root/source3/libsmb/async_smb.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. cli_pull_error
  2. cli_set_error
  3. cli_new_mid
  4. cli_request_print
  5. cli_request_destructor
  6. cli_in_chain
  7. find_andx_cmd_ofs
  8. smb_splice_chain
  9. cli_async_req_destructor
  10. cli_request_chain
  11. request_timeout_handler
  12. cli_chain_cork
  13. cli_chain_uncork
  14. cli_request_send
  15. cli_wct_ofs
  16. have_andx_command
  17. cli_pull_reply
  18. validate_smb_crypto
  19. handle_incoming_pdu
  20. cli_state_handler

   1 /*
   2    Unix SMB/CIFS implementation.
   3    Infrastructure for async SMB client requests
   4    Copyright (C) Volker Lendecke 2008
   5 
   6    This program is free software; you can redistribute it and/or modify
   7    it under the terms of the GNU General Public License as published by
   8    the Free Software Foundation; either version 3 of the License, or
   9    (at your option) any later version.
  10 
  11    This program is distributed in the hope that it will be useful,
  12    but WITHOUT ANY WARRANTY; without even the implied warranty of
  13    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  14    GNU General Public License for more details.
  15 
  16    You should have received a copy of the GNU General Public License
  17    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  18 */
  19 
  20 #include "includes.h"
  21 
  22 static void cli_state_handler(struct event_context *event_ctx,
  23                               struct fd_event *event, uint16 flags, void *p);
  24 
  25 /**
  26  * Fetch an error out of a NBT packet
  27  * @param[in] buf       The SMB packet
  28  * @retval              The error, converted to NTSTATUS
  29  */
  30 
  31 NTSTATUS cli_pull_error(char *buf)
     /* [<][>][^][v][top][bottom][index][help] */
  32 {
  33         uint32_t flags2 = SVAL(buf, smb_flg2);
  34 
  35         if (flags2 & FLAGS2_32_BIT_ERROR_CODES) {
  36                 return NT_STATUS(IVAL(buf, smb_rcls));
  37         }
  38 
  39         /* if the client uses dos errors, but there is no error,
  40            we should return no error here, otherwise it looks
  41            like an unknown bad NT_STATUS. jmcd */
  42         if (CVAL(buf, smb_rcls) == 0)
  43                 return NT_STATUS_OK;
  44 
  45         return NT_STATUS_DOS(CVAL(buf, smb_rcls), SVAL(buf,smb_err));
  46 }
  47 
  48 /**
  49  * Compatibility helper for the sync APIs: Fake NTSTATUS in cli->inbuf
  50  * @param[in] cli       The client connection that just received an error
  51  * @param[in] status    The error to set on "cli"
  52  */
  53 
  54 void cli_set_error(struct cli_state *cli, NTSTATUS status)
     /* [<][>][^][v][top][bottom][index][help] */
  55 {
  56         uint32_t flags2 = SVAL(cli->inbuf, smb_flg2);
  57 
  58         if (NT_STATUS_IS_DOS(status)) {
  59                 SSVAL(cli->inbuf, smb_flg2,
  60                       flags2 & ~FLAGS2_32_BIT_ERROR_CODES);
  61                 SCVAL(cli->inbuf, smb_rcls, NT_STATUS_DOS_CLASS(status));
  62                 SSVAL(cli->inbuf, smb_err, NT_STATUS_DOS_CODE(status));
  63                 return;
  64         }
  65 
  66         SSVAL(cli->inbuf, smb_flg2, flags2 | FLAGS2_32_BIT_ERROR_CODES);
  67         SIVAL(cli->inbuf, smb_rcls, NT_STATUS_V(status));
  68         return;
  69 }
  70 
  71 /**
  72  * Allocate a new mid
  73  * @param[in] cli       The client connection
  74  * @retval              The new, unused mid
  75  */
  76 
  77 static uint16_t cli_new_mid(struct cli_state *cli)
     /* [<][>][^][v][top][bottom][index][help] */
  78 {
  79         uint16_t result;
  80         struct cli_request *req;
  81 
  82         while (true) {
  83                 result = cli->mid++;
  84                 if (result == 0) {
  85                         continue;
  86                 }
  87 
  88                 for (req = cli->outstanding_requests; req; req = req->next) {
  89                         if (result == req->mid) {
  90                                 break;
  91                         }
  92                 }
  93 
  94                 if (req == NULL) {
  95                         return result;
  96                 }
  97         }
  98 }
  99 
 100 /**
 101  * Print an async req that happens to be a cli_request
 102  * @param[in] mem_ctx   The TALLOC_CTX to put the result on
 103  * @param[in] req       The request to print
 104  * @retval              The string representation of "req"
 105  */
 106 
 107 static char *cli_request_print(TALLOC_CTX *mem_ctx, struct async_req *req)
     /* [<][>][^][v][top][bottom][index][help] */
 108 {
 109         char *result = async_req_print(mem_ctx, req);
 110         struct cli_request *cli_req = talloc_get_type_abort(
 111                 req->private_data, struct cli_request);
 112 
 113         if (result == NULL) {
 114                 return NULL;
 115         }
 116 
 117         return talloc_asprintf_append_buffer(
 118                 result, "mid=%d\n", cli_req->mid);
 119 }
 120 
 121 /**
 122  * Destroy a cli_request
 123  * @param[in] req       The cli_request to kill
 124  * @retval Can't fail
 125  */
 126 
 127 static int cli_request_destructor(struct cli_request *req)
     /* [<][>][^][v][top][bottom][index][help] */
 128 {
 129         if (req->enc_state != NULL) {
 130                 common_free_enc_buffer(req->enc_state, (char *)req->outbuf);
 131         }
 132         DLIST_REMOVE(req->cli->outstanding_requests, req);
 133         if (req->cli->outstanding_requests == NULL) {
 134                 TALLOC_FREE(req->cli->fd_event);
 135         }
 136         return 0;
 137 }
 138 
 139 /**
 140  * Are there already requests waiting in the chain_accumulator?
 141  * @param[in] cli       The cli_state we want to check
 142  * @retval reply :-)
 143  */
 144 
 145 bool cli_in_chain(struct cli_state *cli)
     /* [<][>][^][v][top][bottom][index][help] */
 146 {
 147         if (cli->chain_accumulator == NULL) {
 148                 return false;
 149         }
 150 
 151         return (cli->chain_accumulator->num_async != 0);
 152 }
 153 
 154 /**
 155  * @brief Find the smb_cmd offset of the last command pushed
 156  * @param[in] buf       The buffer we're building up
 157  * @retval              Where can we put our next andx cmd?
 158  *
 159  * While chaining requests, the "next" request we're looking at needs to put
 160  * its SMB_Command before the data the previous request already built up added
 161  * to the chain. Find the offset to the place where we have to put our cmd.
 162  */
 163 
 164 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
     /* [<][>][^][v][top][bottom][index][help] */
 165 {
 166         uint8_t cmd;
 167         size_t ofs;
 168 
 169         cmd = CVAL(buf, smb_com);
 170 
 171         SMB_ASSERT(is_andx_req(cmd));
 172 
 173         ofs = smb_vwv0;
 174 
 175         while (CVAL(buf, ofs) != 0xff) {
 176 
 177                 if (!is_andx_req(CVAL(buf, ofs))) {
 178                         return false;
 179                 }
 180 
 181                 /*
 182                  * ofs is from start of smb header, so add the 4 length
 183                  * bytes. The next cmd is right after the wct field.
 184                  */
 185                 ofs = SVAL(buf, ofs+2) + 4 + 1;
 186 
 187                 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
 188         }
 189 
 190         *pofs = ofs;
 191         return true;
 192 }
 193 
 194 /**
 195  * @brief Do the smb chaining at a buffer level
 196  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
 197  * @param[in] smb_command       The command that we want to issue
 198  * @param[in] wct               How many words?
 199  * @param[in] vwv               The words, already in network order
 200  * @param[in] bytes_alignment   How shall we align "bytes"?
 201  * @param[in] num_bytes         How many bytes?
 202  * @param[in] bytes             The data the request ships
 203  *
 204  * smb_splice_chain() adds the vwv and bytes to the request already present in
 205  * *poutbuf.
 206  */
 207 
 208 bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
     /* [<][>][^][v][top][bottom][index][help] */
 209                       uint8_t wct, const uint16_t *vwv,
 210                       size_t bytes_alignment,
 211                       uint32_t num_bytes, const uint8_t *bytes)
 212 {
 213         uint8_t *outbuf;
 214         size_t old_size, new_size;
 215         size_t ofs;
 216         size_t chain_padding = 0;
 217         size_t bytes_padding = 0;
 218         bool first_request;
 219 
 220         old_size = talloc_get_size(*poutbuf);
 221 
 222         /*
 223          * old_size == smb_wct means we're pushing the first request in for
 224          * libsmb/
 225          */
 226 
 227         first_request = (old_size == smb_wct);
 228 
 229         if (!first_request && ((old_size % 4) != 0)) {
 230                 /*
 231                  * Align the wct field of subsequent requests to a 4-byte
 232                  * boundary
 233                  */
 234                 chain_padding = 4 - (old_size % 4);
 235         }
 236 
 237         /*
 238          * After the old request comes the new wct field (1 byte), the vwv's
 239          * and the num_bytes field. After at we might need to align the bytes
 240          * given to us to "bytes_alignment", increasing the num_bytes value.
 241          */
 242 
 243         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
 244 
 245         if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
 246                 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
 247         }
 248 
 249         new_size += bytes_padding + num_bytes;
 250 
 251         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
 252                 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
 253                           (unsigned)new_size));
 254                 return false;
 255         }
 256 
 257         outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
 258         if (outbuf == NULL) {
 259                 DEBUG(0, ("talloc failed\n"));
 260                 return false;
 261         }
 262         *poutbuf = outbuf;
 263 
 264         if (first_request) {
 265                 SCVAL(outbuf, smb_com, smb_command);
 266         } else {
 267                 size_t andx_cmd_ofs;
 268 
 269                 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
 270                         DEBUG(1, ("invalid command chain\n"));
 271                         *poutbuf = TALLOC_REALLOC_ARRAY(
 272                                 NULL, *poutbuf, uint8_t, old_size);
 273                         return false;
 274                 }
 275 
 276                 if (chain_padding != 0) {
 277                         memset(outbuf + old_size, 0, chain_padding);
 278                         old_size += chain_padding;
 279                 }
 280 
 281                 SCVAL(outbuf, andx_cmd_ofs, smb_command);
 282                 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
 283         }
 284 
 285         ofs = old_size;
 286 
 287         /*
 288          * Push the chained request:
 289          *
 290          * wct field
 291          */
 292 
 293         SCVAL(outbuf, ofs, wct);
 294         ofs += 1;
 295 
 296         /*
 297          * vwv array
 298          */
 299 
 300         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
 301         ofs += sizeof(uint16_t) * wct;
 302 
 303         /*
 304          * bcc (byte count)
 305          */
 306 
 307         SSVAL(outbuf, ofs, num_bytes + bytes_padding);
 308         ofs += sizeof(uint16_t);
 309 
 310         /*
 311          * padding
 312          */
 313 
 314         if (bytes_padding != 0) {
 315                 memset(outbuf + ofs, 0, bytes_padding);
 316                 ofs += bytes_padding;
 317         }
 318 
 319         /*
 320          * The bytes field
 321          */
 322 
 323         memcpy(outbuf + ofs, bytes, num_bytes);
 324 
 325         return true;
 326 }
 327 
 328 /**
 329  * @brief Destroy an async_req that is the visible part of a cli_request
 330  * @param[in] req       The request to kill
 331  * @retval Return 0 to make talloc happy
 332  *
 333  * This destructor is a bit tricky: Because a cli_request can host more than
 334  * one async_req for chained requests, we need to make sure that the
 335  * "cli_request" that we were part of is correctly destroyed at the right
 336  * time. This is done by NULLing out ourself from the "async" member of our
 337  * "cli_request". If there is none left, then also TALLOC_FREE() the
 338  * cli_request, which was a talloc child of the client connection cli_state.
 339  */
 340 
 341 static int cli_async_req_destructor(struct async_req *req)
     /* [<][>][^][v][top][bottom][index][help] */
 342 {
 343         struct cli_request *cli_req = talloc_get_type_abort(
 344                 req->private_data, struct cli_request);
 345         int i, pending;
 346         bool found = false;
 347 
 348         pending = 0;
 349 
 350         for (i=0; i<cli_req->num_async; i++) {
 351                 if (cli_req->async[i] == req) {
 352                         cli_req->async[i] = NULL;
 353                         found = true;
 354                 }
 355                 if (cli_req->async[i] != NULL) {
 356                         pending += 1;
 357                 }
 358         }
 359 
 360         SMB_ASSERT(found);
 361 
 362         if (pending == 0) {
 363                 TALLOC_FREE(cli_req);
 364         }
 365 
 366         return 0;
 367 }
 368 
 369 /**
 370  * @brief Chain up a request
 371  * @param[in] mem_ctx           The TALLOC_CTX for the result
 372  * @param[in] ev                The event context that will call us back
 373  * @param[in] cli               The cli_state we queue the request up for
 374  * @param[in] smb_command       The command that we want to issue
 375  * @param[in] additional_flags  open_and_x wants to add oplock header flags
 376  * @param[in] wct               How many words?
 377  * @param[in] vwv               The words, already in network order
 378  * @param[in] bytes_alignment   How shall we align "bytes"?
 379  * @param[in] num_bytes         How many bytes?
 380  * @param[in] bytes             The data the request ships
 381  *
 382  * cli_request_chain() is the core of the SMB request marshalling routine. It
 383  * will create a new async_req structure in the cli->chain_accumulator->async
 384  * array and marshall the smb_cmd, the vwv array and the bytes into
 385  * cli->chain_accumulator->outbuf.
 386  */
 387 
 388 static struct async_req *cli_request_chain(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 389                                            struct event_context *ev,
 390                                            struct cli_state *cli,
 391                                            uint8_t smb_command,
 392                                            uint8_t additional_flags,
 393                                            uint8_t wct, const uint16_t *vwv,
 394                                            size_t bytes_alignment,
 395                                            uint32_t num_bytes,
 396                                            const uint8_t *bytes)
 397 {
 398         struct async_req **tmp_reqs;
 399         struct cli_request *req;
 400 
 401         req = cli->chain_accumulator;
 402 
 403         tmp_reqs = TALLOC_REALLOC_ARRAY(req, req->async, struct async_req *,
 404                                         req->num_async + 1);
 405         if (tmp_reqs == NULL) {
 406                 DEBUG(0, ("talloc failed\n"));
 407                 return NULL;
 408         }
 409         req->async = tmp_reqs;
 410         req->num_async += 1;
 411 
 412         req->async[req->num_async-1] = async_req_new(mem_ctx);
 413         if (req->async[req->num_async-1] == NULL) {
 414                 DEBUG(0, ("async_req_new failed\n"));
 415                 req->num_async -= 1;
 416                 return NULL;
 417         }
 418         req->async[req->num_async-1]->private_data = req;
 419         req->async[req->num_async-1]->print = cli_request_print;
 420         talloc_set_destructor(req->async[req->num_async-1],
 421                               cli_async_req_destructor);
 422 
 423         if (!smb_splice_chain(&req->outbuf, smb_command, wct, vwv,
 424                               bytes_alignment, num_bytes, bytes)) {
 425                 goto fail;
 426         }
 427 
 428         return req->async[req->num_async-1];
 429 
 430  fail:
 431         TALLOC_FREE(req->async[req->num_async-1]);
 432         req->num_async -= 1;
 433         return NULL;
 434 }
 435 
 436 static void request_timeout_handler(struct event_context *ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 437                                     struct timed_event *te,
 438                                     struct timeval now,
 439                                     void *private_data)
 440 {
 441         struct cli_request *cli_req = talloc_get_type_abort(private_data, struct cli_request);
 442         int num_async = cli_req->num_async;
 443         int i;
 444         TALLOC_FREE(cli_req->timer);
 445         for (i = 0; i < num_async; i++) {
 446                 if (cli_req->async[i]) {
 447                         async_req_nterror(cli_req->async[i], NT_STATUS_IO_TIMEOUT);
 448                         return;
 449                 }
 450         }
 451         return;
 452 }
 453 
 454 /**
 455  * @brief prepare a cli_state to accept a chain of requests
 456  * @param[in] cli       The cli_state we want to queue up in
 457  * @param[in] ev        The event_context that will call us back for the socket
 458  * @param[in] size_hint How many bytes are expected, just an optimization
 459  * @retval Did we have enough memory?
 460  *
 461  * cli_chain_cork() sets up a new cli_request in cli->chain_accumulator. If
 462  * cli is used in an async fashion, i.e. if we have outstanding requests, then
 463  * we do not have to create a fd event. If cli is used only with the sync
 464  * helpers, we need to create the fd_event here.
 465  *
 466  * If you want to issue a chained request to the server, do a
 467  * cli_chain_cork(), then do you cli_open_send(), cli_read_and_x_send(),
 468  * cli_close_send() and so on. The async requests that come out of
 469  * cli_xxx_send() are normal async requests with the difference that they
 470  * won't be shipped individually. But the event_context will still trigger the
 471  * req->async.fn to be called on every single request.
 472  *
 473  * You have to take care yourself that you only issue chainable requests in
 474  * the middle of the chain.
 475  */
 476 
 477 bool cli_chain_cork(struct cli_state *cli, struct event_context *ev,
     /* [<][>][^][v][top][bottom][index][help] */
 478                     size_t size_hint)
 479 {
 480         struct cli_request *req = NULL;
 481         struct timeval endtime;
 482 
 483         SMB_ASSERT(cli->chain_accumulator == NULL);
 484 
 485         if (cli->fd == -1) {
 486                 DEBUG(10, ("cli->fd closed\n"));
 487                 return false;
 488         }
 489 
 490         if (cli->fd_event == NULL) {
 491                 SMB_ASSERT(cli->outstanding_requests == NULL);
 492                 cli->fd_event = event_add_fd(ev, cli, cli->fd,
 493                                              EVENT_FD_READ,
 494                                              cli_state_handler, cli);
 495                 if (cli->fd_event == NULL) {
 496                         return false;
 497                 }
 498         }
 499 
 500         req = talloc(cli, struct cli_request);
 501         if (req == NULL) {
 502                 goto fail;
 503         }
 504         req->cli = cli;
 505 
 506         if (size_hint == 0) {
 507                 size_hint = 100;
 508         }
 509         req->outbuf = talloc_array(req, uint8_t, smb_wct + size_hint);
 510         if (req->outbuf == NULL) {
 511                 goto fail;
 512         }
 513         req->outbuf = TALLOC_REALLOC_ARRAY(NULL, req->outbuf, uint8_t,
 514                                            smb_wct);
 515 
 516         req->num_async = 0;
 517         req->async = NULL;
 518 
 519         req->enc_state = NULL;
 520         req->recv_helper.fn = NULL;
 521         endtime = timeval_current_ofs(0, cli->timeout * 1000);
 522         req->timer = event_add_timed(ev, req, endtime, request_timeout_handler, req);
 523         if (!req->timer) {
 524                 goto fail;
 525         }
 526 
 527         SSVAL(req->outbuf, smb_tid, cli->cnum);
 528         cli_setup_packet_buf(cli, (char *)req->outbuf);
 529 
 530         req->mid = cli_new_mid(cli);
 531 
 532         cli->chain_accumulator = req;
 533 
 534         DEBUG(10, ("cli_chain_cork: mid=%d\n", req->mid));
 535 
 536         return true;
 537  fail:
 538         TALLOC_FREE(req);
 539         if (cli->outstanding_requests == NULL) {
 540                 TALLOC_FREE(cli->fd_event);
 541         }
 542         return false;
 543 }
 544 
 545 /**
 546  * Ship a request queued up via cli_request_chain()
 547  * @param[in] cl        The connection
 548  */
 549 
 550 void cli_chain_uncork(struct cli_state *cli)
     /* [<][>][^][v][top][bottom][index][help] */
 551 {
 552         struct cli_request *req = cli->chain_accumulator;
 553         size_t smblen;
 554 
 555         SMB_ASSERT(req != NULL);
 556 
 557         DLIST_ADD_END(cli->outstanding_requests, req, struct cli_request *);
 558         talloc_set_destructor(req, cli_request_destructor);
 559 
 560         cli->chain_accumulator = NULL;
 561 
 562         SSVAL(req->outbuf, smb_mid, req->mid);
 563 
 564         smblen = talloc_get_size(req->outbuf) - 4;
 565 
 566         smb_setlen((char *)req->outbuf, smblen);
 567 
 568         if (smblen > 0x1ffff) {
 569                 /*
 570                  * This is a POSIX 14 word large write. Overwrite just the
 571                  * size field, the '0xFFSMB' has been set by smb_setlen which
 572                  * _smb_setlen_large does not do.
 573                  */
 574                 _smb_setlen_large(((char *)req->outbuf), smblen);
 575         }
 576 
 577         cli_calculate_sign_mac(cli, (char *)req->outbuf);
 578 
 579         if (cli_encryption_on(cli)) {
 580                 NTSTATUS status;
 581                 char *enc_buf;
 582 
 583                 status = cli_encrypt_message(cli, (char *)req->outbuf,
 584                                              &enc_buf);
 585                 if (!NT_STATUS_IS_OK(status)) {
 586                         DEBUG(0, ("Error in encrypting client message. "
 587                                   "Error %s\n", nt_errstr(status)));
 588                         TALLOC_FREE(req);
 589                         return;
 590                 }
 591                 req->outbuf = (uint8_t *)enc_buf;
 592                 req->enc_state = cli->trans_enc_state;
 593         }
 594 
 595         req->sent = 0;
 596 
 597         event_fd_set_writeable(cli->fd_event);
 598 }
 599 
 600 /**
 601  * @brief Send a request to the server
 602  * @param[in] mem_ctx           The TALLOC_CTX for the result
 603  * @param[in] ev                The event context that will call us back
 604  * @param[in] cli               The cli_state we queue the request up for
 605  * @param[in] smb_command       The command that we want to issue
 606  * @param[in] additional_flags  open_and_x wants to add oplock header flags
 607  * @param[in] wct               How many words?
 608  * @param[in] vwv               The words, already in network order
 609  * @param[in] bytes_alignment   How shall we align "bytes"?
 610  * @param[in] num_bytes         How many bytes?
 611  * @param[in] bytes             The data the request ships
 612  *
 613  * This is the generic routine to be used by the cli_xxx_send routines.
 614  */
 615 
 616 struct async_req *cli_request_send(TALLOC_CTX *mem_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
 617                                    struct event_context *ev,
 618                                    struct cli_state *cli,
 619                                    uint8_t smb_command,
 620                                    uint8_t additional_flags,
 621                                    uint8_t wct, const uint16_t *vwv,
 622                                    size_t bytes_alignment,
 623                                    uint32_t num_bytes, const uint8_t *bytes)
 624 {
 625         struct async_req *result;
 626         bool uncork = false;
 627 
 628         if (cli->chain_accumulator == NULL) {
 629                 if (!cli_chain_cork(cli, ev,
 630                                     wct * sizeof(uint16_t) + num_bytes + 3)) {
 631                         DEBUG(1, ("cli_chain_cork failed\n"));
 632                         return NULL;
 633                 }
 634                 uncork = true;
 635         }
 636 
 637         result = cli_request_chain(mem_ctx, ev, cli, smb_command,
 638                                    additional_flags, wct, vwv, bytes_alignment,
 639                                    num_bytes, bytes);
 640 
 641         if (result == NULL) {
 642                 DEBUG(1, ("cli_request_chain failed\n"));
 643         }
 644 
 645         if (uncork) {
 646                 cli_chain_uncork(cli);
 647         }
 648 
 649         return result;
 650 }
 651 
 652 /**
 653  * Calculate the current ofs to wct for requests like write&x
 654  * @param[in] req       The smb request we're currently building
 655  * @retval how many bytes offset have we accumulated?
 656  */
 657 
 658 uint16_t cli_wct_ofs(const struct cli_state *cli)
     /* [<][>][^][v][top][bottom][index][help] */
 659 {
 660         size_t buf_size;
 661 
 662         if (cli->chain_accumulator == NULL) {
 663                 return smb_wct - 4;
 664         }
 665 
 666         buf_size = talloc_get_size(cli->chain_accumulator->outbuf);
 667 
 668         if (buf_size == smb_wct) {
 669                 return smb_wct - 4;
 670         }
 671 
 672         /*
 673          * Add alignment for subsequent requests
 674          */
 675 
 676         if ((buf_size % 4) != 0) {
 677                 buf_size += (4 - (buf_size % 4));
 678         }
 679 
 680         return buf_size - 4;
 681 }
 682 
 683 /**
 684  * Figure out if there is an andx command behind the current one
 685  * @param[in] buf       The smb buffer to look at
 686  * @param[in] ofs       The offset to the wct field that is followed by the cmd
 687  * @retval Is there a command following?
 688  */
 689 
 690 static bool have_andx_command(const char *buf, uint16_t ofs)
     /* [<][>][^][v][top][bottom][index][help] */
 691 {
 692         uint8_t wct;
 693         size_t buflen = talloc_get_size(buf);
 694 
 695         if ((ofs == buflen-1) || (ofs == buflen)) {
 696                 return false;
 697         }
 698 
 699         wct = CVAL(buf, ofs);
 700         if (wct < 2) {
 701                 /*
 702                  * Not enough space for the command and a following pointer
 703                  */
 704                 return false;
 705         }
 706         return (CVAL(buf, ofs+1) != 0xff);
 707 }
 708 
 709 /**
 710  * @brief Pull reply data out of a request
 711  * @param[in] req               The request that we just received a reply for
 712  * @param[out] pwct             How many words did the server send?
 713  * @param[out] pvwv             The words themselves
 714  * @param[out] pnum_bytes       How many bytes did the server send?
 715  * @param[out] pbytes           The bytes themselves
 716  * @retval Was the reply formally correct?
 717  */
 718 
 719 NTSTATUS cli_pull_reply(struct async_req *req,
     /* [<][>][^][v][top][bottom][index][help] */
 720                         uint8_t *pwct, uint16_t **pvwv,
 721                         uint16_t *pnum_bytes, uint8_t **pbytes)
 722 {
 723         struct cli_request *cli_req = talloc_get_type_abort(
 724                 req->private_data, struct cli_request);
 725         uint8_t wct, cmd;
 726         uint16_t num_bytes;
 727         size_t wct_ofs, bytes_offset;
 728         int i, j;
 729         NTSTATUS status;
 730 
 731         for (i = 0; i < cli_req->num_async; i++) {
 732                 if (req == cli_req->async[i]) {
 733                         break;
 734                 }
 735         }
 736 
 737         if (i == cli_req->num_async) {
 738                 cli_set_error(cli_req->cli, NT_STATUS_INVALID_PARAMETER);
 739                 return NT_STATUS_INVALID_PARAMETER;
 740         }
 741 
 742         /**
 743          * The status we pull here is only relevant for the last reply in the
 744          * chain.
 745          */
 746 
 747         status = cli_pull_error(cli_req->inbuf);
 748 
 749         if (i == 0) {
 750                 if (NT_STATUS_IS_ERR(status)
 751                     && !have_andx_command(cli_req->inbuf, smb_wct)) {
 752                         cli_set_error(cli_req->cli, status);
 753                         return status;
 754                 }
 755                 wct_ofs = smb_wct;
 756                 goto done;
 757         }
 758 
 759         cmd = CVAL(cli_req->inbuf, smb_com);
 760         wct_ofs = smb_wct;
 761 
 762         for (j = 0; j < i; j++) {
 763                 if (j < i-1) {
 764                         if (cmd == 0xff) {
 765                                 return NT_STATUS_REQUEST_ABORTED;
 766                         }
 767                         if (!is_andx_req(cmd)) {
 768                                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
 769                         }
 770                 }
 771 
 772                 if (!have_andx_command(cli_req->inbuf, wct_ofs)) {
 773                         /*
 774                          * This request was not completed because a previous
 775                          * request in the chain had received an error.
 776                          */
 777                         return NT_STATUS_REQUEST_ABORTED;
 778                 }
 779 
 780                 wct_ofs = SVAL(cli_req->inbuf, wct_ofs + 3);
 781 
 782                 /*
 783                  * Skip the all-present length field. No overflow, we've just
 784                  * put a 16-bit value into a size_t.
 785                  */
 786                 wct_ofs += 4;
 787 
 788                 if (wct_ofs+2 > talloc_get_size(cli_req->inbuf)) {
 789                         return NT_STATUS_INVALID_NETWORK_RESPONSE;
 790                 }
 791 
 792                 cmd = CVAL(cli_req->inbuf, wct_ofs + 1);
 793         }
 794 
 795         if (!have_andx_command(cli_req->inbuf, wct_ofs)
 796             && NT_STATUS_IS_ERR(status)) {
 797                 /*
 798                  * The last command takes the error code. All further commands
 799                  * down the requested chain will get a
 800                  * NT_STATUS_REQUEST_ABORTED.
 801                  */
 802                 return status;
 803         }
 804 
 805  done:
 806         wct = CVAL(cli_req->inbuf, wct_ofs);
 807 
 808         bytes_offset = wct_ofs + 1 + wct * sizeof(uint16_t);
 809         num_bytes = SVAL(cli_req->inbuf, bytes_offset);
 810 
 811         /*
 812          * wct_ofs is a 16-bit value plus 4, wct is a 8-bit value, num_bytes
 813          * is a 16-bit value. So bytes_offset being size_t should be far from
 814          * wrapping.
 815          */
 816 
 817         if ((bytes_offset + 2 > talloc_get_size(cli_req->inbuf))
 818             || (bytes_offset > 0xffff)) {
 819                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
 820         }
 821 
 822         *pwct = wct;
 823         *pvwv = (uint16_t *)(cli_req->inbuf + wct_ofs + 1);
 824         *pnum_bytes = num_bytes;
 825         *pbytes = (uint8_t *)cli_req->inbuf + bytes_offset + 2;
 826 
 827         return NT_STATUS_OK;
 828 }
 829 
 830 /**
 831  * Decrypt a PDU, check the signature
 832  * @param[in] cli       The cli_state that received something
 833  * @param[in] pdu       The incoming bytes
 834  * @retval error code
 835  */
 836 
 837 
 838 static NTSTATUS validate_smb_crypto(struct cli_state *cli, char *pdu)
     /* [<][>][^][v][top][bottom][index][help] */
 839 {
 840         NTSTATUS status;
 841 
 842         if ((IVAL(pdu, 4) != 0x424d53ff) /* 0xFF"SMB" */
 843             && (SVAL(pdu, 4) != 0x45ff)) /* 0xFF"E" */ {
 844                 DEBUG(10, ("Got non-SMB PDU\n"));
 845                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
 846         }
 847 
 848         if (cli_encryption_on(cli) && CVAL(pdu, 0) == 0) {
 849                 uint16_t enc_ctx_num;
 850 
 851                 status = get_enc_ctx_num((uint8_t *)pdu, &enc_ctx_num);
 852                 if (!NT_STATUS_IS_OK(status)) {
 853                         DEBUG(10, ("get_enc_ctx_num returned %s\n",
 854                                    nt_errstr(status)));
 855                         return status;
 856                 }
 857 
 858                 if (enc_ctx_num != cli->trans_enc_state->enc_ctx_num) {
 859                         DEBUG(10, ("wrong enc_ctx %d, expected %d\n",
 860                                    enc_ctx_num,
 861                                    cli->trans_enc_state->enc_ctx_num));
 862                         return NT_STATUS_INVALID_HANDLE;
 863                 }
 864 
 865                 status = common_decrypt_buffer(cli->trans_enc_state, pdu);
 866                 if (!NT_STATUS_IS_OK(status)) {
 867                         DEBUG(10, ("common_decrypt_buffer returned %s\n",
 868                                    nt_errstr(status)));
 869                         return status;
 870                 }
 871         }
 872 
 873         if (!cli_check_sign_mac(cli, pdu)) {
 874                 DEBUG(10, ("cli_check_sign_mac failed\n"));
 875                 return NT_STATUS_ACCESS_DENIED;
 876         }
 877 
 878         return NT_STATUS_OK;
 879 }
 880 
 881 /**
 882  * A PDU has arrived on cli->evt_inbuf
 883  * @param[in] cli       The cli_state that received something
 884  */
 885 
 886 static void handle_incoming_pdu(struct cli_state *cli)
     /* [<][>][^][v][top][bottom][index][help] */
 887 {
 888         struct cli_request *req, *next;
 889         uint16_t mid;
 890         size_t raw_pdu_len, buf_len, pdu_len, rest_len;
 891         char *pdu;
 892         int i;
 893         NTSTATUS status;
 894 
 895         int num_async;
 896 
 897         /*
 898          * The encrypted PDU len might differ from the unencrypted one
 899          */
 900         raw_pdu_len = smb_len(cli->evt_inbuf) + 4;
 901         buf_len = talloc_get_size(cli->evt_inbuf);
 902         rest_len = buf_len - raw_pdu_len;
 903 
 904         if (buf_len == raw_pdu_len) {
 905                 /*
 906                  * Optimal case: Exactly one PDU was in the socket buffer
 907                  */
 908                 pdu = cli->evt_inbuf;
 909                 cli->evt_inbuf = NULL;
 910         }
 911         else {
 912                 DEBUG(11, ("buf_len = %d, raw_pdu_len = %d, splitting "
 913                            "buffer\n", (int)buf_len, (int)raw_pdu_len));
 914 
 915                 if (raw_pdu_len < rest_len) {
 916                         /*
 917                          * The PDU is shorter, talloc_memdup that one.
 918                          */
 919                         pdu = (char *)talloc_memdup(
 920                                 cli, cli->evt_inbuf, raw_pdu_len);
 921 
 922                         memmove(cli->evt_inbuf, cli->evt_inbuf + raw_pdu_len,
 923                                 buf_len - raw_pdu_len);
 924 
 925                         cli->evt_inbuf = TALLOC_REALLOC_ARRAY(
 926                                 NULL, cli->evt_inbuf, char, rest_len);
 927 
 928                         if (pdu == NULL) {
 929                                 status = NT_STATUS_NO_MEMORY;
 930                                 goto invalidate_requests;
 931                         }
 932                 }
 933                 else {
 934                         /*
 935                          * The PDU is larger than the rest, talloc_memdup the
 936                          * rest
 937                          */
 938                         pdu = cli->evt_inbuf;
 939 
 940                         cli->evt_inbuf = (char *)talloc_memdup(
 941                                 cli, pdu + raw_pdu_len, rest_len);
 942 
 943                         if (cli->evt_inbuf == NULL) {
 944                                 status = NT_STATUS_NO_MEMORY;
 945                                 goto invalidate_requests;
 946                         }
 947                 }
 948         }
 949 
 950         if ((raw_pdu_len == 4) && (CVAL(pdu, 0) == SMBkeepalive)) {
 951                 DEBUG(10, ("Got keepalive\n"));
 952                 TALLOC_FREE(pdu);
 953                 return;
 954         }
 955 
 956         status = validate_smb_crypto(cli, pdu);
 957         if (!NT_STATUS_IS_OK(status)) {
 958                 goto invalidate_requests;
 959         }
 960 
 961         mid = SVAL(pdu, smb_mid);
 962 
 963         DEBUG(10, ("handle_incoming_pdu: got mid %d\n", mid));
 964 
 965         for (req = cli->outstanding_requests; req; req = req->next) {
 966                 if (req->mid == mid) {
 967                         break;
 968                 }
 969         }
 970 
 971         pdu_len = smb_len(pdu) + 4;
 972 
 973         if (req == NULL) {
 974                 DEBUG(3, ("Request for mid %d not found, dumping PDU\n", mid));
 975 
 976                 TALLOC_FREE(pdu);
 977                 return;
 978         }
 979 
 980         req->inbuf = talloc_move(req, &pdu);
 981 
 982         /*
 983          * Freeing the last async_req will free the req (see
 984          * cli_async_req_destructor). So make a copy of req->num_async, we
 985          * can't reference it in the last round.
 986          */
 987 
 988         num_async = req->num_async;
 989 
 990         for (i=0; i<num_async; i++) {
 991                 /**
 992                  * A request might have been talloc_free()'ed before we arrive
 993                  * here. It will have removed itself from req->async via its
 994                  * destructor cli_async_req_destructor().
 995                  */
 996                 if (req->async[i] != NULL) {
 997                         if (req->recv_helper.fn != NULL) {
 998                                 req->recv_helper.fn(req->async[i]);
 999                         } else {
1000                                 async_req_done(req->async[i]);
1001                         }
1002                 }
1003         }
1004         return;
1005 
1006  invalidate_requests:
1007 
1008         DEBUG(10, ("handle_incoming_pdu: Aborting with %s\n",
1009                    nt_errstr(status)));
1010 
1011         for (req = cli->outstanding_requests; req; req = next) {
1012                 next = req->next;
1013                 if (req->num_async) {
1014                         async_req_nterror(req->async[0], status);
1015                 }
1016         }
1017         return;
1018 }
1019 
1020 /**
1021  * fd event callback. This is the basic connection to the socket
1022  * @param[in] event_ctx The event context that called us
1023  * @param[in] event     The event that fired
1024  * @param[in] flags     EVENT_FD_READ | EVENT_FD_WRITE
1025  * @param[in] p         private_data, in this case the cli_state
1026  */
1027 
1028 static void cli_state_handler(struct event_context *event_ctx,
     /* [<][>][^][v][top][bottom][index][help] */
1029                               struct fd_event *event, uint16 flags, void *p)
1030 {
1031         struct cli_state *cli = (struct cli_state *)p;
1032         struct cli_request *req, *next;
1033         NTSTATUS status;
1034 
1035         DEBUG(11, ("cli_state_handler called with flags %d\n", flags));
1036 
1037         if (flags & EVENT_FD_WRITE) {
1038                 size_t to_send;
1039                 ssize_t sent;
1040 
1041                 for (req = cli->outstanding_requests; req; req = req->next) {
1042                         to_send = smb_len(req->outbuf)+4;
1043                         if (to_send > req->sent) {
1044                                 break;
1045                         }
1046                 }
1047 
1048                 if (req == NULL) {
1049                         if (cli->fd_event != NULL) {
1050                                 event_fd_set_not_writeable(cli->fd_event);
1051                         }
1052                         return;
1053                 }
1054 
1055                 sent = sys_send(cli->fd, req->outbuf + req->sent,
1056                             to_send - req->sent, 0);
1057 
1058                 if (sent < 0) {
1059                         status = map_nt_error_from_unix(errno);
1060                         goto sock_error;
1061                 }
1062 
1063                 req->sent += sent;
1064 
1065                 if (req->sent == to_send) {
1066                         return;
1067                 }
1068         }
1069 
1070         if (flags & EVENT_FD_READ) {
1071                 int res, available;
1072                 size_t old_size, new_size;
1073                 char *tmp;
1074 
1075                 res = ioctl(cli->fd, FIONREAD, &available);
1076                 if (res == -1) {
1077                         DEBUG(10, ("ioctl(FIONREAD) failed: %s\n",
1078                                    strerror(errno)));
1079                         status = map_nt_error_from_unix(errno);
1080                         goto sock_error;
1081                 }
1082 
1083                 if (available == 0) {
1084                         /* EOF */
1085                         status = NT_STATUS_END_OF_FILE;
1086                         goto sock_error;
1087                 }
1088 
1089                 old_size = talloc_get_size(cli->evt_inbuf);
1090                 new_size = old_size + available;
1091 
1092                 if (new_size < old_size) {
1093                         /* wrap */
1094                         status = NT_STATUS_UNEXPECTED_IO_ERROR;
1095                         goto sock_error;
1096                 }
1097 
1098                 tmp = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf, char,
1099                                            new_size);
1100                 if (tmp == NULL) {
1101                         /* nomem */
1102                         status = NT_STATUS_NO_MEMORY;
1103                         goto sock_error;
1104                 }
1105                 cli->evt_inbuf = tmp;
1106 
1107                 res = sys_recv(cli->fd, cli->evt_inbuf + old_size, available, 0);
1108                 if (res == -1) {
1109                         DEBUG(10, ("recv failed: %s\n", strerror(errno)));
1110                         status = map_nt_error_from_unix(errno);
1111                         goto sock_error;
1112                 }
1113 
1114                 DEBUG(11, ("cli_state_handler: received %d bytes, "
1115                            "smb_len(evt_inbuf) = %d\n", (int)res,
1116                            smb_len(cli->evt_inbuf)));
1117 
1118                 /* recv *might* have returned less than announced */
1119                 new_size = old_size + res;
1120 
1121                 /* shrink, so I don't expect errors here */
1122                 cli->evt_inbuf = TALLOC_REALLOC_ARRAY(cli, cli->evt_inbuf,
1123                                                       char, new_size);
1124 
1125                 while ((cli->evt_inbuf != NULL)
1126                        && ((smb_len(cli->evt_inbuf) + 4) <= new_size)) {
1127                         /*
1128                          * we've got a complete NBT level PDU in evt_inbuf
1129                          */
1130                         handle_incoming_pdu(cli);
1131                         new_size = talloc_get_size(cli->evt_inbuf);
1132                 }
1133         }
1134 
1135         return;
1136 
1137  sock_error:
1138 
1139         for (req = cli->outstanding_requests; req; req = next) {
1140                 int i, num_async;
1141 
1142                 next = req->next;
1143                 num_async = req->num_async;
1144 
1145                 for (i=0; i<num_async; i++) {
1146                         async_req_nterror(req->async[i], status);
1147                 }
1148         }
1149         TALLOC_FREE(cli->fd_event);
1150         close(cli->fd);
1151         cli->fd = -1;
1152 }

/* [<][>][^][v][top][bottom][index][help] */