2 Unix SMB/CIFS implementation.
3 Inter-process communication and named pipe handling
4 Copyright (C) Andrew Tridgell 1992-1998
7 Copyright (C) John H Terpstra 1995-1998
9 This program is free software; you can redistribute it and/or modify
10 it under the terms of the GNU General Public License as published by
11 the Free Software Foundation; either version 2 of the License, or
12 (at your option) any later version.
14 This program is distributed in the hope that it will be useful,
15 but WITHOUT ANY WARRANTY; without even the implied warranty of
16 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 GNU General Public License for more details.
19 You should have received a copy of the GNU General Public License
20 along with this program; if not, write to the Free Software
21 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
24 This file handles the named pipe and mailslot calls
25 in the SMBtrans protocol
32 #define NERR_notsupported 50
34 extern int smb_read_error;
36 /*******************************************************************
37 copies parameters and data, as needed, into the smb buffer
39 *both* the data and params sections should be aligned. this
40 is fudged in the rpc pipes by
41 at present, only the data section is. this may be a possible
42 cause of some of the ipc problems being experienced. lkcl26dec97
44 ******************************************************************/
46 static void copy_trans_params_and_data(char *outbuf, int align,
47 char *rparam, int param_offset, int param_len,
48 char *rdata, int data_offset, int data_len)
50 char *copy_into = smb_buf(outbuf)+1;
58 DEBUG(5,("copy_trans_params_and_data: params[%d..%d] data[%d..%d]\n",
59 param_offset, param_offset + param_len,
60 data_offset , data_offset + data_len));
63 memcpy(copy_into, &rparam[param_offset], param_len);
65 copy_into += param_len + align;
68 memcpy(copy_into, &rdata[data_offset], data_len);
71 /****************************************************************************
73 ****************************************************************************/
75 void send_trans_reply(char *outbuf,
76 char *rparam, int rparam_len,
77 char *rdata, int rdata_len,
78 BOOL buffer_too_large)
80 int this_ldata,this_lparam;
81 int tot_data_sent = 0;
82 int tot_param_sent = 0;
85 int ldata = rdata ? rdata_len : 0;
86 int lparam = rparam ? rparam_len : 0;
89 DEBUG(5,("send_trans_reply: buffer %d too large\n", ldata ));
91 this_lparam = MIN(lparam,max_send - 500); /* hack */
92 this_ldata = MIN(ldata,max_send - (500+this_lparam));
94 align = ((this_lparam)%4);
96 if (buffer_too_large) {
97 ERROR_BOTH(STATUS_BUFFER_OVERFLOW,ERRDOS,ERRmoredata);
100 set_message(outbuf,10,1+align+this_ldata+this_lparam,True);
102 copy_trans_params_and_data(outbuf, align,
103 rparam, tot_param_sent, this_lparam,
104 rdata, tot_data_sent, this_ldata);
106 SSVAL(outbuf,smb_vwv0,lparam);
107 SSVAL(outbuf,smb_vwv1,ldata);
108 SSVAL(outbuf,smb_vwv3,this_lparam);
109 SSVAL(outbuf,smb_vwv4,smb_offset(smb_buf(outbuf)+1,outbuf));
110 SSVAL(outbuf,smb_vwv5,0);
111 SSVAL(outbuf,smb_vwv6,this_ldata);
112 SSVAL(outbuf,smb_vwv7,smb_offset(smb_buf(outbuf)+1+this_lparam+align,outbuf));
113 SSVAL(outbuf,smb_vwv8,0);
114 SSVAL(outbuf,smb_vwv9,0);
117 if (!send_smb(smbd_server_fd(),outbuf))
118 exit_server("send_trans_reply: send_smb failed.");
120 tot_data_sent = this_ldata;
121 tot_param_sent = this_lparam;
123 while (tot_data_sent < ldata || tot_param_sent < lparam)
125 this_lparam = MIN(lparam-tot_param_sent, max_send - 500); /* hack */
126 this_ldata = MIN(ldata -tot_data_sent, max_send - (500+this_lparam));
134 align = (this_lparam%4);
136 set_message(outbuf,10,1+this_ldata+this_lparam+align,False);
138 copy_trans_params_and_data(outbuf, align,
139 rparam, tot_param_sent, this_lparam,
140 rdata, tot_data_sent, this_ldata);
142 SSVAL(outbuf,smb_vwv3,this_lparam);
143 SSVAL(outbuf,smb_vwv4,smb_offset(smb_buf(outbuf)+1,outbuf));
144 SSVAL(outbuf,smb_vwv5,tot_param_sent);
145 SSVAL(outbuf,smb_vwv6,this_ldata);
146 SSVAL(outbuf,smb_vwv7,smb_offset(smb_buf(outbuf)+1+this_lparam+align,outbuf));
147 SSVAL(outbuf,smb_vwv8,tot_data_sent);
148 SSVAL(outbuf,smb_vwv9,0);
151 if (!send_smb(smbd_server_fd(),outbuf))
152 exit_server("send_trans_reply: send_smb failed.");
154 tot_data_sent += this_ldata;
155 tot_param_sent += this_lparam;
159 /****************************************************************************
160 Start the first part of an RPC reply which began with an SMBtrans request.
161 ****************************************************************************/
163 static BOOL api_rpc_trans_reply(char *outbuf, smb_np_struct *p)
165 BOOL is_data_outstanding;
166 char *rdata = (char *)SMB_MALLOC(p->max_trans_reply);
170 DEBUG(0,("api_rpc_trans_reply: malloc fail.\n"));
174 if((data_len = read_from_pipe( p, rdata, p->max_trans_reply,
175 &is_data_outstanding)) < 0) {
180 send_trans_reply(outbuf, NULL, 0, rdata, data_len, is_data_outstanding);
186 /****************************************************************************
187 WaitNamedPipeHandleState
188 ****************************************************************************/
190 static BOOL api_WNPHS(char *outbuf, smb_np_struct *p, char *param, int param_len)
194 if (!param || param_len < 2)
197 priority = SVAL(param,0);
198 DEBUG(4,("WaitNamedPipeHandleState priority %x\n", priority));
200 if (wait_rpc_pipe_hnd_state(p, priority)) {
201 /* now send the reply */
202 send_trans_reply(outbuf, NULL, 0, NULL, 0, False);
209 /****************************************************************************
210 SetNamedPipeHandleState
211 ****************************************************************************/
213 static BOOL api_SNPHS(char *outbuf, smb_np_struct *p, char *param, int param_len)
217 if (!param || param_len < 2)
221 DEBUG(4,("SetNamedPipeHandleState to code %x\n", id));
223 if (set_rpc_pipe_hnd_state(p, id)) {
224 /* now send the reply */
225 send_trans_reply(outbuf, NULL, 0, NULL, 0, False);
232 /****************************************************************************
233 When no reply is generated, indicate unsupported.
234 ****************************************************************************/
236 static BOOL api_no_reply(char *outbuf, int max_rdata_len)
241 SSVAL(rparam,0,NERR_notsupported);
242 SSVAL(rparam,2,0); /* converter word */
244 DEBUG(3,("Unsupported API fd command\n"));
246 /* now send the reply */
247 send_trans_reply(outbuf, rparam, 4, NULL, 0, False);
252 /****************************************************************************
253 Handle remote api calls delivered to a named pipe already opened.
254 ****************************************************************************/
256 static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
257 uint16 *setup,char *data,char *params,
258 int suwcnt,int tdscnt,int tpscnt,int mdrcnt,int mprcnt)
261 smb_np_struct *p = NULL;
265 DEBUG(5,("api_fd_reply\n"));
267 /* First find out the name of this file. */
269 DEBUG(0,("Unexpected named pipe transaction.\n"));
270 return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
273 /* Get the file handle and hence the file name. */
275 * NB. The setup array has already been transformed
276 * via SVAL and so is in gost byte order.
278 pnum = ((int)setup[1]) & 0xFFFF;
279 subcommand = ((int)setup[0]) & 0xFFFF;
281 if(!(p = get_rpc_pipe(pnum))) {
282 if (subcommand == TRANSACT_WAITNAMEDPIPEHANDLESTATE) {
283 /* Win9x does this call with a unicode pipe name, not a pnum. */
284 /* Just return success for now... */
285 DEBUG(3,("Got TRANSACT_WAITNAMEDPIPEHANDLESTATE on text pipe name\n"));
286 send_trans_reply(outbuf, NULL, 0, NULL, 0, False);
290 DEBUG(1,("api_fd_reply: INVALID PIPE HANDLE: %x\n", pnum));
291 return ERROR_NT(NT_STATUS_INVALID_HANDLE);
294 if (vuid != p->vuid) {
295 DEBUG(1, ("Got pipe request (pnum %x) using invalid VUID %d, "
296 "expected %d\n", pnum, vuid, p->vuid));
297 return ERROR_NT(NT_STATUS_INVALID_HANDLE);
300 DEBUG(3,("Got API command 0x%x on pipe \"%s\" (pnum %x)\n", subcommand, p->name, pnum));
302 /* record maximum data length that can be transmitted in an SMBtrans */
303 p->max_trans_reply = mdrcnt;
305 DEBUG(10,("api_fd_reply: p:%p max_trans_reply: %d\n", p, p->max_trans_reply));
307 switch (subcommand) {
308 case TRANSACT_DCERPCCMD:
309 /* dce/rpc command */
310 reply = write_to_pipe(p, data, tdscnt);
312 reply = api_rpc_trans_reply(outbuf, p);
314 case TRANSACT_WAITNAMEDPIPEHANDLESTATE:
315 /* Wait Named Pipe Handle state */
316 reply = api_WNPHS(outbuf, p, params, tpscnt);
318 case TRANSACT_SETNAMEDPIPEHANDLESTATE:
319 /* Set Named Pipe Handle state */
320 reply = api_SNPHS(outbuf, p, params, tpscnt);
323 return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
327 return api_no_reply(outbuf, mdrcnt);
332 /****************************************************************************
333 handle named pipe commands
334 ****************************************************************************/
335 static int named_pipe(connection_struct *conn,uint16 vuid, char *outbuf,char *name,
336 uint16 *setup,char *data,char *params,
337 int suwcnt,int tdscnt,int tpscnt,
338 int msrcnt,int mdrcnt,int mprcnt)
340 DEBUG(3,("named pipe command on <%s> name\n", name));
342 if (strequal(name,"LANMAN"))
343 return api_reply(conn,vuid,outbuf,data,params,tdscnt,tpscnt,mdrcnt,mprcnt);
345 if (strequal(name,"WKSSVC") ||
346 strequal(name,"SRVSVC") ||
347 strequal(name,"WINREG") ||
348 strequal(name,"SAMR") ||
349 strequal(name,"LSARPC"))
351 DEBUG(4,("named pipe command from Win95 (wow!)\n"));
352 return api_fd_reply(conn,vuid,outbuf,setup,data,params,suwcnt,tdscnt,tpscnt,mdrcnt,mprcnt);
355 if (strlen(name) < 1)
356 return api_fd_reply(conn,vuid,outbuf,setup,data,params,suwcnt,tdscnt,tpscnt,mdrcnt,mprcnt);
359 DEBUG(3,("unknown named pipe: setup 0x%X setup1=%d\n", (int)setup[0],(int)setup[1]));
364 static NTSTATUS handle_trans(connection_struct *conn,
365 struct trans_state *state,
366 char *outbuf, int *outsize)
368 char *local_machine_name;
371 DEBUG(3,("trans <%s> data=%u params=%u setup=%u\n",
372 state->name,(unsigned int)state->total_data,(unsigned int)state->total_param,
373 (unsigned int)state->setup_count));
376 * WinCE wierdness....
379 local_machine_name = talloc_asprintf(state, "\\%s\\",
380 get_local_machine_name());
382 if (local_machine_name == NULL) {
383 return NT_STATUS_NO_MEMORY;
386 if (strnequal(state->name, local_machine_name,
387 strlen(local_machine_name))) {
388 name_offset = strlen(local_machine_name)-1;
391 if (!strnequal(&state->name[name_offset], "\\PIPE",
393 return NT_STATUS_NOT_SUPPORTED;
396 name_offset += strlen("\\PIPE");
398 /* Win9x weirdness. When talking to a unicode server Win9x
399 only sends \PIPE instead of \PIPE\ */
401 if (state->name[name_offset] == '\\')
404 DEBUG(5,("calling named_pipe\n"));
405 *outsize = named_pipe(conn, state->vuid, outbuf,
406 state->name+name_offset,
407 state->setup,state->data,
409 state->setup_count,state->total_data,
411 state->max_setup_return,
412 state->max_data_return,
413 state->max_param_return);
416 return NT_STATUS_NOT_SUPPORTED;
419 if (state->close_on_completion)
420 close_cnum(conn,state->vuid);
425 /****************************************************************************
427 ****************************************************************************/
429 int reply_trans(connection_struct *conn, char *inbuf,char *outbuf,
430 int size, int bufsize)
433 unsigned int dsoff = SVAL(inbuf, smb_dsoff);
434 unsigned int dscnt = SVAL(inbuf, smb_dscnt);
435 unsigned int psoff = SVAL(inbuf, smb_psoff);
436 unsigned int pscnt = SVAL(inbuf, smb_pscnt);
437 struct trans_state *state;
440 START_PROFILE(SMBtrans);
442 result = allow_new_trans(conn->pending_trans, SVAL(inbuf, smb_mid));
443 if (!NT_STATUS_IS_OK(result)) {
444 DEBUG(2, ("Got invalid trans request: %s\n",
446 END_PROFILE(SMBtrans);
447 return ERROR_NT(result);
450 if ((state = TALLOC_P(NULL, struct trans_state)) == NULL) {
451 DEBUG(0, ("talloc failed\n"));
452 END_PROFILE(SMBtrans);
453 return ERROR_NT(NT_STATUS_NO_MEMORY);
456 state->cmd = SMBtrans;
458 state->mid = SVAL(inbuf, smb_mid);
459 state->vuid = SVAL(inbuf, smb_uid);
460 state->setup_count = CVAL(inbuf, smb_suwcnt);
461 state->total_param = SVAL(inbuf, smb_tpscnt);
463 state->total_data = SVAL(inbuf, smb_tdscnt);
465 state->max_param_return = SVAL(inbuf, smb_mprcnt);
466 state->max_data_return = SVAL(inbuf, smb_mdrcnt);
467 state->max_setup_return = CVAL(inbuf, smb_msrcnt);
468 state->close_on_completion = BITSETW(inbuf+smb_vwv5,0);
469 state->one_way = BITSETW(inbuf+smb_vwv5,1);
471 memset(state->name, '\0',sizeof(state->name));
472 srvstr_pull_buf(inbuf, state->name, smb_buf(inbuf),
473 sizeof(state->name), STR_TERMINATE);
475 if ((dscnt > state->total_data) || (pscnt > state->total_param))
478 if (state->total_data) {
479 /* Can't use talloc here, the core routines do realloc on the
480 * params and data. */
481 state->data = (char *)SMB_MALLOC(state->total_data);
482 if (state->data == NULL) {
483 DEBUG(0,("reply_trans: data malloc fail for %u "
484 "bytes !\n", (unsigned int)state->total_data));
486 END_PROFILE(SMBtrans);
487 return(ERROR_DOS(ERRDOS,ERRnomem));
489 if ((dsoff+dscnt < dsoff) || (dsoff+dscnt < dscnt))
491 if ((smb_base(inbuf)+dsoff+dscnt > inbuf + size) ||
492 (smb_base(inbuf)+dsoff+dscnt < smb_base(inbuf)))
495 memcpy(state->data,smb_base(inbuf)+dsoff,dscnt);
498 if (state->total_param) {
499 /* Can't use talloc here, the core routines do realloc on the
500 * params and data. */
501 state->param = (char *)SMB_MALLOC(state->total_param);
502 if (state->param == NULL) {
503 DEBUG(0,("reply_trans: param malloc fail for %u "
504 "bytes !\n", (unsigned int)state->total_param));
505 SAFE_FREE(state->data);
507 END_PROFILE(SMBtrans);
508 return(ERROR_DOS(ERRDOS,ERRnomem));
510 if ((psoff+pscnt < psoff) || (psoff+pscnt < pscnt))
512 if ((smb_base(inbuf)+psoff+pscnt > inbuf + size) ||
513 (smb_base(inbuf)+psoff+pscnt < smb_base(inbuf)))
516 memcpy(state->param,smb_base(inbuf)+psoff,pscnt);
519 state->received_data = dscnt;
520 state->received_param = pscnt;
522 if (state->setup_count) {
524 if((state->setup = TALLOC_ARRAY(
525 state, uint16, state->setup_count)) == NULL) {
526 DEBUG(0,("reply_trans: setup malloc fail for %u "
527 "bytes !\n", (unsigned int)
528 (state->setup_count * sizeof(uint16))));
530 END_PROFILE(SMBtrans);
531 return(ERROR_DOS(ERRDOS,ERRnomem));
533 if (inbuf+smb_vwv14+(state->setup_count*SIZEOFWORD) >
536 if ((smb_vwv14+(state->setup_count*SIZEOFWORD) < smb_vwv14) ||
537 (smb_vwv14+(state->setup_count*SIZEOFWORD) <
538 (state->setup_count*SIZEOFWORD)))
541 for (i=0;i<state->setup_count;i++)
542 state->setup[i] = SVAL(inbuf,smb_vwv14+i*SIZEOFWORD);
545 state->received_param = pscnt;
547 if ((state->received_param == state->total_param) &&
548 (state->received_data == state->total_data)) {
550 result = handle_trans(conn, state, outbuf, &outsize);
552 SAFE_FREE(state->data);
553 SAFE_FREE(state->param);
556 if (!NT_STATUS_IS_OK(result)) {
557 END_PROFILE(SMBtrans);
558 return ERROR_NT(result);
562 END_PROFILE(SMBtrans);
563 return ERROR_NT(NT_STATUS_INTERNAL_ERROR);
566 END_PROFILE(SMBtrans);
570 DLIST_ADD(conn->pending_trans, state);
572 /* We need to send an interim response then receive the rest
573 of the parameter/data bytes */
574 outsize = set_message(outbuf,0,0,True);
576 END_PROFILE(SMBtrans);
581 DEBUG(0,("reply_trans: invalid trans parameters\n"));
582 SAFE_FREE(state->data);
583 SAFE_FREE(state->param);
585 END_PROFILE(SMBtrans);
586 return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
589 /****************************************************************************
590 Reply to a secondary SMBtrans.
591 ****************************************************************************/
593 int reply_transs(connection_struct *conn, char *inbuf,char *outbuf,
594 int size, int bufsize)
597 unsigned int pcnt,poff,dcnt,doff,pdisp,ddisp;
598 struct trans_state *state;
601 START_PROFILE(SMBtranss);
605 for (state = conn->pending_trans; state != NULL;
606 state = state->next) {
607 if (state->mid == SVAL(inbuf,smb_mid)) {
612 if ((state == NULL) || (state->cmd != SMBtrans)) {
613 END_PROFILE(SMBtranss);
614 return ERROR_NT(NT_STATUS_INVALID_PARAMETER);
617 /* Revise total_params and total_data in case they have changed
620 if (SVAL(inbuf, smb_vwv0) < state->total_param)
621 state->total_param = SVAL(inbuf,smb_vwv0);
622 if (SVAL(inbuf, smb_vwv1) < state->total_data)
623 state->total_data = SVAL(inbuf,smb_vwv1);
625 pcnt = SVAL(inbuf, smb_spscnt);
626 poff = SVAL(inbuf, smb_spsoff);
627 pdisp = SVAL(inbuf, smb_spsdisp);
629 dcnt = SVAL(inbuf, smb_sdscnt);
630 doff = SVAL(inbuf, smb_sdsoff);
631 ddisp = SVAL(inbuf, smb_sdsdisp);
633 state->received_param += pcnt;
634 state->received_data += dcnt;
636 if ((state->received_data > state->total_data) ||
637 (state->received_param > state->total_param))
641 if (pdisp+pcnt > state->total_param)
643 if ((pdisp+pcnt < pdisp) || (pdisp+pcnt < pcnt))
645 if (pdisp > state->total_param)
647 if ((smb_base(inbuf) + poff + pcnt > inbuf + size) ||
648 (smb_base(inbuf) + poff + pcnt < smb_base(inbuf)))
650 if (state->param + pdisp < state->param)
653 memcpy(state->param+pdisp,smb_base(inbuf)+poff,
658 if (ddisp+dcnt > state->total_data)
660 if ((ddisp+dcnt < ddisp) || (ddisp+dcnt < dcnt))
662 if (ddisp > state->total_data)
664 if ((smb_base(inbuf) + doff + dcnt > inbuf + size) ||
665 (smb_base(inbuf) + doff + dcnt < smb_base(inbuf)))
667 if (state->data + ddisp < state->data)
670 memcpy(state->data+ddisp, smb_base(inbuf)+doff,
674 if ((state->received_param < state->total_param) ||
675 (state->received_data < state->total_data)) {
676 END_PROFILE(SMBtranss);
680 /* construct_reply_common has done us the favor to pre-fill the
681 * command field with SMBtranss which is wrong :-)
683 SCVAL(outbuf,smb_com,SMBtrans);
685 result = handle_trans(conn, state, outbuf, &outsize);
687 DLIST_REMOVE(conn->pending_trans, state);
688 SAFE_FREE(state->data);
689 SAFE_FREE(state->param);
692 if ((outsize == 0) || !NT_STATUS_IS_OK(result)) {
693 END_PROFILE(SMBtranss);
694 return(ERROR_DOS(ERRSRV,ERRnosupport));
697 END_PROFILE(SMBtranss);
702 DEBUG(0,("reply_transs: invalid trans parameters\n"));
703 DLIST_REMOVE(conn->pending_trans, state);
704 SAFE_FREE(state->data);
705 SAFE_FREE(state->param);
707 END_PROFILE(SMBtranss);
708 return ERROR_NT(NT_STATUS_INVALID_PARAMETER);