root/source3/smbd/ipc.c

/* [<][>][^][v][top][bottom][index][help] */

DEFINITIONS

This source file includes following definitions.
  1. copy_trans_params_and_data
  2. send_trans_reply
  3. api_dcerpc_cmd
  4. api_dcerpc_cmd_write_done
  5. api_dcerpc_cmd_read_done
  6. api_WNPHS
  7. api_SNPHS
  8. api_no_reply
  9. api_fd_reply
  10. named_pipe
  11. handle_trans
  12. reply_trans
  13. reply_transs

   1 /* 
   2    Unix SMB/CIFS implementation.
   3    Inter-process communication and named pipe handling
   4    Copyright (C) Andrew Tridgell 1992-1998
   5 
   6    SMB Version handling
   7    Copyright (C) John H Terpstra 1995-1998
   8 
   9    This program is free software; you can redistribute it and/or modify
  10    it under the terms of the GNU General Public License as published by
  11    the Free Software Foundation; either version 3 of the License, or
  12    (at your option) any later version.
  13 
  14    This program is distributed in the hope that it will be useful,
  15    but WITHOUT ANY WARRANTY; without even the implied warranty of
  16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  17    GNU General Public License for more details.
  18 
  19    You should have received a copy of the GNU General Public License
  20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
  21    */
  22 /*
  23    This file handles the named pipe and mailslot calls
  24    in the SMBtrans protocol
  25    */
  26 
  27 #include "includes.h"
  28 #include "smbd/globals.h"
  29 
  30 #define NERR_notsupported 50
  31 
  32 static void api_no_reply(connection_struct *conn, struct smb_request *req);
  33 
  34 /*******************************************************************
  35  copies parameters and data, as needed, into the smb buffer
  36 
  37  *both* the data and params sections should be aligned.  this
  38  is fudged in the rpc pipes by 
  39  at present, only the data section is.  this may be a possible
  40  cause of some of the ipc problems being experienced.  lkcl26dec97
  41 
  42  ******************************************************************/
  43 
  44 static void copy_trans_params_and_data(char *outbuf, int align,
     /* [<][>][^][v][top][bottom][index][help] */
  45                                 char *rparam, int param_offset, int param_len,
  46                                 char *rdata, int data_offset, int data_len)
  47 {
  48         char *copy_into = smb_buf(outbuf);
  49 
  50         if(param_len < 0)
  51                 param_len = 0;
  52 
  53         if(data_len < 0)
  54                 data_len = 0;
  55 
  56         DEBUG(5,("copy_trans_params_and_data: params[%d..%d] data[%d..%d] (align %d)\n",
  57                         param_offset, param_offset + param_len,
  58                         data_offset , data_offset  + data_len,
  59                         align));
  60 
  61         *copy_into = '\0';
  62 
  63         copy_into += 1;
  64 
  65         if (param_len)
  66                 memcpy(copy_into, &rparam[param_offset], param_len);
  67 
  68         copy_into += param_len;
  69         if (align) {
  70                 memset(copy_into, '\0', align);
  71         }
  72 
  73         copy_into += align;
  74 
  75         if (data_len )
  76                 memcpy(copy_into, &rdata[data_offset], data_len);
  77 }
  78 
  79 /****************************************************************************
  80  Send a trans reply.
  81  ****************************************************************************/
  82 
  83 void send_trans_reply(connection_struct *conn,
     /* [<][>][^][v][top][bottom][index][help] */
  84                       struct smb_request *req,
  85                       char *rparam, int rparam_len,
  86                       char *rdata, int rdata_len,
  87                       bool buffer_too_large)
  88 {
  89         int this_ldata,this_lparam;
  90         int tot_data_sent = 0;
  91         int tot_param_sent = 0;
  92         int align;
  93 
  94         int ldata  = rdata  ? rdata_len : 0;
  95         int lparam = rparam ? rparam_len : 0;
  96 
  97         if (buffer_too_large)
  98                 DEBUG(5,("send_trans_reply: buffer %d too large\n", ldata ));
  99 
 100         this_lparam = MIN(lparam,max_send - 500); /* hack */
 101         this_ldata  = MIN(ldata,max_send - (500+this_lparam));
 102 
 103         align = ((this_lparam)%4);
 104 
 105         reply_outbuf(req, 10, 1+align+this_ldata+this_lparam);
 106 
 107         /*
 108          * We might have SMBtranss in req which was transferred to the outbuf,
 109          * fix that.
 110          */
 111         SCVAL(req->outbuf, smb_com, SMBtrans);
 112 
 113         copy_trans_params_and_data((char *)req->outbuf, align,
 114                                 rparam, tot_param_sent, this_lparam,
 115                                 rdata, tot_data_sent, this_ldata);
 116 
 117         SSVAL(req->outbuf,smb_vwv0,lparam);
 118         SSVAL(req->outbuf,smb_vwv1,ldata);
 119         SSVAL(req->outbuf,smb_vwv3,this_lparam);
 120         SSVAL(req->outbuf,smb_vwv4,
 121               smb_offset(smb_buf(req->outbuf)+1, req->outbuf));
 122         SSVAL(req->outbuf,smb_vwv5,0);
 123         SSVAL(req->outbuf,smb_vwv6,this_ldata);
 124         SSVAL(req->outbuf,smb_vwv7,
 125               smb_offset(smb_buf(req->outbuf)+1+this_lparam+align,
 126                          req->outbuf));
 127         SSVAL(req->outbuf,smb_vwv8,0);
 128         SSVAL(req->outbuf,smb_vwv9,0);
 129 
 130         if (buffer_too_large) {
 131                 error_packet_set((char *)req->outbuf, ERRDOS, ERRmoredata,
 132                                  STATUS_BUFFER_OVERFLOW, __LINE__, __FILE__);
 133         }
 134 
 135         show_msg((char *)req->outbuf);
 136         if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf,
 137                           IS_CONN_ENCRYPTED(conn), &req->pcd)) {
 138                 exit_server_cleanly("send_trans_reply: srv_send_smb failed.");
 139         }
 140 
 141         TALLOC_FREE(req->outbuf);
 142 
 143         tot_data_sent = this_ldata;
 144         tot_param_sent = this_lparam;
 145 
 146         while (tot_data_sent < ldata || tot_param_sent < lparam)
 147         {
 148                 this_lparam = MIN(lparam-tot_param_sent,
 149                                   max_send - 500); /* hack */
 150                 this_ldata  = MIN(ldata -tot_data_sent,
 151                                   max_send - (500+this_lparam));
 152 
 153                 if(this_lparam < 0)
 154                         this_lparam = 0;
 155 
 156                 if(this_ldata < 0)
 157                         this_ldata = 0;
 158 
 159                 align = (this_lparam%4);
 160 
 161                 reply_outbuf(req, 10, 1+align+this_ldata+this_lparam);
 162 
 163                 /*
 164                  * We might have SMBtranss in req which was transferred to the
 165                  * outbuf, fix that.
 166                  */
 167                 SCVAL(req->outbuf, smb_com, SMBtrans);
 168 
 169                 copy_trans_params_and_data((char *)req->outbuf, align,
 170                                            rparam, tot_param_sent, this_lparam,
 171                                            rdata, tot_data_sent, this_ldata);
 172 
 173                 SSVAL(req->outbuf,smb_vwv3,this_lparam);
 174                 SSVAL(req->outbuf,smb_vwv4,
 175                       smb_offset(smb_buf(req->outbuf)+1,req->outbuf));
 176                 SSVAL(req->outbuf,smb_vwv5,tot_param_sent);
 177                 SSVAL(req->outbuf,smb_vwv6,this_ldata);
 178                 SSVAL(req->outbuf,smb_vwv7,
 179                       smb_offset(smb_buf(req->outbuf)+1+this_lparam+align,
 180                                  req->outbuf));
 181                 SSVAL(req->outbuf,smb_vwv8,tot_data_sent);
 182                 SSVAL(req->outbuf,smb_vwv9,0);
 183 
 184                 if (buffer_too_large) {
 185                         error_packet_set((char *)req->outbuf,
 186                                          ERRDOS, ERRmoredata,
 187                                          STATUS_BUFFER_OVERFLOW,
 188                                          __LINE__, __FILE__);
 189                 }
 190 
 191                 show_msg((char *)req->outbuf);
 192                 if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf,
 193                                   IS_CONN_ENCRYPTED(conn), &req->pcd))
 194                         exit_server_cleanly("send_trans_reply: srv_send_smb "
 195                                             "failed.");
 196 
 197                 tot_data_sent  += this_ldata;
 198                 tot_param_sent += this_lparam;
 199                 TALLOC_FREE(req->outbuf);
 200         }
 201 }
 202 
 203 /****************************************************************************
 204  Start the first part of an RPC reply which began with an SMBtrans request.
 205 ****************************************************************************/
 206 
 207 struct dcerpc_cmd_state {
 208         struct fake_file_handle *handle;
 209         uint8_t *data;
 210         size_t num_data;
 211         size_t max_read;
 212 };
 213 
 214 static void api_dcerpc_cmd_write_done(struct tevent_req *subreq);
 215 static void api_dcerpc_cmd_read_done(struct tevent_req *subreq);
 216 
 217 static void api_dcerpc_cmd(connection_struct *conn, struct smb_request *req,
     /* [<][>][^][v][top][bottom][index][help] */
 218                            files_struct *fsp, uint8_t *data, size_t length,
 219                            size_t max_read)
 220 {
 221         struct tevent_req *subreq;
 222         struct dcerpc_cmd_state *state;
 223 
 224         if (!fsp_is_np(fsp)) {
 225                 api_no_reply(conn, req);
 226                 return;
 227         }
 228 
 229         state = talloc(req, struct dcerpc_cmd_state);
 230         if (state == NULL) {
 231                 reply_nterror(req, NT_STATUS_NO_MEMORY);
 232                 return;
 233         }
 234         req->async_priv = state;
 235 
 236         state->handle = fsp->fake_file_handle;
 237 
 238         /*
 239          * This memdup severely sucks. But doing it properly essentially means
 240          * to rewrite lanman.c, something which I don't really want to do now.
 241          */
 242         state->data = (uint8_t *)talloc_memdup(state, data, length);
 243         if (state->data == NULL) {
 244                 reply_nterror(req, NT_STATUS_NO_MEMORY);
 245                 return;
 246         }
 247         state->num_data = length;
 248         state->max_read = max_read;
 249 
 250         subreq = np_write_send(state, smbd_event_context(), state->handle,
 251                                state->data, length);
 252         if (subreq == NULL) {
 253                 TALLOC_FREE(state);
 254                 reply_nterror(req, NT_STATUS_NO_MEMORY);
 255                 return;
 256         }
 257         tevent_req_set_callback(subreq, api_dcerpc_cmd_write_done,
 258                                 talloc_move(conn, &req));
 259 }
 260 
 261 static void api_dcerpc_cmd_write_done(struct tevent_req *subreq)
     /* [<][>][^][v][top][bottom][index][help] */
 262 {
 263         struct smb_request *req = tevent_req_callback_data(
 264                 subreq, struct smb_request);
 265         struct dcerpc_cmd_state *state = talloc_get_type_abort(
 266                 req->async_priv, struct dcerpc_cmd_state);
 267         NTSTATUS status;
 268         ssize_t nwritten = -1;
 269 
 270         status = np_write_recv(subreq, &nwritten);
 271         TALLOC_FREE(subreq);
 272         if (!NT_STATUS_IS_OK(status) || (nwritten != state->num_data)) {
 273                 DEBUG(10, ("Could not write to pipe: %s (%d/%d)\n",
 274                            nt_errstr(status), (int)state->num_data,
 275                            (int)nwritten));
 276                 reply_nterror(req, NT_STATUS_PIPE_NOT_AVAILABLE);
 277                 goto send;
 278         }
 279 
 280         state->data = TALLOC_REALLOC_ARRAY(state, state->data, uint8_t,
 281                                            state->max_read);
 282         if (state->data == NULL) {
 283                 reply_nterror(req, NT_STATUS_NO_MEMORY);
 284                 goto send;
 285         }
 286 
 287         subreq = np_read_send(req->conn, smbd_event_context(),
 288                               state->handle, state->data, state->max_read);
 289         if (subreq == NULL) {
 290                 reply_nterror(req, NT_STATUS_NO_MEMORY);
 291                 goto send;
 292         }
 293         tevent_req_set_callback(subreq, api_dcerpc_cmd_read_done, req);
 294         return;
 295 
 296  send:
 297         if (!srv_send_smb(
 298                     smbd_server_fd(), (char *)req->outbuf,
 299                     IS_CONN_ENCRYPTED(req->conn) || req->encrypted,
 300                     &req->pcd)) {
 301                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
 302         }
 303         TALLOC_FREE(req);
 304 }
 305 
 306 static void api_dcerpc_cmd_read_done(struct tevent_req *subreq)
     /* [<][>][^][v][top][bottom][index][help] */
 307 {
 308         struct smb_request *req = tevent_req_callback_data(
 309                 subreq, struct smb_request);
 310         struct dcerpc_cmd_state *state = talloc_get_type_abort(
 311                 req->async_priv, struct dcerpc_cmd_state);
 312         NTSTATUS status;
 313         ssize_t nread;
 314         bool is_data_outstanding;
 315 
 316         status = np_read_recv(subreq, &nread, &is_data_outstanding);
 317         TALLOC_FREE(subreq);
 318 
 319         if (!NT_STATUS_IS_OK(status)) {
 320                 DEBUG(10, ("Could not read from to pipe: %s\n",
 321                            nt_errstr(status)));
 322                 reply_nterror(req, status);
 323 
 324                 if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf,
 325                                   IS_CONN_ENCRYPTED(req->conn)
 326                                   ||req->encrypted, &req->pcd)) {
 327                         exit_server_cleanly("construct_reply: srv_send_smb "
 328                                             "failed.");
 329                 }
 330                 TALLOC_FREE(req);
 331                 return;
 332         }
 333 
 334         send_trans_reply(req->conn, req, NULL, 0, (char *)state->data, nread,
 335                          is_data_outstanding);
 336         TALLOC_FREE(req);
 337 }
 338 
 339 /****************************************************************************
 340  WaitNamedPipeHandleState 
 341 ****************************************************************************/
 342 
 343 static void api_WNPHS(connection_struct *conn, struct smb_request *req,
     /* [<][>][^][v][top][bottom][index][help] */
 344                       struct files_struct *fsp, char *param, int param_len)
 345 {
 346         if (!param || param_len < 2) {
 347                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 348                 return;
 349         }
 350 
 351         DEBUG(4,("WaitNamedPipeHandleState priority %x\n",
 352                  (int)SVAL(param,0)));
 353 
 354         send_trans_reply(conn, req, NULL, 0, NULL, 0, False);
 355 }
 356 
 357 
 358 /****************************************************************************
 359  SetNamedPipeHandleState 
 360 ****************************************************************************/
 361 
 362 static void api_SNPHS(connection_struct *conn, struct smb_request *req,
     /* [<][>][^][v][top][bottom][index][help] */
 363                       struct files_struct *fsp, char *param, int param_len)
 364 {
 365         if (!param || param_len < 2) {
 366                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 367                 return;
 368         }
 369 
 370         DEBUG(4,("SetNamedPipeHandleState to code %x\n", (int)SVAL(param,0)));
 371 
 372         send_trans_reply(conn, req, NULL, 0, NULL, 0, False);
 373 }
 374 
 375 
 376 /****************************************************************************
 377  When no reply is generated, indicate unsupported.
 378  ****************************************************************************/
 379 
 380 static void api_no_reply(connection_struct *conn, struct smb_request *req)
     /* [<][>][^][v][top][bottom][index][help] */
 381 {
 382         char rparam[4];
 383 
 384         /* unsupported */
 385         SSVAL(rparam,0,NERR_notsupported);
 386         SSVAL(rparam,2,0); /* converter word */
 387 
 388         DEBUG(3,("Unsupported API fd command\n"));
 389 
 390         /* now send the reply */
 391         send_trans_reply(conn, req, rparam, 4, NULL, 0, False);
 392 
 393         return;
 394 }
 395 
 396 /****************************************************************************
 397  Handle remote api calls delivered to a named pipe already opened.
 398  ****************************************************************************/
 399 
 400 static void api_fd_reply(connection_struct *conn, uint16 vuid,
     /* [<][>][^][v][top][bottom][index][help] */
 401                          struct smb_request *req,
 402                          uint16 *setup, uint8_t *data, char *params,
 403                          int suwcnt, int tdscnt, int tpscnt,
 404                          int mdrcnt, int mprcnt)
 405 {
 406         struct files_struct *fsp;
 407         int pnum;
 408         int subcommand;
 409 
 410         DEBUG(5,("api_fd_reply\n"));
 411 
 412         /* First find out the name of this file. */
 413         if (suwcnt != 2) {
 414                 DEBUG(0,("Unexpected named pipe transaction.\n"));
 415                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 416                 return;
 417         }
 418 
 419         /* Get the file handle and hence the file name. */
 420         /* 
 421          * NB. The setup array has already been transformed
 422          * via SVAL and so is in host byte order.
 423          */
 424         pnum = ((int)setup[1]) & 0xFFFF;
 425         subcommand = ((int)setup[0]) & 0xFFFF;
 426 
 427         fsp = file_fsp(req, pnum);
 428 
 429         if (!fsp_is_np(fsp)) {
 430                 if (subcommand == TRANSACT_WAITNAMEDPIPEHANDLESTATE) {
 431                         /* Win9x does this call with a unicode pipe name, not a pnum. */
 432                         /* Just return success for now... */
 433                         DEBUG(3,("Got TRANSACT_WAITNAMEDPIPEHANDLESTATE on text pipe name\n"));
 434                         send_trans_reply(conn, req, NULL, 0, NULL, 0, False);
 435                         return;
 436                 }
 437 
 438                 DEBUG(1,("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum));
 439                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
 440                 return;
 441         }
 442 
 443         if (vuid != fsp->vuid) {
 444                 DEBUG(1, ("Got pipe request (pnum %x) using invalid VUID %d, "
 445                           "expected %d\n", pnum, vuid, fsp->vuid));
 446                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
 447                 return;
 448         }
 449 
 450         DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)\n",
 451                  subcommand, fsp->fsp_name, pnum));
 452 
 453         DEBUG(10, ("api_fd_reply: p:%p max_trans_reply: %d\n", fsp, mdrcnt));
 454 
 455         switch (subcommand) {
 456         case TRANSACT_DCERPCCMD: {
 457                 /* dce/rpc command */
 458                 api_dcerpc_cmd(conn, req, fsp, (uint8_t *)data, tdscnt,
 459                                mdrcnt);
 460                 break;
 461         }
 462         case TRANSACT_WAITNAMEDPIPEHANDLESTATE:
 463                 /* Wait Named Pipe Handle state */
 464                 api_WNPHS(conn, req, fsp, params, tpscnt);
 465                 break;
 466         case TRANSACT_SETNAMEDPIPEHANDLESTATE:
 467                 /* Set Named Pipe Handle state */
 468                 api_SNPHS(conn, req, fsp, params, tpscnt);
 469                 break;
 470         default:
 471                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 472                 return;
 473         }
 474 }
 475 
 476 /****************************************************************************
 477  Handle named pipe commands.
 478 ****************************************************************************/
 479 
 480 static void named_pipe(connection_struct *conn, uint16 vuid,
     /* [<][>][^][v][top][bottom][index][help] */
 481                        struct smb_request *req,
 482                        const char *name, uint16 *setup,
 483                        char *data, char *params,
 484                        int suwcnt, int tdscnt,int tpscnt,
 485                        int msrcnt, int mdrcnt, int mprcnt)
 486 {
 487         DEBUG(3,("named pipe command on <%s> name\n", name));
 488 
 489         if (strequal(name,"LANMAN")) {
 490                 api_reply(conn, vuid, req,
 491                           data, params,
 492                           tdscnt, tpscnt,
 493                           mdrcnt, mprcnt);
 494                 return;
 495         }
 496 
 497         if (strequal(name,"WKSSVC") ||
 498             strequal(name,"SRVSVC") ||
 499             strequal(name,"WINREG") ||
 500             strequal(name,"SAMR") ||
 501             strequal(name,"LSARPC")) {
 502 
 503                 DEBUG(4,("named pipe command from Win95 (wow!)\n"));
 504 
 505                 api_fd_reply(conn, vuid, req,
 506                              setup, (uint8_t *)data, params,
 507                              suwcnt, tdscnt, tpscnt,
 508                              mdrcnt, mprcnt);
 509                 return;
 510         }
 511 
 512         if (strlen(name) < 1) {
 513                 api_fd_reply(conn, vuid, req,
 514                              setup, (uint8_t *)data,
 515                              params, suwcnt, tdscnt,
 516                              tpscnt, mdrcnt, mprcnt);
 517                 return;
 518         }
 519 
 520         if (setup)
 521                 DEBUG(3,("unknown named pipe: setup 0x%X setup1=%d\n",
 522                          (int)setup[0],(int)setup[1]));
 523 
 524         reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
 525         return;
 526 }
 527 
 528 static void handle_trans(connection_struct *conn, struct smb_request *req,
     /* [<][>][^][v][top][bottom][index][help] */
 529                          struct trans_state *state)
 530 {
 531         char *local_machine_name;
 532         int name_offset = 0;
 533 
 534         DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n",
 535                  state->name,(unsigned int)state->total_data,(unsigned int)state->total_param,
 536                  (unsigned int)state->setup_count));
 537 
 538         /*
 539          * WinCE wierdness....
 540          */
 541 
 542         local_machine_name = talloc_asprintf(state, "\\%s\\",
 543                                              get_local_machine_name());
 544 
 545         if (local_machine_name == NULL) {
 546                 reply_nterror(req, NT_STATUS_NO_MEMORY);
 547                 return;
 548         }
 549 
 550         if (strnequal(state->name, local_machine_name,
 551                       strlen(local_machine_name))) {
 552                 name_offset = strlen(local_machine_name)-1;
 553         }
 554 
 555         if (!strnequal(&state->name[name_offset], "\\PIPE",
 556                        strlen("\\PIPE"))) {
 557                 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
 558                 return;
 559         }
 560 
 561         name_offset += strlen("\\PIPE");
 562 
 563         /* Win9x weirdness.  When talking to a unicode server Win9x
 564            only sends \PIPE instead of \PIPE\ */
 565 
 566         if (state->name[name_offset] == '\\')
 567                 name_offset++;
 568 
 569         DEBUG(5,("calling named_pipe\n"));
 570         named_pipe(conn, state->vuid, req,
 571                    state->name+name_offset,
 572                    state->setup,state->data,
 573                    state->param,
 574                    state->setup_count,state->total_data,
 575                    state->total_param,
 576                    state->max_setup_return,
 577                    state->max_data_return,
 578                    state->max_param_return);
 579 
 580         if (state->close_on_completion) {
 581                 close_cnum(conn,state->vuid);
 582                 req->conn = NULL;
 583         }
 584 
 585         return;
 586 }
 587 
 588 /****************************************************************************
 589  Reply to a SMBtrans.
 590  ****************************************************************************/
 591 
 592 void reply_trans(struct smb_request *req)
     /* [<][>][^][v][top][bottom][index][help] */
 593 {
 594         connection_struct *conn = req->conn;
 595         unsigned int dsoff;
 596         unsigned int dscnt;
 597         unsigned int psoff;
 598         unsigned int pscnt;
 599         struct trans_state *state;
 600         NTSTATUS result;
 601 
 602         START_PROFILE(SMBtrans);
 603 
 604         if (req->wct < 14) {
 605                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 606                 END_PROFILE(SMBtrans);
 607                 return;
 608         }
 609 
 610         dsoff = SVAL(req->vwv+12, 0);
 611         dscnt = SVAL(req->vwv+11, 0);
 612         psoff = SVAL(req->vwv+10, 0);
 613         pscnt = SVAL(req->vwv+9, 0);
 614 
 615         result = allow_new_trans(conn->pending_trans, req->mid);
 616         if (!NT_STATUS_IS_OK(result)) {
 617                 DEBUG(2, ("Got invalid trans request: %s\n",
 618                           nt_errstr(result)));
 619                 reply_nterror(req, result);
 620                 END_PROFILE(SMBtrans);
 621                 return;
 622         }
 623 
 624         if ((state = TALLOC_P(conn, struct trans_state)) == NULL) {
 625                 DEBUG(0, ("talloc failed\n"));
 626                 reply_nterror(req, NT_STATUS_NO_MEMORY);
 627                 END_PROFILE(SMBtrans);
 628                 return;
 629         }
 630 
 631         state->cmd = SMBtrans;
 632 
 633         state->mid = req->mid;
 634         state->vuid = req->vuid;
 635         state->setup_count = CVAL(req->vwv+13, 0);
 636         state->setup = NULL;
 637         state->total_param = SVAL(req->vwv+0, 0);
 638         state->param = NULL;
 639         state->total_data = SVAL(req->vwv+1, 0);
 640         state->data = NULL;
 641         state->max_param_return = SVAL(req->vwv+2, 0);
 642         state->max_data_return = SVAL(req->vwv+3, 0);
 643         state->max_setup_return = CVAL(req->vwv+4, 0);
 644         state->close_on_completion = BITSETW(req->vwv+5, 0);
 645         state->one_way = BITSETW(req->vwv+5, 1);
 646 
 647         srvstr_pull_req_talloc(state, req, &state->name, req->buf,
 648                                STR_TERMINATE);
 649 
 650         if ((dscnt > state->total_data) || (pscnt > state->total_param) ||
 651                         !state->name)
 652                 goto bad_param;
 653 
 654         if (state->total_data)  {
 655 
 656                 if (trans_oob(state->total_data, 0, dscnt)
 657                     || trans_oob(smb_len(req->inbuf), dsoff, dscnt)) {
 658                         goto bad_param;
 659                 }
 660 
 661                 /* Can't use talloc here, the core routines do realloc on the
 662                  * params and data. Out of paranoia, 100 bytes too many. */
 663                 state->data = (char *)SMB_MALLOC(state->total_data+100);
 664                 if (state->data == NULL) {
 665                         DEBUG(0,("reply_trans: data malloc fail for %u "
 666                                  "bytes !\n", (unsigned int)state->total_data));
 667                         TALLOC_FREE(state);
 668                         reply_nterror(req, NT_STATUS_NO_MEMORY);
 669                         END_PROFILE(SMBtrans);
 670                         return;
 671                 }
 672                 /* null-terminate the slack space */
 673                 memset(&state->data[state->total_data], 0, 100);
 674 
 675                 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
 676         }
 677 
 678         if (state->total_param) {
 679 
 680                 if (trans_oob(state->total_param, 0, pscnt)
 681                     || trans_oob(smb_len(req->inbuf), psoff, pscnt)) {
 682                         goto bad_param;
 683                 }
 684 
 685                 /* Can't use talloc here, the core routines do realloc on the
 686                  * params and data. Out of paranoia, 100 bytes too many */
 687                 state->param = (char *)SMB_MALLOC(state->total_param+100);
 688                 if (state->param == NULL) {
 689                         DEBUG(0,("reply_trans: param malloc fail for %u "
 690                                  "bytes !\n", (unsigned int)state->total_param));
 691                         SAFE_FREE(state->data);
 692                         TALLOC_FREE(state);
 693                         reply_nterror(req, NT_STATUS_NO_MEMORY);
 694                         END_PROFILE(SMBtrans);
 695                         return;
 696                 } 
 697                 /* null-terminate the slack space */
 698                 memset(&state->param[state->total_param], 0, 100);
 699 
 700                 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
 701         }
 702 
 703         state->received_data  = dscnt;
 704         state->received_param = pscnt;
 705 
 706         if (state->setup_count) {
 707                 unsigned int i;
 708 
 709                 /*
 710                  * No overflow possible here, state->setup_count is an
 711                  * unsigned int, being filled by a single byte from
 712                  * CVAL(req->vwv+13, 0) above. The cast in the comparison
 713                  * below is not necessary, it's here to clarify things. The
 714                  * validity of req->vwv and req->wct has been checked in
 715                  * init_smb_request already.
 716                  */
 717                 if (state->setup_count + 14 > (unsigned int)req->wct) {
 718                         goto bad_param;
 719                 }
 720 
 721                 if((state->setup = TALLOC_ARRAY(
 722                             state, uint16, state->setup_count)) == NULL) {
 723                         DEBUG(0,("reply_trans: setup malloc fail for %u "
 724                                  "bytes !\n", (unsigned int)
 725                                  (state->setup_count * sizeof(uint16))));
 726                         SAFE_FREE(state->data);
 727                         SAFE_FREE(state->param);
 728                         TALLOC_FREE(state);
 729                         reply_nterror(req, NT_STATUS_NO_MEMORY);
 730                         END_PROFILE(SMBtrans);
 731                         return;
 732                 } 
 733 
 734                 for (i=0;i<state->setup_count;i++) {
 735                         state->setup[i] = SVAL(req->vwv + 14 + i, 0);
 736                 }
 737         }
 738 
 739         state->received_param = pscnt;
 740 
 741         if ((state->received_param != state->total_param) ||
 742             (state->received_data != state->total_data)) {
 743                 DLIST_ADD(conn->pending_trans, state);
 744 
 745                 /* We need to send an interim response then receive the rest
 746                    of the parameter/data bytes */
 747                 reply_outbuf(req, 0, 0);
 748                 show_msg((char *)req->outbuf);
 749                 END_PROFILE(SMBtrans);
 750                 return;
 751         }
 752 
 753         talloc_steal(talloc_tos(), state);
 754 
 755         handle_trans(conn, req, state);
 756 
 757         SAFE_FREE(state->data);
 758         SAFE_FREE(state->param);
 759         TALLOC_FREE(state);
 760 
 761         END_PROFILE(SMBtrans);
 762         return;
 763 
 764   bad_param:
 765 
 766         DEBUG(0,("reply_trans: invalid trans parameters\n"));
 767         SAFE_FREE(state->data);
 768         SAFE_FREE(state->param);
 769         TALLOC_FREE(state);
 770         END_PROFILE(SMBtrans);
 771         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 772         return;
 773 }
 774 
 775 /****************************************************************************
 776  Reply to a secondary SMBtrans.
 777  ****************************************************************************/
 778 
 779 void reply_transs(struct smb_request *req)
     /* [<][>][^][v][top][bottom][index][help] */
 780 {
 781         connection_struct *conn = req->conn;
 782         unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
 783         struct trans_state *state;
 784 
 785         START_PROFILE(SMBtranss);
 786 
 787         show_msg((char *)req->inbuf);
 788 
 789         if (req->wct < 8) {
 790                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 791                 END_PROFILE(SMBtranss);
 792                 return;
 793         }
 794 
 795         for (state = conn->pending_trans; state != NULL;
 796              state = state->next) {
 797                 if (state->mid == req->mid) {
 798                         break;
 799                 }
 800         }
 801 
 802         if ((state == NULL) || (state->cmd != SMBtrans)) {
 803                 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 804                 END_PROFILE(SMBtranss);
 805                 return;
 806         }
 807 
 808         /* Revise total_params and total_data in case they have changed
 809          * downwards */
 810 
 811         if (SVAL(req->vwv+0, 0) < state->total_param)
 812                 state->total_param = SVAL(req->vwv+0, 0);
 813         if (SVAL(req->vwv+1, 0) < state->total_data)
 814                 state->total_data = SVAL(req->vwv+1, 0);
 815 
 816         pcnt = SVAL(req->vwv+2, 0);
 817         poff = SVAL(req->vwv+3, 0);
 818         pdisp = SVAL(req->vwv+4, 0);
 819 
 820         dcnt = SVAL(req->vwv+5, 0);
 821         doff = SVAL(req->vwv+6, 0);
 822         ddisp = SVAL(req->vwv+7, 0);
 823 
 824         state->received_param += pcnt;
 825         state->received_data += dcnt;
 826 
 827         if ((state->received_data > state->total_data) ||
 828             (state->received_param > state->total_param))
 829                 goto bad_param;
 830 
 831         if (pcnt) {
 832                 if (trans_oob(state->total_param, pdisp, pcnt)
 833                     || trans_oob(smb_len(req->inbuf), poff, pcnt)) {
 834                         goto bad_param;
 835                 }
 836                 memcpy(state->param+pdisp,smb_base(req->inbuf)+poff,pcnt);
 837         }
 838 
 839         if (dcnt) {
 840                 if (trans_oob(state->total_data, ddisp, dcnt)
 841                     || trans_oob(smb_len(req->inbuf), doff, dcnt)) {
 842                         goto bad_param;
 843                 }
 844                 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt);
 845         }
 846 
 847         if ((state->received_param < state->total_param) ||
 848             (state->received_data < state->total_data)) {
 849                 END_PROFILE(SMBtranss);
 850                 return;
 851         }
 852 
 853         talloc_steal(talloc_tos(), state);
 854 
 855         handle_trans(conn, req, state);
 856 
 857         DLIST_REMOVE(conn->pending_trans, state);
 858         SAFE_FREE(state->data);
 859         SAFE_FREE(state->param);
 860         TALLOC_FREE(state);
 861 
 862         END_PROFILE(SMBtranss);
 863         return;
 864 
 865   bad_param:
 866 
 867         DEBUG(0,("reply_transs: invalid trans parameters\n"));
 868         DLIST_REMOVE(conn->pending_trans, state);
 869         SAFE_FREE(state->data);
 870         SAFE_FREE(state->param);
 871         TALLOC_FREE(state);
 872         reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
 873         END_PROFILE(SMBtranss);
 874         return;
 875 }

/* [<][>][^][v][top][bottom][index][help] */