/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- cli_pull_error
- cli_set_error
- cli_new_mid
- cli_request_print
- cli_request_destructor
- cli_in_chain
- find_andx_cmd_ofs
- smb_splice_chain
- cli_async_req_destructor
- cli_request_chain
- request_timeout_handler
- cli_chain_cork
- cli_chain_uncork
- cli_request_send
- cli_wct_ofs
- have_andx_command
- cli_pull_reply
- validate_smb_crypto
- handle_incoming_pdu
- cli_state_handler
1 /*
2 Unix SMB/CIFS implementation.
3 Infrastructure for async SMB client requests
4 Copyright (C) Volker Lendecke 2008
5
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
10
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
15
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
18 */
19
20 #include "includes.h"
21
22 static void cli_state_handler(struct event_context *event_ctx,
23 struct fd_event *event, uint16 flags, void *p);
24
25 /**
26 * Fetch an error out of a NBT packet
27 * @param[in] buf The SMB packet
28 * @retval The error, converted to NTSTATUS
29 */
30
31 NTSTATUS cli_pull_error(char *buf)
/* [<][>][^][v][top][bottom][index][help] */
32 {
33 uint32_t flags2 = SVAL(buf, smb_flg2);
34
35 if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
36 return NT_STATUS(IVAL(buf, smb_rcls));
37 }
38
39 /* if the client uses dos errors, but there is no error,
40 we should return no error here, otherwise it looks
41 like an unknown bad NT_STATUS. jmcd */
42 if (CVAL(buf, smb_rcls) == 0)
43 return NT_STATUS_OK;
44
45 return NT_STATUS_DOS(CVAL(buf, smb_rcls), SVAL(buf,smb_err));
46 }
47
48 /**
49 * Compatibility helper for the sync APIs: Fake NTSTATUS in cli->inbuf
50 * @param[in] cli The client connection that just received an error
51 * @param[in] status The error to set on "cli"
52 */
53
54 void cli_set_error(struct cli_state *cli, NTSTATUS status)
/* [<][>][^][v][top][bottom][index][help] */
55 {
56 uint32_t flags2 = SVAL(cli->inbuf, smb_flg2);
57
58 if (NT_STATUS_IS_DOS(status)) {
59 SSVAL(cli->inbuf, smb_flg2,
60 flags2 & ~FLAGS2_32_BIT_ERROR_CODES);
61 SCVAL(cli->inbuf, smb_rcls, NT_STATUS_DOS_CLASS(status));
62 SSVAL(cli->inbuf, smb_err, NT_STATUS_DOS_CODE(status));
63 return;
64 }
65
66 SSVAL(cli->inbuf, smb_flg2, flags2 | FLAGS2_32_BIT_ERROR_CODES);
67 SIVAL(cli->inbuf, smb_rcls, NT_STATUS_V(status));
68 return;
69 }
70
71 /**
72 * Allocate a new mid
73 * @param[in] cli The client connection
74 * @retval The new, unused mid
75 */
76
77 static uint16_t cli_new_mid(struct cli_state *cli)
/* [<][>][^][v][top][bottom][index][help] */
78 {
79 uint16_t result;
80 struct cli_request *req;
81
82 while (true) {
83 result = cli->mid++;
84 if (result == 0) {
85 continue;
86 }
87
88 for (req = cli->outstanding_requests; req; req = req->next) {
89 if (result == req->mid) {
90 break;
91 }
92 }
93
94 if (req == NULL) {
95 return result;
96 }
97 }
98 }
99
100 /**
101 * Print an async req that happens to be a cli_request
102 * @param[in] mem_ctx The TALLOC_CTX to put the result on
103 * @param[in] req The request to print
104 * @retval The string representation of "req"
105 */
106
107 static char *cli_request_print(TALLOC_CTX *mem_ctx, struct async_req *req)
/* [<][>][^][v][top][bottom][index][help] */
108 {
109 char *result = async_req_print(mem_ctx, req);
110 struct cli_request *cli_req = talloc_get_type_abort(
111 req->private_data, struct cli_request);
112
113 if (result == NULL) {
114 return NULL;
115 }
116
117 return talloc_asprintf_append_buffer(
118 result, "mid=%d\n", cli_req->mid);
119 }
120
121 /**
122 * Destroy a cli_request
123 * @param[in] req The cli_request to kill
124 * @retval Can't fail
125 */
126
127 static int cli_request_destructor(struct cli_request *req)
/* [<][>][^][v][top][bottom][index][help] */
128 {
129 if (req->enc_state != NULL) {
130 common_free_enc_buffer(req->enc_state, (char *)req->outbuf);
131 }
132 DLIST_REMOVE(req->cli->outstanding_requests, req);
133 if (req->cli->outstanding_requests == NULL) {
134 TALLOC_FREE(req->cli->fd_event);
135 }
136 return 0;
137 }
138
139 /**
140 * Are there already requests waiting in the chain_accumulator?
141 * @param[in] cli The cli_state we want to check
142 * @retval reply :-)
143 */
144
145 bool cli_in_chain(struct cli_state *cli)
/* [<][>][^][v][top][bottom][index][help] */
146 {
147 if (cli->chain_accumulator == NULL) {
148 return false;
149 }
150
151 return (cli->chain_accumulator->num_async != 0);
152 }
153
154 /**
155 * @brief Find the smb_cmd offset of the last command pushed
156 * @param[in] buf The buffer we're building up
157 * @retval Where can we put our next andx cmd?
158 *
159 * While chaining requests, the "next" request we're looking at needs to put
160 * its SMB_Command before the data the previous request already built up added
161 * to the chain. Find the offset to the place where we have to put our cmd.
162 */
163
164 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
/* [<][>][^][v][top][bottom][index][help] */
165 {
166 uint8_t cmd;
167 size_t ofs;
168
169 cmd = CVAL(buf, smb_com);
170
171 SMB_ASSERT(is_andx_req(cmd));
172
173 ofs = smb_vwv0;
174
175 while (CVAL(buf, ofs) != 0xff) {
176
177 if (!is_andx_req(CVAL(buf, ofs))) {
178 return false;
179 }
180
181 /*
182 * ofs is from start of smb header, so add the 4 length
183 * bytes. The next cmd is right after the wct field.
184 */
185 ofs = SVAL(buf, ofs+2) + 4 + 1;
186
187 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
188 }
189
190 *pofs = ofs;
191 return true;
192 }
193
194 /**
195 * @brief Do the smb chaining at a buffer level
196 * @param[in] poutbuf Pointer to the talloc'ed buffer to be modified
197 * @param[in] smb_command The command that we want to issue
198 * @param[in] wct How many words?
199 * @param[in] vwv The words, already in network order
200 * @param[in] bytes_alignment How shall we align "bytes"?
201 * @param[in] num_bytes How many bytes?
202 * @param[in] bytes The data the request ships
203 *
204 * smb_splice_chain() adds the vwv and bytes to the request already present in
205 * *poutbuf.
206 */
207
208 bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
/* [<][>][^][v][top][bottom][index][help] */
209 uint8_t wct, const uint16_t *vwv,
210 size_t bytes_alignment,
211 uint32_t num_bytes, const uint8_t *bytes)
212 {
213 uint8_t *outbuf;
214 size_t old_size, new_size;
215 size_t ofs;
216 size_t chain_padding = 0;
217 size_t bytes_padding = 0;
218 bool first_request;
219
220 old_size = talloc_get_size(*poutbuf);
221
222 /*
223 * old_size == smb_wct means we're pushing the first request in for
224 * libsmb/
225 */
226
227 first_request = (old_size == smb_wct);
228
229 if (!first_request && ((old_size % 4) != 0)) {
230 /*
231 * Align the wct field of subsequent requests to a 4-byte
232 * boundary
233 */
234 chain_padding = 4 - (old_size % 4);
235 }
236
237 /*
238 * After the old request comes the new wct field (1 byte), the vwv's
239 * and the num_bytes field. After at we might need to align the bytes
240 * given to us to "bytes_alignment", increasing the num_bytes value.
241 */
242
243 new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
244
245 if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
246 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
247 }
248
249 new_size += bytes_padding + num_bytes;
250
251 if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
252 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
253 (unsigned)new_size));
254 return false;
255 }
256
257 outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
258 if (outbuf == NULL) {
259 DEBUG(0, ("talloc failed\n"));
260 return false;
261 }
262 *poutbuf = outbuf;
263
264 if (first_request) {
265 SCVAL(outbuf, smb_com, smb_command);
266 } else {
267 size_t andx_cmd_ofs;
268
269 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
270 DEBUG(1, ("invalid command chain\n"));
271 *poutbuf = TALLOC_REALLOC_ARRAY(
272 NULL, *poutbuf, uint8_t, old_size);
273 return false;
274 }
275
276 if (chain_padding != 0) {
277 memset(outbuf + old_size, 0, chain_padding);
278 old_size += chain_padding;
279 }
280
281 SCVAL(outbuf, andx_cmd_ofs, smb_command);
282 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
283 }
284
285 ofs = old_size;
286
287 /*
288 * Push the chained request:
289 *
290 * wct field
291 */
292
293 SCVAL(outbuf, ofs, wct);
294 ofs += 1;
295
296 /*
297 * vwv array
298 */
299
300 memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
301 ofs += sizeof(uint16_t) * wct;
302
303 /*
304 * bcc (byte count)
305 */
306
307 SSVAL(outbuf, ofs, num_bytes + bytes_padding);
308 ofs += sizeof(uint16_t);
309
310 /*
311 * padding
312 */
313
314 if (bytes_padding != 0) {
315 memset(outbuf + ofs, 0, bytes_padding);
316 ofs += bytes_padding;
317 }
318
319 /*
320 * The bytes field
321 */
322
323 memcpy(outbuf + ofs, bytes, num_bytes);
324
325 return true;
326 }
327
328 /**
329 * @brief Destroy an async_req that is the visible part of a cli_request
330 * @param[in] req The request to kill
331 * @retval Return 0 to make talloc happy
332 *
333 * This destructor is a bit tricky: Because a cli_request can host more than
334 * one async_req for chained requests, we need to make sure that the
335 * "cli_request" that we were part of is correctly destroyed at the right
336 * time. This is done by NULLing out ourself from the "async" member of our
337 * "cli_request". If there is none left, then also TALLOC_FREE() the
338 * cli_request, which was a talloc child of the client connection cli_state.
339 */
340
341 static int cli_async_req_destructor(struct async_req *req)
/* [<][>][^][v][top][bottom][index][help] */
342 {
343 struct cli_request *cli_req = talloc_get_type_abort(
344 req->private_data, struct cli_request);
345 int i, pending;
346 bool found = false;
347
348 pending = 0;
349
350 for (i=0; i<cli_req->num_async; i++) {
351 if (cli_req->async[i] == req) {
352 cli_req->async[i] = NULL;
353 found = true;
354 }
355 if (cli_req->async[i] != NULL) {
356 pending += 1;
357 }
358 }
359
360 SMB_ASSERT(found);
361
362 if (pending == 0) {
363 TALLOC_FREE(cli_req);
364 }
365
366 return 0;
367 }
368
369 /**
370 * @brief Chain up a request
371 * @param[in] mem_ctx The TALLOC_CTX for the result
372 * @param[in] ev The event context that will call us back
373 * @param[in] cli The cli_state we queue the request up for
374 * @param[in] smb_command The command that we want to issue
375 * @param[in] additional_flags open_and_x wants to add oplock header flags
376 * @param[in] wct How many words?
377 * @param[in] vwv The words, already in network order
378 * @param[in] bytes_alignment How shall we align "bytes"?
379 * @param[in] num_bytes How many bytes?
380 * @param[in] bytes The data the request ships
381 *
382 * cli_request_chain() is the core of the SMB request marshalling routine. It
383 * will create a new async_req structure in the cli->chain_accumulator->async
384 * array and marshall the smb_cmd, the vwv array and the bytes into
385 * cli->chain_accumulator->outbuf.
386 */
387
388 static struct async_req *cli_request_chain(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
389 struct event_context *ev,
390 struct cli_state *cli,
391 uint8_t smb_command,
392 uint8_t additional_flags,
393 uint8_t wct, const uint16_t *vwv,
394 size_t bytes_alignment,
395 uint32_t num_bytes,
396 const uint8_t *bytes)
397 {
398 struct async_req **tmp_reqs;
399 struct cli_request *req;
400
401 req = cli->chain_accumulator;
402
403 tmp_reqs = TALLOC_REALLOC_ARRAY(req, req->async, struct async_req *,
404 req->num_async + 1);
405 if (tmp_reqs == NULL) {
406 DEBUG(0, ("talloc failed\n"));
407 return NULL;
408 }
409 req->async = tmp_reqs;
410 req->num_async += 1;
411
412 req->async[req->num_async-1] = async_req_new(mem_ctx);
413 if (req->async[req->num_async-1] == NULL) {
414 DEBUG(0, ("async_req_new failed\n"));
415 req->num_async -= 1;
416 return NULL;
417 }
418 req->async[req->num_async-1]->private_data = req;
419 req->async[req->num_async-1]->print = cli_request_print;
420 talloc_set_destructor(req->async[req->num_async-1],
421 cli_async_req_destructor);
422
423 if (!smb_splice_chain(&req->outbuf, smb_command, wct, vwv,
424 bytes_alignment, num_bytes, bytes)) {
425 goto fail;
426 }
427
428 return req->async[req->num_async-1];
429
430 fail:
431 TALLOC_FREE(req->async[req->num_async-1]);
432 req->num_async -= 1;
433 return NULL;
434 }
435
436 static void request_timeout_handler(struct event_context *ctx,
/* [<][>][^][v][top][bottom][index][help] */
437 struct timed_event *te,
438 struct timeval now,
439 void *private_data)
440 {
441 struct cli_request *cli_req = talloc_get_type_abort(private_data, struct cli_request);
442 int num_async = cli_req->num_async;
443 int i;
444 TALLOC_FREE(cli_req->timer);
445 for (i = 0; i < num_async; i++) {
446 if (cli_req->async[i]) {
447 async_req_nterror(cli_req->async[i], NT_STATUS_IO_TIMEOUT);
448 return;
449 }
450 }
451 return;
452 }
453
454 /**
455 * @brief prepare a cli_state to accept a chain of requests
456 * @param[in] cli The cli_state we want to queue up in
457 * @param[in] ev The event_context that will call us back for the socket
458 * @param[in] size_hint How many bytes are expected, just an optimization
459 * @retval Did we have enough memory?
460 *
461 * cli_chain_cork() sets up a new cli_request in cli->chain_accumulator. If
462 * cli is used in an async fashion, i.e. if we have outstanding requests, then
463 * we do not have to create a fd event. If cli is used only with the sync
464 * helpers, we need to create the fd_event here.
465 *
466 * If you want to issue a chained request to the server, do a
467 * cli_chain_cork(), then do you cli_open_send(), cli_read_and_x_send(),
468 * cli_close_send() and so on. The async requests that come out of
469 * cli_xxx_send() are normal async requests with the difference that they
470 * won't be shipped individually. But the event_context will still trigger the
471 * req->async.fn to be called on every single request.
472 *
473 * You have to take care yourself that you only issue chainable requests in
474 * the middle of the chain.
475 */
476
477 bool cli_chain_cork(struct cli_state *cli, struct event_context *ev,
/* [<][>][^][v][top][bottom][index][help] */
478 size_t size_hint)
479 {
480 struct cli_request *req = NULL;
481 struct timeval endtime;
482
483 SMB_ASSERT(cli->chain_accumulator == NULL);
484
485 if (cli->fd == -1) {
486 DEBUG(10, ("cli->fd closed\n"));
487 return false;
488 }
489
490 if (cli->fd_event == NULL) {
491 SMB_ASSERT(cli->outstanding_requests == NULL);
492 cli->fd_event = event_add_fd(ev, cli, cli->fd,
493 EVENT_FD_READ,
494 cli_state_handler, cli);
495 if (cli->fd_event == NULL) {
496 return false;
497 }
498 }
499
500 req = talloc(cli, struct cli_request);
501 if (req == NULL) {
502 goto fail;
503 }
504 req->cli = cli;
505
506 if (size_hint == 0) {
507 size_hint = 100;
508 }
509 req->outbuf = talloc_array(req, uint8_t, smb_wct + size_hint);
510 if (req->outbuf == NULL) {
511 goto fail;
512 }
513 req->outbuf = TALLOC_REALLOC_ARRAY(NULL, req->outbuf, uint8_t,
514 smb_wct);
515
516 req->num_async = 0;
517 req->async = NULL;
518
519 req->enc_state = NULL;
520 req->recv_helper.fn = NULL;
521 endtime = timeval_current_ofs(0, cli->timeout * 1000);
522 req->timer = event_add_timed(ev, req, endtime, request_timeout_handler, req);
523 if (!req->timer) {
524 goto fail;
525 }
526
527 SSVAL(req->outbuf, smb_tid, cli->cnum);
528 cli_setup_packet_buf(cli, (char *)req->outbuf);
529
530 req->mid = cli_new_mid(cli);
531
532 cli->chain_accumulator = req;
533
534 DEBUG(10, ("cli_chain_cork: mid=%d\n", req->mid));
535
536 return true;
537 fail:
538 TALLOC_FREE(req);
539 if (cli->outstanding_requests == NULL) {
540 TALLOC_FREE(cli->fd_event);
541 }
542 return false;
543 }
544
545 /**
546 * Ship a request queued up via cli_request_chain()
547 * @param[in] cl The connection
548 */
549
550 void cli_chain_uncork(struct cli_state *cli)
/* [<][>][^][v][top][bottom][index][help] */
551 {
552 struct cli_request *req = cli->chain_accumulator;
553 size_t smblen;
554
555 SMB_ASSERT(req != NULL);
556
557 DLIST_ADD_END(cli->outstanding_requests, req, struct cli_request *);
558 talloc_set_destructor(req, cli_request_destructor);
559
560 cli->chain_accumulator = NULL;
561
562 SSVAL(req->outbuf, smb_mid, req->mid);
563
564 smblen = talloc_get_size(req->outbuf) - 4;
565
566 smb_setlen((char *)req->outbuf, smblen);
567
568 if (smblen > 0x1ffff) {
569 /*
570 * This is a POSIX 14 word large write. Overwrite just the
571 * size field, the '0xFFSMB' has been set by smb_setlen which
572 * _smb_setlen_large does not do.
573 */
574 _smb_setlen_large(((char *)req->outbuf), smblen);
575 }
576
577 cli_calculate_sign_mac(cli, (char *)req->outbuf);
578
579 if (cli_encryption_on(cli)) {
580 NTSTATUS status;
581 char *enc_buf;
582
583 status = cli_encrypt_message(cli, (char *)req->outbuf,
584 &enc_buf);
585 if (!NT_STATUS_IS_OK(status)) {
586 DEBUG(0, ("Error in encrypting client message. "
587 "Error %s\n", nt_errstr(status)));
588 TALLOC_FREE(req);
589 return;
590 }
591 req->outbuf = (uint8_t *)enc_buf;
592 req->enc_state = cli->trans_enc_state;
593 }
594
595 req->sent = 0;
596
597 event_fd_set_writeable(cli->fd_event);
598 }
599
600 /**
601 * @brief Send a request to the server
602 * @param[in] mem_ctx The TALLOC_CTX for the result
603 * @param[in] ev The event context that will call us back
604 * @param[in] cli The cli_state we queue the request up for
605 * @param[in] smb_command The command that we want to issue
606 * @param[in] additional_flags open_and_x wants to add oplock header flags
607 * @param[in] wct How many words?
608 * @param[in] vwv The words, already in network order
609 * @param[in] bytes_alignment How shall we align "bytes"?
610 * @param[in] num_bytes How many bytes?
611 * @param[in] bytes The data the request ships
612 *
613 * This is the generic routine to be used by the cli_xxx_send routines.
614 */
615
616 struct async_req *cli_request_send(TALLOC_CTX *mem_ctx,
/* [<][>][^][v][top][bottom][index][help] */
617 struct event_context *ev,
618 struct cli_state *cli,
619 uint8_t smb_command,
620 uint8_t additional_flags,
621 uint8_t wct, const uint16_t *vwv,
622 size_t bytes_alignment,
623 uint32_t num_bytes, const uint8_t *bytes)
624 {
625 struct async_req *result;
626 bool uncork = false;
627
628 if (cli->chain_accumulator == NULL) {
629 if (!cli_chain_cork(cli, ev,
630 wct * sizeof(uint16_t) + num_bytes + 3)) {
631 DEBUG(1, ("cli_chain_cork failed\n"));
632 return NULL;
633 }
634 uncork = true;
635 }
636
637 result = cli_request_chain(mem_ctx, ev, cli, smb_command,
638 additional_flags, wct, vwv, bytes_alignment,
639 num_bytes, bytes);
640
641 if (result == NULL) {
642 DEBUG(1, ("cli_request_chain failed\n"));
643 }
644
645 if (uncork) {
646 cli_chain_uncork(cli);
647 }
648
649 return result;
650 }
651
652 /**
653 * Calculate the current ofs to wct for requests like write&x
654 * @param[in] req The smb request we're currently building
655 * @retval how many bytes offset have we accumulated?
656 */
657
658 uint16_t cli_wct_ofs(const struct cli_state *cli)
/* [<][>][^][v][top][bottom][index][help] */
659 {
660 size_t buf_size;
661
662 if (cli->chain_accumulator == NULL) {
663 return smb_wct - 4;
664 }
665
666 buf_size = talloc_get_size(cli->chain_accumulator->outbuf);
667
668 if (buf_size == smb_wct) {
669 return smb_wct - 4;
670 }
671
672 /*
673 * Add alignment for subsequent requests
674 */
675
676 if ((buf_size % 4) != 0) {
677 buf_size += (4 - (buf_size % 4));
678 }
679
680 return buf_size - 4;
681 }
682
683 /**
684 * Figure out if there is an andx command behind the current one
685 * @param[in] buf The smb buffer to look at
686 * @param[in] ofs The offset to the wct field that is followed by the cmd
687 * @retval Is there a command following?
688 */
689
690 static bool have_andx_command(const char *buf, uint16_t ofs)
/* [<][>][^][v][top][bottom][index][help] */
691 {
692 uint8_t wct;
693 size_t buflen = talloc_get_size(buf);
694
695 if ((ofs == buflen-1) || (ofs == buflen)) {
696 return false;
697 }
698
699 wct = CVAL(buf, ofs);
700 if (wct < 2) {
701 /*
702 * Not enough space for the command and a following pointer
703 */
704 return false;
705 }
706 return (CVAL(buf, ofs+1) != 0xff);
707 }
708
709 /**
710 * @brief Pull reply data out of a request
711 * @param[in] req The request that we just received a reply for
712 * @param[out] pwct How many words did the server send?
713 * @param[out] pvwv The words themselves
714 * @param[out] pnum_bytes How many bytes did the server send?
715 * @param[out] pbytes The bytes themselves
716 * @retval Was the reply formally correct?
717 */
718
719 NTSTATUS cli_pull_reply(struct async_req *req,
/* [<][>][^][v][top][bottom][index][help] */
720 uint8_t *pwct, uint16_t **pvwv,
721 uint16_t *pnum_bytes, uint8_t **pbytes)
722 {
723 struct cli_request *cli_req = talloc_get_type_abort(
724 req->private_data, struct cli_request);
725 uint8_t wct, cmd;
726 uint16_t num_bytes;
727 size_t wct_ofs, bytes_offset;
728 int i, j;
729 NTSTATUS status;
730
731 for (i = 0; i < cli_req->num_async; i++) {
732 if (req == cli_req->async[i]) {
733 break;
734 }
735 }
736
737 if (i == cli_req->num_async) {
738 cli_set_error(cli_req->cli, NT_STATUS_INVALID_PARAMETER);
739 return NT_STATUS_INVALID_PARAMETER;
740 }
741
742 /**
743 * The status we pull here is only relevant for the last reply in the
744 * chain.
745 */
746
747 status = cli_pull_error(cli_req->inbuf);
748
749 if (i == 0) {
750 if (NT_STATUS_IS_ERR(status)
751 && !have_andx_command(cli_req->inbuf, smb_wct)) {
752 cli_set_error(cli_req->cli, status);
753 return status;
754 }
755 wct_ofs = smb_wct;
756 goto done;
757 }
758
759 cmd = CVAL(cli_req->inbuf, smb_com);
760 wct_ofs = smb_wct;
761
762 for (j = 0; j < i; j++) {
763 if (j < i-1) {
764 if (cmd == 0xff) {
765 return NT_STATUS_REQUEST_ABORTED;
766 }
767 if (!is_andx_req(cmd)) {
768 return NT_STATUS_INVALID_NETWORK_RESPONSE;
769 }
770 }
771
772 if (!have_andx_command(cli_req->inbuf, wct_ofs)) {
773 /*
774 * This request was not completed because a previous
775 * request in the chain had received an error.
776 */
777 return NT_STATUS_REQUEST_ABORTED;
778 }
779
780 wct_ofs = SVAL(cli_req->inbuf, wct_ofs + 3);
781
782 /*
783 * Skip the all-present length field. No overflow, we've just
784 * put a 16-bit value into a size_t.
785 */
786 wct_ofs += 4;
787
788 if (wct_ofs+2 > talloc_get_size(cli_req->inbuf)) {
789 return NT_STATUS_INVALID_NETWORK_RESPONSE;
790 }
791
792 cmd = CVAL(cli_req->inbuf, wct_ofs + 1);
793 }
794
795 if (!have_andx_command(cli_req->inbuf, wct_ofs)
796 && NT_STATUS_IS_ERR(status)) {
797 /*
798 * The last command takes the error code. All further commands
799 * down the requested chain will get a
800 * NT_STATUS_REQUEST_ABORTED.
801 */
802 return status;
803 }
804
805 done:
806 wct = CVAL(cli_req->inbuf, wct_ofs);
807
808 bytes_offset = wct_ofs + 1 + wct * sizeof(uint16_t);
809 num_bytes = SVAL(cli_req->inbuf, bytes_offset);
810
811 /*
812 * wct_ofs is a 16-bit value plus 4, wct is a 8-bit value, num_bytes
813 * is a 16-bit value. So bytes_offset being size_t should be far from
814 * wrapping.
815 */
816
817 if ((bytes_offset + 2 > talloc_get_size(cli_req->inbuf))
818 || (bytes_offset > 0xffff)) {
819 return NT_STATUS_INVALID_NETWORK_RESPONSE;
820 }
821
822 *pwct = wct;
823 *pvwv = (uint16_t *)(cli_req->inbuf + wct_ofs + 1);
824 *pnum_bytes = num_bytes;
825 *pbytes = (uint8_t *)cli_req->inbuf + bytes_offset + 2;
826
827 return NT_STATUS_OK;
828 }
829
830 /**
831 * Decrypt a PDU, check the signature
832 * @param[in] cli The cli_state that received something
833 * @param[in] pdu The incoming bytes
834 * @retval error code
835 */
836
837
838 static NTSTATUS validate_smb_crypto(struct cli_state *cli, char *pdu)
/* [<][>][^][v][top][bottom][index][help] */
839 {
840 NTSTATUS status;
841
842 if ((IVAL(pdu, 4) != 0x424d53ff) /* 0xFF"SMB" */
843 && (SVAL(pdu, 4) != 0x45ff)) /* 0xFF"E" */ {
844 DEBUG(10, ("Got non-SMB PDU\n"));
845 return NT_STATUS_INVALID_NETWORK_RESPONSE;
846 }
847
848 if (cli_encryption_on(cli) && CVAL(pdu, 0) == 0) {
849 uint16_t enc_ctx_num;
850
851 status = get_enc_ctx_num((uint8_t *)pdu, &enc_ctx_num);
852 if (!NT_STATUS_IS_OK(status)) {
853 DEBUG(10, ("get_enc_ctx_num returned %s\n",
854 nt_errstr(status)));
855 return status;
856 }
857
858 if (enc_ctx_num != cli->trans_enc_state->enc_ctx_num) {
859 DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
860 enc_ctx_num,
861 cli->trans_enc_state->enc_ctx_num));
862 return NT_STATUS_INVALID_HANDLE;
863 }
864
865 status = common_decrypt_buffer(cli->trans_enc_state, pdu);
866 if (!NT_STATUS_IS_OK(status)) {
867 DEBUG(10, ("common_decrypt_buffer returned %s\n",
868 nt_errstr(status)));
869 return status;
870 }
871 }
872
873 if (!cli_check_sign_mac(cli, pdu)) {
874 DEBUG(10, ("cli_check_sign_mac failed\n"));
875 return NT_STATUS_ACCESS_DENIED;
876 }
877
878 return NT_STATUS_OK;
879 }
880
881 /**
882 * A PDU has arrived on cli->evt_inbuf
883 * @param[in] cli The cli_state that received something
884 */
885
886 static void handle_incoming_pdu(struct cli_state *cli)
/* [<][>][^][v][top][bottom][index][help] */
887 {
888 struct cli_request *req, *next;
889 uint16_t mid;
890 size_t raw_pdu_len, buf_len, pdu_len, rest_len;
891 char *pdu;
892 int i;
893 NTSTATUS status;
894
895 int num_async;
896
897 /*
898 * The encrypted PDU len might differ from the unencrypted one
899 */
900 raw_pdu_len = smb_len(cli->evt_inbuf) + 4;
901 buf_len = talloc_get_size(cli->evt_inbuf);
902 rest_len = buf_len - raw_pdu_len;
903
904 if (buf_len == raw_pdu_len) {
905 /*
906 * Optimal case: Exactly one PDU was in the socket buffer
907 */
908 pdu = cli->evt_inbuf;
909 cli->evt_inbuf = NULL;
910 }
911 else {
912 DEBUG(11, ("buf_len = %d, raw_pdu_len = %d, splitting "
913 "buffer\n", (int)buf_len, (int)raw_pdu_len));
914
915 if (raw_pdu_len < rest_len) {
916 /*
917 * The PDU is shorter, talloc_memdup that one.
918 */
919 pdu = (char *)talloc_memdup(
920 cli, cli->evt_inbuf, raw_pdu_len);
921
922 memmove(cli->evt_inbuf, cli->evt_inbuf + raw_pdu_len,
923 buf_len - raw_pdu_len);
924
925 cli->evt_inbuf = TALLOC_REALLOC_ARRAY(
926 NULL, cli->evt_inbuf, char, rest_len);
927
928 if (pdu == NULL) {
929 status = NT_STATUS_NO_MEMORY;
930 goto invalidate_requests;
931 }
932 }
933 else {
934 /*
935 * The PDU is larger than the rest, talloc_memdup the
936 * rest
937 */
938 pdu = cli->evt_inbuf;
939
940 cli->evt_inbuf = (char *)talloc_memdup(
941 cli, pdu + raw_pdu_len, rest_len);
942
943 if (cli->evt_inbuf == NULL) {
944 status = NT_STATUS_NO_MEMORY;
945 goto invalidate_requests;
946 }
947 }
948 }
949
950 if ((raw_pdu_len == 4) && (CVAL(pdu, 0) == SMBkeepalive)) {
951 DEBUG(10, ("Got keepalive\n"));
952 TALLOC_FREE(pdu);
953 return;
954 }
955
956 status = validate_smb_crypto(cli, pdu);
957 if (!NT_STATUS_IS_OK(status)) {
958 goto invalidate_requests;
959 }
960
961 mid = SVAL(pdu, smb_mid);
962
963 DEBUG(10, ("handle_incoming_pdu: got mid %d\n", mid));
964
965 for (req = cli->outstanding_requests; req; req = req->next) {
966 if (req->mid == mid) {
967 break;
968 }
969 }
970
971 pdu_len = smb_len(pdu) + 4;
972
973 if (req == NULL) {
974 DEBUG(3, ("Request for mid %d not found, dumping PDU\n", mid));
975
976 TALLOC_FREE(pdu);
977 return;
978 }
979
980 req->inbuf = talloc_move(req, &pdu);
981
982 /*
983 * Freeing the last async_req will free the req (see
984 * cli_async_req_destructor). So make a copy of req->num_async, we
985 * can't reference it in the last round.
986 */
987
988 num_async = req->num_async;
989
990 for (i=0; i<num_async; i++) {
991 /**
992 * A request might have been talloc_free()'ed before we arrive
993 * here. It will have removed itself from req->async via its
994 * destructor cli_async_req_destructor().
995 */
996 if (req->async[i] != NULL) {
997 if (req->recv_helper.fn != NULL) {
998 req->recv_helper.fn(req->async[i]);
999 } else {
1000 async_req_done(req->async[i]);
1001 }
1002 }
1003 }
1004 return;
1005
1006 invalidate_requests:
1007
1008 DEBUG(10, ("handle_incoming_pdu: Aborting with %s\n",
1009 nt_errstr(status)));
1010
1011 for (req = cli->outstanding_requests; req; req = next) {
1012 next = req->next;
1013 if (req->num_async) {
1014 async_req_nterror(req->async[0], status);
1015 }
1016 }
1017 return;
1018 }
1019
1020 /**
1021 * fd event callback. This is the basic connection to the socket
1022 * @param[in] event_ctx The event context that called us
1023 * @param[in] event The event that fired
1024 * @param[in] flags EVENT_FD_READ | EVENT_FD_WRITE
1025 * @param[in] p private_data, in this case the cli_state
1026 */
1027
1028 static void cli_state_handler(struct event_context *event_ctx,
/* [<][>][^][v][top][bottom][index][help] */
1029 struct fd_event *event, uint16 flags, void *p)
1030 {
1031 struct cli_state *cli = (struct cli_state *)p;
1032 struct cli_request *req, *next;
1033 NTSTATUS status;
1034
1035 DEBUG(11, ("cli_state_handler called with flags %d\n", flags));
1036
1037 if (flags & EVENT_FD_WRITE) {
1038 size_t to_send;
1039 ssize_t sent;
1040
1041 for (req = cli->outstanding_requests; req; req = req->next) {
1042 to_send = smb_len(req->outbuf)+4;
1043 if (to_send > req->sent) {
1044 break;
1045 }
1046 }
1047
1048 if (req == NULL) {
1049 if (cli->fd_event != NULL) {
1050 event_fd_set_not_writeable(cli->fd_event);
1051 }
1052 return;
1053 }
1054
1055 sent = sys_send(cli->fd, req->outbuf + req->sent,
1056 to_send - req->sent, 0);
1057
1058 if (sent < 0) {
1059 status = map_nt_error_from_unix(errno);
1060 goto sock_error;
1061 }
1062
1063 req->sent += sent;
1064
1065 if (req->sent == to_send) {
1066 return;
1067 }
1068 }
1069
1070 if (flags & EVENT_FD_READ) {
1071 int res, available;
1072 size_t old_size, new_size;
1073 char *tmp;
1074
1075 res = ioctl(cli->fd, FIONREAD, &available);
1076 if (res == -1) {
1077 DEBUG(10, ("ioctl(FIONREAD) failed: %s\n",
1078 strerror(errno)));
1079 status = map_nt_error_from_unix(errno);
1080 goto sock_error;
1081 }
1082
1083 if (available == 0) {
1084 /* EOF */
1085 status = NT_STATUS_END_OF_FILE;
1086 goto sock_error;
1087 }
1088
1089 old_size = talloc_get_size(cli->evt_inbuf);
1090 new_size = old_size + available;
1091
1092 if (new_size < old_size) {
1093 /* wrap */
1094 status = NT_STATUS_UNEXPECTED_IO_ERROR;
1095 goto sock_error;
1096 }
1097
1098 tmp = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf, char,
1099 new_size);
1100 if (tmp == NULL) {
1101 /* nomem */
1102 status = NT_STATUS_NO_MEMORY;
1103 goto sock_error;
1104 }
1105 cli->evt_inbuf = tmp;
1106
1107 res = sys_recv(cli->fd, cli->evt_inbuf + old_size, available, 0);
1108 if (res == -1) {
1109 DEBUG(10, ("recv failed: %s\n", strerror(errno)));
1110 status = map_nt_error_from_unix(errno);
1111 goto sock_error;
1112 }
1113
1114 DEBUG(11, ("cli_state_handler: received %d bytes, "
1115 "smb_len(evt_inbuf) = %d\n", (int)res,
1116 smb_len(cli->evt_inbuf)));
1117
1118 /* recv *might* have returned less than announced */
1119 new_size = old_size + res;
1120
1121 /* shrink, so I don't expect errors here */
1122 cli->evt_inbuf = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf,
1123 char, new_size);
1124
1125 while ((cli->evt_inbuf != NULL)
1126 && ((smb_len(cli->evt_inbuf) + 4) <= new_size)) {
1127 /*
1128 * we've got a complete NBT level PDU in evt_inbuf
1129 */
1130 handle_incoming_pdu(cli);
1131 new_size = talloc_get_size(cli->evt_inbuf);
1132 }
1133 }
1134
1135 return;
1136
1137 sock_error:
1138
1139 for (req = cli->outstanding_requests; req; req = next) {
1140 int i, num_async;
1141
1142 next = req->next;
1143 num_async = req->num_async;
1144
1145 for (i=0; i<num_async; i++) {
1146 async_req_nterror(req->async[i], status);
1147 }
1148 }
1149 TALLOC_FREE(cli->fd_event);
1150 close(cli->fd);
1151 cli->fd = -1;
1152 }