2 Unix SMB/CIFS implementation.
3 handle unexpected packets
4 Copyright (C) Andrew Tridgell 2000
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 3 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "lib/async_req/async_sock.h"
24 static const char *nmbd_socket_dir(void)
26 return lp_parm_const_string(-1, "nmbd", "socket dir",
27 get_dyn_NMBDSOCKETDIR());
30 struct nb_packet_query {
31 enum packet_type type;
32 size_t mailslot_namelen;
36 struct nb_packet_client;
38 struct nb_packet_server {
39 struct tevent_context *ev;
43 struct nb_packet_client *clients;
46 struct nb_packet_client {
47 struct nb_packet_client *prev, *next;
48 struct nb_packet_server *server;
50 enum packet_type type;
55 struct tevent_req *read_req;
56 struct tevent_queue *out_queue;
59 static int nb_packet_server_destructor(struct nb_packet_server *s);
60 static void nb_packet_server_listener(struct tevent_context *ev,
61 struct tevent_fd *fde,
65 NTSTATUS nb_packet_server_create(TALLOC_CTX *mem_ctx,
66 struct tevent_context *ev,
68 struct nb_packet_server **presult)
70 struct nb_packet_server *result;
71 struct tevent_fd *fde;
74 result = TALLOC_ZERO_P(mem_ctx, struct nb_packet_server);
76 status = NT_STATUS_NO_MEMORY;
80 result->max_clients = max_clients;
82 result->listen_sock = create_pipe_sock(
83 nmbd_socket_dir(), "unexpected", 0755);
84 if (result->listen_sock == -1) {
85 status = map_nt_error_from_unix(errno);
88 talloc_set_destructor(result, nb_packet_server_destructor);
90 fde = tevent_add_fd(ev, result, result->listen_sock, TEVENT_FD_READ,
91 nb_packet_server_listener, result);
93 status = NT_STATUS_NO_MEMORY;
104 static int nb_packet_server_destructor(struct nb_packet_server *s)
106 if (s->listen_sock != -1) {
107 close(s->listen_sock);
113 static int nb_packet_client_destructor(struct nb_packet_client *c);
114 static ssize_t nb_packet_client_more(uint8_t *buf, size_t buflen,
116 static void nb_packet_got_query(struct tevent_req *req);
117 static void nb_packet_client_read_done(struct tevent_req *req);
119 static void nb_packet_server_listener(struct tevent_context *ev,
120 struct tevent_fd *fde,
124 struct nb_packet_server *server = talloc_get_type_abort(
125 private_data, struct nb_packet_server);
126 struct nb_packet_client *client;
127 struct tevent_req *req;
128 struct sockaddr_un sunaddr;
132 len = sizeof(sunaddr);
134 sock = accept(server->listen_sock, (struct sockaddr *)(void *)&sunaddr,
139 DEBUG(6,("accepted socket %d\n", sock));
141 client = TALLOC_ZERO_P(server, struct nb_packet_client);
142 if (client == NULL) {
143 DEBUG(10, ("talloc failed\n"));
148 client->server = server;
149 talloc_set_destructor(client, nb_packet_client_destructor);
151 client->out_queue = tevent_queue_create(
152 client, "unexpected packet output");
153 if (client->out_queue == NULL) {
154 DEBUG(10, ("tevent_queue_create failed\n"));
159 req = read_packet_send(client, ev, client->sock,
160 sizeof(struct nb_packet_query),
161 nb_packet_client_more, NULL);
163 DEBUG(10, ("read_packet_send failed\n"));
167 tevent_req_set_callback(req, nb_packet_got_query, client);
169 DLIST_ADD(server->clients, client);
170 server->num_clients += 1;
172 if (server->num_clients > server->max_clients) {
173 DEBUG(10, ("Too many clients, dropping oldest\n"));
176 * no TALLOC_FREE here, don't mess with the list structs
178 talloc_free(server->clients->prev);
182 static ssize_t nb_packet_client_more(uint8_t *buf, size_t buflen,
185 struct nb_packet_query q;
186 if (buflen > sizeof(struct nb_packet_query)) {
189 /* Take care of alignment */
190 memcpy(&q, buf, sizeof(q));
191 if (q.mailslot_namelen > 1024) {
192 DEBUG(10, ("Got invalid mailslot namelen %d\n",
193 (int)q.mailslot_namelen));
196 return q.mailslot_namelen;
199 static int nb_packet_client_destructor(struct nb_packet_client *c)
205 DLIST_REMOVE(c->server->clients, c);
206 c->server->num_clients -= 1;
210 static void nb_packet_got_query(struct tevent_req *req)
212 struct nb_packet_client *client = tevent_req_callback_data(
213 req, struct nb_packet_client);
214 struct nb_packet_query q;
216 ssize_t nread, nwritten;
220 nread = read_packet_recv(req, talloc_tos(), &buf, &err);
222 if (nread < sizeof(struct nb_packet_query)) {
223 DEBUG(10, ("read_packet_recv returned %d (%s)\n",
225 (nread == -1) ? strerror(err) : "wrong length"));
230 /* Take care of alignment */
231 memcpy(&q, buf, sizeof(q));
233 if (nread != sizeof(struct nb_packet_query) + q.mailslot_namelen) {
234 DEBUG(10, ("nb_packet_got_query: Invalid mailslot namelength\n"));
239 client->trn_id = q.trn_id;
240 client->type = q.type;
241 if (q.mailslot_namelen > 0) {
242 client->mailslot_name = talloc_strndup(
243 client, (char *)buf + sizeof(q),
245 if (client->mailslot_name == NULL) {
252 * Yes, this is a blocking write of 1 byte into a unix
253 * domain socket that has never been written to. Highly
254 * unlikely that this actually blocks.
257 nwritten = sys_write(client->sock, &c, sizeof(c));
258 if (nwritten != sizeof(c)) {
259 DEBUG(10, ("Could not write success indicator to client: %s\n",
265 client->read_req = read_packet_send(client, client->server->ev,
266 client->sock, 1, NULL, NULL);
267 if (client->read_req == NULL) {
268 DEBUG(10, ("Could not activate reader for client exit "
273 tevent_req_set_callback(client->read_req, nb_packet_client_read_done,
277 static void nb_packet_client_read_done(struct tevent_req *req)
279 struct nb_packet_client *client = tevent_req_callback_data(
280 req, struct nb_packet_client);
285 nread = read_packet_recv(req, talloc_tos(), &buf, &err);
288 DEBUG(10, ("Protocol error, received data on write-only "
289 "unexpected socket: 0x%2.2x\n", (*buf)));
294 static void nb_packet_client_send(struct nb_packet_client *client,
295 struct packet_struct *p);
297 void nb_packet_dispatch(struct nb_packet_server *server,
298 struct packet_struct *p)
300 struct nb_packet_client *c;
303 switch (p->packet_type) {
305 trn_id = p->packet.nmb.header.name_trn_id;
308 trn_id = p->packet.dgram.header.dgm_id;
311 DEBUG(10, ("Got invalid packet type %d\n",
312 (int)p->packet_type));
315 for (c = server->clients; c != NULL; c = c->next) {
317 if (c->type != p->packet_type) {
318 DEBUG(10, ("client expects packet %d, got %d\n",
319 c->type, p->packet_type));
323 if (p->packet_type == NMB_PACKET) {
325 * See if the client specified transaction
326 * ID. Filter if it did.
328 if ((c->trn_id != -1) &&
329 (c->trn_id != trn_id)) {
330 DEBUG(10, ("client expects trn %d, got %d\n",
336 * See if the client specified a mailslot
337 * name. Filter if it did.
339 if ((c->mailslot_name != NULL) &&
340 !match_mailslot_name(p, c->mailslot_name)) {
344 nb_packet_client_send(c, p);
348 struct nb_packet_client_header {
350 enum packet_type type;
356 struct nb_packet_client_state {
357 struct nb_packet_client *client;
359 struct nb_packet_client_header hdr;
363 static void nb_packet_client_send_done(struct tevent_req *req);
365 static void nb_packet_client_send(struct nb_packet_client *client,
366 struct packet_struct *p)
368 struct nb_packet_client_state *state;
369 struct tevent_req *req;
371 if (tevent_queue_length(client->out_queue) > 10) {
373 * Skip clients that don't listen anyway, some form of DoS
379 state = TALLOC_ZERO_P(client, struct nb_packet_client_state);
381 DEBUG(10, ("talloc failed\n"));
385 state->client = client;
387 state->hdr.ip = p->ip;
388 state->hdr.port = p->port;
389 state->hdr.timestamp = p->timestamp;
390 state->hdr.type = p->packet_type;
391 state->hdr.len = build_packet(state->buf, sizeof(state->buf), p);
393 state->iov[0].iov_base = &state->hdr;
394 state->iov[0].iov_len = sizeof(state->hdr);
395 state->iov[1].iov_base = state->buf;
396 state->iov[1].iov_len = state->hdr.len;
398 TALLOC_FREE(client->read_req);
400 req = writev_send(client, client->server->ev, client->out_queue,
401 client->sock, true, state->iov, 2);
403 DEBUG(10, ("writev_send failed\n"));
406 tevent_req_set_callback(req, nb_packet_client_send_done, state);
409 static void nb_packet_client_send_done(struct tevent_req *req)
411 struct nb_packet_client_state *state = tevent_req_callback_data(
412 req, struct nb_packet_client_state);
413 struct nb_packet_client *client = state->client;
417 nwritten = writev_recv(req, &err);
422 if (nwritten == -1) {
423 DEBUG(10, ("writev failed: %s\n", strerror(err)));
427 if (tevent_queue_length(client->out_queue) == 0) {
428 client->read_req = read_packet_send(client, client->server->ev,
431 if (client->read_req == NULL) {
432 DEBUG(10, ("Could not activate reader for client exit "
437 tevent_req_set_callback(client->read_req,
438 nb_packet_client_read_done,
443 struct nb_packet_reader {
447 struct nb_packet_reader_state {
448 struct tevent_context *ev;
449 struct sockaddr_un addr;
450 struct nb_packet_query query;
451 const char *mailslot_name;
454 struct nb_packet_reader *reader;
457 static int nb_packet_reader_destructor(struct nb_packet_reader *r);
458 static void nb_packet_reader_connected(struct tevent_req *subreq);
459 static void nb_packet_reader_sent_query(struct tevent_req *subreq);
460 static void nb_packet_reader_got_ack(struct tevent_req *subreq);
462 struct tevent_req *nb_packet_reader_send(TALLOC_CTX *mem_ctx,
463 struct tevent_context *ev,
464 enum packet_type type,
466 const char *mailslot_name)
468 struct tevent_req *req, *subreq;
469 struct nb_packet_reader_state *state;
472 req = tevent_req_create(mem_ctx, &state,
473 struct nb_packet_reader_state);
478 state->query.trn_id = trn_id;
479 state->query.type = type;
480 state->mailslot_name = mailslot_name;
482 if (mailslot_name != NULL) {
483 state->query.mailslot_namelen = strlen(mailslot_name);
486 state->reader = TALLOC_ZERO_P(state, struct nb_packet_reader);
487 if (tevent_req_nomem(state->reader, req)) {
488 return tevent_req_post(req, ev);
491 path = talloc_asprintf(talloc_tos(), "%s/%s", nmbd_socket_dir(),
493 if (tevent_req_nomem(path, req)) {
494 return tevent_req_post(req, ev);
496 state->addr.sun_family = AF_UNIX;
497 strlcpy(state->addr.sun_path, path, sizeof(state->addr.sun_path));
500 state->reader->sock = socket(AF_UNIX, SOCK_STREAM, 0);
501 if (state->reader->sock == -1) {
502 tevent_req_nterror(req, map_nt_error_from_unix(errno));
503 return tevent_req_post(req, ev);
505 talloc_set_destructor(state->reader, nb_packet_reader_destructor);
507 subreq = async_connect_send(state, ev, state->reader->sock,
508 (struct sockaddr *)(void *)&state->addr,
509 sizeof(state->addr));
510 if (tevent_req_nomem(subreq, req)) {
511 return tevent_req_post(req, ev);
513 tevent_req_set_callback(subreq, nb_packet_reader_connected, req);
517 static int nb_packet_reader_destructor(struct nb_packet_reader *r)
526 static void nb_packet_reader_connected(struct tevent_req *subreq)
528 struct tevent_req *req = tevent_req_callback_data(
529 subreq, struct tevent_req);
530 struct nb_packet_reader_state *state = tevent_req_data(
531 req, struct nb_packet_reader_state);
535 res = async_connect_recv(subreq, &err);
538 DEBUG(10, ("async_connect failed: %s\n", strerror(err)));
539 tevent_req_nterror(req, map_nt_error_from_unix(err));
543 state->iov[0].iov_base = &state->query;
544 state->iov[0].iov_len = sizeof(state->query);
546 if (state->mailslot_name != NULL) {
548 state->iov[1].iov_base = discard_const_p(
549 char, state->mailslot_name);
550 state->iov[1].iov_len = state->query.mailslot_namelen;
553 subreq = writev_send(state, state->ev, NULL, state->reader->sock,
554 true, state->iov, num_iovecs);
555 if (tevent_req_nomem(subreq, req)) {
558 tevent_req_set_callback(subreq, nb_packet_reader_sent_query, req);
561 static void nb_packet_reader_sent_query(struct tevent_req *subreq)
563 struct tevent_req *req = tevent_req_callback_data(
564 subreq, struct tevent_req);
565 struct nb_packet_reader_state *state = tevent_req_data(
566 req, struct nb_packet_reader_state);
570 written = writev_recv(subreq, &err);
573 tevent_req_nterror(req, map_nt_error_from_unix(err));
576 if (written != sizeof(state->query) + state->query.mailslot_namelen) {
577 tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
580 subreq = read_packet_send(state, state->ev, state->reader->sock,
581 sizeof(state->c), NULL, NULL);
582 if (tevent_req_nomem(subreq, req)) {
585 tevent_req_set_callback(subreq, nb_packet_reader_got_ack, req);
588 static void nb_packet_reader_got_ack(struct tevent_req *subreq)
590 struct tevent_req *req = tevent_req_callback_data(
591 subreq, struct tevent_req);
592 struct nb_packet_reader_state *state = tevent_req_data(
593 req, struct nb_packet_reader_state);
598 nread = read_packet_recv(subreq, state, &buf, &err);
601 DEBUG(10, ("read_packet_recv returned %s\n",
603 tevent_req_nterror(req, map_nt_error_from_unix(err));
606 if (nread != sizeof(state->c)) {
607 DEBUG(10, ("read = %d, expected %d\n", (int)nread,
608 (int)sizeof(state->c)));
609 tevent_req_nterror(req, NT_STATUS_UNEXPECTED_IO_ERROR);
612 tevent_req_done(req);
615 NTSTATUS nb_packet_reader_recv(struct tevent_req *req, TALLOC_CTX *mem_ctx,
616 struct nb_packet_reader **preader)
618 struct nb_packet_reader_state *state = tevent_req_data(
619 req, struct nb_packet_reader_state);
622 if (tevent_req_is_nterror(req, &status)) {
625 *preader = talloc_move(mem_ctx, &state->reader);
629 struct nb_packet_read_state {
630 struct nb_packet_client_header hdr;
635 static ssize_t nb_packet_read_more(uint8_t *buf, size_t buflen, void *p);
636 static void nb_packet_read_done(struct tevent_req *subreq);
638 struct tevent_req *nb_packet_read_send(TALLOC_CTX *mem_ctx,
639 struct tevent_context *ev,
640 struct nb_packet_reader *reader)
642 struct tevent_req *req, *subreq;
643 struct nb_packet_read_state *state;
645 req = tevent_req_create(mem_ctx, &state, struct nb_packet_read_state);
649 subreq = read_packet_send(state, ev, reader->sock,
650 sizeof(struct nb_packet_client_header),
651 nb_packet_read_more, state);
652 if (tevent_req_nomem(subreq, req)) {
653 return tevent_req_post(req, ev);
655 tevent_req_set_callback(subreq, nb_packet_read_done, req);
659 static ssize_t nb_packet_read_more(uint8_t *buf, size_t buflen, void *p)
661 struct nb_packet_read_state *state = talloc_get_type_abort(
662 p, struct nb_packet_read_state);
664 if (buflen > sizeof(struct nb_packet_client_header)) {
670 memcpy(&state->hdr, buf, sizeof(struct nb_packet_client_header));
671 return state->hdr.len;
674 static void nb_packet_read_done(struct tevent_req *subreq)
676 struct tevent_req *req = tevent_req_callback_data(
677 subreq, struct tevent_req);
678 struct nb_packet_read_state *state = tevent_req_data(
679 req, struct nb_packet_read_state);
683 nread = read_packet_recv(subreq, state, &state->buf, &err);
685 tevent_req_nterror(req, map_nt_error_from_unix(err));
688 state->buflen = nread;
689 tevent_req_done(req);
692 NTSTATUS nb_packet_read_recv(struct tevent_req *req,
693 struct packet_struct **ppacket)
695 struct nb_packet_read_state *state = tevent_req_data(
696 req, struct nb_packet_read_state);
697 struct nb_packet_client_header hdr;
698 struct packet_struct *packet;
701 if (tevent_req_is_nterror(req, &status)) {
705 memcpy(&hdr, state->buf, sizeof(hdr));
707 packet = parse_packet(
708 (char *)state->buf + sizeof(struct nb_packet_client_header),
709 state->buflen - sizeof(struct nb_packet_client_header),
710 state->hdr.type, state->hdr.ip, state->hdr.port);
711 if (packet == NULL) {
712 return NT_STATUS_INVALID_NETWORK_RESPONSE;