1/* 2 Unix SMB/CIFS implementation. 3 process incoming packets - main loop 4 Copyright (C) Andrew Tridgell 1992-1998 5 Copyright (C) Volker Lendecke 2005-2007 6 7 This program is free software; you can redistribute it and/or modify 8 it under the terms of the GNU General Public License as published by 9 the Free Software Foundation; either version 3 of the License, or 10 (at your option) any later version. 11 12 This program is distributed in the hope that it will be useful, 13 but WITHOUT ANY WARRANTY; without even the implied warranty of 14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 GNU General Public License for more details. 16 17 You should have received a copy of the GNU General Public License 18 along with this program. If not, see <http://www.gnu.org/licenses/>. 19*/ 20 21#include "includes.h" 22#include "smbd/globals.h" 23#include "../librpc/gen_ndr/srv_dfs.h" 24#include "../librpc/gen_ndr/srv_dssetup.h" 25#include "../librpc/gen_ndr/srv_echo.h" 26#include "../librpc/gen_ndr/srv_eventlog.h" 27#include "../librpc/gen_ndr/srv_initshutdown.h" 28#include "../librpc/gen_ndr/srv_lsa.h" 29#include "../librpc/gen_ndr/srv_netlogon.h" 30#include "../librpc/gen_ndr/srv_ntsvcs.h" 31#include "../librpc/gen_ndr/srv_samr.h" 32#include "../librpc/gen_ndr/srv_spoolss.h" 33#include "../librpc/gen_ndr/srv_srvsvc.h" 34#include "../librpc/gen_ndr/srv_svcctl.h" 35#include "../librpc/gen_ndr/srv_winreg.h" 36#include "../librpc/gen_ndr/srv_wkssvc.h" 37 38extern bool global_machine_password_needs_changing; 39 40static void construct_reply_common(struct smb_request *req, const char *inbuf, 41 char *outbuf); 42 43/* Accessor function for smb_read_error for smbd functions. */ 44 45/**************************************************************************** 46 Send an smb to a fd. 47****************************************************************************/ 48 49bool srv_send_smb(int fd, char *buffer, 50 bool do_signing, uint32_t seqnum, 51 bool do_encrypt, 52 struct smb_perfcount_data *pcd) 53{ 54 size_t len = 0; 55 size_t nwritten=0; 56 ssize_t ret; 57 char *buf_out = buffer; 58 59 if (do_signing) { 60 /* Sign the outgoing packet if required. */ 61 srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum); 62 } 63 64 if (do_encrypt) { 65 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out); 66 if (!NT_STATUS_IS_OK(status)) { 67 DEBUG(0, ("send_smb: SMB encryption failed " 68 "on outgoing packet! Error %s\n", 69 nt_errstr(status) )); 70 goto out; 71 } 72 } 73 74 len = smb_len(buf_out) + 4; 75 76 ret = write_data(fd,buf_out+nwritten,len - nwritten); 77 if (ret <= 0) { 78 DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n", 79 (int)len,(int)ret, strerror(errno) )); 80 srv_free_enc_buffer(buf_out); 81 goto out; 82 } 83 84 SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len); 85 srv_free_enc_buffer(buf_out); 86out: 87 SMB_PERFCOUNT_END(pcd); 88 return true; 89} 90 91/******************************************************************* 92 Setup the word count and byte count for a smb message. 93********************************************************************/ 94 95int srv_set_message(char *buf, 96 int num_words, 97 int num_bytes, 98 bool zero) 99{ 100 if (zero && (num_words || num_bytes)) { 101 memset(buf + smb_size,'\0',num_words*2 + num_bytes); 102 } 103 SCVAL(buf,smb_wct,num_words); 104 SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes); 105 smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4)); 106 return (smb_size + num_words*2 + num_bytes); 107} 108 109static bool valid_smb_header(const uint8_t *inbuf) 110{ 111 if (is_encrypted_packet(inbuf)) { 112 return true; 113 } 114 /* 115 * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0) 116 * but it just looks weird to call strncmp for this one. 117 */ 118 return (IVAL(smb_base(inbuf), 0) == 0x424D53FF); 119} 120 121/* Socket functions for smbd packet processing. */ 122 123static bool valid_packet_size(size_t len) 124{ 125 /* 126 * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes 127 * of header. Don't print the error if this fits.... JRA. 128 */ 129 130 if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) { 131 DEBUG(0,("Invalid packet length! (%lu bytes).\n", 132 (unsigned long)len)); 133 return false; 134 } 135 return true; 136} 137 138static NTSTATUS read_packet_remainder(int fd, char *buffer, 139 unsigned int timeout, ssize_t len) 140{ 141 if (len <= 0) { 142 return NT_STATUS_OK; 143 } 144 145 return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL); 146} 147 148/**************************************************************************** 149 Attempt a zerocopy writeX read. We know here that len > smb_size-4 150****************************************************************************/ 151 152/* 153 * Unfortunately, earlier versions of smbclient/libsmbclient 154 * don't send this "standard" writeX header. I've fixed this 155 * for 3.2 but we'll use the old method with earlier versions. 156 * Windows and CIFSFS at least use this standard size. Not 157 * sure about MacOSX. 158 */ 159 160#define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \ 161 (2*14) + /* word count (including bcc) */ \ 162 1 /* pad byte */) 163 164static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx, 165 const char lenbuf[4], 166 int fd, char **buffer, 167 unsigned int timeout, 168 size_t *p_unread, 169 size_t *len_ret) 170{ 171 /* Size of a WRITEX call (+4 byte len). */ 172 char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE]; 173 ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */ 174 ssize_t toread; 175 NTSTATUS status; 176 177 memcpy(writeX_header, lenbuf, 4); 178 179 status = read_fd_with_timeout( 180 fd, writeX_header + 4, 181 STANDARD_WRITE_AND_X_HEADER_SIZE, 182 STANDARD_WRITE_AND_X_HEADER_SIZE, 183 timeout, NULL); 184 185 if (!NT_STATUS_IS_OK(status)) { 186 return status; 187 } 188 189 /* 190 * Ok - now try and see if this is a possible 191 * valid writeX call. 192 */ 193 194 if (is_valid_writeX_buffer((uint8_t *)writeX_header)) { 195 /* 196 * If the data offset is beyond what 197 * we've read, drain the extra bytes. 198 */ 199 uint16_t doff = SVAL(writeX_header,smb_vwv11); 200 ssize_t newlen; 201 202 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) { 203 size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE; 204 if (drain_socket(smbd_server_fd(), drain) != drain) { 205 smb_panic("receive_smb_raw_talloc_partial_read:" 206 " failed to drain pending bytes"); 207 } 208 } else { 209 doff = STANDARD_WRITE_AND_X_HEADER_SIZE; 210 } 211 212 /* Spoof down the length and null out the bcc. */ 213 set_message_bcc(writeX_header, 0); 214 newlen = smb_len(writeX_header); 215 216 /* Copy the header we've written. */ 217 218 *buffer = (char *)TALLOC_MEMDUP(mem_ctx, 219 writeX_header, 220 sizeof(writeX_header)); 221 222 if (*buffer == NULL) { 223 DEBUG(0, ("Could not allocate inbuf of length %d\n", 224 (int)sizeof(writeX_header))); 225 return NT_STATUS_NO_MEMORY; 226 } 227 228 /* Work out the remaining bytes. */ 229 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE; 230 *len_ret = newlen + 4; 231 return NT_STATUS_OK; 232 } 233 234 if (!valid_packet_size(len)) { 235 return NT_STATUS_INVALID_PARAMETER; 236 } 237 238 /* 239 * Not a valid writeX call. Just do the standard 240 * talloc and return. 241 */ 242 243 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4); 244 245 if (*buffer == NULL) { 246 DEBUG(0, ("Could not allocate inbuf of length %d\n", 247 (int)len+4)); 248 return NT_STATUS_NO_MEMORY; 249 } 250 251 /* Copy in what we already read. */ 252 memcpy(*buffer, 253 writeX_header, 254 4 + STANDARD_WRITE_AND_X_HEADER_SIZE); 255 toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE; 256 257 if(toread > 0) { 258 status = read_packet_remainder( 259 fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE, 260 timeout, toread); 261 262 if (!NT_STATUS_IS_OK(status)) { 263 DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n", 264 nt_errstr(status))); 265 return status; 266 } 267 } 268 269 *len_ret = len + 4; 270 return NT_STATUS_OK; 271} 272 273static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd, 274 char **buffer, unsigned int timeout, 275 size_t *p_unread, size_t *plen) 276{ 277 char lenbuf[4]; 278 size_t len; 279 int min_recv_size = lp_min_receive_file_size(); 280 NTSTATUS status; 281 282 *p_unread = 0; 283 284 status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len); 285 if (!NT_STATUS_IS_OK(status)) { 286 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status))); 287 return status; 288 } 289 290 if (CVAL(lenbuf,0) == 0 && min_recv_size && 291 (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */ 292 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) && 293 !srv_is_signing_active(smbd_server_conn)) { 294 295 return receive_smb_raw_talloc_partial_read( 296 mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen); 297 } 298 299 if (!valid_packet_size(len)) { 300 return NT_STATUS_INVALID_PARAMETER; 301 } 302 303 /* 304 * The +4 here can't wrap, we've checked the length above already. 305 */ 306 307 *buffer = TALLOC_ARRAY(mem_ctx, char, len+4); 308 309 if (*buffer == NULL) { 310 DEBUG(0, ("Could not allocate inbuf of length %d\n", 311 (int)len+4)); 312 return NT_STATUS_NO_MEMORY; 313 } 314 315 memcpy(*buffer, lenbuf, sizeof(lenbuf)); 316 317 status = read_packet_remainder(fd, (*buffer)+4, timeout, len); 318 if (!NT_STATUS_IS_OK(status)) { 319 return status; 320 } 321 322 *plen = len + 4; 323 return NT_STATUS_OK; 324} 325 326static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd, 327 char **buffer, unsigned int timeout, 328 size_t *p_unread, bool *p_encrypted, 329 size_t *p_len, 330 uint32_t *seqnum) 331{ 332 size_t len = 0; 333 NTSTATUS status; 334 335 *p_encrypted = false; 336 337 status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout, 338 p_unread, &len); 339 if (!NT_STATUS_IS_OK(status)) { 340 return status; 341 } 342 343 if (is_encrypted_packet((uint8_t *)*buffer)) { 344 status = srv_decrypt_buffer(*buffer); 345 if (!NT_STATUS_IS_OK(status)) { 346 DEBUG(0, ("receive_smb_talloc: SMB decryption failed on " 347 "incoming packet! Error %s\n", 348 nt_errstr(status) )); 349 return status; 350 } 351 *p_encrypted = true; 352 } 353 354 /* Check the incoming SMB signature. */ 355 if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) { 356 DEBUG(0, ("receive_smb: SMB Signature verification failed on " 357 "incoming packet!\n")); 358 return NT_STATUS_INVALID_NETWORK_RESPONSE; 359 } 360 361 *p_len = len; 362 return NT_STATUS_OK; 363} 364 365/* 366 * Initialize a struct smb_request from an inbuf 367 */ 368 369void init_smb_request(struct smb_request *req, 370 const uint8 *inbuf, 371 size_t unread_bytes, 372 bool encrypted) 373{ 374 struct smbd_server_connection *sconn = smbd_server_conn; 375 size_t req_size = smb_len(inbuf) + 4; 376 /* Ensure we have at least smb_size bytes. */ 377 if (req_size < smb_size) { 378 DEBUG(0,("init_smb_request: invalid request size %u\n", 379 (unsigned int)req_size )); 380 exit_server_cleanly("Invalid SMB request"); 381 } 382 req->cmd = CVAL(inbuf, smb_com); 383 req->flags2 = SVAL(inbuf, smb_flg2); 384 req->smbpid = SVAL(inbuf, smb_pid); 385 req->mid = SVAL(inbuf, smb_mid); 386 req->seqnum = 0; 387 req->vuid = SVAL(inbuf, smb_uid); 388 req->tid = SVAL(inbuf, smb_tid); 389 req->wct = CVAL(inbuf, smb_wct); 390 req->vwv = (uint16_t *)(inbuf+smb_vwv); 391 req->buflen = smb_buflen(inbuf); 392 req->buf = (const uint8_t *)smb_buf(inbuf); 393 req->unread_bytes = unread_bytes; 394 req->encrypted = encrypted; 395 req->conn = conn_find(sconn,req->tid); 396 req->chain_fsp = NULL; 397 req->chain_outbuf = NULL; 398 req->done = false; 399 smb_init_perfcount_data(&req->pcd); 400 401 /* Ensure we have at least wct words and 2 bytes of bcc. */ 402 if (smb_size + req->wct*2 > req_size) { 403 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n", 404 (unsigned int)req->wct, 405 (unsigned int)req_size)); 406 exit_server_cleanly("Invalid SMB request"); 407 } 408 /* Ensure bcc is correct. */ 409 if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) { 410 DEBUG(0,("init_smb_request: invalid bcc number %u " 411 "(wct = %u, size %u)\n", 412 (unsigned int)req->buflen, 413 (unsigned int)req->wct, 414 (unsigned int)req_size)); 415 exit_server_cleanly("Invalid SMB request"); 416 } 417 418 req->outbuf = NULL; 419} 420 421static void process_smb(struct smbd_server_connection *conn, 422 uint8_t *inbuf, size_t nread, size_t unread_bytes, 423 uint32_t seqnum, bool encrypted, 424 struct smb_perfcount_data *deferred_pcd); 425 426static void smbd_deferred_open_timer(struct event_context *ev, 427 struct timed_event *te, 428 struct timeval _tval, 429 void *private_data) 430{ 431 struct pending_message_list *msg = talloc_get_type(private_data, 432 struct pending_message_list); 433 TALLOC_CTX *mem_ctx = talloc_tos(); 434 uint16_t mid = SVAL(msg->buf.data,smb_mid); 435 uint8_t *inbuf; 436 437 inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data, 438 msg->buf.length); 439 if (inbuf == NULL) { 440 exit_server("smbd_deferred_open_timer: talloc failed\n"); 441 return; 442 } 443 444 /* We leave this message on the queue so the open code can 445 know this is a retry. */ 446 DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n", 447 (unsigned int)mid )); 448 449 /* Mark the message as processed so this is not 450 * re-processed in error. */ 451 msg->processed = true; 452 453 process_smb(smbd_server_conn, inbuf, 454 msg->buf.length, 0, 455 msg->seqnum, msg->encrypted, &msg->pcd); 456 457 /* If it's still there and was processed, remove it. */ 458 msg = get_open_deferred_message(mid); 459 if (msg && msg->processed) { 460 remove_deferred_open_smb_message(mid); 461 } 462} 463 464/**************************************************************************** 465 Function to push a message onto the tail of a linked list of smb messages ready 466 for processing. 467****************************************************************************/ 468 469static bool push_queued_message(struct smb_request *req, 470 struct timeval request_time, 471 struct timeval end_time, 472 char *private_data, size_t private_len) 473{ 474 int msg_len = smb_len(req->inbuf) + 4; 475 struct pending_message_list *msg; 476 477 msg = TALLOC_ZERO_P(NULL, struct pending_message_list); 478 479 if(msg == NULL) { 480 DEBUG(0,("push_message: malloc fail (1)\n")); 481 return False; 482 } 483 484 msg->buf = data_blob_talloc(msg, req->inbuf, msg_len); 485 if(msg->buf.data == NULL) { 486 DEBUG(0,("push_message: malloc fail (2)\n")); 487 TALLOC_FREE(msg); 488 return False; 489 } 490 491 msg->request_time = request_time; 492 msg->seqnum = req->seqnum; 493 msg->encrypted = req->encrypted; 494 msg->processed = false; 495 SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd); 496 497 if (private_data) { 498 msg->private_data = data_blob_talloc(msg, private_data, 499 private_len); 500 if (msg->private_data.data == NULL) { 501 DEBUG(0,("push_message: malloc fail (3)\n")); 502 TALLOC_FREE(msg); 503 return False; 504 } 505 } 506 507 msg->te = event_add_timed(smbd_event_context(), 508 msg, 509 end_time, 510 smbd_deferred_open_timer, 511 msg); 512 if (!msg->te) { 513 DEBUG(0,("push_message: event_add_timed failed\n")); 514 TALLOC_FREE(msg); 515 return false; 516 } 517 518 DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *); 519 520 DEBUG(10,("push_message: pushed message length %u on " 521 "deferred_open_queue\n", (unsigned int)msg_len)); 522 523 return True; 524} 525 526/**************************************************************************** 527 Function to delete a sharing violation open message by mid. 528****************************************************************************/ 529 530void remove_deferred_open_smb_message(uint16 mid) 531{ 532 struct pending_message_list *pml; 533 534 for (pml = deferred_open_queue; pml; pml = pml->next) { 535 if (mid == SVAL(pml->buf.data,smb_mid)) { 536 DEBUG(10,("remove_deferred_open_smb_message: " 537 "deleting mid %u len %u\n", 538 (unsigned int)mid, 539 (unsigned int)pml->buf.length )); 540 DLIST_REMOVE(deferred_open_queue, pml); 541 TALLOC_FREE(pml); 542 return; 543 } 544 } 545} 546 547/**************************************************************************** 548 Move a sharing violation open retry message to the front of the list and 549 schedule it for immediate processing. 550****************************************************************************/ 551 552void schedule_deferred_open_smb_message(uint16 mid) 553{ 554 struct pending_message_list *pml; 555 int i = 0; 556 557 for (pml = deferred_open_queue; pml; pml = pml->next) { 558 uint16 msg_mid = SVAL(pml->buf.data,smb_mid); 559 560 DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++, 561 (unsigned int)msg_mid )); 562 563 if (mid == msg_mid) { 564 struct timed_event *te; 565 566 if (pml->processed) { 567 /* A processed message should not be 568 * rescheduled. */ 569 DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR " 570 "message mid %u was already processed\n", 571 msg_mid )); 572 continue; 573 } 574 575 DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n", 576 mid )); 577 578 te = event_add_timed(smbd_event_context(), 579 pml, 580 timeval_zero(), 581 smbd_deferred_open_timer, 582 pml); 583 if (!te) { 584 DEBUG(10,("schedule_deferred_open_smb_message: " 585 "event_add_timed() failed, skipping mid %u\n", 586 mid )); 587 } 588 589 TALLOC_FREE(pml->te); 590 pml->te = te; 591 DLIST_PROMOTE(deferred_open_queue, pml); 592 return; 593 } 594 } 595 596 DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n", 597 mid )); 598} 599 600/**************************************************************************** 601 Return true if this mid is on the deferred queue and was not yet processed. 602****************************************************************************/ 603 604bool open_was_deferred(uint16 mid) 605{ 606 struct pending_message_list *pml; 607 608 for (pml = deferred_open_queue; pml; pml = pml->next) { 609 if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) { 610 return True; 611 } 612 } 613 return False; 614} 615 616/**************************************************************************** 617 Return the message queued by this mid. 618****************************************************************************/ 619 620struct pending_message_list *get_open_deferred_message(uint16 mid) 621{ 622 struct pending_message_list *pml; 623 624 for (pml = deferred_open_queue; pml; pml = pml->next) { 625 if (SVAL(pml->buf.data,smb_mid) == mid) { 626 return pml; 627 } 628 } 629 return NULL; 630} 631 632/**************************************************************************** 633 Function to push a deferred open smb message onto a linked list of local smb 634 messages ready for processing. 635****************************************************************************/ 636 637bool push_deferred_smb_message(struct smb_request *req, 638 struct timeval request_time, 639 struct timeval timeout, 640 char *private_data, size_t priv_len) 641{ 642 struct timeval end_time; 643 644 if (req->unread_bytes) { 645 DEBUG(0,("push_deferred_smb_message: logic error ! " 646 "unread_bytes = %u\n", 647 (unsigned int)req->unread_bytes )); 648 smb_panic("push_deferred_smb_message: " 649 "logic error unread_bytes != 0" ); 650 } 651 652 end_time = timeval_sum(&request_time, &timeout); 653 654 DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u " 655 "timeout time [%u.%06u]\n", 656 (unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid, 657 (unsigned int)end_time.tv_sec, 658 (unsigned int)end_time.tv_usec)); 659 660 return push_queued_message(req, request_time, end_time, 661 private_data, priv_len); 662} 663 664struct idle_event { 665 struct timed_event *te; 666 struct timeval interval; 667 char *name; 668 bool (*handler)(const struct timeval *now, void *private_data); 669 void *private_data; 670}; 671 672static void smbd_idle_event_handler(struct event_context *ctx, 673 struct timed_event *te, 674 struct timeval now, 675 void *private_data) 676{ 677 struct idle_event *event = 678 talloc_get_type_abort(private_data, struct idle_event); 679 680 TALLOC_FREE(event->te); 681 682 DEBUG(10,("smbd_idle_event_handler: %s %p called\n", 683 event->name, event->te)); 684 685 if (!event->handler(&now, event->private_data)) { 686 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n", 687 event->name, event->te)); 688 /* Don't repeat, delete ourselves */ 689 TALLOC_FREE(event); 690 return; 691 } 692 693 DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n", 694 event->name, event->te)); 695 696 event->te = event_add_timed(ctx, event, 697 timeval_sum(&now, &event->interval), 698 smbd_idle_event_handler, event); 699 700 /* We can't do much but fail here. */ 701 SMB_ASSERT(event->te != NULL); 702} 703 704struct idle_event *event_add_idle(struct event_context *event_ctx, 705 TALLOC_CTX *mem_ctx, 706 struct timeval interval, 707 const char *name, 708 bool (*handler)(const struct timeval *now, 709 void *private_data), 710 void *private_data) 711{ 712 struct idle_event *result; 713 struct timeval now = timeval_current(); 714 715 result = TALLOC_P(mem_ctx, struct idle_event); 716 if (result == NULL) { 717 DEBUG(0, ("talloc failed\n")); 718 return NULL; 719 } 720 721 result->interval = interval; 722 result->handler = handler; 723 result->private_data = private_data; 724 725 if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) { 726 DEBUG(0, ("talloc failed\n")); 727 TALLOC_FREE(result); 728 return NULL; 729 } 730 731 result->te = event_add_timed(event_ctx, result, 732 timeval_sum(&now, &interval), 733 smbd_idle_event_handler, result); 734 if (result->te == NULL) { 735 DEBUG(0, ("event_add_timed failed\n")); 736 TALLOC_FREE(result); 737 return NULL; 738 } 739 740 DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te)); 741 return result; 742} 743 744static void smbd_sig_term_handler(struct tevent_context *ev, 745 struct tevent_signal *se, 746 int signum, 747 int count, 748 void *siginfo, 749 void *private_data) 750{ 751 exit_server_cleanly("termination signal"); 752} 753 754void smbd_setup_sig_term_handler(void) 755{ 756 struct tevent_signal *se; 757 758 se = tevent_add_signal(smbd_event_context(), 759 smbd_event_context(), 760 SIGTERM, 0, 761 smbd_sig_term_handler, 762 NULL); 763 if (!se) { 764 exit_server("failed to setup SIGTERM handler"); 765 } 766} 767 768static void smbd_sig_hup_handler(struct tevent_context *ev, 769 struct tevent_signal *se, 770 int signum, 771 int count, 772 void *siginfo, 773 void *private_data) 774{ 775 change_to_root_user(); 776 DEBUG(1,("Reloading services after SIGHUP\n")); 777 reload_services(False); 778} 779 780void smbd_setup_sig_hup_handler(void) 781{ 782 struct tevent_signal *se; 783 784 se = tevent_add_signal(smbd_event_context(), 785 smbd_event_context(), 786 SIGHUP, 0, 787 smbd_sig_hup_handler, 788 NULL); 789 if (!se) { 790 exit_server("failed to setup SIGHUP handler"); 791 } 792} 793 794static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn) 795{ 796 fd_set r_fds, w_fds; 797 int selrtn; 798 struct timeval to; 799 int maxfd = 0; 800 801 to.tv_sec = SMBD_SELECT_TIMEOUT; 802 to.tv_usec = 0; 803 804 /* 805 * Setup the select fd sets. 806 */ 807 808 FD_ZERO(&r_fds); 809 FD_ZERO(&w_fds); 810 811 /* 812 * Are there any timed events waiting ? If so, ensure we don't 813 * select for longer than it would take to wait for them. 814 */ 815 816 { 817 struct timeval now; 818 GetTimeOfDay(&now); 819 820 event_add_to_select_args(smbd_event_context(), &now, 821 &r_fds, &w_fds, &to, &maxfd); 822 } 823 824 /* Process a signal and timed events now... */ 825 if (run_events(smbd_event_context(), 0, NULL, NULL)) { 826 return NT_STATUS_RETRY; 827 } 828 829 { 830 int sav; 831 START_PROFILE(smbd_idle); 832 833 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to); 834 sav = errno; 835 836 END_PROFILE(smbd_idle); 837 errno = sav; 838 } 839 840 if (selrtn == -1 && errno != EINTR) { 841 return map_nt_error_from_unix(errno); 842 } 843 844 if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) { 845 return NT_STATUS_RETRY; 846 } 847 848 /* Check if error */ 849 if (selrtn == -1) { 850 /* something is wrong. Maybe the socket is dead? */ 851 return map_nt_error_from_unix(errno); 852 } 853 854 /* Did we timeout ? */ 855 if (selrtn == 0) { 856 return NT_STATUS_RETRY; 857 } 858 859 /* should not be reached */ 860 return NT_STATUS_INTERNAL_ERROR; 861} 862 863/* 864 * Only allow 5 outstanding trans requests. We're allocating memory, so 865 * prevent a DoS. 866 */ 867 868NTSTATUS allow_new_trans(struct trans_state *list, int mid) 869{ 870 int count = 0; 871 for (; list != NULL; list = list->next) { 872 873 if (list->mid == mid) { 874 return NT_STATUS_INVALID_PARAMETER; 875 } 876 877 count += 1; 878 } 879 if (count > 5) { 880 return NT_STATUS_INSUFFICIENT_RESOURCES; 881 } 882 883 return NT_STATUS_OK; 884} 885 886/* 887These flags determine some of the permissions required to do an operation 888 889Note that I don't set NEED_WRITE on some write operations because they 890are used by some brain-dead clients when printing, and I don't want to 891force write permissions on print services. 892*/ 893#define AS_USER (1<<0) 894#define NEED_WRITE (1<<1) /* Must be paired with AS_USER */ 895#define TIME_INIT (1<<2) 896#define CAN_IPC (1<<3) /* Must be paired with AS_USER */ 897#define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */ 898#define DO_CHDIR (1<<6) 899 900/* 901 define a list of possible SMB messages and their corresponding 902 functions. Any message that has a NULL function is unimplemented - 903 please feel free to contribute implementations! 904*/ 905static const struct smb_message_struct { 906 const char *name; 907 void (*fn)(struct smb_request *req); 908 int flags; 909} smb_messages[256] = { 910 911/* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE}, 912/* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE}, 913/* 0x02 */ { "SMBopen",reply_open,AS_USER }, 914/* 0x03 */ { "SMBcreate",reply_mknew,AS_USER}, 915/* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC }, 916/* 0x05 */ { "SMBflush",reply_flush,AS_USER}, 917/* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE }, 918/* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE }, 919/* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER}, 920/* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE}, 921/* 0x0a */ { "SMBread",reply_read,AS_USER}, 922/* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC }, 923/* 0x0c */ { "SMBlock",reply_lock,AS_USER}, 924/* 0x0d */ { "SMBunlock",reply_unlock,AS_USER}, 925/* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER }, 926/* 0x0f */ { "SMBmknew",reply_mknew,AS_USER}, 927/* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER}, 928/* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR}, 929/* 0x12 */ { "SMBlseek",reply_lseek,AS_USER}, 930/* 0x13 */ { "SMBlockread",reply_lockread,AS_USER}, 931/* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER}, 932/* 0x15 */ { NULL, NULL, 0 }, 933/* 0x16 */ { NULL, NULL, 0 }, 934/* 0x17 */ { NULL, NULL, 0 }, 935/* 0x18 */ { NULL, NULL, 0 }, 936/* 0x19 */ { NULL, NULL, 0 }, 937/* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER}, 938/* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER}, 939/* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER }, 940/* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER}, 941/* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER}, 942/* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER}, 943/* 0x20 */ { "SMBwritec", NULL,0}, 944/* 0x21 */ { NULL, NULL, 0 }, 945/* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE }, 946/* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER }, 947/* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER }, 948/* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC }, 949/* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC}, 950/* 0x27 */ { "SMBioctl",reply_ioctl,0}, 951/* 0x28 */ { "SMBioctls", NULL,AS_USER}, 952/* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE }, 953/* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE }, 954/* 0x2b */ { "SMBecho",reply_echo,0}, 955/* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER}, 956/* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC }, 957/* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC }, 958/* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC }, 959/* 0x30 */ { NULL, NULL, 0 }, 960/* 0x31 */ { NULL, NULL, 0 }, 961/* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC }, 962/* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC }, 963/* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER}, 964/* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER}, 965/* 0x36 */ { NULL, NULL, 0 }, 966/* 0x37 */ { NULL, NULL, 0 }, 967/* 0x38 */ { NULL, NULL, 0 }, 968/* 0x39 */ { NULL, NULL, 0 }, 969/* 0x3a */ { NULL, NULL, 0 }, 970/* 0x3b */ { NULL, NULL, 0 }, 971/* 0x3c */ { NULL, NULL, 0 }, 972/* 0x3d */ { NULL, NULL, 0 }, 973/* 0x3e */ { NULL, NULL, 0 }, 974/* 0x3f */ { NULL, NULL, 0 }, 975/* 0x40 */ { NULL, NULL, 0 }, 976/* 0x41 */ { NULL, NULL, 0 }, 977/* 0x42 */ { NULL, NULL, 0 }, 978/* 0x43 */ { NULL, NULL, 0 }, 979/* 0x44 */ { NULL, NULL, 0 }, 980/* 0x45 */ { NULL, NULL, 0 }, 981/* 0x46 */ { NULL, NULL, 0 }, 982/* 0x47 */ { NULL, NULL, 0 }, 983/* 0x48 */ { NULL, NULL, 0 }, 984/* 0x49 */ { NULL, NULL, 0 }, 985/* 0x4a */ { NULL, NULL, 0 }, 986/* 0x4b */ { NULL, NULL, 0 }, 987/* 0x4c */ { NULL, NULL, 0 }, 988/* 0x4d */ { NULL, NULL, 0 }, 989/* 0x4e */ { NULL, NULL, 0 }, 990/* 0x4f */ { NULL, NULL, 0 }, 991/* 0x50 */ { NULL, NULL, 0 }, 992/* 0x51 */ { NULL, NULL, 0 }, 993/* 0x52 */ { NULL, NULL, 0 }, 994/* 0x53 */ { NULL, NULL, 0 }, 995/* 0x54 */ { NULL, NULL, 0 }, 996/* 0x55 */ { NULL, NULL, 0 }, 997/* 0x56 */ { NULL, NULL, 0 }, 998/* 0x57 */ { NULL, NULL, 0 }, 999/* 0x58 */ { NULL, NULL, 0 }, 1000/* 0x59 */ { NULL, NULL, 0 }, 1001/* 0x5a */ { NULL, NULL, 0 }, 1002/* 0x5b */ { NULL, NULL, 0 }, 1003/* 0x5c */ { NULL, NULL, 0 }, 1004/* 0x5d */ { NULL, NULL, 0 }, 1005/* 0x5e */ { NULL, NULL, 0 }, 1006/* 0x5f */ { NULL, NULL, 0 }, 1007/* 0x60 */ { NULL, NULL, 0 }, 1008/* 0x61 */ { NULL, NULL, 0 }, 1009/* 0x62 */ { NULL, NULL, 0 }, 1010/* 0x63 */ { NULL, NULL, 0 }, 1011/* 0x64 */ { NULL, NULL, 0 }, 1012/* 0x65 */ { NULL, NULL, 0 }, 1013/* 0x66 */ { NULL, NULL, 0 }, 1014/* 0x67 */ { NULL, NULL, 0 }, 1015/* 0x68 */ { NULL, NULL, 0 }, 1016/* 0x69 */ { NULL, NULL, 0 }, 1017/* 0x6a */ { NULL, NULL, 0 }, 1018/* 0x6b */ { NULL, NULL, 0 }, 1019/* 0x6c */ { NULL, NULL, 0 }, 1020/* 0x6d */ { NULL, NULL, 0 }, 1021/* 0x6e */ { NULL, NULL, 0 }, 1022/* 0x6f */ { NULL, NULL, 0 }, 1023/* 0x70 */ { "SMBtcon",reply_tcon,0}, 1024/* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR}, 1025/* 0x72 */ { "SMBnegprot",reply_negprot,0}, 1026/* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0}, 1027/* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */ 1028/* 0x75 */ { "SMBtconX",reply_tcon_and_X,0}, 1029/* 0x76 */ { NULL, NULL, 0 }, 1030/* 0x77 */ { NULL, NULL, 0 }, 1031/* 0x78 */ { NULL, NULL, 0 }, 1032/* 0x79 */ { NULL, NULL, 0 }, 1033/* 0x7a */ { NULL, NULL, 0 }, 1034/* 0x7b */ { NULL, NULL, 0 }, 1035/* 0x7c */ { NULL, NULL, 0 }, 1036/* 0x7d */ { NULL, NULL, 0 }, 1037/* 0x7e */ { NULL, NULL, 0 }, 1038/* 0x7f */ { NULL, NULL, 0 }, 1039/* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER}, 1040/* 0x81 */ { "SMBsearch",reply_search,AS_USER}, 1041/* 0x82 */ { "SMBffirst",reply_search,AS_USER}, 1042/* 0x83 */ { "SMBfunique",reply_search,AS_USER}, 1043/* 0x84 */ { "SMBfclose",reply_fclose,AS_USER}, 1044/* 0x85 */ { NULL, NULL, 0 }, 1045/* 0x86 */ { NULL, NULL, 0 }, 1046/* 0x87 */ { NULL, NULL, 0 }, 1047/* 0x88 */ { NULL, NULL, 0 }, 1048/* 0x89 */ { NULL, NULL, 0 }, 1049/* 0x8a */ { NULL, NULL, 0 }, 1050/* 0x8b */ { NULL, NULL, 0 }, 1051/* 0x8c */ { NULL, NULL, 0 }, 1052/* 0x8d */ { NULL, NULL, 0 }, 1053/* 0x8e */ { NULL, NULL, 0 }, 1054/* 0x8f */ { NULL, NULL, 0 }, 1055/* 0x90 */ { NULL, NULL, 0 }, 1056/* 0x91 */ { NULL, NULL, 0 }, 1057/* 0x92 */ { NULL, NULL, 0 }, 1058/* 0x93 */ { NULL, NULL, 0 }, 1059/* 0x94 */ { NULL, NULL, 0 }, 1060/* 0x95 */ { NULL, NULL, 0 }, 1061/* 0x96 */ { NULL, NULL, 0 }, 1062/* 0x97 */ { NULL, NULL, 0 }, 1063/* 0x98 */ { NULL, NULL, 0 }, 1064/* 0x99 */ { NULL, NULL, 0 }, 1065/* 0x9a */ { NULL, NULL, 0 }, 1066/* 0x9b */ { NULL, NULL, 0 }, 1067/* 0x9c */ { NULL, NULL, 0 }, 1068/* 0x9d */ { NULL, NULL, 0 }, 1069/* 0x9e */ { NULL, NULL, 0 }, 1070/* 0x9f */ { NULL, NULL, 0 }, 1071/* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC }, 1072/* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC }, 1073/* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC }, 1074/* 0xa3 */ { NULL, NULL, 0 }, 1075/* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 }, 1076/* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE }, 1077/* 0xa6 */ { NULL, NULL, 0 }, 1078/* 0xa7 */ { NULL, NULL, 0 }, 1079/* 0xa8 */ { NULL, NULL, 0 }, 1080/* 0xa9 */ { NULL, NULL, 0 }, 1081/* 0xaa */ { NULL, NULL, 0 }, 1082/* 0xab */ { NULL, NULL, 0 }, 1083/* 0xac */ { NULL, NULL, 0 }, 1084/* 0xad */ { NULL, NULL, 0 }, 1085/* 0xae */ { NULL, NULL, 0 }, 1086/* 0xaf */ { NULL, NULL, 0 }, 1087/* 0xb0 */ { NULL, NULL, 0 }, 1088/* 0xb1 */ { NULL, NULL, 0 }, 1089/* 0xb2 */ { NULL, NULL, 0 }, 1090/* 0xb3 */ { NULL, NULL, 0 }, 1091/* 0xb4 */ { NULL, NULL, 0 }, 1092/* 0xb5 */ { NULL, NULL, 0 }, 1093/* 0xb6 */ { NULL, NULL, 0 }, 1094/* 0xb7 */ { NULL, NULL, 0 }, 1095/* 0xb8 */ { NULL, NULL, 0 }, 1096/* 0xb9 */ { NULL, NULL, 0 }, 1097/* 0xba */ { NULL, NULL, 0 }, 1098/* 0xbb */ { NULL, NULL, 0 }, 1099/* 0xbc */ { NULL, NULL, 0 }, 1100/* 0xbd */ { NULL, NULL, 0 }, 1101/* 0xbe */ { NULL, NULL, 0 }, 1102/* 0xbf */ { NULL, NULL, 0 }, 1103/* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER}, 1104/* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER}, 1105/* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER}, 1106/* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER}, 1107/* 0xc4 */ { NULL, NULL, 0 }, 1108/* 0xc5 */ { NULL, NULL, 0 }, 1109/* 0xc6 */ { NULL, NULL, 0 }, 1110/* 0xc7 */ { NULL, NULL, 0 }, 1111/* 0xc8 */ { NULL, NULL, 0 }, 1112/* 0xc9 */ { NULL, NULL, 0 }, 1113/* 0xca */ { NULL, NULL, 0 }, 1114/* 0xcb */ { NULL, NULL, 0 }, 1115/* 0xcc */ { NULL, NULL, 0 }, 1116/* 0xcd */ { NULL, NULL, 0 }, 1117/* 0xce */ { NULL, NULL, 0 }, 1118/* 0xcf */ { NULL, NULL, 0 }, 1119/* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST}, 1120/* 0xd1 */ { "SMBsendb", NULL,AS_GUEST}, 1121/* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST}, 1122/* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST}, 1123/* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST}, 1124/* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST}, 1125/* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST}, 1126/* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST}, 1127/* 0xd8 */ { NULL, NULL, 0 }, 1128/* 0xd9 */ { NULL, NULL, 0 }, 1129/* 0xda */ { NULL, NULL, 0 }, 1130/* 0xdb */ { NULL, NULL, 0 }, 1131/* 0xdc */ { NULL, NULL, 0 }, 1132/* 0xdd */ { NULL, NULL, 0 }, 1133/* 0xde */ { NULL, NULL, 0 }, 1134/* 0xdf */ { NULL, NULL, 0 }, 1135/* 0xe0 */ { NULL, NULL, 0 }, 1136/* 0xe1 */ { NULL, NULL, 0 }, 1137/* 0xe2 */ { NULL, NULL, 0 }, 1138/* 0xe3 */ { NULL, NULL, 0 }, 1139/* 0xe4 */ { NULL, NULL, 0 }, 1140/* 0xe5 */ { NULL, NULL, 0 }, 1141/* 0xe6 */ { NULL, NULL, 0 }, 1142/* 0xe7 */ { NULL, NULL, 0 }, 1143/* 0xe8 */ { NULL, NULL, 0 }, 1144/* 0xe9 */ { NULL, NULL, 0 }, 1145/* 0xea */ { NULL, NULL, 0 }, 1146/* 0xeb */ { NULL, NULL, 0 }, 1147/* 0xec */ { NULL, NULL, 0 }, 1148/* 0xed */ { NULL, NULL, 0 }, 1149/* 0xee */ { NULL, NULL, 0 }, 1150/* 0xef */ { NULL, NULL, 0 }, 1151/* 0xf0 */ { NULL, NULL, 0 }, 1152/* 0xf1 */ { NULL, NULL, 0 }, 1153/* 0xf2 */ { NULL, NULL, 0 }, 1154/* 0xf3 */ { NULL, NULL, 0 }, 1155/* 0xf4 */ { NULL, NULL, 0 }, 1156/* 0xf5 */ { NULL, NULL, 0 }, 1157/* 0xf6 */ { NULL, NULL, 0 }, 1158/* 0xf7 */ { NULL, NULL, 0 }, 1159/* 0xf8 */ { NULL, NULL, 0 }, 1160/* 0xf9 */ { NULL, NULL, 0 }, 1161/* 0xfa */ { NULL, NULL, 0 }, 1162/* 0xfb */ { NULL, NULL, 0 }, 1163/* 0xfc */ { NULL, NULL, 0 }, 1164/* 0xfd */ { NULL, NULL, 0 }, 1165/* 0xfe */ { NULL, NULL, 0 }, 1166/* 0xff */ { NULL, NULL, 0 } 1167 1168}; 1169 1170/******************************************************************* 1171 allocate and initialize a reply packet 1172********************************************************************/ 1173 1174static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req, 1175 const char *inbuf, char **outbuf, uint8_t num_words, 1176 uint32_t num_bytes) 1177{ 1178 /* 1179 * Protect against integer wrap 1180 */ 1181 if ((num_bytes > 0xffffff) 1182 || ((num_bytes + smb_size + num_words*2) > 0xffffff)) { 1183 char *msg; 1184 if (asprintf(&msg, "num_bytes too large: %u", 1185 (unsigned)num_bytes) == -1) { 1186 msg = CONST_DISCARD(char *, "num_bytes too large"); 1187 } 1188 smb_panic(msg); 1189 } 1190 1191 *outbuf = TALLOC_ARRAY(mem_ctx, char, 1192 smb_size + num_words*2 + num_bytes); 1193 if (*outbuf == NULL) { 1194 return false; 1195 } 1196 1197 construct_reply_common(req, inbuf, *outbuf); 1198 srv_set_message(*outbuf, num_words, num_bytes, false); 1199 /* 1200 * Zero out the word area, the caller has to take care of the bcc area 1201 * himself 1202 */ 1203 if (num_words != 0) { 1204 memset(*outbuf + smb_vwv0, 0, num_words*2); 1205 } 1206 1207 return true; 1208} 1209 1210void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes) 1211{ 1212 char *outbuf; 1213 if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words, 1214 num_bytes)) { 1215 smb_panic("could not allocate output buffer\n"); 1216 } 1217 req->outbuf = (uint8_t *)outbuf; 1218} 1219 1220 1221/******************************************************************* 1222 Dump a packet to a file. 1223********************************************************************/ 1224 1225static void smb_dump(const char *name, int type, const char *data, ssize_t len) 1226{ 1227 int fd, i; 1228 char *fname = NULL; 1229 if (DEBUGLEVEL < 50) { 1230 return; 1231 } 1232 1233 if (len < 4) len = smb_len(data)+4; 1234 for (i=1;i<100;i++) { 1235 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i, 1236 type ? "req" : "resp") == -1) { 1237 return; 1238 } 1239 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644); 1240 if (fd != -1 || errno != EEXIST) break; 1241 } 1242 if (fd != -1) { 1243 ssize_t ret = write(fd, data, len); 1244 if (ret != len) 1245 DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret )); 1246 close(fd); 1247 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len)); 1248 } 1249 SAFE_FREE(fname); 1250} 1251 1252/**************************************************************************** 1253 Prepare everything for calling the actual request function, and potentially 1254 call the request function via the "new" interface. 1255 1256 Return False if the "legacy" function needs to be called, everything is 1257 prepared. 1258 1259 Return True if we're done. 1260 1261 I know this API sucks, but it is the one with the least code change I could 1262 find. 1263****************************************************************************/ 1264 1265static connection_struct *switch_message(uint8 type, struct smb_request *req, int size) 1266{ 1267 int flags; 1268 uint16 session_tag; 1269 connection_struct *conn = NULL; 1270 struct smbd_server_connection *sconn = smbd_server_conn; 1271 1272 errno = 0; 1273 1274 /* Make sure this is an SMB packet. smb_size contains NetBIOS header 1275 * so subtract 4 from it. */ 1276 if (!valid_smb_header(req->inbuf) 1277 || (size < (smb_size - 4))) { 1278 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n", 1279 smb_len(req->inbuf))); 1280 exit_server_cleanly("Non-SMB packet"); 1281 } 1282 1283 if (smb_messages[type].fn == NULL) { 1284 DEBUG(0,("Unknown message type %d!\n",type)); 1285 smb_dump("Unknown", 1, (char *)req->inbuf, size); 1286 reply_unknown_new(req, type); 1287 return NULL; 1288 } 1289 1290 flags = smb_messages[type].flags; 1291 1292 /* In share mode security we must ignore the vuid. */ 1293 session_tag = (lp_security() == SEC_SHARE) 1294 ? UID_FIELD_INVALID : req->vuid; 1295 conn = req->conn; 1296 1297 DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type), 1298 (int)sys_getpid(), (unsigned long)conn)); 1299 1300 smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size); 1301 1302 /* Ensure this value is replaced in the incoming packet. */ 1303 SSVAL(req->inbuf,smb_uid,session_tag); 1304 1305 /* 1306 * Ensure the correct username is in current_user_info. This is a 1307 * really ugly bugfix for problems with multiple session_setup_and_X's 1308 * being done and allowing %U and %G substitutions to work correctly. 1309 * There is a reason this code is done here, don't move it unless you 1310 * know what you're doing... :-). 1311 * JRA. 1312 */ 1313 1314 if (session_tag != sconn->smb1.sessions.last_session_tag) { 1315 user_struct *vuser = NULL; 1316 1317 sconn->smb1.sessions.last_session_tag = session_tag; 1318 if(session_tag != UID_FIELD_INVALID) { 1319 vuser = get_valid_user_struct(sconn, session_tag); 1320 if (vuser) { 1321 set_current_user_info( 1322 vuser->server_info->sanitized_username, 1323 vuser->server_info->unix_name, 1324 pdb_get_domain(vuser->server_info 1325 ->sam_account)); 1326 } 1327 } 1328 } 1329 1330 /* Does this call need to be run as the connected user? */ 1331 if (flags & AS_USER) { 1332 1333 /* Does this call need a valid tree connection? */ 1334 if (!conn) { 1335 /* 1336 * Amazingly, the error code depends on the command 1337 * (from Samba4). 1338 */ 1339 if (type == SMBntcreateX) { 1340 reply_nterror(req, NT_STATUS_INVALID_HANDLE); 1341 } else { 1342 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED); 1343 } 1344 return NULL; 1345 } 1346 1347 if (!change_to_user(conn,session_tag)) { 1348 DEBUG(0, ("Error: Could not change to user. Removing " 1349 "deferred open, mid=%d.\n", req->mid)); 1350 reply_force_doserror(req, ERRSRV, ERRbaduid); 1351 return conn; 1352 } 1353 1354 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */ 1355 1356 /* Does it need write permission? */ 1357 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) { 1358 reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED); 1359 return conn; 1360 } 1361 1362 /* IPC services are limited */ 1363 if (IS_IPC(conn) && !(flags & CAN_IPC)) { 1364 reply_nterror(req, NT_STATUS_ACCESS_DENIED); 1365 return conn; 1366 } 1367 } else { 1368 /* This call needs to be run as root */ 1369 change_to_root_user(); 1370 } 1371 1372 /* load service specific parameters */ 1373 if (conn) { 1374 if (req->encrypted) { 1375 conn->encrypted_tid = true; 1376 /* encrypted required from now on. */ 1377 conn->encrypt_level = Required; 1378 } else if (ENCRYPTION_REQUIRED(conn)) { 1379 if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) { 1380 exit_server_cleanly("encryption required " 1381 "on connection"); 1382 return conn; 1383 } 1384 } 1385 1386 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg), 1387 (flags & (AS_USER|DO_CHDIR) 1388 ?True:False))) { 1389 reply_nterror(req, NT_STATUS_ACCESS_DENIED); 1390 return conn; 1391 } 1392 conn->num_smb_operations++; 1393 } 1394 1395 /* does this protocol need to be run as guest? */ 1396 if ((flags & AS_GUEST) 1397 && (!change_to_guest() || 1398 !check_access(smbd_server_fd(), lp_hostsallow(-1), 1399 lp_hostsdeny(-1)))) { 1400 reply_nterror(req, NT_STATUS_ACCESS_DENIED); 1401 return conn; 1402 } 1403 1404 smb_messages[type].fn(req); 1405 return req->conn; 1406} 1407 1408/**************************************************************************** 1409 Construct a reply to the incoming packet. 1410****************************************************************************/ 1411 1412static void construct_reply(char *inbuf, int size, size_t unread_bytes, 1413 uint32_t seqnum, bool encrypted, 1414 struct smb_perfcount_data *deferred_pcd) 1415{ 1416 connection_struct *conn; 1417 struct smb_request *req; 1418 1419 if (!(req = talloc(talloc_tos(), struct smb_request))) { 1420 smb_panic("could not allocate smb_request"); 1421 } 1422 1423 init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted); 1424 req->inbuf = (uint8_t *)talloc_move(req, &inbuf); 1425 req->seqnum = seqnum; 1426 1427 /* we popped this message off the queue - keep original perf data */ 1428 if (deferred_pcd) 1429 req->pcd = *deferred_pcd; 1430 else { 1431 SMB_PERFCOUNT_START(&req->pcd); 1432 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd); 1433 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size); 1434 } 1435 1436 conn = switch_message(req->cmd, req, size); 1437 1438 if (req->unread_bytes) { 1439 /* writeX failed. drain socket. */ 1440 if (drain_socket(smbd_server_fd(), req->unread_bytes) != 1441 req->unread_bytes) { 1442 smb_panic("failed to drain pending bytes"); 1443 } 1444 req->unread_bytes = 0; 1445 } 1446 1447 if (req->done) { 1448 TALLOC_FREE(req); 1449 return; 1450 } 1451 1452 if (req->outbuf == NULL) { 1453 return; 1454 } 1455 1456 if (CVAL(req->outbuf,0) == 0) { 1457 show_msg((char *)req->outbuf); 1458 } 1459 1460 if (!srv_send_smb(smbd_server_fd(), 1461 (char *)req->outbuf, 1462 true, req->seqnum+1, 1463 IS_CONN_ENCRYPTED(conn)||req->encrypted, 1464 &req->pcd)) { 1465 exit_server_cleanly("construct_reply: srv_send_smb failed."); 1466 } 1467 1468 TALLOC_FREE(req); 1469 1470 return; 1471} 1472 1473/**************************************************************************** 1474 Process an smb from the client 1475****************************************************************************/ 1476static void process_smb(struct smbd_server_connection *conn, 1477 uint8_t *inbuf, size_t nread, size_t unread_bytes, 1478 uint32_t seqnum, bool encrypted, 1479 struct smb_perfcount_data *deferred_pcd) 1480{ 1481 int msg_type = CVAL(inbuf,0); 1482 1483 DO_PROFILE_INC(smb_count); 1484 1485 DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type, 1486 smb_len(inbuf) ) ); 1487 DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num, 1488 (int)nread, 1489 (unsigned int)unread_bytes )); 1490 1491 if (msg_type != 0) { 1492 /* 1493 * NetBIOS session request, keepalive, etc. 1494 */ 1495 reply_special((char *)inbuf, nread); 1496 goto done; 1497 } 1498 1499 if (smbd_server_conn->allow_smb2) { 1500 if (smbd_is_smb2_header(inbuf, nread)) { 1501 smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread); 1502 return; 1503 } 1504 smbd_server_conn->allow_smb2 = false; 1505 } 1506 1507 show_msg((char *)inbuf); 1508 1509 construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd); 1510 trans_num++; 1511 1512done: 1513 conn->smb1.num_requests++; 1514 1515 /* The timeout_processing function isn't run nearly 1516 often enough to implement 'max log size' without 1517 overrunning the size of the file by many megabytes. 1518 This is especially true if we are running at debug 1519 level 10. Checking every 50 SMBs is a nice 1520 tradeoff of performance vs log file size overrun. */ 1521 1522 if ((conn->smb1.num_requests % 50) == 0 && 1523 need_to_check_log_size()) { 1524 change_to_root_user(); 1525 check_log_size(); 1526 } 1527} 1528 1529/**************************************************************************** 1530 Return a string containing the function name of a SMB command. 1531****************************************************************************/ 1532 1533const char *smb_fn_name(int type) 1534{ 1535 const char *unknown_name = "SMBunknown"; 1536 1537 if (smb_messages[type].name == NULL) 1538 return(unknown_name); 1539 1540 return(smb_messages[type].name); 1541} 1542 1543/**************************************************************************** 1544 Helper functions for contruct_reply. 1545****************************************************************************/ 1546 1547void add_to_common_flags2(uint32 v) 1548{ 1549 common_flags2 |= v; 1550} 1551 1552void remove_from_common_flags2(uint32 v) 1553{ 1554 common_flags2 &= ~v; 1555} 1556 1557static void construct_reply_common(struct smb_request *req, const char *inbuf, 1558 char *outbuf) 1559{ 1560 srv_set_message(outbuf,0,0,false); 1561 1562 SCVAL(outbuf, smb_com, req->cmd); 1563 SIVAL(outbuf,smb_rcls,0); 1564 SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 1565 SSVAL(outbuf,smb_flg2, 1566 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) | 1567 common_flags2); 1568 memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh)); 1569 1570 SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid)); 1571 SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid)); 1572 SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid)); 1573 SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid)); 1574} 1575 1576void construct_reply_common_req(struct smb_request *req, char *outbuf) 1577{ 1578 construct_reply_common(req, (char *)req->inbuf, outbuf); 1579} 1580 1581/* 1582 * How many bytes have we already accumulated up to the current wct field 1583 * offset? 1584 */ 1585 1586size_t req_wct_ofs(struct smb_request *req) 1587{ 1588 size_t buf_size; 1589 1590 if (req->chain_outbuf == NULL) { 1591 return smb_wct - 4; 1592 } 1593 buf_size = talloc_get_size(req->chain_outbuf); 1594 if ((buf_size % 4) != 0) { 1595 buf_size += (4 - (buf_size % 4)); 1596 } 1597 return buf_size - 4; 1598} 1599 1600/* 1601 * Hack around reply_nterror & friends not being aware of chained requests, 1602 * generating illegal (i.e. wct==0) chain replies. 1603 */ 1604 1605static void fixup_chain_error_packet(struct smb_request *req) 1606{ 1607 uint8_t *outbuf = req->outbuf; 1608 req->outbuf = NULL; 1609 reply_outbuf(req, 2, 0); 1610 memcpy(req->outbuf, outbuf, smb_wct); 1611 TALLOC_FREE(outbuf); 1612 SCVAL(req->outbuf, smb_vwv0, 0xff); 1613} 1614 1615/** 1616 * @brief Find the smb_cmd offset of the last command pushed 1617 * @param[in] buf The buffer we're building up 1618 * @retval Where can we put our next andx cmd? 1619 * 1620 * While chaining requests, the "next" request we're looking at needs to put 1621 * its SMB_Command before the data the previous request already built up added 1622 * to the chain. Find the offset to the place where we have to put our cmd. 1623 */ 1624 1625static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs) 1626{ 1627 uint8_t cmd; 1628 size_t ofs; 1629 1630 cmd = CVAL(buf, smb_com); 1631 1632 SMB_ASSERT(is_andx_req(cmd)); 1633 1634 ofs = smb_vwv0; 1635 1636 while (CVAL(buf, ofs) != 0xff) { 1637 1638 if (!is_andx_req(CVAL(buf, ofs))) { 1639 return false; 1640 } 1641 1642 /* 1643 * ofs is from start of smb header, so add the 4 length 1644 * bytes. The next cmd is right after the wct field. 1645 */ 1646 ofs = SVAL(buf, ofs+2) + 4 + 1; 1647 1648 SMB_ASSERT(ofs+4 < talloc_get_size(buf)); 1649 } 1650 1651 *pofs = ofs; 1652 return true; 1653} 1654 1655/** 1656 * @brief Do the smb chaining at a buffer level 1657 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified 1658 * @param[in] smb_command The command that we want to issue 1659 * @param[in] wct How many words? 1660 * @param[in] vwv The words, already in network order 1661 * @param[in] bytes_alignment How shall we align "bytes"? 1662 * @param[in] num_bytes How many bytes? 1663 * @param[in] bytes The data the request ships 1664 * 1665 * smb_splice_chain() adds the vwv and bytes to the request already present in 1666 * *poutbuf. 1667 */ 1668 1669static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command, 1670 uint8_t wct, const uint16_t *vwv, 1671 size_t bytes_alignment, 1672 uint32_t num_bytes, const uint8_t *bytes) 1673{ 1674 uint8_t *outbuf; 1675 size_t old_size, new_size; 1676 size_t ofs; 1677 size_t chain_padding = 0; 1678 size_t bytes_padding = 0; 1679 bool first_request; 1680 1681 old_size = talloc_get_size(*poutbuf); 1682 1683 /* 1684 * old_size == smb_wct means we're pushing the first request in for 1685 * libsmb/ 1686 */ 1687 1688 first_request = (old_size == smb_wct); 1689 1690 if (!first_request && ((old_size % 4) != 0)) { 1691 /* 1692 * Align the wct field of subsequent requests to a 4-byte 1693 * boundary 1694 */ 1695 chain_padding = 4 - (old_size % 4); 1696 } 1697 1698 /* 1699 * After the old request comes the new wct field (1 byte), the vwv's 1700 * and the num_bytes field. After at we might need to align the bytes 1701 * given to us to "bytes_alignment", increasing the num_bytes value. 1702 */ 1703 1704 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2; 1705 1706 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) { 1707 bytes_padding = bytes_alignment - (new_size % bytes_alignment); 1708 } 1709 1710 new_size += bytes_padding + num_bytes; 1711 1712 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) { 1713 DEBUG(1, ("splice_chain: %u bytes won't fit\n", 1714 (unsigned)new_size)); 1715 return false; 1716 } 1717 1718 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size); 1719 if (outbuf == NULL) { 1720 DEBUG(0, ("talloc failed\n")); 1721 return false; 1722 } 1723 *poutbuf = outbuf; 1724 1725 if (first_request) { 1726 SCVAL(outbuf, smb_com, smb_command); 1727 } else { 1728 size_t andx_cmd_ofs; 1729 1730 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) { 1731 DEBUG(1, ("invalid command chain\n")); 1732 *poutbuf = TALLOC_REALLOC_ARRAY( 1733 NULL, *poutbuf, uint8_t, old_size); 1734 return false; 1735 } 1736 1737 if (chain_padding != 0) { 1738 memset(outbuf + old_size, 0, chain_padding); 1739 old_size += chain_padding; 1740 } 1741 1742 SCVAL(outbuf, andx_cmd_ofs, smb_command); 1743 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4); 1744 } 1745 1746 ofs = old_size; 1747 1748 /* 1749 * Push the chained request: 1750 * 1751 * wct field 1752 */ 1753 1754 SCVAL(outbuf, ofs, wct); 1755 ofs += 1; 1756 1757 /* 1758 * vwv array 1759 */ 1760 1761 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct); 1762 ofs += sizeof(uint16_t) * wct; 1763 1764 /* 1765 * bcc (byte count) 1766 */ 1767 1768 SSVAL(outbuf, ofs, num_bytes + bytes_padding); 1769 ofs += sizeof(uint16_t); 1770 1771 /* 1772 * padding 1773 */ 1774 1775 if (bytes_padding != 0) { 1776 memset(outbuf + ofs, 0, bytes_padding); 1777 ofs += bytes_padding; 1778 } 1779 1780 /* 1781 * The bytes field 1782 */ 1783 1784 memcpy(outbuf + ofs, bytes, num_bytes); 1785 1786 return true; 1787} 1788 1789/**************************************************************************** 1790 Construct a chained reply and add it to the already made reply 1791****************************************************************************/ 1792 1793void chain_reply(struct smb_request *req) 1794{ 1795 size_t smblen = smb_len(req->inbuf); 1796 size_t already_used, length_needed; 1797 uint8_t chain_cmd; 1798 uint32_t chain_offset; /* uint32_t to avoid overflow */ 1799 1800 uint8_t wct; 1801 uint16_t *vwv; 1802 uint16_t buflen; 1803 uint8_t *buf; 1804 1805 if (IVAL(req->outbuf, smb_rcls) != 0) { 1806 fixup_chain_error_packet(req); 1807 } 1808 1809 /* 1810 * Any of the AndX requests and replies have at least a wct of 1811 * 2. vwv[0] is the next command, vwv[1] is the offset from the 1812 * beginning of the SMB header to the next wct field. 1813 * 1814 * None of the AndX requests put anything valuable in vwv[0] and [1], 1815 * so we can overwrite it here to form the chain. 1816 */ 1817 1818 if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) { 1819 if (req->chain_outbuf == NULL) { 1820 req->chain_outbuf = TALLOC_REALLOC_ARRAY( 1821 req, req->outbuf, uint8_t, 1822 smb_len(req->outbuf) + 4); 1823 if (req->chain_outbuf == NULL) { 1824 smb_panic("talloc failed"); 1825 } 1826 } 1827 req->outbuf = NULL; 1828 goto error; 1829 } 1830 1831 /* 1832 * Here we assume that this is the end of the chain. For that we need 1833 * to set "next command" to 0xff and the offset to 0. If we later find 1834 * more commands in the chain, this will be overwritten again. 1835 */ 1836 1837 SCVAL(req->outbuf, smb_vwv0, 0xff); 1838 SCVAL(req->outbuf, smb_vwv0+1, 0); 1839 SSVAL(req->outbuf, smb_vwv1, 0); 1840 1841 if (req->chain_outbuf == NULL) { 1842 /* 1843 * In req->chain_outbuf we collect all the replies. Start the 1844 * chain by copying in the first reply. 1845 * 1846 * We do the realloc because later on we depend on 1847 * talloc_get_size to determine the length of 1848 * chain_outbuf. The reply_xxx routines might have 1849 * over-allocated (reply_pipe_read_and_X used to be such an 1850 * example). 1851 */ 1852 req->chain_outbuf = TALLOC_REALLOC_ARRAY( 1853 req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4); 1854 if (req->chain_outbuf == NULL) { 1855 smb_panic("talloc failed"); 1856 } 1857 req->outbuf = NULL; 1858 } else { 1859 /* 1860 * Update smb headers where subsequent chained commands 1861 * may have updated them. 1862 */ 1863 SSVAL(req->chain_outbuf, smb_tid, SVAL(req->outbuf, smb_tid)); 1864 SSVAL(req->chain_outbuf, smb_uid, SVAL(req->outbuf, smb_uid)); 1865 1866 if (!smb_splice_chain(&req->chain_outbuf, 1867 CVAL(req->outbuf, smb_com), 1868 CVAL(req->outbuf, smb_wct), 1869 (uint16_t *)(req->outbuf + smb_vwv), 1870 0, smb_buflen(req->outbuf), 1871 (uint8_t *)smb_buf(req->outbuf))) { 1872 goto error; 1873 } 1874 TALLOC_FREE(req->outbuf); 1875 } 1876 1877 /* 1878 * We use the old request's vwv field to grab the next chained command 1879 * and offset into the chained fields. 1880 */ 1881 1882 chain_cmd = CVAL(req->vwv+0, 0); 1883 chain_offset = SVAL(req->vwv+1, 0); 1884 1885 if (chain_cmd == 0xff) { 1886 /* 1887 * End of chain, no more requests from the client. So ship the 1888 * replies. 1889 */ 1890 smb_setlen((char *)(req->chain_outbuf), 1891 talloc_get_size(req->chain_outbuf) - 4); 1892 1893 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf, 1894 true, req->seqnum+1, 1895 IS_CONN_ENCRYPTED(req->conn) 1896 ||req->encrypted, 1897 &req->pcd)) { 1898 exit_server_cleanly("chain_reply: srv_send_smb " 1899 "failed."); 1900 } 1901 TALLOC_FREE(req->chain_outbuf); 1902 req->done = true; 1903 return; 1904 } 1905 1906 /* add a new perfcounter for this element of chain */ 1907 SMB_PERFCOUNT_ADD(&req->pcd); 1908 SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd); 1909 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen); 1910 1911 /* 1912 * Check if the client tries to fool us. The request so far uses the 1913 * space to the end of the byte buffer in the request just 1914 * processed. The chain_offset can't point into that area. If that was 1915 * the case, we could end up with an endless processing of the chain, 1916 * we would always handle the same request. 1917 */ 1918 1919 already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf)); 1920 if (chain_offset < already_used) { 1921 goto error; 1922 } 1923 1924 /* 1925 * Next check: Make sure the chain offset does not point beyond the 1926 * overall smb request length. 1927 */ 1928 1929 length_needed = chain_offset+1; /* wct */ 1930 if (length_needed > smblen) { 1931 goto error; 1932 } 1933 1934 /* 1935 * Now comes the pointer magic. Goal here is to set up req->vwv and 1936 * req->buf correctly again to be able to call the subsequent 1937 * switch_message(). The chain offset (the former vwv[1]) points at 1938 * the new wct field. 1939 */ 1940 1941 wct = CVAL(smb_base(req->inbuf), chain_offset); 1942 1943 /* 1944 * Next consistency check: Make the new vwv array fits in the overall 1945 * smb request. 1946 */ 1947 1948 length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */ 1949 if (length_needed > smblen) { 1950 goto error; 1951 } 1952 vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1); 1953 1954 /* 1955 * Now grab the new byte buffer.... 1956 */ 1957 1958 buflen = SVAL(vwv+wct, 0); 1959 1960 /* 1961 * .. and check that it fits. 1962 */ 1963 1964 length_needed += buflen; 1965 if (length_needed > smblen) { 1966 goto error; 1967 } 1968 buf = (uint8_t *)(vwv+wct+1); 1969 1970 req->cmd = chain_cmd; 1971 req->wct = wct; 1972 req->vwv = vwv; 1973 req->buflen = buflen; 1974 req->buf = buf; 1975 1976 switch_message(chain_cmd, req, smblen); 1977 1978 if (req->outbuf == NULL) { 1979 /* 1980 * This happens if the chained command has suspended itself or 1981 * if it has called srv_send_smb() itself. 1982 */ 1983 return; 1984 } 1985 1986 /* 1987 * We end up here if the chained command was not itself chained or 1988 * suspended, but for example a close() command. We now need to splice 1989 * the chained commands' outbuf into the already built up chain_outbuf 1990 * and ship the result. 1991 */ 1992 goto done; 1993 1994 error: 1995 /* 1996 * We end up here if there's any error in the chain syntax. Report a 1997 * DOS error, just like Windows does. 1998 */ 1999 reply_force_doserror(req, ERRSRV, ERRerror); 2000 fixup_chain_error_packet(req); 2001 2002 done: 2003 /* 2004 * This scary statement intends to set the 2005 * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf 2006 * to the value req->outbuf carries 2007 */ 2008 SSVAL(req->chain_outbuf, smb_flg2, 2009 (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES) 2010 | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES)); 2011 2012 /* 2013 * Transfer the error codes from the subrequest to the main one 2014 */ 2015 SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls)); 2016 SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err)); 2017 2018 if (!smb_splice_chain(&req->chain_outbuf, 2019 CVAL(req->outbuf, smb_com), 2020 CVAL(req->outbuf, smb_wct), 2021 (uint16_t *)(req->outbuf + smb_vwv), 2022 0, smb_buflen(req->outbuf), 2023 (uint8_t *)smb_buf(req->outbuf))) { 2024 exit_server_cleanly("chain_reply: smb_splice_chain failed\n"); 2025 } 2026 TALLOC_FREE(req->outbuf); 2027 2028 smb_setlen((char *)(req->chain_outbuf), 2029 talloc_get_size(req->chain_outbuf) - 4); 2030 2031 show_msg((char *)(req->chain_outbuf)); 2032 2033 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf, 2034 true, req->seqnum+1, 2035 IS_CONN_ENCRYPTED(req->conn)||req->encrypted, 2036 &req->pcd)) { 2037 exit_server_cleanly("construct_reply: srv_send_smb failed."); 2038 } 2039 TALLOC_FREE(req->chain_outbuf); 2040 req->done = true; 2041} 2042 2043/**************************************************************************** 2044 Check if services need reloading. 2045****************************************************************************/ 2046 2047void check_reload(time_t t) 2048{ 2049 time_t printcap_cache_time = (time_t)lp_printcap_cache_time(); 2050 2051 if(last_smb_conf_reload_time == 0) { 2052 last_smb_conf_reload_time = t; 2053 /* Our printing subsystem might not be ready at smbd start up. 2054 Then no printer is available till the first printers check 2055 is performed. A lower initial interval circumvents this. */ 2056 if ( printcap_cache_time > 60 ) 2057 last_printer_reload_time = t - printcap_cache_time + 60; 2058 else 2059 last_printer_reload_time = t; 2060 } 2061 2062 if (mypid != getpid()) { /* First time or fork happened meanwhile */ 2063 /* randomize over 60 second the printcap reload to avoid all 2064 * process hitting cupsd at the same time */ 2065 int time_range = 60; 2066 2067 last_printer_reload_time += random() % time_range; 2068 mypid = getpid(); 2069 } 2070 2071 if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) { 2072 reload_services(True); 2073 last_smb_conf_reload_time = t; 2074 } 2075 2076 /* 'printcap cache time = 0' disable the feature */ 2077 2078 if ( printcap_cache_time != 0 ) 2079 { 2080 /* see if it's time to reload or if the clock has been set back */ 2081 2082 if ( (t >= last_printer_reload_time+printcap_cache_time) 2083 || (t-last_printer_reload_time < 0) ) 2084 { 2085 DEBUG( 3,( "Printcap cache time expired.\n")); 2086 reload_printers(); 2087 last_printer_reload_time = t; 2088 } 2089 } 2090} 2091 2092static void smbd_server_connection_write_handler(struct smbd_server_connection *conn) 2093{ 2094 /* TODO: make write nonblocking */ 2095} 2096 2097static void smbd_server_connection_read_handler(struct smbd_server_connection *conn) 2098{ 2099 uint8_t *inbuf = NULL; 2100 size_t inbuf_len = 0; 2101 size_t unread_bytes = 0; 2102 bool encrypted = false; 2103 TALLOC_CTX *mem_ctx = talloc_tos(); 2104 NTSTATUS status; 2105 uint32_t seqnum; 2106 2107 /* TODO: make this completely nonblocking */ 2108 2109 status = receive_smb_talloc(mem_ctx, smbd_server_fd(), 2110 (char **)(void *)&inbuf, 2111 0, /* timeout */ 2112 &unread_bytes, 2113 &encrypted, 2114 &inbuf_len, &seqnum); 2115 if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) { 2116 goto process; 2117 } 2118 if (NT_STATUS_IS_ERR(status)) { 2119 exit_server_cleanly("failed to receive smb request"); 2120 } 2121 if (!NT_STATUS_IS_OK(status)) { 2122 return; 2123 } 2124 2125process: 2126 process_smb(conn, inbuf, inbuf_len, unread_bytes, 2127 seqnum, encrypted, NULL); 2128} 2129 2130static void smbd_server_connection_handler(struct event_context *ev, 2131 struct fd_event *fde, 2132 uint16_t flags, 2133 void *private_data) 2134{ 2135 struct smbd_server_connection *conn = talloc_get_type(private_data, 2136 struct smbd_server_connection); 2137 2138 if (flags & EVENT_FD_WRITE) { 2139 smbd_server_connection_write_handler(conn); 2140 } else if (flags & EVENT_FD_READ) { 2141 smbd_server_connection_read_handler(conn); 2142 } 2143} 2144 2145 2146/**************************************************************************** 2147received when we should release a specific IP 2148****************************************************************************/ 2149static void release_ip(const char *ip, void *priv) 2150{ 2151 char addr[INET6_ADDRSTRLEN]; 2152 char *p = addr; 2153 2154 client_socket_addr(get_client_fd(),addr,sizeof(addr)); 2155 2156 if (strncmp("::ffff:", addr, 7) == 0) { 2157 p = addr + 7; 2158 } 2159 2160 if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) { 2161 /* we can't afford to do a clean exit - that involves 2162 database writes, which would potentially mean we 2163 are still running after the failover has finished - 2164 we have to get rid of this process ID straight 2165 away */ 2166 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n", 2167 ip)); 2168 /* note we must exit with non-zero status so the unclean handler gets 2169 called in the parent, so that the brl database is tickled */ 2170 _exit(1); 2171 } 2172} 2173 2174static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data, 2175 uint32_t msg_type, struct server_id server_id, DATA_BLOB *data) 2176{ 2177 release_ip((char *)data->data, NULL); 2178} 2179 2180#ifdef CLUSTER_SUPPORT 2181static int client_get_tcp_info(struct sockaddr_storage *server, 2182 struct sockaddr_storage *client) 2183{ 2184 socklen_t length; 2185 if (server_fd == -1) { 2186 return -1; 2187 } 2188 length = sizeof(*server); 2189 if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) { 2190 return -1; 2191 } 2192 length = sizeof(*client); 2193 if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) { 2194 return -1; 2195 } 2196 return 0; 2197} 2198#endif 2199 2200/* 2201 * Send keepalive packets to our client 2202 */ 2203static bool keepalive_fn(const struct timeval *now, void *private_data) 2204{ 2205 if (!send_keepalive(smbd_server_fd())) { 2206 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) ); 2207 return False; 2208 } 2209 return True; 2210} 2211 2212/* 2213 * Do the recurring check if we're idle 2214 */ 2215static bool deadtime_fn(const struct timeval *now, void *private_data) 2216{ 2217 struct smbd_server_connection *sconn = smbd_server_conn; 2218 if ((conn_num_open(sconn) == 0) 2219 || (conn_idle_all(sconn, now->tv_sec))) { 2220 DEBUG( 2, ( "Closing idle connection\n" ) ); 2221 messaging_send(smbd_messaging_context(), procid_self(), 2222 MSG_SHUTDOWN, &data_blob_null); 2223 return False; 2224 } 2225 2226 return True; 2227} 2228 2229/* 2230 * Do the recurring log file and smb.conf reload checks. 2231 */ 2232 2233static bool housekeeping_fn(const struct timeval *now, void *private_data) 2234{ 2235 change_to_root_user(); 2236 2237 /* update printer queue caches if necessary */ 2238 update_monitored_printq_cache(); 2239 2240 /* check if we need to reload services */ 2241 check_reload(time(NULL)); 2242 2243 /* Change machine password if neccessary. */ 2244 attempt_machine_password_change(); 2245 2246 /* 2247 * Force a log file check. 2248 */ 2249 force_check_log_size(); 2250 check_log_size(); 2251 return true; 2252} 2253 2254/**************************************************************************** 2255 Process commands from the client 2256****************************************************************************/ 2257 2258void smbd_process(void) 2259{ 2260 TALLOC_CTX *frame = talloc_stackframe(); 2261 char remaddr[INET6_ADDRSTRLEN]; 2262 2263 if (lp_maxprotocol() == PROTOCOL_SMB2 && 2264 lp_security() != SEC_SHARE) { 2265 smbd_server_conn->allow_smb2 = true; 2266 } 2267 2268 /* Ensure child is set to blocking mode */ 2269 set_blocking(smbd_server_fd(),True); 2270 2271 set_socket_options(smbd_server_fd(),"SO_KEEPALIVE"); 2272 set_socket_options(smbd_server_fd(), lp_socket_options()); 2273 2274 /* this is needed so that we get decent entries 2275 in smbstatus for port 445 connects */ 2276 set_remote_machine_name(get_peer_addr(smbd_server_fd(), 2277 remaddr, 2278 sizeof(remaddr)), 2279 false); 2280 reload_services(true); 2281 2282 /* 2283 * Before the first packet, check the global hosts allow/ hosts deny 2284 * parameters before doing any parsing of packets passed to us by the 2285 * client. This prevents attacks on our parsing code from hosts not in 2286 * the hosts allow list. 2287 */ 2288 2289 if (!check_access(smbd_server_fd(), lp_hostsallow(-1), 2290 lp_hostsdeny(-1))) { 2291 char addr[INET6_ADDRSTRLEN]; 2292 2293 /* 2294 * send a negative session response "not listening on calling 2295 * name" 2296 */ 2297 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81}; 2298 DEBUG( 1, ("Connection denied from %s\n", 2299 client_addr(get_client_fd(),addr,sizeof(addr)) ) ); 2300 (void)srv_send_smb(smbd_server_fd(),(char *)buf, false, 2301 0, false, NULL); 2302 exit_server_cleanly("connection denied"); 2303 } 2304 2305 static_init_rpc; 2306 2307 init_modules(); 2308 2309 smb_perfcount_init(); 2310 2311 if (!init_account_policy()) { 2312 exit_server("Could not open account policy tdb.\n"); 2313 } 2314 2315 if (*lp_rootdir()) { 2316 if (chroot(lp_rootdir()) != 0) { 2317 DEBUG(0,("Failed to change root to %s\n", lp_rootdir())); 2318 exit_server("Failed to chroot()"); 2319 } 2320 if (chdir("/") == -1) { 2321 DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir())); 2322 exit_server("Failed to chroot()"); 2323 } 2324 DEBUG(0,("Changed root to %s\n", lp_rootdir())); 2325 } 2326 2327 if (!srv_init_signing(smbd_server_conn)) { 2328 exit_server("Failed to init smb_signing"); 2329 } 2330 2331 /* Setup oplocks */ 2332 if (!init_oplocks(smbd_messaging_context())) 2333 exit_server("Failed to init oplocks"); 2334 2335 /* Setup aio signal handler. */ 2336 initialize_async_io_handler(); 2337 2338 /* register our message handlers */ 2339 messaging_register(smbd_messaging_context(), NULL, 2340 MSG_SMB_FORCE_TDIS, msg_force_tdis); 2341 messaging_register(smbd_messaging_context(), NULL, 2342 MSG_SMB_RELEASE_IP, msg_release_ip); 2343 messaging_register(smbd_messaging_context(), NULL, 2344 MSG_SMB_CLOSE_FILE, msg_close_file); 2345 2346 /* 2347 * Use the default MSG_DEBUG handler to avoid rebroadcasting 2348 * MSGs to all child processes 2349 */ 2350 messaging_deregister(smbd_messaging_context(), 2351 MSG_DEBUG, NULL); 2352 messaging_register(smbd_messaging_context(), NULL, 2353 MSG_DEBUG, debug_message); 2354 2355 if ((lp_keepalive() != 0) 2356 && !(event_add_idle(smbd_event_context(), NULL, 2357 timeval_set(lp_keepalive(), 0), 2358 "keepalive", keepalive_fn, 2359 NULL))) { 2360 DEBUG(0, ("Could not add keepalive event\n")); 2361 exit(1); 2362 } 2363 2364 if (!(event_add_idle(smbd_event_context(), NULL, 2365 timeval_set(IDLE_CLOSED_TIMEOUT, 0), 2366 "deadtime", deadtime_fn, NULL))) { 2367 DEBUG(0, ("Could not add deadtime event\n")); 2368 exit(1); 2369 } 2370 2371 if (!(event_add_idle(smbd_event_context(), NULL, 2372 timeval_set(SMBD_SELECT_TIMEOUT, 0), 2373 "housekeeping", housekeeping_fn, NULL))) { 2374 DEBUG(0, ("Could not add housekeeping event\n")); 2375 exit(1); 2376 } 2377 2378#ifdef CLUSTER_SUPPORT 2379 2380 if (lp_clustering()) { 2381 /* 2382 * We need to tell ctdb about our client's TCP 2383 * connection, so that for failover ctdbd can send 2384 * tickle acks, triggering a reconnection by the 2385 * client. 2386 */ 2387 2388 struct sockaddr_storage srv, clnt; 2389 2390 if (client_get_tcp_info(&srv, &clnt) == 0) { 2391 2392 NTSTATUS status; 2393 2394 status = ctdbd_register_ips( 2395 messaging_ctdbd_connection(), 2396 &srv, &clnt, release_ip, NULL); 2397 2398 if (!NT_STATUS_IS_OK(status)) { 2399 DEBUG(0, ("ctdbd_register_ips failed: %s\n", 2400 nt_errstr(status))); 2401 } 2402 } else 2403 { 2404 DEBUG(0,("Unable to get tcp info for " 2405 "CTDB_CONTROL_TCP_CLIENT: %s\n", 2406 strerror(errno))); 2407 } 2408 } 2409 2410#endif 2411 2412 smbd_server_conn->nbt.got_session = false; 2413 2414 smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE); 2415 2416 smbd_server_conn->smb1.sessions.done_sesssetup = false; 2417 smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE; 2418 smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID; 2419 /* users from session setup */ 2420 smbd_server_conn->smb1.sessions.session_userlist = NULL; 2421 /* workgroup from session setup. */ 2422 smbd_server_conn->smb1.sessions.session_workgroup = NULL; 2423 /* this holds info on user ids that are already validated for this VC */ 2424 smbd_server_conn->smb1.sessions.validated_users = NULL; 2425 smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET; 2426 smbd_server_conn->smb1.sessions.num_validated_vuids = 0; 2427#ifdef HAVE_NETGROUP 2428 smbd_server_conn->smb1.sessions.my_yp_domain = NULL; 2429#endif 2430 2431 conn_init(smbd_server_conn); 2432 if (!init_dptrs(smbd_server_conn)) { 2433 exit_server("init_dptrs() failed"); 2434 } 2435 2436 smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(), 2437 smbd_server_conn, 2438 smbd_server_fd(), 2439 EVENT_FD_READ, 2440 smbd_server_connection_handler, 2441 smbd_server_conn); 2442 if (!smbd_server_conn->smb1.fde) { 2443 exit_server("failed to create smbd_server_connection fde"); 2444 } 2445 2446 TALLOC_FREE(frame); 2447 2448 while (True) { 2449 NTSTATUS status; 2450 2451 frame = talloc_stackframe_pool(8192); 2452 2453 errno = 0; 2454 2455 status = smbd_server_connection_loop_once(smbd_server_conn); 2456 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) && 2457 !NT_STATUS_IS_OK(status)) { 2458 DEBUG(3, ("smbd_server_connection_loop_once failed: %s," 2459 " exiting\n", nt_errstr(status))); 2460 break; 2461 } 2462 2463 TALLOC_FREE(frame); 2464 } 2465 2466 exit_server_cleanly(NULL); 2467} 2468 2469bool req_is_in_chain(struct smb_request *req) 2470{ 2471 if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) { 2472 /* 2473 * We're right now handling a subsequent request, so we must 2474 * be in a chain 2475 */ 2476 return true; 2477 } 2478 2479 if (!is_andx_req(req->cmd)) { 2480 return false; 2481 } 2482 2483 if (req->wct < 2) { 2484 /* 2485 * Okay, an illegal request, but definitely not chained :-) 2486 */ 2487 return false; 2488 } 2489 2490 return (CVAL(req->vwv+0, 0) != 0xFF); 2491} 2492