search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
mount.cifs: don't allow it to be run as setuid root program
[Samba/nascimento.git] / source3 / smbd / smb2_lock.c
blob908e1cf8a4d575a640120d1467eedb199477dc78
1 /*
2 Unix SMB/CIFS implementation.
3 Core SMB2 server
4
5 Copyright (C) Stefan Metzmacher 2009
6
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
11
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
16
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23 #include "../libcli/smb/smb_common.h"
24
25 struct smbd_smb2_lock_element {
26 uint64_t offset;
27 uint64_t length;
28 uint32_t flags;
29 };
30
31 static struct tevent_req *smbd_smb2_lock_send(TALLOC_CTX *mem_ctx,
32 struct tevent_context *ev,
33 struct smbd_smb2_request *smb2req,
34 uint32_t in_smbpid,
35 uint64_t in_file_id_volatile,
36 uint16_t in_lock_count,
37 struct smbd_smb2_lock_element *in_locks);
38 static NTSTATUS smbd_smb2_lock_recv(struct tevent_req *req);
39
40 static void smbd_smb2_request_lock_done(struct tevent_req *subreq);
41 NTSTATUS smbd_smb2_request_process_lock(struct smbd_smb2_request *req)
42 {
43 const uint8_t *inhdr;
44 const uint8_t *inbody;
45 const int i = req->current_idx;
46 size_t expected_body_size = 0x30;
47 size_t body_size;
48 uint32_t in_smbpid;
49 uint16_t in_lock_count;
50 uint64_t in_file_id_persistent;
51 uint64_t in_file_id_volatile;
52 struct smbd_smb2_lock_element *in_locks;
53 struct tevent_req *subreq;
54 const uint8_t *lock_buffer;
55 uint16_t l;
56
57 inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
58 if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
59 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
60 }
61
62 inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
63
64 body_size = SVAL(inbody, 0x00);
65 if (body_size != expected_body_size) {
66 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
67 }
68
69 in_smbpid = IVAL(inhdr, SMB2_HDR_PID);
70
71 in_lock_count = CVAL(inbody, 0x02);
72 /* 0x04 - 4 bytes reserved */
73 in_file_id_persistent = BVAL(inbody, 0x08);
74 in_file_id_volatile = BVAL(inbody, 0x10);
75
76 if (in_lock_count < 1) {
77 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
78 }
79
80 if (((in_lock_count - 1) * 0x18) > req->in.vector[i+2].iov_len) {
81 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
82 }
83
84 if (req->compat_chain_fsp) {
85 /* skip check */
86 } else if (in_file_id_persistent != 0) {
87 return smbd_smb2_request_error(req, NT_STATUS_FILE_CLOSED);
88 }
89
90 in_locks = talloc_array(req, struct smbd_smb2_lock_element,
91 in_lock_count);
92 if (in_locks == NULL) {
93 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
94 }
95
96 l = 0;
97 lock_buffer = inbody + 0x18;
98
99 in_locks[l].offset = BVAL(lock_buffer, 0x00);
100 in_locks[l].length = BVAL(lock_buffer, 0x08);
101 in_locks[l].flags = IVAL(lock_buffer, 0x10);
102 /* 0x14 - 4 reserved bytes */
103
104 lock_buffer = (const uint8_t *)req->in.vector[i+2].iov_base;
105
106 for (l=1; l < in_lock_count; l++) {
107 in_locks[l].offset = BVAL(lock_buffer, 0x00);
108 in_locks[l].length = BVAL(lock_buffer, 0x08);
109 in_locks[l].flags = IVAL(lock_buffer, 0x10);
110 /* 0x14 - 4 reserved bytes */
111
112 lock_buffer += 0x18;
113 }
114
115 subreq = smbd_smb2_lock_send(req,
116 req->sconn->smb2.event_ctx,
117 req,
118 in_smbpid,
119 in_file_id_volatile,
120 in_lock_count,
121 in_locks);
122 if (subreq == NULL) {
123 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
124 }
125 tevent_req_set_callback(subreq, smbd_smb2_request_lock_done, req);
126
127 return smbd_smb2_request_pending_queue(req, subreq);
128 }
129
130 static void smbd_smb2_request_lock_done(struct tevent_req *subreq)
131 {
132 struct smbd_smb2_request *req = tevent_req_callback_data(subreq,
133 struct smbd_smb2_request);
134 DATA_BLOB outbody;
135 NTSTATUS status;
136 NTSTATUS error; /* transport error */
137
138 status = smbd_smb2_lock_recv(subreq);
139 TALLOC_FREE(subreq);
140 if (!NT_STATUS_IS_OK(status)) {
141 error = smbd_smb2_request_error(req, status);
142 if (!NT_STATUS_IS_OK(error)) {
143 smbd_server_connection_terminate(req->sconn,
144 nt_errstr(error));
145 return;
146 }
147 return;
148 }
149
150 outbody = data_blob_talloc(req->out.vector, NULL, 0x04);
151 if (outbody.data == NULL) {
152 error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
153 if (!NT_STATUS_IS_OK(error)) {
154 smbd_server_connection_terminate(req->sconn,
155 nt_errstr(error));
156 return;
157 }
158 return;
159 }
160
161 SSVAL(outbody.data, 0x00, 0x04); /* struct size */
162 SSVAL(outbody.data, 0x02, 0); /* reserved */
163
164 error = smbd_smb2_request_done(req, outbody, NULL);
165 if (!NT_STATUS_IS_OK(error)) {
166 smbd_server_connection_terminate(req->sconn,
167 nt_errstr(error));
168 return;
169 }
170 }
171
172 struct smbd_smb2_lock_state {
173 struct smbd_smb2_request *smb2req;
174 };
175
176 static struct tevent_req *smbd_smb2_lock_send(TALLOC_CTX *mem_ctx,
177 struct tevent_context *ev,
178 struct smbd_smb2_request *smb2req,
179 uint32_t in_smbpid,
180 uint64_t in_file_id_volatile,
181 uint16_t in_lock_count,
182 struct smbd_smb2_lock_element *in_locks)
183 {
184 struct tevent_req *req;
185 struct smbd_smb2_lock_state *state;
186 struct smb_request *smbreq;
187 connection_struct *conn = smb2req->tcon->compat_conn;
188 files_struct *fsp;
189 int32_t timeout = -1;
190 bool isunlock = false;
191 uint16_t i;
192 struct smbd_lock_element *locks;
193 NTSTATUS status;
194 bool async = false;
195
196 req = tevent_req_create(mem_ctx, &state,
197 struct smbd_smb2_lock_state);
198 if (req == NULL) {
199 return NULL;
200 }
201 state->smb2req = smb2req;
202
203 DEBUG(10,("smbd_smb2_lock_send: file_id[0x%016llX]\n",
204 (unsigned long long)in_file_id_volatile));
205
206 smbreq = smbd_smb2_fake_smb_request(smb2req);
207 if (tevent_req_nomem(smbreq, req)) {
208 return tevent_req_post(req, ev);
209 }
210
211 fsp = file_fsp(smbreq, (uint16_t)in_file_id_volatile);
212 if (fsp == NULL) {
213 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
214 return tevent_req_post(req, ev);
215 }
216 if (conn != fsp->conn) {
217 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
218 return tevent_req_post(req, ev);
219 }
220 if (smb2req->session->vuid != fsp->vuid) {
221 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
222 return tevent_req_post(req, ev);
223 }
224
225 locks = talloc_array(state, struct smbd_lock_element, in_lock_count);
226 if (locks == NULL) {
227 tevent_req_nterror(req, NT_STATUS_NO_MEMORY);
228 return tevent_req_post(req, ev);
229 }
230
231 switch (in_locks[0].flags) {
232 case SMB2_LOCK_FLAG_SHARED:
233 case SMB2_LOCK_FLAG_EXCLUSIVE:
234 if (in_lock_count > 1) {
235 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
236 return tevent_req_post(req, ev);
237 }
238 timeout = -1;
239 break;
240
241 case SMB2_LOCK_FLAG_SHARED|SMB2_LOCK_FLAG_FAIL_IMMEDIATELY:
242 case SMB2_LOCK_FLAG_EXCLUSIVE|SMB2_LOCK_FLAG_FAIL_IMMEDIATELY:
243 timeout = 0;
244 break;
245
246 case SMB2_LOCK_FLAG_UNLOCK:
247 /* only the first lock gives the UNLOCK bit - see
248 MS-SMB2 3.3.5.14 */
249 isunlock = true;
250 timeout = 0;
251 break;
252
253 default:
254 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
255 return tevent_req_post(req, ev);
256 }
257
258 for (i=0; i<in_lock_count; i++) {
259 uint64_t max_count;
260 bool invalid = false;
261
262 switch (in_locks[i].flags) {
263 case SMB2_LOCK_FLAG_SHARED:
264 case SMB2_LOCK_FLAG_EXCLUSIVE:
265 if (i > 0) {
266 tevent_req_nterror(req,
267 NT_STATUS_INVALID_PARAMETER);
268 return tevent_req_post(req, ev);
269 }
270 if (isunlock) {
271 tevent_req_nterror(req,
272 NT_STATUS_INVALID_PARAMETER);
273 return tevent_req_post(req, ev);
274 }
275 break;
276
277 case SMB2_LOCK_FLAG_SHARED|SMB2_LOCK_FLAG_FAIL_IMMEDIATELY:
278 case SMB2_LOCK_FLAG_EXCLUSIVE|SMB2_LOCK_FLAG_FAIL_IMMEDIATELY:
279 if (isunlock) {
280 tevent_req_nterror(req,
281 NT_STATUS_INVALID_PARAMETER);
282 return tevent_req_post(req, ev);
283 }
284 break;
285
286 case SMB2_LOCK_FLAG_UNLOCK:
287 if (!isunlock) {
288 tevent_req_nterror(req,
289 NT_STATUS_INVALID_PARAMETER);
290 return tevent_req_post(req, ev);
291 }
292 break;
293
294 default:
295 if (isunlock) {
296 /*
297 * is the first element was a UNLOCK
298 * we need to deferr the error response
299 * to the backend, because we need to process
300 * all unlock elements before
301 */
302 invalid = true;
303 break;
304 }
305 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
306 return tevent_req_post(req, ev);
307 }
308
309 locks[i].smbpid = in_smbpid;
310 locks[i].offset = in_locks[i].offset;
311 locks[i].count = in_locks[i].length;
312
313 if (in_locks[i].flags & SMB2_LOCK_FLAG_EXCLUSIVE) {
314 locks[i].brltype = WRITE_LOCK;
315 } else if (in_locks[i].flags & SMB2_LOCK_FLAG_SHARED) {
316 locks[i].brltype = READ_LOCK;
317 } else if (invalid) {
318 /*
319 * this is an invalid UNLOCK element
320 * and the backend needs to test for
321 * brltype != UNLOCK_LOCK and return
322 * NT_STATUS_INVALID_PARAMER
323 */
324 locks[i].brltype = READ_LOCK;
325 } else {
326 locks[i].brltype = UNLOCK_LOCK;
327 }
328
329 max_count = UINT64_MAX - locks[i].offset;
330 if (locks[i].count > max_count) {
331 tevent_req_nterror(req, NT_STATUS_INVALID_LOCK_RANGE);
332 return tevent_req_post(req, ev);
333 }
334 }
335
336 if (isunlock) {
337 status = smbd_do_locking(smbreq, fsp,
338 0,
339 timeout,
340 in_lock_count,
341 locks,
342 0,
343 NULL,
344 &async);
345 } else {
346 status = smbd_do_locking(smbreq, fsp,
347 0,
348 timeout,
349 0,
350 NULL,
351 in_lock_count,
352 locks,
353 &async);
354 }
355 if (!NT_STATUS_IS_OK(status)) {
356 if (NT_STATUS_EQUAL(status, NT_STATUS_FILE_LOCK_CONFLICT)) {
357 status = NT_STATUS_LOCK_NOT_GRANTED;
358 }
359 tevent_req_nterror(req, status);
360 return tevent_req_post(req, ev);
361 }
362
363 if (async) {
364 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
365 return tevent_req_post(req, ev);
366 }
367
368 tevent_req_done(req);
369 return tevent_req_post(req, ev);
370 }
371
372 static NTSTATUS smbd_smb2_lock_recv(struct tevent_req *req)
373 {
374 NTSTATUS status;
375
376 if (tevent_req_is_nterror(req, &status)) {
377 tevent_req_received(req);
378 return status;
379 }
380
381 tevent_req_received(req);
382 return NT_STATUS_OK;
383 }