Fix bug #7154 - mangling method = hash can crash storing a name not containing a '.'
[Samba/wip.git] / source3 / smbd / mangle_hash.c
1 /*
2 Unix SMB/CIFS implementation.
3 Name mangling
4 Copyright (C) Andrew Tridgell 1992-2002
5 Copyright (C) Simo Sorce 2001
6 Copyright (C) Andrew Bartlett 2002
7 Copyright (C) Jeremy Allison 2007
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
23 #include "includes.h"
24 #include "smbd/globals.h"
/* -------------------------------------------------------------------------- **
 * Other stuff...
 *
 * magic_char     - The magic char used for mangling.  The functions in this
 *                  file fetch it per share with lp_magicchar(p).
 *
 * MANGLE_BASE    - The number of characters we use for name mangling.  It is
 *                  sizeof(basechars) minus one, i.e. 42.
 *
 * basechars      - The set of characters used for name mangling.  This
 *                  is static (scope is this file only).  The 43-character
 *                  initializer fills the 43-byte array exactly, so no
 *                  terminating NUL is stored: bound every scan of it by
 *                  sizeof(basechars), never by a NUL test alone.
 *
 * mangle()       - Macro used to select a character from basechars (i.e.,
 *                  mangle(n) will return the nth digit, modulo MANGLE_BASE).
 *
 * chartest       - Array 0..255.  The index range is the set of all possible
 *                  values of a byte.  For each byte value, the content is a
 *                  two nibble pair.  See BASECHAR_MASK below.
 *
 * BASECHAR_MASK  - Masks the upper nibble of a one-byte value.
 *
 * isbasechar()   - Given a character, check the chartest array to see
 *                  if that character is in the basechars set.  The argument
 *                  is reduced to 0..255 before indexing, so a negative char
 *                  cannot index in front of the table.  chartest must have
 *                  been set up by init_chartest() before this is used.
 *
 * -------------------------------------------------------------------------- **
 */

static const char basechars[43] = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ_-!@#$%";

#define BASECHAR_MASK 0xf0
#define MANGLE_BASE (sizeof(basechars) / sizeof(char) - 1)

#define isbasechar(C) ( (chartest[ ((C) & 0xff) ]) & BASECHAR_MASK )
#define mangle(V) ((char)(basechars[(V) % MANGLE_BASE]))
63 /* -------------------------------------------------------------------- */
/*
 * Check that every character of a UCS2 string is acceptable in an 8.3 name.
 *
 * Returns NT_STATUS_INVALID_PARAMETER for an empty string,
 * NT_STATUS_UNSUCCESSFUL if the string holds a wildcard while
 * allow_wildcards is false or holds a character isvalid83_w() rejects,
 * and NT_STATUS_OK otherwise.  s must not be NULL.
 */
static NTSTATUS has_valid_83_chars(const smb_ucs2_t *s, bool allow_wildcards)
{
	const smb_ucs2_t *cur;

	if (*s == 0) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	if (!allow_wildcards && ms_has_wild_w(s)) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	for (cur = s; *cur != 0; cur++) {
		if (!isvalid83_w(*cur)) {
			return NT_STATUS_UNSUCCESSFUL;
		}
	}

	return NT_STATUS_OK;
}
/*
 * Reject names holding characters that are never legal in a file name.
 *
 * Returns NT_STATUS_UNSUCCESSFUL if the string holds a wildcard while
 * allow_wildcards is false, a control character (<= 0x1f), or one of
 * '\\', '/', '|', ':'.  Returns NT_STATUS_OK otherwise, including for an
 * empty string.  s must not be NULL.
 */
static NTSTATUS has_illegal_chars(const smb_ucs2_t *s, bool allow_wildcards)
{
	const smb_ucs2_t *cur;

	if (!allow_wildcards && ms_has_wild_w(s)) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	for (cur = s; *cur != 0; cur++) {
		const smb_ucs2_t c = *cur;

		if (c <= 0x1f) {
			/* Control characters. */
			return NT_STATUS_UNSUCCESSFUL;
		}

		/* Path separators, the pipe and the stream/drive separator. */
		if (c == UCS2_CHAR('\\') || c == UCS2_CHAR('/') ||
		    c == UCS2_CHAR('|') || c == UCS2_CHAR(':')) {
			return NT_STATUS_UNSUCCESSFUL;
		}
	}

	return NT_STATUS_OK;
}
/*
 * Split a UCS2 name into prefix and extension.
 *
 * On NT_STATUS_OK, *prefix is a strdup_w() copy the caller must free and
 * *extension is either NULL or a second such copy.  The name is split at
 * its last '.' only when the part after it is 1 to 3 characters long,
 * passes has_valid_83_chars() and the '.' is not the first character;
 * otherwise *prefix holds the whole name and *extension stays NULL.
 *
 * On NT_STATUS_NO_MEMORY nothing is left allocated for the caller.
 */
static NTSTATUS mangle_get_prefix(const smb_ucs2_t *ucs2_string, smb_ucs2_t **prefix,
		smb_ucs2_t **extension, bool allow_wildcards)
{
	smb_ucs2_t *dot;
	size_t ext_len;

	*extension = 0;
	*prefix = strdup_w(ucs2_string);
	if (*prefix == NULL) {
		return NT_STATUS_NO_MEMORY;
	}

	dot = strrchr_w(*prefix, UCS2_CHAR('.'));
	if (dot == NULL) {
		return NT_STATUS_OK;
	}

	ext_len = strlen_w(dot + 1);
	if (ext_len == 0 || ext_len >= 4 || dot == *prefix) {
		return NT_STATUS_OK;
	}

	/* check extension */
	if (!NT_STATUS_IS_OK(has_valid_83_chars(dot + 1, allow_wildcards))) {
		return NT_STATUS_OK;
	}

	/* Cut the prefix at the dot, then copy what follows it. */
	*dot = 0;
	*extension = strdup_w(dot + 1);
	if (*extension == NULL) {
		SAFE_FREE(*prefix);
		return NT_STATUS_NO_MEMORY;
	}

	return NT_STATUS_OK;
}
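/* ************************************************************************** **
 * Return NT_STATUS_UNSUCCESSFUL if a name is a special msdos reserved name
 * or contains illegal characters.
 *
 *  Input:  fname           - String containing the name to be tested.
 *          allow_wildcards - If false, a name holding wildcards is rejected.
 *          only_8_3        - If true, every character must also pass
 *                            has_valid_83_chars().
 *
 *  Output: NT_STATUS_INVALID_PARAMETER for a NULL or empty name,
 *          NT_STATUS_NO_MEMORY if the working copy cannot be allocated,
 *          NT_STATUS_UNSUCCESSFUL if the condition above is true,
 *          NT_STATUS_OK otherwise.
 *
 *  Notes:  This is a static function called by is_8_3_w(), must_mangle()
 *          and hash_name_to_8_3(), below.  The reserved names matched are
 *          AUX, CLOCK$, CON, COM1-COM4, LPT1-LPT3, NUL and PRN, compared
 *          case-insensitively against the part of the name before the
 *          first '.'.
 *
 * ************************************************************************** **
 */

static NTSTATUS is_valid_name(const smb_ucs2_t *fname, bool allow_wildcards, bool only_8_3)
{
	smb_ucs2_t *str, *p;
	size_t num_ucs2_chars;
	NTSTATUS ret = NT_STATUS_OK;

	if (!fname || !*fname)
		return NT_STATUS_INVALID_PARAMETER;

	/* . and .. are valid names. */
	if (strcmp_wa(fname, ".")==0 || strcmp_wa(fname, "..")==0)
		return NT_STATUS_OK;

	if (only_8_3) {
		ret = has_valid_83_chars(fname, allow_wildcards);
		if (!NT_STATUS_IS_OK(ret))
			return ret;
	}

	ret = has_illegal_chars(fname, allow_wildcards);
	if (!NT_STATUS_IS_OK(ret))
		return ret;

	/* Name can't end in '.' or ' ' */
	/* fname is non-empty here, so num_ucs2_chars-1 cannot wrap. */
	num_ucs2_chars = strlen_w(fname);
	if (fname[num_ucs2_chars-1] == UCS2_CHAR('.') || fname[num_ucs2_chars-1] == UCS2_CHAR(' ')) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	str = strdup_w(fname);
	if (str == NULL) {
		/*
		 * Without this check an allocation failure is
		 * dereferenced just below.  Every caller in this file
		 * only tests NT_STATUS_IS_OK(), so a new failure code
		 * is handled like any other rejection.
		 */
		return NT_STATUS_NO_MEMORY;
	}

	/* Truncate copy after the first dot. */
	p = strchr_w(str, UCS2_CHAR('.'));
	if (p) {
		*p = 0;
	}

	strupper_w(str);
	p = &str[1];

	switch(str[0])
	{
	case UCS2_CHAR('A'):
		if(strcmp_wa(p, "UX") == 0)
			ret = NT_STATUS_UNSUCCESSFUL;
		break;
	case UCS2_CHAR('C'):
		if((strcmp_wa(p, "LOCK$") == 0)
		|| (strcmp_wa(p,  "ON") == 0)
		|| (strcmp_wa(p,  "OM1") == 0)
		|| (strcmp_wa(p,  "OM2") == 0)
		|| (strcmp_wa(p,  "OM3") == 0)
		|| (strcmp_wa(p,  "OM4") == 0)
		  )
			ret = NT_STATUS_UNSUCCESSFUL;
		break;
	case UCS2_CHAR('L'):
		if((strcmp_wa(p,  "PT1") == 0)
		|| (strcmp_wa(p,  "PT2") == 0)
		|| (strcmp_wa(p,  "PT3") == 0)
		  )
			ret = NT_STATUS_UNSUCCESSFUL;
		break;
	case UCS2_CHAR('N'):
		if(strcmp_wa(p, "UL") == 0)
			ret = NT_STATUS_UNSUCCESSFUL;
		break;
	case UCS2_CHAR('P'):
		if(strcmp_wa(p, "RN") == 0)
			ret = NT_STATUS_UNSUCCESSFUL;
		break;
	default:
		break;
	}

	SAFE_FREE(str);
	return ret;
}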
/*
 * Decide whether a UCS2 name already has 8.3 form.
 *
 * Returns NT_STATUS_INVALID_PARAMETER for a NULL or empty name and
 * NT_STATUS_OK for "." and "..".  Any other name must be at most 12
 * characters, must not start with '.', must pass is_valid_name() in 8.3
 * mode, and must split into a dot-free prefix of 1 to 8 characters plus
 * an optional extension of at most 3.  Everything else yields
 * NT_STATUS_UNSUCCESSFUL, including an allocation failure in a helper.
 */
static NTSTATUS is_8_3_w(const smb_ucs2_t *fname, bool allow_wildcards)
{
	smb_ucs2_t *pref = 0;
	smb_ucs2_t *ext = 0;
	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
	size_t plen;

	if (fname == NULL || *fname == 0) {
		return NT_STATUS_INVALID_PARAMETER;
	}

	if (strlen_w(fname) > 12) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	if (strcmp_wa(fname, ".") == 0 || strcmp_wa(fname, "..") == 0) {
		return NT_STATUS_OK;
	}

	/* Name cannot start with '.' */
	if (*fname == UCS2_CHAR('.')) {
		return NT_STATUS_UNSUCCESSFUL;
	}

	if (NT_STATUS_IS_OK(is_valid_name(fname, allow_wildcards, True)) &&
	    NT_STATUS_IS_OK(mangle_get_prefix(fname, &pref, &ext, allow_wildcards))) {
		plen = strlen_w(pref);

		if (strchr_wa(pref, '.') == NULL &&
		    plen >= 1 && plen <= 8 &&
		    (ext == NULL || strlen_w(ext) <= 3)) {
			ret = NT_STATUS_OK;
		}
	}

	/* Both pointers are NULL unless mangle_get_prefix() filled them. */
	SAFE_FREE(pref);
	SAFE_FREE(ext);
	return ret;
}
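/*
 * Return True if the last path component of fname is already a valid
 * 8.3 name.
 *
 * fname           - Unix path name; only the part after the last '/' is
 *                   tested.  NULL or empty yields False.
 * check_case      - Not referenced by this implementation.
 * allow_wildcards - Passed through to is_8_3_w().
 * p               - Share parameters, used only to read the magic char.
 *
 * A charset conversion failure is logged and reported as False.
 */
static bool is_8_3(const char *fname, bool check_case, bool allow_wildcards,
		   const struct share_params *p)
{
	const char *f;
	/*
	 * Start from NULL: the failure path below reaches TALLOC_FREE()
	 * without anything in this function having assigned the pointer,
	 * and freeing an indeterminate pointer is the same class of bug
	 * as #7154.  The sibling callers of push_ucs2_talloc() in this
	 * file initialise theirs the same way.
	 */
	smb_ucs2_t *ucs2name = NULL;
	NTSTATUS ret = NT_STATUS_UNSUCCESSFUL;
	size_t size;
	char magic_char;

	magic_char = lp_magicchar(p);

	if (!fname || !*fname)
		return False;

	/* Only the final component matters. */
	f = strrchr(fname, '/');
	if (f == NULL)
		f = fname;
	else
		f++;

	/* Cheap byte-length rejection before converting anything. */
	if (strlen(f) > 12)
		return False;

	if (!push_ucs2_talloc(NULL, &ucs2name, f, &size)) {
		DEBUG(0,("is_8_3: internal error push_ucs2_talloc() failed!\n"));
		goto done;
	}

	ret = is_8_3_w(ucs2name, allow_wildcards);

done:
	TALLOC_FREE(ucs2name);

	if (!NT_STATUS_IS_OK(ret)) {
		return False;
	}

	return True;
}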
310 /* -------------------------------------------------------------------------- **
311 * Functions...
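/* ************************************************************************** **
 * Initialize the static character test array.
 *
 *  Input:  none
 *
 *  Output: none
 *
 *  Notes:  This function changes (loads) the contents of the <chartest>
 *          array: after it returns, the BASECHAR_MASK bits are set for
 *          exactly the bytes listed in basechars and every other entry
 *          is zero.
 *
 * ************************************************************************** **
 */

static void init_chartest( void )
{
	size_t i;

	chartest = SMB_MALLOC_ARRAY(unsigned char, 256);

	SMB_ASSERT(chartest != NULL);

	/*
	 * The loop below only ORs bits in, so the table must start out
	 * cleared.  SMB_MALLOC_ARRAY is defined outside this file and
	 * nothing here shows it zeroing the buffer; without the memset
	 * isbasechar() could answer from whatever the allocator left
	 * behind.
	 */
	memset(chartest, 0, 256);

	/*
	 * basechars is a 43-byte array filled by a 43-character literal,
	 * so it has no terminating NUL.  Bound the walk by the array size
	 * instead of scanning for a terminator, which would read past the
	 * end of the array.  The NUL test stays in case the array is ever
	 * enlarged.
	 */
	for (i = 0; i < sizeof(basechars) && basechars[i] != '\0'; i++) {
		chartest[(unsigned char)basechars[i]] |= BASECHAR_MASK;
	}
}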
/* ************************************************************************** **
 * Return True if the name *could be* a mangled name.
 *
 *  Input:  s - A path name - in UNIX pathname format.
 *          p - Share parameters, used to read the magic char.
 *
 *  Output: True if the name matches the pattern described below in the
 *          notes, else False.
 *
 *  Notes:  The input name is *not* tested for 8.3 compliance.  This must be
 *          done separately.  This function returns true if the name contains
 *          a magic character followed by exactly two characters from the
 *          basechars list (above), which in turn are followed either by the
 *          nul (end of string) byte or a dot (extension) or by a '/' (end of
 *          a directory name).  The chartest table is built on first use.
 *
 * ************************************************************************** **
 */

static bool is_mangled(const char *s, const struct share_params *p)
{
	const char magic_char = lp_magicchar(p);
	char *magic;

	if (chartest == NULL) {
		init_chartest();
	}

	/*
	 * Visit every magic char that still has two bytes after it.  The
	 * loop condition proves magic[1] and magic[2] are non-nul, so
	 * magic[3] is at worst the terminator and still inside the string.
	 */
	for (magic = strchr_m(s, magic_char);
	     magic != NULL && magic[1] != '\0' && magic[2] != '\0';
	     magic = strchr_m(magic + 1, magic_char)) {
		const char tail = magic[3];

		/* Must end with '.' or nul or '/'. */
		if (tail != '.' && tail != '/' && tail != '\0') {
			continue;
		}
		/* 2nd and 3rd chars must both be basechars. */
		if (!isbasechar(toupper_ascii(magic[1]))) {
			continue;
		}
		if (!isbasechar(toupper_ascii(magic[2]))) {
			continue;
		}
		return True;
	}

	return False;
}
/***************************************************************************
 Initializes or clears the mangled cache.

 This implementation does nothing: the cache tdb is left as it is.
***************************************************************************/

static void mangle_reset( void )
{
	/*
	 * We could close and re-open the tdb here... should we ?
	 * The old code did the equivalent... JRA.
	 */
}
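/***************************************************************************
 Add a mangled name into the cache.
 If the extension of the raw name maps directly to the
 extension of the mangled name, then we'll store both names
 *without* extensions.  That way, we can provide consistent
 reverse mangling for all names that match.  The test here is
 a bit more careful than the one done in earlier versions of
 mangle.c:

    - the extension must exist on the raw name,
    - it must be all lower case
    - it must match the mangled extension (to prove that no
      mangling occurred).

 raw_name is declared const but is temporarily truncated in place when
 the extensions match, so it must point at writable storage.  It is
 restored before returning.

  crh 07-Apr-1998
 **************************************************************************/

static void cache_mangled_name( const char mangled_name[13],
				const char *raw_name )
{
	TDB_DATA data_val;
	char mangled_name_key[13];
	char *s1 = NULL;
	char *s2 = NULL;
	bool raw_truncated = False;

	/* If the cache isn't initialized, give up. */
	if( !tdb_mangled_cache )
		return;

	/* Work on a private copy of the key; it may get truncated below. */
	safe_strcpy(mangled_name_key, mangled_name, sizeof(mangled_name_key)-1);

	/* See if the extensions are unmangled.  If so, store the entry
	 * without the extension, thus creating a "group" reverse map.
	 */
	s1 = strrchr( mangled_name_key, '.' );
	if( s1 && (s2 = strrchr( raw_name, '.' )) ) {
		size_t i = 1;
		while( s1[i] && (tolower_ascii( s1[i] ) == s2[i]) )
			i++;
		if( !s1[i] && !s2[i] ) {
			/* Truncate at the '.' */
			*s1 = '\0';
			/*
			 * DANGER WILL ROBINSON - this
			 * is changing a const string via
			 * an aliased pointer ! Remember to
			 * put it back once we've used it.
			 * JRA
			 */
			*s2 = '\0';
			raw_truncated = True;
		}
	}

	/* Store the (possibly truncated) pair.  A failed store is only logged. */
	data_val = string_term_tdb_data(raw_name);
	if (tdb_store_bystring(tdb_mangled_cache, mangled_name_key, data_val, TDB_REPLACE) != 0) {
		DEBUG(0,("cache_mangled_name: Error storing entry %s -> %s\n", mangled_name_key, raw_name));
	} else {
		DEBUG(5,("cache_mangled_name: Stored entry %s -> %s\n", mangled_name_key, raw_name));
	}

	/*
	 * Restore the change we made to the const string, and only if we
	 * made one: writing through the const pointer when nothing was
	 * truncated is a needless store into caller-owned memory.
	 */
	if (raw_truncated) {
		*s2 = '.';
	}
}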
/* ************************************************************************** **
 * Look up the long name for a mangled name in the mangled name cache.
 *
 *  Input:  ctx - talloc context that owns the result.
 *          in  - The mangled (8.3) name to look up.
 *          out - Receives the long name, talloced on ctx.  Written only
 *                when a cache entry was found.
 *          p   - Share parameters (only the magic char is read).
 *
 *  Output: True if the name was found in the cache and could be copied,
 *          else False.
 *
 *  Notes:  The name is tried as given first.  If that misses and the name
 *          has a '.', the part from the last '.' on is cut off, the lookup
 *          is retried, and on a hit that same suffix is appended to the
 *          stored long name.
 *          NOTE(review): the fetched record is used as a C string without
 *          checking that it ends in a NUL inside dsize.  That presumably
 *          holds because entries are written with string_term_tdb_data();
 *          confirm nothing else writes to this tdb.
 *
 * ************************************************************************** **
 */

static bool lookup_name_from_8_3(TALLOC_CTX *ctx,
			const char *in,
			char **out, /* talloced on the given context. */
			const struct share_params *p)
{
	TDB_DATA data_val;
	char *saved_ext = NULL;
	char *key = talloc_strdup(ctx, in);
	char *ext_start;
	char magic_char;

	magic_char = lp_magicchar(p);

	/* If the cache isn't initialized, give up. */
	if (key == NULL || !tdb_mangled_cache) {
		TALLOC_FREE(key);
		return False;
	}

	data_val = tdb_fetch_bystring(tdb_mangled_cache, key);

	/* If we didn't find the name *with* the extension, try without. */
	if ((data_val.dptr == NULL || data_val.dsize == 0) &&
	    (ext_start = strrchr(key, '.')) != NULL) {
		saved_ext = talloc_strdup(ctx, ext_start);
		if (saved_ext == NULL) {
			TALLOC_FREE(key);
			return False;
		}

		/*
		 * From here on key is the name without the extension.
		 * The extension is re-added from saved_ext further down.
		 */
		*ext_start = '\0';
		data_val = tdb_fetch_bystring(tdb_mangled_cache, key);
	}

	/* Okay, if we haven't found it we're done. */
	if (data_val.dptr == NULL || data_val.dsize == 0) {
		TALLOC_FREE(saved_ext);
		TALLOC_FREE(key);
		return False;
	}

	/* If we *did* find it, we need to talloc it on the given ctx. */
	*out = (saved_ext != NULL)
		? talloc_asprintf(ctx, "%s%s", (char *)data_val.dptr, saved_ext)
		: talloc_strdup(ctx, (char *)data_val.dptr);

	TALLOC_FREE(key);
	TALLOC_FREE(saved_ext);
	SAFE_FREE(data_val.dptr);

	return (*out != NULL) ? True : False;
}
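/*****************************************************************************
 Do the actual mangling to 8.3 format.

 magic_char   - Separator placed between the base and the two hash digits.
 in           - The long name.
 out          - Receives the mangled name: up to 5 base characters, the
                magic char, two hash digits and, if there is one, '.' plus
                up to 3 extension characters.  Always NUL-terminated on
                success; at most 13 bytes are written.
 default_case - Passed to strisnormal() when deciding whether the
                extension takes part in the checksum.

 Returns False only if the working copy of the name cannot be allocated.
*****************************************************************************/

static bool to_8_3(char magic_char, const char *in, char out[13], int default_case)
{
	int csum;
	char *p;
	char extension[4];
	char base[9];
	int baselen = 0;
	int extlen = 0;
	char *s = SMB_STRDUP(in);

	extension[0] = 0;
	base[0] = 0;

	if (!s) {
		return False;
	}

	/*
	 * Checksum the name.  A short extension that is already in the
	 * default case is left out of the checksum.
	 */
	p = strrchr(s,'.');
	if( p && (strlen(p+1) < (size_t)4) ) {
		bool all_normal = ( strisnormal(p+1, default_case) ); /* XXXXXXXXX */

		if( all_normal && p[1] != 0 ) {
			*p = 0;
			csum = str_checksum( s );
			*p = '.';
		} else
			csum = str_checksum(s);
	} else
		csum = str_checksum(s);

	strupper_m( s );

	if( p ) {
		if( p == s )
			/* The name starts with its only '.'. */
			safe_strcpy( extension, "___", 3 );
		else {
			*p++ = 0;
			while( *p && extlen < 3 ) {
				if ( *p != '.') {
					extension[extlen++] = p[0];
				}
				p++;
			}
			extension[extlen] = 0;
		}
	}

	/*
	 * isbasechar() indexes chartest, which is otherwise only built
	 * lazily by is_mangled().  Build it here too so that mangling a
	 * name before any is_mangled() call does not go through a NULL
	 * table.
	 */
	if (chartest == NULL) {
		init_chartest();
	}

	p = s;

	while( *p && baselen < 5 ) {
		if (isbasechar(*p)) {
			base[baselen++] = p[0];
		}
		p++;
	}
	base[baselen] = 0;

	csum = csum % (MANGLE_BASE*MANGLE_BASE);

	memcpy(out, base, baselen);
	out[baselen] = magic_char;
	out[baselen+1] = mangle( csum/MANGLE_BASE );
	out[baselen+2] = mangle( csum );

	if( *extension ) {
		out[baselen+3] = '.';
		safe_strcpy(&out[baselen+4], extension, 3);
	} else {
		/*
		 * Terminate the result ourselves.  The caller in this file
		 * passes out straight on as a C string (copied as a cache
		 * key, printed with %s), so it must not depend on the
		 * buffer having been zeroed beforehand.
		 */
		out[baselen+3] = 0;
	}

	SAFE_FREE(s);
	return True;
}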
/*
 * Return True if name is not acceptable as it stands and so has to be
 * mangled.  A charset conversion failure is logged and reported as False.
 */
static bool must_mangle(const char *name,
			const struct share_params *p)
{
	smb_ucs2_t *name_ucs2 = NULL;
	size_t converted_size;
	NTSTATUS status;
	char magic_char;

	magic_char = lp_magicchar(p);

	if (!push_ucs2_talloc(NULL, &name_ucs2, name, &converted_size)) {
		DEBUG(0, ("push_ucs2_talloc failed!\n"));
		return False;
	}

	/* No wildcards allowed, and not restricted to 8.3 characters. */
	status = is_valid_name(name_ucs2, False, False);
	TALLOC_FREE(name_ucs2);

	/* We return true if we *must* mangle, so if it's
	 * a valid name (status == OK) then we must return
	 * false. Bug #6939. */
	if (NT_STATUS_IS_OK(status)) {
		return False;
	}
	return True;
}
/*****************************************************************************
 * Convert a filename to DOS format.  Return True if successful.
 *  Input:  in        Incoming name.
 *
 *          out       8.3 DOS name.
 *
 *          cache83 - Documented as: if False, the mangled name cache will
 *                    not be updated, to avoid overwriting a conflicting
 *                    cache entry prematurely, i.e. before we know whether
 *                    the client is really interested in the current name.
 *                    (See PR#13758).  UKD.
 *                    NOTE(review): in this function the flag is only
 *                    logged; cache_mangled_name() runs for every mangled
 *                    name regardless.  Confirm which one is intended.
 *
 *          default_case - Passed through to to_8_3().
 *
 *          p         Share parameters, used to read the magic char.
 *
 * ****************************************************************************
 */

static bool hash_name_to_8_3(const char *in,
			char out[13],
			bool cache83,
			int default_case,
			const struct share_params *p)
{
	smb_ucs2_t *in_ucs2 = NULL;
	size_t converted_size;
	char magic_char;
	bool already_8_3;

	magic_char = lp_magicchar(p);

	DEBUG(5,("hash_name_to_8_3( %s, cache83 = %s)\n", in,
		 cache83 ? "True" : "False"));

	if (!push_ucs2_talloc(NULL, &in_ucs2, in, &converted_size)) {
		DEBUG(0, ("push_ucs2_talloc failed!\n"));
		return False;
	}

	already_8_3 = NT_STATUS_IS_OK(is_valid_name(in_ucs2, False, False)) &&
		      NT_STATUS_IS_OK(is_8_3_w(in_ucs2, False));

	/* The converted copy is only needed for the two checks above. */
	TALLOC_FREE(in_ucs2);

	/* If it's already 8.3, just copy. */
	if (already_8_3) {
		/* 12 is the limit handed to safe_strcpy for the 13-byte out. */
		safe_strcpy(out, in, 12);
		return True;
	}

	if (!to_8_3(magic_char, in, out, default_case)) {
		return False;
	}

	cache_mangled_name(out, in);

	DEBUG(5,("hash_name_to_8_3(%s) ==> [%s]\n", in, out));
	return True;
}
/*
  The following provides the abstraction layer to make it easier
  to drop in an alternative mangling implementation.

  The initializers are positional, so their order has to follow the
  member order of struct mangle_fns, which is declared outside this file.
*/
static const struct mangle_fns mangle_hash_fns = {
	mangle_reset,
	is_mangled,
	must_mangle,
	is_8_3,
	lookup_name_from_8_3,
	hash_name_to_8_3
};
/*
 * Return the methods for this mangling implementation.
 *
 * Also opens the mangled-name cache.  The result of tdb_open_ex() is not
 * checked here; the cache functions in this file test tdb_mangled_cache
 * and skip the cache when it is NULL.
 */
const struct mangle_fns *mangle_hash_init(void)
{
	const int hash_size = 1031;
	const int open_flags = (O_RDWR|O_CREAT);

	mangle_reset();

	/* Create the in-memory tdb using our custom hash function. */
	tdb_mangled_cache = tdb_open_ex("mangled_cache", hash_size, TDB_INTERNAL,
				open_flags, 0644, NULL, fast_string_hash);

	return &mangle_hash_fns;
}