OK(status)) {
2393 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2394 nt_errstr(status)));
2395 }
2396 } else
2397 {
2398 DEBUG(0,("Unable to get tcp info for "
2399 "CTDB_CONTROL_TCP_CLIENT: %s\n",
2400 strerror(errno)));
2401 }
2402 }
2403
2404 #endif
2405
2406 smbd_server_conn->nbt.got_session = false;
2407
2408 smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2409
2410 smbd_server_conn->smb1.sessions.done_sesssetup = false;
2411 smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
2412 smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
2413 /* users from session setup */
2414 smbd_server_conn->smb1.sessions.session_userlist = NULL;
2415 /* workgroup from session setup. */
2416 smbd_server_conn->smb1.sessions.session_workgroup = NULL;
2417 /* this holds info on user ids that are already validated for this VC */
2418 smbd_server_conn->smb1.sessions.validated_users = NULL;
2419 smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
2420 smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
2421 #ifdef HAVE_NETGROUP
2422 smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
2423 #endif
2424
2425 conn_init(smbd_server_conn);
2426 if (!init_dptrs(smbd_server_conn)) {
2427 exit_server("init_dptrs() failed");
2428 }
2429
2430 smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
2431 smbd_server_conn,
2432 smbd_server_fd(),
2433 EVENT_FD_READ,
2434 smbd_server_connection_handler,
2435 smbd_server_conn);
2436 if (!smbd_server_conn->smb1.fde) {
2437 exit_server("failed to create smbd_server_connection fde");
2438 }
2439
2440 TALLOC_FREE(frame);
2441
2442 while (True) {
2443 NTSTATUS status;
2444
2445 frame = talloc_stackframe_pool(8192);
2446
2447 errno = 0;
2448
2449 status = smbd_server_connection_loop_once(smbd_server_conn);
2450 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2451 !NT_STATUS_IS_OK(status)) {
2452 DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2453 " exiting\n", nt_errstr(status)));
2454 break;
2455 }
2456
2457 TALLOC_FREE(frame);
2458 }
2459
2460 exit_server_cleanly(NULL);
2461 }
2462
2463 bool req_is_in_chain(struct smb_request *req)
2464 {
2465 if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2466 /*
2467 * We're right now handling a subsequent request, so we must
2468 * be in a chain
2469 */
2470 return true;
2471 }
2472
2473 if (!is_andx_req(req->cmd)) {
2474 return false;
2475 }
2476
2477 if (req->wct < 2) {
2478 /*
2479 * Okay, an illegal request, but definitely not chained :-)
2480 */
2481 return false;
2482 }
2483
2484 return (CVAL(req->vwv+0, 0) != 0xFF);
2485 }
kamenim's samba4 branches