/* [<][>][^][v][top][bottom][index][help] */
DEFINITIONS
This source file includes following definitions.
- open_np_file
- reply_open_pipe_and_X
- reply_pipe_write
- pipe_write_done
- reply_pipe_write_and_X
- pipe_write_andx_done
- reply_pipe_read_and_X
- pipe_read_andx_done
1 /*
2 Unix SMB/CIFS implementation.
3 Pipe SMB reply routines
4 Copyright (C) Andrew Tridgell 1992-1998
5 Copyright (C) Luke Kenneth Casson Leighton 1996-1998
6 Copyright (C) Paul Ashton 1997-1998.
7 Copyright (C) Jeremy Allison 2005.
8
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 3 of the License, or
12 (at your option) any later version.
13
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
18
19 You should have received a copy of the GNU General Public License
20 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 */
22 /*
23 This file handles reply_ calls on named pipes that the server
24 makes to handle specific protocols
25 */
26
27
28 #include "includes.h"
29
30 #define PIPE "\\PIPE\\"
31 #define PIPELEN strlen(PIPE)
32
33 #define MAX_PIPE_NAME_LEN 24
34
35 NTSTATUS open_np_file(struct smb_request *smb_req, const char *name,
/* [<][>][^][v][top][bottom][index][help] */
36 struct files_struct **pfsp)
37 {
38 struct connection_struct *conn = smb_req->conn;
39 struct files_struct *fsp;
40 NTSTATUS status;
41
42 status = file_new(smb_req, conn, &fsp);
43 if (!NT_STATUS_IS_OK(status)) {
44 DEBUG(0, ("file_new failed: %s\n", nt_errstr(status)));
45 return status;
46 }
47
48 fsp->conn = conn;
49 fsp->fh->fd = -1;
50 fsp->vuid = smb_req->vuid;
51 fsp->can_lock = false;
52 fsp->access_mask = FILE_READ_DATA | FILE_WRITE_DATA;
53 string_set(&fsp->fsp_name, name);
54
55 status = np_open(NULL, name, conn->client_address,
56 conn->server_info, &fsp->fake_file_handle);
57 if (!NT_STATUS_IS_OK(status)) {
58 DEBUG(10, ("np_open(%s) returned %s\n", name,
59 nt_errstr(status)));
60 file_free(smb_req, fsp);
61 return status;
62 }
63
64 *pfsp = fsp;
65
66 return NT_STATUS_OK;
67 }
68
69 /****************************************************************************
70 Reply to an open and X on a named pipe.
71 This code is basically stolen from reply_open_and_X with some
72 wrinkles to handle pipes.
73 ****************************************************************************/
74
75 void reply_open_pipe_and_X(connection_struct *conn, struct smb_request *req)
/* [<][>][^][v][top][bottom][index][help] */
76 {
77 const char *fname = NULL;
78 char *pipe_name = NULL;
79 files_struct *fsp;
80 TALLOC_CTX *ctx = talloc_tos();
81 NTSTATUS status;
82
83 /* XXXX we need to handle passed times, sattr and flags */
84 srvstr_pull_req_talloc(ctx, req, &pipe_name, req->buf, STR_TERMINATE);
85 if (!pipe_name) {
86 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
87 ERRDOS, ERRbadpipe);
88 return;
89 }
90
91 /* If the name doesn't start \PIPE\ then this is directed */
92 /* at a mailslot or something we really, really don't understand, */
93 /* not just something we really don't understand. */
94 if ( strncmp(pipe_name,PIPE,PIPELEN) != 0 ) {
95 reply_doserror(req, ERRSRV, ERRaccess);
96 return;
97 }
98
99 DEBUG(4,("Opening pipe %s.\n", pipe_name));
100
101 /* Strip \PIPE\ off the name. */
102 fname = pipe_name + PIPELEN;
103
104 #if 0
105 /*
106 * Hack for NT printers... JRA.
107 */
108 if(should_fail_next_srvsvc_open(fname)) {
109 reply_doserror(req, ERRSRV, ERRaccess);
110 return;
111 }
112 #endif
113
114 status = open_np_file(req, fname, &fsp);
115 if (!NT_STATUS_IS_OK(status)) {
116 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
117 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
118 ERRDOS, ERRbadpipe);
119 return;
120 }
121 reply_nterror(req, status);
122 return;
123 }
124
125 /* Prepare the reply */
126 reply_outbuf(req, 15, 0);
127
128 /* Mark the opened file as an existing named pipe in message mode. */
129 SSVAL(req->outbuf,smb_vwv9,2);
130 SSVAL(req->outbuf,smb_vwv10,0xc700);
131
132 SSVAL(req->outbuf, smb_vwv2, fsp->fnum);
133 SSVAL(req->outbuf, smb_vwv3, 0); /* fmode */
134 srv_put_dos_date3((char *)req->outbuf, smb_vwv4, 0); /* mtime */
135 SIVAL(req->outbuf, smb_vwv6, 0); /* size */
136 SSVAL(req->outbuf, smb_vwv8, 0); /* rmode */
137 SSVAL(req->outbuf, smb_vwv11, 0x0001);
138
139 chain_reply(req);
140 return;
141 }
142
143 /****************************************************************************
144 Reply to a write on a pipe.
145 ****************************************************************************/
146
147 struct pipe_write_state {
148 size_t numtowrite;
149 };
150
151 static void pipe_write_done(struct tevent_req *subreq);
152
153 void reply_pipe_write(struct smb_request *req)
/* [<][>][^][v][top][bottom][index][help] */
154 {
155 files_struct *fsp = file_fsp(req, SVAL(req->vwv+0, 0));
156 const uint8_t *data;
157 struct pipe_write_state *state;
158 struct tevent_req *subreq;
159
160 if (!fsp_is_np(fsp)) {
161 reply_doserror(req, ERRDOS, ERRbadfid);
162 return;
163 }
164
165 if (fsp->vuid != req->vuid) {
166 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
167 return;
168 }
169
170 state = talloc(req, struct pipe_write_state);
171 if (state == NULL) {
172 reply_nterror(req, NT_STATUS_NO_MEMORY);
173 return;
174 }
175 req->async_priv = state;
176
177 state->numtowrite = SVAL(req->vwv+1, 0);
178
179 data = req->buf + 3;
180
181 DEBUG(6, ("reply_pipe_write: %x name: %s len: %d\n", (int)fsp->fnum,
182 fsp->fsp_name, (int)state->numtowrite));
183
184 subreq = np_write_send(state, smbd_event_context(),
185 fsp->fake_file_handle, data, state->numtowrite);
186 if (subreq == NULL) {
187 TALLOC_FREE(state);
188 reply_nterror(req, NT_STATUS_NO_MEMORY);
189 return;
190 }
191 tevent_req_set_callback(subreq, pipe_write_done,
192 talloc_move(req->conn, &req));
193 }
194
195 static void pipe_write_done(struct tevent_req *subreq)
/* [<][>][^][v][top][bottom][index][help] */
196 {
197 struct smb_request *req = tevent_req_callback_data(
198 subreq, struct smb_request);
199 struct pipe_write_state *state = talloc_get_type_abort(
200 req->async_priv, struct pipe_write_state);
201 NTSTATUS status;
202 ssize_t nwritten = -1;
203
204 status = np_write_recv(subreq, &nwritten);
205 TALLOC_FREE(subreq);
206 if ((nwritten == 0 && state->numtowrite != 0) || (nwritten < 0)) {
207 reply_unixerror(req, ERRDOS, ERRnoaccess);
208 goto send;
209 }
210
211 reply_outbuf(req, 1, 0);
212
213 SSVAL(req->outbuf,smb_vwv0,nwritten);
214
215 DEBUG(3,("write-IPC nwritten=%d\n", (int)nwritten));
216
217 send:
218 if (!srv_send_smb(smbd_server_fd(), (char *)req->outbuf,
219 IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
220 &req->pcd)) {
221 exit_server_cleanly("construct_reply: srv_send_smb failed.");
222 }
223 TALLOC_FREE(req);
224 }
225
226 /****************************************************************************
227 Reply to a write and X.
228
229 This code is basically stolen from reply_write_and_X with some
230 wrinkles to handle pipes.
231 ****************************************************************************/
232
233 struct pipe_write_andx_state {
234 bool pipe_start_message_raw;
235 size_t numtowrite;
236 };
237
238 static void pipe_write_andx_done(struct tevent_req *subreq);
239
240 void reply_pipe_write_and_X(struct smb_request *req)
/* [<][>][^][v][top][bottom][index][help] */
241 {
242 files_struct *fsp = file_fsp(req, SVAL(req->vwv+2, 0));
243 int smb_doff = SVAL(req->vwv+11, 0);
244 uint8_t *data;
245 struct pipe_write_andx_state *state;
246 struct tevent_req *subreq;
247
248 if (!fsp_is_np(fsp)) {
249 reply_doserror(req, ERRDOS, ERRbadfid);
250 return;
251 }
252
253 if (fsp->vuid != req->vuid) {
254 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
255 return;
256 }
257
258 state = talloc(req, struct pipe_write_andx_state);
259 if (state == NULL) {
260 reply_nterror(req, NT_STATUS_NO_MEMORY);
261 return;
262 }
263 req->async_priv = state;
264
265 state->numtowrite = SVAL(req->vwv+10, 0);
266 state->pipe_start_message_raw =
267 ((SVAL(req->vwv+7, 0) & (PIPE_START_MESSAGE|PIPE_RAW_MODE))
268 == (PIPE_START_MESSAGE|PIPE_RAW_MODE));
269
270 DEBUG(6, ("reply_pipe_write_and_X: %x name: %s len: %d\n",
271 (int)fsp->fnum, fsp->fsp_name, (int)state->numtowrite));
272
273 data = (uint8_t *)smb_base(req->inbuf) + smb_doff;
274
275 if (state->pipe_start_message_raw) {
276 /*
277 * For the start of a message in named pipe byte mode,
278 * the first two bytes are a length-of-pdu field. Ignore
279 * them (we don't trust the client). JRA.
280 */
281 if (state->numtowrite < 2) {
282 DEBUG(0,("reply_pipe_write_and_X: start of message "
283 "set and not enough data sent.(%u)\n",
284 (unsigned int)state->numtowrite ));
285 reply_unixerror(req, ERRDOS, ERRnoaccess);
286 return;
287 }
288
289 data += 2;
290 state->numtowrite -= 2;
291 }
292
293 subreq = np_write_send(state, smbd_event_context(),
294 fsp->fake_file_handle, data, state->numtowrite);
295 if (subreq == NULL) {
296 TALLOC_FREE(state);
297 reply_nterror(req, NT_STATUS_NO_MEMORY);
298 return;
299 }
300 tevent_req_set_callback(subreq, pipe_write_andx_done,
301 talloc_move(req->conn, &req));
302 }
303
304 static void pipe_write_andx_done(struct tevent_req *subreq)
/* [<][>][^][v][top][bottom][index][help] */
305 {
306 struct smb_request *req = tevent_req_callback_data(
307 subreq, struct smb_request);
308 struct pipe_write_andx_state *state = talloc_get_type_abort(
309 req->async_priv, struct pipe_write_andx_state);
310 NTSTATUS status;
311 ssize_t nwritten = -1;
312
313 status = np_write_recv(subreq, &nwritten);
314 TALLOC_FREE(subreq);
315 if (!NT_STATUS_IS_OK(status) || (nwritten != state->numtowrite)) {
316 reply_unixerror(req, ERRDOS,ERRnoaccess);
317 goto done;
318 }
319
320 reply_outbuf(req, 6, 0);
321
322 nwritten = (state->pipe_start_message_raw ? nwritten + 2 : nwritten);
323 SSVAL(req->outbuf,smb_vwv2,nwritten);
324
325 DEBUG(3,("writeX-IPC nwritten=%d\n", (int)nwritten));
326
327 done:
328 chain_reply(req);
329 /*
330 * We must free here as the ownership of req was
331 * moved to the connection struct in reply_pipe_write_and_X().
332 */
333 TALLOC_FREE(req);
334 }
335
336 /****************************************************************************
337 Reply to a read and X.
338 This code is basically stolen from reply_read_and_X with some
339 wrinkles to handle pipes.
340 ****************************************************************************/
341
342 struct pipe_read_andx_state {
343 uint8_t *outbuf;
344 int smb_mincnt;
345 int smb_maxcnt;
346 };
347
348 static void pipe_read_andx_done(struct tevent_req *subreq);
349
350 void reply_pipe_read_and_X(struct smb_request *req)
/* [<][>][^][v][top][bottom][index][help] */
351 {
352 files_struct *fsp = file_fsp(req, SVAL(req->vwv+0, 0));
353 uint8_t *data;
354 struct pipe_read_andx_state *state;
355 struct tevent_req *subreq;
356
357 /* we don't use the offset given to use for pipe reads. This
358 is deliberate, instead we always return the next lump of
359 data on the pipe */
360 #if 0
361 uint32 smb_offs = IVAL(req->vwv+3, 0);
362 #endif
363
364 if (!fsp_is_np(fsp)) {
365 reply_doserror(req, ERRDOS, ERRbadfid);
366 return;
367 }
368
369 if (fsp->vuid != req->vuid) {
370 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
371 return;
372 }
373
374 state = talloc(req, struct pipe_read_andx_state);
375 if (state == NULL) {
376 reply_nterror(req, NT_STATUS_NO_MEMORY);
377 return;
378 }
379 req->async_priv = state;
380
381 state->smb_maxcnt = SVAL(req->vwv+5, 0);
382 state->smb_mincnt = SVAL(req->vwv+6, 0);
383
384 reply_outbuf(req, 12, state->smb_maxcnt);
385 data = (uint8_t *)smb_buf(req->outbuf);
386
387 /*
388 * We have to tell the upper layers that we're async.
389 */
390 state->outbuf = req->outbuf;
391 req->outbuf = NULL;
392
393 subreq = np_read_send(state, smbd_event_context(),
394 fsp->fake_file_handle, data,
395 state->smb_maxcnt);
396 if (subreq == NULL) {
397 reply_nterror(req, NT_STATUS_NO_MEMORY);
398 return;
399 }
400 tevent_req_set_callback(subreq, pipe_read_andx_done,
401 talloc_move(req->conn, &req));
402 }
403
404 static void pipe_read_andx_done(struct tevent_req *subreq)
/* [<][>][^][v][top][bottom][index][help] */
405 {
406 struct smb_request *req = tevent_req_callback_data(
407 subreq, struct smb_request);
408 struct pipe_read_andx_state *state = talloc_get_type_abort(
409 req->async_priv, struct pipe_read_andx_state);
410 NTSTATUS status;
411 ssize_t nread;
412 bool is_data_outstanding;
413
414 status = np_read_recv(subreq, &nread, &is_data_outstanding);
415 TALLOC_FREE(subreq);
416 if (!NT_STATUS_IS_OK(status)) {
417 reply_nterror(req, status);
418 goto done;
419 }
420
421 req->outbuf = state->outbuf;
422 state->outbuf = NULL;
423
424 srv_set_message((char *)req->outbuf, 12, nread, False);
425
426 SSVAL(req->outbuf,smb_vwv5,nread);
427 SSVAL(req->outbuf,smb_vwv6,
428 req_wct_ofs(req)
429 + 1 /* the wct field */
430 + 12 * sizeof(uint16_t) /* vwv */
431 + 2); /* the buflen field */
432 SSVAL(req->outbuf,smb_vwv11,state->smb_maxcnt);
433
434 DEBUG(3,("readX-IPC min=%d max=%d nread=%d\n",
435 state->smb_mincnt, state->smb_maxcnt, (int)nread));
436
437 done:
438 chain_reply(req);
439 /*
440 * We must free here as the ownership of req was
441 * moved to the connection struct in reply_pipe_read_and_X().
442 */
443 TALLOC_FREE(req);
444 }