/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- copy_trans_params_and_data
- send_trans_reply
- api_dcerpc_cmd
- api_dcerpc_cmd_write_done
- api_dcerpc_cmd_read_done
- api_WNPHS
- api_SNPHS
- api_no_reply
- api_fd_reply
- named_pipe
- handle_trans
- reply_trans
- reply_transs
1 /*
2 Unix SMB/CIFS implementation.
3 Inter-process communication and named pipe handling
4 Copyright (C) Andrew Tridgell 1992-1998
5
6 SMB Version handling
7 Copyright (C) John H Terpstra 1995-1998
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22 /*
23 This file handles the named pipe and mailslot calls
24 in the SMBtrans protocol
25 */
26
27 #include "includes.h"
28 #include "smbd/globals.h"
29
30 #define NERR_notsupported 50
31
32 static void api_no_reply(connection_struct *conn, struct smb_request *req);
33
34 /*******************************************************************
35 copies parameters and data, as needed, into the smb buffer
36
37 *both* the data and params sections should be aligned. this
38 is fudged in the rpc pipes by
39 at present, only the data section is. this may be a possible
40 cause of some of the ipc problems being experienced. lkcl26dec97
41
42 ******************************************************************/
43
44 static void copy_trans_params_and_data(char *outbuf, int align,
/* [<][>][^][v][top][bottom][index][help] */
45 char *rparam, int param_offset, int param_len,
46 char *rdata, int data_offset, int data_len)
47 {
48 char *copy_into = smb_buf(outbuf);
49
50 if(param_len < 0)
51 param_len = 0;
52
53 if(data_len < 0)
54 data_len = 0;
55
56 DEBUG(5,("copy_trans_params_and_data: params[%d..%d] data[%d..%d] (align %d)\n",
57 param_offset, param_offset + param_len,
58 data_offset , data_offset + data_len,
59 align));
60
61 *copy_into = '\0';
62
63 copy_into += 1;
64
65 if (param_len)
66 memcpy(copy_into, &rparam[param_offset], param_len);
67
68 copy_into += param_len;
69 if (align) {
70 memset(copy_into, '\0', align);
71 }
72
73 copy_into += align;
74
75 if (data_len )
76 memcpy(copy_into, &rdata[data_offset], data_len);
77 }
78
79 /****************************************************************************
80 Send a trans reply.
81 ****************************************************************************/
82
83 void send_trans_reply(connection_struct *conn,
/* [<][>][^][v][top][bottom][index][help] */
84 struct smb_request *req,
85 char *rparam, int rparam_len,
86 char *rdata, int rdata_len,
87 bool buffer_too_large)
88 {
89 int this_ldata,this_lparam;
90 int tot_data_sent = 0;
91 int tot_param_sent = 0;
92 int align;
93
94 int ldata = rdata ? rdata_len : 0;
95 int lparam = rparam ? rparam_len : 0;
96
97 if (buffer_too_large)
98 DEBUG(5,("send_trans_reply: buffer %d too large\n", ldata ));
99
100 this_lparam = MIN(lparam,max_send - 500); /* hack */
101 this_ldata = MIN(ldata,max_send - (500+this_lparam));
102
103 align = ((this_lparam)%4);
104
105 reply_outbuf(req, 10, 1+align+this_ldata+this_lparam);
106
107 /*
108 * We might have SMBtranss in req which was transferred to the outbuf,
109 * fix that.
110 */
111 SCVAL(req->outbuf, smb_com, SMBtrans);
112
113 copy_trans_params_and_data((char *)req->outbuf, align,
114 rparam, tot_param_sent, this_lparam,
115 rdata, tot_data_sent, this_ldata);
116
117 SSVAL(req->outbuf,smb_vwv0,lparam);
118 SSVAL(req->outbuf,smb_vwv1,ldata);
119 SSVAL(req->outbuf,smb_vwv3,this_lparam);
120 SSVAL(req->outbuf,smb_vwv4,
121 smb_offset(smb_buf(req->outbuf)+1, req->outbuf));
122 SSVAL(req->outbuf,smb_vwv5,0);
123 SSVAL(req->outbuf,smb_vwv6,this_ldata);
124 SSVAL(req->outbuf,smb_vwv7,
125 smb_offset(smb_buf(req->outbuf)+1+this_lparam+align,
126 req->outbuf));
127 SSVAL(req->outbuf,smb_vwv8,0);
128 SSVAL(req->outbuf,smb_vwv9,0);
129
130 if (buffer_too_large) {
131 error_packet_set((char *)req->outbuf, ERRDOS, ERRmoredata,
132 STATUS_BUFFER_OVERFLOW, __LINE__, __FILE__);
133 }
134
135 show_msg((char *)req->outbuf);
136 if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf,
137 IS_CONN_ENCRYPTED(conn), &req->pcd)) {
138 exit_server_cleanly("send_trans_reply: srv_send_smb failed.");
139 }
140
141 TALLOC_FREE(req->outbuf);
142
143 tot_data_sent = this_ldata;
144 tot_param_sent = this_lparam;
145
146 while (tot_data_sent < ldata || tot_param_sent < lparam)
147 {
148 this_lparam = MIN(lparam-tot_param_sent,
149 max_send - 500); /* hack */
150 this_ldata = MIN(ldata -tot_data_sent,
151 max_send - (500+this_lparam));
152
153 if(this_lparam < 0)
154 this_lparam = 0;
155
156 if(this_ldata < 0)
157 this_ldata = 0;
158
159 align = (this_lparam%4);
160
161 reply_outbuf(req, 10, 1+align+this_ldata+this_lparam);
162
163 /*
164 * We might have SMBtranss in req which was transferred to the
165 * outbuf, fix that.
166 */
167 SCVAL(req->outbuf, smb_com, SMBtrans);
168
169 copy_trans_params_and_data((char *)req->outbuf, align,
170 rparam, tot_param_sent, this_lparam,
171 rdata, tot_data_sent, this_ldata);
172
173 SSVAL(req->outbuf,smb_vwv3,this_lparam);
174 SSVAL(req->outbuf,smb_vwv4,
175 smb_offset(smb_buf(req->outbuf)+1,req->outbuf));
176 SSVAL(req->outbuf,smb_vwv5,tot_param_sent);
177 SSVAL(req->outbuf,smb_vwv6,this_ldata);
178 SSVAL(req->outbuf,smb_vwv7,
179 smb_offset(smb_buf(req->outbuf)+1+this_lparam+align,
180 req->outbuf));
181 SSVAL(req->outbuf,smb_vwv8,tot_data_sent);
182 SSVAL(req->outbuf,smb_vwv9,0);
183
184 if (buffer_too_large) {
185 error_packet_set((char *)req->outbuf,
186 ERRDOS, ERRmoredata,
187 STATUS_BUFFER_OVERFLOW,
188 __LINE__, __FILE__);
189 }
190
191 show_msg((char *)req->outbuf);
192 if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf,
193 IS_CONN_ENCRYPTED(conn), &req->pcd))
194 exit_server_cleanly("send_trans_reply: srv_send_smb "
195 "failed.");
196
197 tot_data_sent += this_ldata;
198 tot_param_sent += this_lparam;
199 TALLOC_FREE(req->outbuf);
200 }
201 }
202
203 /****************************************************************************
204 Start the first part of an RPC reply which began with an SMBtrans request.
205 ****************************************************************************/
206
207 struct dcerpc_cmd_state {
208 struct fake_file_handle *handle;
209 uint8_t *data;
210 size_t num_data;
211 size_t max_read;
212 };
213
214 static void api_dcerpc_cmd_write_done(struct tevent_req *subreq);
215 static void api_dcerpc_cmd_read_done(struct tevent_req *subreq);
216
217 static void api_dcerpc_cmd(connection_struct *conn, struct smb_request *req,
/* [<][>][^][v][top][bottom][index][help] */
218 files_struct *fsp, uint8_t *data, size_t length,
219 size_t max_read)
220 {
221 struct tevent_req *subreq;
222 struct dcerpc_cmd_state *state;
223
224 if (!fsp_is_np(fsp)) {
225 api_no_reply(conn, req);
226 return;
227 }
228
229 state = talloc(req, struct dcerpc_cmd_state);
230 if (state == NULL) {
231 reply_nterror(req, NT_STATUS_NO_MEMORY);
232 return;
233 }
234 req->async_priv = state;
235
236 state->handle = fsp->fake_file_handle;
237
238 /*
239 * This memdup severely sucks. But doing it properly essentially means
240 * to rewrite lanman.c, something which I don't really want to do now.
241 */
242 state->data = (uint8_t *)talloc_memdup(state, data, length);
243 if (state->data == NULL) {
244 reply_nterror(req, NT_STATUS_NO_MEMORY);
245 return;
246 }
247 state->num_data = length;
248 state->max_read = max_read;
249
250 subreq = np_write_send(state, smbd_event_context(), state->handle,
251 state->data, length);
252 if (subreq == NULL) {
253 TALLOC_FREE(state);
254 reply_nterror(req, NT_STATUS_NO_MEMORY);
255 return;
256 }
257 tevent_req_set_callback(subreq, api_dcerpc_cmd_write_done,
258 talloc_move(conn, &req));
259 }
260
261 static void api_dcerpc_cmd_write_done(struct tevent_req *subreq)
/* [<][>][^][v][top][bottom][index][help] */
262 {
263 struct smb_request *req = tevent_req_callback_data(
264 subreq, struct smb_request);
265 struct dcerpc_cmd_state *state = talloc_get_type_abort(
266 req->async_priv, struct dcerpc_cmd_state);
267 NTSTATUS status;
268 ssize_t nwritten = -1;
269
270 status = np_write_recv(subreq, &nwritten);
271 TALLOC_FREE(subreq);
272 if (!NT_STATUS_IS_OK(status) || (nwritten != state->num_data)) {
273 DEBUG(10, ("Could not write to pipe: %s (%d/%d)\n",
274 nt_errstr(status), (int)state->num_data,
275 (int)nwritten));
276 reply_nterror(req, NT_STATUS_PIPE_NOT_AVAILABLE);
277 goto send;
278 }
279
280 state->data = TALLOC_REALLOC_ARRAY(state, state->data, uint8_t,
281 state->max_read);
282 if (state->data == NULL) {
283 reply_nterror(req, NT_STATUS_NO_MEMORY);
284 goto send;
285 }
286
287 subreq = np_read_send(req->conn, smbd_event_context(),
288 state->handle, state->data, state->max_read);
289 if (subreq == NULL) {
290 reply_nterror(req, NT_STATUS_NO_MEMORY);
291 goto send;
292 }
293 tevent_req_set_callback(subreq, api_dcerpc_cmd_read_done, req);
294 return;
295
296 send:
297 if (!srv_send_smb(
298 smbd_server_fd(), (char *)req->outbuf,
299 IS_CONN_ENCRYPTED(req->conn) || req->encrypted,
300 &req->pcd)) {
301 exit_server_cleanly("construct_reply: srv_send_smb failed.");
302 }
303 TALLOC_FREE(req);
304 }
305
306 static void api_dcerpc_cmd_read_done(struct tevent_req *subreq)
/* [<][>][^][v][top][bottom][index][help] */
307 {
308 struct smb_request *req = tevent_req_callback_data(
309 subreq, struct smb_request);
310 struct dcerpc_cmd_state *state = talloc_get_type_abort(
311 req->async_priv, struct dcerpc_cmd_state);
312 NTSTATUS status;
313 ssize_t nread;
314 bool is_data_outstanding;
315
316 status = np_read_recv(subreq, &nread, &is_data_outstanding);
317 TALLOC_FREE(subreq);
318
319 if (!NT_STATUS_IS_OK(status)) {
320 DEBUG(10, ("Could not read from to pipe: %s\n",
321 nt_errstr(status)));
322 reply_nterror(req, status);
323
324 if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf,
325 IS_CONN_ENCRYPTED(req->conn)
326 ||req->encrypted, &req->pcd)) {
327 exit_server_cleanly("construct_reply: srv_send_smb "
328 "failed.");
329 }
330 TALLOC_FREE(req);
331 return;
332 }
333
334 send_trans_reply(req->conn, req, NULL, 0, (char *)state->data, nread,
335 is_data_outstanding);
336 TALLOC_FREE(req);
337 }
338
339 /****************************************************************************
340 WaitNamedPipeHandleState
341 ****************************************************************************/
342
343 static void api_WNPHS(connection_struct *conn, struct smb_request *req,
/* [<][>][^][v][top][bottom][index][help] */
344 struct files_struct *fsp, char *param, int param_len)
345 {
346 if (!param || param_len < 2) {
347 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
348 return;
349 }
350
351 DEBUG(4,("WaitNamedPipeHandleState priority %x\n",
352 (int)SVAL(param,0)));
353
354 send_trans_reply(conn, req, NULL, 0, NULL, 0, False);
355 }
356
357
358 /****************************************************************************
359 SetNamedPipeHandleState
360 ****************************************************************************/
361
362 static void api_SNPHS(connection_struct *conn, struct smb_request *req,
/* [<][>][^][v][top][bottom][index][help] */
363 struct files_struct *fsp, char *param, int param_len)
364 {
365 if (!param || param_len < 2) {
366 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
367 return;
368 }
369
370 DEBUG(4,("SetNamedPipeHandleState to code %x\n", (int)SVAL(param,0)));
371
372 send_trans_reply(conn, req, NULL, 0, NULL, 0, False);
373 }
374
375
376 /****************************************************************************
377 When no reply is generated, indicate unsupported.
378 ****************************************************************************/
379
380 static void api_no_reply(connection_struct *conn, struct smb_request *req)
/* [<][>][^][v][top][bottom][index][help] */
381 {
382 char rparam[4];
383
384 /* unsupported */
385 SSVAL(rparam,0,NERR_notsupported);
386 SSVAL(rparam,2,0); /* converter word */
387
388 DEBUG(3,("Unsupported API fd command\n"));
389
390 /* now send the reply */
391 send_trans_reply(conn, req, rparam, 4, NULL, 0, False);
392
393 return;
394 }
395
396 /****************************************************************************
397 Handle remote api calls delivered to a named pipe already opened.
398 ****************************************************************************/
399
400 static void api_fd_reply(connection_struct *conn, uint16 vuid,
/* [<][>][^][v][top][bottom][index][help] */
401 struct smb_request *req,
402 uint16 *setup, uint8_t *data, char *params,
403 int suwcnt, int tdscnt, int tpscnt,
404 int mdrcnt, int mprcnt)
405 {
406 struct files_struct *fsp;
407 int pnum;
408 int subcommand;
409
410 DEBUG(5,("api_fd_reply\n"));
411
412 /* First find out the name of this file. */
413 if (suwcnt != 2) {
414 DEBUG(0,("Unexpected named pipe transaction.\n"));
415 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
416 return;
417 }
418
419 /* Get the file handle and hence the file name. */
420 /*
421 * NB. The setup array has already been transformed
422 * via SVAL and so is in host byte order.
423 */
424 pnum = ((int)setup[1]) & 0xFFFF;
425 subcommand = ((int)setup[0]) & 0xFFFF;
426
427 fsp = file_fsp(req, pnum);
428
429 if (!fsp_is_np(fsp)) {
430 if (subcommand == TRANSACT_WAITNAMEDPIPEHANDLESTATE) {
431 /* Win9x does this call with a unicode pipe name, not a pnum. */
432 /* Just return success for now... */
433 DEBUG(3,("Got TRANSACT_WAITNAMEDPIPEHANDLESTATE on text pipe name\n"));
434 send_trans_reply(conn, req, NULL, 0, NULL, 0, False);
435 return;
436 }
437
438 DEBUG(1,("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum));
439 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
440 return;
441 }
442
443 if (vuid != fsp->vuid) {
444 DEBUG(1, ("Got pipe request (pnum %x) using invalid VUID %d, "
445 "expected %d\n", pnum, vuid, fsp->vuid));
446 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
447 return;
448 }
449
450 DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)\n",
451 subcommand, fsp->fsp_name, pnum));
452
453 DEBUG(10, ("api_fd_reply: p:%p max_trans_reply: %d\n", fsp, mdrcnt));
454
455 switch (subcommand) {
456 case TRANSACT_DCERPCCMD: {
457 /* dce/rpc command */
458 api_dcerpc_cmd(conn, req, fsp, (uint8_t *)data, tdscnt,
459 mdrcnt);
460 break;
461 }
462 case TRANSACT_WAITNAMEDPIPEHANDLESTATE:
463 /* Wait Named Pipe Handle state */
464 api_WNPHS(conn, req, fsp, params, tpscnt);
465 break;
466 case TRANSACT_SETNAMEDPIPEHANDLESTATE:
467 /* Set Named Pipe Handle state */
468 api_SNPHS(conn, req, fsp, params, tpscnt);
469 break;
470 default:
471 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
472 return;
473 }
474 }
475
476 /****************************************************************************
477 Handle named pipe commands.
478 ****************************************************************************/
479
480 static void named_pipe(connection_struct *conn, uint16 vuid,
/* [<][>][^][v][top][bottom][index][help] */
481 struct smb_request *req,
482 const char *name, uint16 *setup,
483 char *data, char *params,
484 int suwcnt, int tdscnt,int tpscnt,
485 int msrcnt, int mdrcnt, int mprcnt)
486 {
487 DEBUG(3,("named pipe command on <%s> name\n", name));
488
489 if (strequal(name,"LANMAN")) {
490 api_reply(conn, vuid, req,
491 data, params,
492 tdscnt, tpscnt,
493 mdrcnt, mprcnt);
494 return;
495 }
496
497 if (strequal(name,"WKSSVC") ||
498 strequal(name,"SRVSVC") ||
499 strequal(name,"WINREG") ||
500 strequal(name,"SAMR") ||
501 strequal(name,"LSARPC")) {
502
503 DEBUG(4,("named pipe command from Win95 (wow!)\n"));
504
505 api_fd_reply(conn, vuid, req,
506 setup, (uint8_t *)data, params,
507 suwcnt, tdscnt, tpscnt,
508 mdrcnt, mprcnt);
509 return;
510 }
511
512 if (strlen(name) < 1) {
513 api_fd_reply(conn, vuid, req,
514 setup, (uint8_t *)data,
515 params, suwcnt, tdscnt,
516 tpscnt, mdrcnt, mprcnt);
517 return;
518 }
519
520 if (setup)
521 DEBUG(3,("unknown named pipe: setup 0x%X setup1=%d\n",
522 (int)setup[0],(int)setup[1]));
523
524 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
525 return;
526 }
527
528 static void handle_trans(connection_struct *conn, struct smb_request *req,
/* [<][>][^][v][top][bottom][index][help] */
529 struct trans_state *state)
530 {
531 char *local_machine_name;
532 int name_offset = 0;
533
534 DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n",
535 state->name,(unsigned int)state->total_data,(unsigned int)state->total_param,
536 (unsigned int)state->setup_count));
537
538 /*
539 * WinCE wierdness....
540 */
541
542 local_machine_name = talloc_asprintf(state, "\\%s\\",
543 get_local_machine_name());
544
545 if (local_machine_name == NULL) {
546 reply_nterror(req, NT_STATUS_NO_MEMORY);
547 return;
548 }
549
550 if (strnequal(state->name, local_machine_name,
551 strlen(local_machine_name))) {
552 name_offset = strlen(local_machine_name)-1;
553 }
554
555 if (!strnequal(&state->name[name_offset], "\\PIPE",
556 strlen("\\PIPE"))) {
557 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
558 return;
559 }
560
561 name_offset += strlen("\\PIPE");
562
563 /* Win9x weirdness. When talking to a unicode server Win9x
564 only sends \PIPE instead of \PIPE\ */
565
566 if (state->name[name_offset] == '\\')
567 name_offset++;
568
569 DEBUG(5,("calling named_pipe\n"));
570 named_pipe(conn, state->vuid, req,
571 state->name+name_offset,
572 state->setup,state->data,
573 state->param,
574 state->setup_count,state->total_data,
575 state->total_param,
576 state->max_setup_return,
577 state->max_data_return,
578 state->max_param_return);
579
580 if (state->close_on_completion) {
581 close_cnum(conn,state->vuid);
582 req->conn = NULL;
583 }
584
585 return;
586 }
587
588 /****************************************************************************
589 Reply to a SMBtrans.
590 ****************************************************************************/
591
592 void reply_trans(struct smb_request *req)
/* [<][>][^][v][top][bottom][index][help] */
593 {
594 connection_struct *conn = req->conn;
595 unsigned int dsoff;
596 unsigned int dscnt;
597 unsigned int psoff;
598 unsigned int pscnt;
599 struct trans_state *state;
600 NTSTATUS result;
601
602 START_PROFILE(SMBtrans);
603
604 if (req->wct < 14) {
605 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
606 END_PROFILE(SMBtrans);
607 return;
608 }
609
610 dsoff = SVAL(req->vwv+12, 0);
611 dscnt = SVAL(req->vwv+11, 0);
612 psoff = SVAL(req->vwv+10, 0);
613 pscnt = SVAL(req->vwv+9, 0);
614
615 result = allow_new_trans(conn->pending_trans, req->mid);
616 if (!NT_STATUS_IS_OK(result)) {
617 DEBUG(2, ("Got invalid trans request: %s\n",
618 nt_errstr(result)));
619 reply_nterror(req, result);
620 END_PROFILE(SMBtrans);
621 return;
622 }
623
624 if ((state = TALLOC_P(conn, struct trans_state)) == NULL) {
625 DEBUG(0, ("talloc failed\n"));
626 reply_nterror(req, NT_STATUS_NO_MEMORY);
627 END_PROFILE(SMBtrans);
628 return;
629 }
630
631 state->cmd = SMBtrans;
632
633 state->mid = req->mid;
634 state->vuid = req->vuid;
635 state->setup_count = CVAL(req->vwv+13, 0);
636 state->setup = NULL;
637 state->total_param = SVAL(req->vwv+0, 0);
638 state->param = NULL;
639 state->total_data = SVAL(req->vwv+1, 0);
640 state->data = NULL;
641 state->max_param_return = SVAL(req->vwv+2, 0);
642 state->max_data_return = SVAL(req->vwv+3, 0);
643 state->max_setup_return = CVAL(req->vwv+4, 0);
644 state->close_on_completion = BITSETW(req->vwv+5, 0);
645 state->one_way = BITSETW(req->vwv+5, 1);
646
647 srvstr_pull_req_talloc(state, req, &state->name, req->buf,
648 STR_TERMINATE);
649
650 if ((dscnt > state->total_data) || (pscnt > state->total_param) ||
651 !state->name)
652 goto bad_param;
653
654 if (state->total_data) {
655
656 if (trans_oob(state->total_data, 0, dscnt)
657 || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) {
658 goto bad_param;
659 }
660
661 /* Can't use talloc here, the core routines do realloc on the
662 * params and data. Out of paranoia, 100 bytes too many. */
663 state->data = (char *)SMB_MALLOC(state->total_data+100);
664 if (state->data == NULL) {
665 DEBUG(0,("reply_trans: data malloc fail for %u "
666 "bytes !\n", (unsigned int)state->total_data));
667 TALLOC_FREE(state);
668 reply_nterror(req, NT_STATUS_NO_MEMORY);
669 END_PROFILE(SMBtrans);
670 return;
671 }
672 /* null-terminate the slack space */
673 memset(&state->data[state->total_data], 0, 100);
674
675 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
676 }
677
678 if (state->total_param) {
679
680 if (trans_oob(state->total_param, 0, pscnt)
681 || trans_oob(smb_len(req->inbuf), psoff, pscnt)) {
682 goto bad_param;
683 }
684
685 /* Can't use talloc here, the core routines do realloc on the
686 * params and data. Out of paranoia, 100 bytes too many */
687 state->param = (char *)SMB_MALLOC(state->total_param+100);
688 if (state->param == NULL) {
689 DEBUG(0,("reply_trans: param malloc fail for %u "
690 "bytes !\n", (unsigned int)state->total_param));
691 SAFE_FREE(state->data);
692 TALLOC_FREE(state);
693 reply_nterror(req, NT_STATUS_NO_MEMORY);
694 END_PROFILE(SMBtrans);
695 return;
696 }
697 /* null-terminate the slack space */
698 memset(&state->param[state->total_param], 0, 100);
699
700 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
701 }
702
703 state->received_data = dscnt;
704 state->received_param = pscnt;
705
706 if (state->setup_count) {
707 unsigned int i;
708
709 /*
710 * No overflow possible here, state->setup_count is an
711 * unsigned int, being filled by a single byte from
712 * CVAL(req->vwv+13, 0) above. The cast in the comparison
713 * below is not necessary, it's here to clarify things. The
714 * validity of req->vwv and req->wct has been checked in
715 * init_smb_request already.
716 */
717 if (state->setup_count + 14 > (unsigned int)req->wct) {
718 goto bad_param;
719 }
720
721 if((state->setup = TALLOC_ARRAY(
722 state, uint16, state->setup_count)) == NULL) {
723 DEBUG(0,("reply_trans: setup malloc fail for %u "
724 "bytes !\n", (unsigned int)
725 (state->setup_count * sizeof(uint16))));
726 SAFE_FREE(state->data);
727 SAFE_FREE(state->param);
728 TALLOC_FREE(state);
729 reply_nterror(req, NT_STATUS_NO_MEMORY);
730 END_PROFILE(SMBtrans);
731 return;
732 }
733
734 for (i=0;i<state->setup_count;i++) {
735 state->setup[i] = SVAL(req->vwv + 14 + i, 0);
736 }
737 }
738
739 state->received_param = pscnt;
740
741 if ((state->received_param != state->total_param) ||
742 (state->received_data != state->total_data)) {
743 DLIST_ADD(conn->pending_trans, state);
744
745 /* We need to send an interim response then receive the rest
746 of the parameter/data bytes */
747 reply_outbuf(req, 0, 0);
748 show_msg((char *)req->outbuf);
749 END_PROFILE(SMBtrans);
750 return;
751 }
752
753 talloc_steal(talloc_tos(), state);
754
755 handle_trans(conn, req, state);
756
757 SAFE_FREE(state->data);
758 SAFE_FREE(state->param);
759 TALLOC_FREE(state);
760
761 END_PROFILE(SMBtrans);
762 return;
763
764 bad_param:
765
766 DEBUG(0,("reply_trans: invalid trans parameters\n"));
767 SAFE_FREE(state->data);
768 SAFE_FREE(state->param);
769 TALLOC_FREE(state);
770 END_PROFILE(SMBtrans);
771 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
772 return;
773 }
774
775 /****************************************************************************
776 Reply to a secondary SMBtrans.
777 ****************************************************************************/
778
779 void reply_transs(struct smb_request *req)
/* [<][>][^][v][top][bottom][index][help] */
780 {
781 connection_struct *conn = req->conn;
782 unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
783 struct trans_state *state;
784
785 START_PROFILE(SMBtranss);
786
787 show_msg((char *)req->inbuf);
788
789 if (req->wct < 8) {
790 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
791 END_PROFILE(SMBtranss);
792 return;
793 }
794
795 for (state = conn->pending_trans; state != NULL;
796 state = state->next) {
797 if (state->mid == req->mid) {
798 break;
799 }
800 }
801
802 if ((state == NULL) || (state->cmd != SMBtrans)) {
803 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
804 END_PROFILE(SMBtranss);
805 return;
806 }
807
808 /* Revise total_params and total_data in case they have changed
809 * downwards */
810
811 if (SVAL(req->vwv+0, 0) < state->total_param)
812 state->total_param = SVAL(req->vwv+0, 0);
813 if (SVAL(req->vwv+1, 0) < state->total_data)
814 state->total_data = SVAL(req->vwv+1, 0);
815
816 pcnt = SVAL(req->vwv+2, 0);
817 poff = SVAL(req->vwv+3, 0);
818 pdisp = SVAL(req->vwv+4, 0);
819
820 dcnt = SVAL(req->vwv+5, 0);
821 doff = SVAL(req->vwv+6, 0);
822 ddisp = SVAL(req->vwv+7, 0);
823
824 state->received_param += pcnt;
825 state->received_data += dcnt;
826
827 if ((state->received_data > state->total_data) ||
828 (state->received_param > state->total_param))
829 goto bad_param;
830
831 if (pcnt) {
832 if (trans_oob(state->total_param, pdisp, pcnt)
833 || trans_oob(smb_len(req->inbuf), poff, pcnt)) {
834 goto bad_param;
835 }
836 memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,pcnt);
837 }
838
839 if (dcnt) {
840 if (trans_oob(state->total_data, ddisp, dcnt)
841 || trans_oob(smb_len(req->inbuf), doff, dcnt)) {
842 goto bad_param;
843 }
844 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt);
845 }
846
847 if ((state->received_param < state->total_param) ||
848 (state->received_data < state->total_data)) {
849 END_PROFILE(SMBtranss);
850 return;
851 }
852
853 talloc_steal(talloc_tos(), state);
854
855 handle_trans(conn, req, state);
856
857 DLIST_REMOVE(conn->pending_trans, state);
858 SAFE_FREE(state->data);
859 SAFE_FREE(state->param);
860 TALLOC_FREE(state);
861
862 END_PROFILE(SMBtranss);
863 return;
864
865 bad_param:
866
867 DEBUG(0,("reply_transs: invalid trans parameters\n"));
868 DLIST_REMOVE(conn->pending_trans, state);
869 SAFE_FREE(state->data);
870 SAFE_FREE(state->param);
871 TALLOC_FREE(state);
872 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
873 END_PROFILE(SMBtranss);
874 return;
875 }