2 Unix SMB/CIFS implementation.
3 SMB NT transaction handling
4 Copyright (C) Jeremy Allison 1994-2007
5 Copyright (C) Stefan (metze) Metzmacher 2003
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "system/filesys.h"
23 #include "smbd/smbd.h"
24 #include "smbd/globals.h"
25 #include "fake_file.h"
26 #include "../libcli/security/security.h"
27 #include "../librpc/gen_ndr/ndr_security.h"
28 #include "passdb/lookup_sid.h"
30 #include "smbprofile.h"
31 #include "libsmb/libsmb.h"
32 #include "lib/util_ea.h"
33 #include "librpc/gen_ndr/ndr_quota.h"
34 #include "librpc/gen_ndr/ndr_security.h"
36 static char *nttrans_realloc(char **ptr, size_t size)
39 smb_panic("nttrans_realloc() called with NULL ptr");
42 *ptr = (char *)SMB_REALLOC(*ptr, size);
46 memset(*ptr,'\0',size);
50 /****************************************************************************
51 Send the required number of replies back.
52 We assume all fields other than the data fields are
53 set correctly for the type of call.
54 HACK ! Always assumes smb_setup field is zero.
55 ****************************************************************************/
57 static void send_nt_replies(connection_struct *conn,
58 struct smb_request *req, NTSTATUS nt_error,
59 char *params, int paramsize,
60 char *pdata, int datasize)
62 int data_to_send = datasize;
63 int params_to_send = paramsize;
67 int params_sent_thistime, data_sent_thistime, total_sent_thistime;
68 int alignment_offset = 1;
69 int data_alignment_offset = 0;
70 struct smbXsrv_connection *xconn = req->xconn;
71 int max_send = xconn->smb1.sessions.max_send;
74 * If there genuinely are no parameters or data to send just send
78 if(params_to_send == 0 && data_to_send == 0) {
79 reply_smb1_outbuf(req, 18, 0);
80 if (NT_STATUS_V(nt_error)) {
81 error_packet_set((char *)req->outbuf,
85 show_msg((char *)req->outbuf);
86 if (!smb1_srv_send(xconn,
90 IS_CONN_ENCRYPTED(conn))) {
91 exit_server_cleanly("send_nt_replies: smb1_srv_send failed.");
93 TALLOC_FREE(req->outbuf);
98 * When sending params and data ensure that both are nicely aligned.
99 * Only do this alignment when there is also data to send - else
100 * can cause NT redirector problems.
103 if (((params_to_send % 4) != 0) && (data_to_send != 0)) {
104 data_alignment_offset = 4 - (params_to_send % 4);
108 * Space is bufsize minus Netbios over TCP header minus SMB header.
109 * The alignment_offset is to align the param bytes on a four byte
110 * boundary (2 bytes for data len, one byte pad).
111 * NT needs this to work correctly.
114 useable_space = max_send - (smb_size
117 + data_alignment_offset);
119 if (useable_space < 0) {
120 char *msg = talloc_asprintf(
122 "send_nt_replies failed sanity useable_space = %d!!!",
124 DEBUG(0, ("%s\n", msg));
125 exit_server_cleanly(msg);
128 while (params_to_send || data_to_send) {
131 * Calculate whether we will totally or partially fill this packet.
134 total_sent_thistime = params_to_send + data_to_send;
137 * We can never send more than useable_space.
140 total_sent_thistime = MIN(total_sent_thistime, useable_space);
142 reply_smb1_outbuf(req, 18,
143 total_sent_thistime + alignment_offset
144 + data_alignment_offset);
147 * Set total params and data to be sent.
150 SIVAL(req->outbuf,smb_ntr_TotalParameterCount,paramsize);
151 SIVAL(req->outbuf,smb_ntr_TotalDataCount,datasize);
154 * Calculate how many parameters and data we can fit into
155 * this packet. Parameters get precedence.
158 params_sent_thistime = MIN(params_to_send,useable_space);
159 data_sent_thistime = useable_space - params_sent_thistime;
160 data_sent_thistime = MIN(data_sent_thistime,data_to_send);
162 SIVAL(req->outbuf, smb_ntr_ParameterCount,
163 params_sent_thistime);
165 if(params_sent_thistime == 0) {
166 SIVAL(req->outbuf,smb_ntr_ParameterOffset,0);
167 SIVAL(req->outbuf,smb_ntr_ParameterDisplacement,0);
170 * smb_ntr_ParameterOffset is the offset from the start of the SMB header to the
171 * parameter bytes, however the first 4 bytes of outbuf are
172 * the Netbios over TCP header. Thus use smb_base() to subtract
173 * them from the calculation.
176 SIVAL(req->outbuf,smb_ntr_ParameterOffset,
177 ((smb_buf(req->outbuf)+alignment_offset)
178 - smb_base(req->outbuf)));
180 * Absolute displacement of param bytes sent in this packet.
183 SIVAL(req->outbuf, smb_ntr_ParameterDisplacement,
188 * Deal with the data portion.
191 SIVAL(req->outbuf, smb_ntr_DataCount, data_sent_thistime);
193 if(data_sent_thistime == 0) {
194 SIVAL(req->outbuf,smb_ntr_DataOffset,0);
195 SIVAL(req->outbuf,smb_ntr_DataDisplacement, 0);
198 * The offset of the data bytes is the offset of the
199 * parameter bytes plus the number of parameters being sent this time.
202 SIVAL(req->outbuf, smb_ntr_DataOffset,
203 ((smb_buf(req->outbuf)+alignment_offset) -
204 smb_base(req->outbuf))
205 + params_sent_thistime + data_alignment_offset);
206 SIVAL(req->outbuf,smb_ntr_DataDisplacement, pd - pdata);
210 * Copy the param bytes into the packet.
213 if(params_sent_thistime) {
214 if (alignment_offset != 0) {
215 memset(smb_buf(req->outbuf), 0,
218 memcpy((smb_buf(req->outbuf)+alignment_offset), pp,
219 params_sent_thistime);
223 * Copy in the data bytes
226 if(data_sent_thistime) {
227 if (data_alignment_offset != 0) {
228 memset((smb_buf(req->outbuf)+alignment_offset+
229 params_sent_thistime), 0,
230 data_alignment_offset);
232 memcpy(smb_buf(req->outbuf)+alignment_offset
233 +params_sent_thistime+data_alignment_offset,
234 pd,data_sent_thistime);
237 DEBUG(9,("nt_rep: params_sent_thistime = %d, data_sent_thistime = %d, useable_space = %d\n",
238 params_sent_thistime, data_sent_thistime, useable_space));
239 DEBUG(9,("nt_rep: params_to_send = %d, data_to_send = %d, paramsize = %d, datasize = %d\n",
240 params_to_send, data_to_send, paramsize, datasize));
242 if (NT_STATUS_V(nt_error)) {
243 error_packet_set((char *)req->outbuf,
248 /* Send the packet */
249 show_msg((char *)req->outbuf);
250 if (!smb1_srv_send(xconn,
254 IS_CONN_ENCRYPTED(conn))) {
255 exit_server_cleanly("send_nt_replies: smb1_srv_send failed.");
258 TALLOC_FREE(req->outbuf);
260 pp += params_sent_thistime;
261 pd += data_sent_thistime;
263 params_to_send -= params_sent_thistime;
264 data_to_send -= data_sent_thistime;
270 if(params_to_send < 0 || data_to_send < 0) {
271 DEBUG(0,("send_nt_replies failed sanity check pts = %d, dts = %d\n!!!",
272 params_to_send, data_to_send));
273 exit_server_cleanly("send_nt_replies: internal error");
278 /****************************************************************************
279 Reply to an NT create and X call on a pipe
280 ****************************************************************************/
282 static void nt_open_pipe(char *fname, connection_struct *conn,
283 struct smb_request *req, uint16_t *ppnum)
288 DEBUG(4,("nt_open_pipe: Opening pipe %s.\n", fname));
290 /* Strip \\ off the name if present. */
291 while (fname[0] == '\\') {
295 status = open_np_file(req, fname, &fsp);
296 if (!NT_STATUS_IS_OK(status)) {
297 if (NT_STATUS_EQUAL(status, NT_STATUS_OBJECT_NAME_NOT_FOUND)) {
298 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
302 reply_nterror(req, status);
310 /****************************************************************************
311 Reply to an NT create and X call for pipes.
312 ****************************************************************************/
314 static void do_ntcreate_pipe_open(connection_struct *conn,
315 struct smb_request *req)
318 uint16_t pnum = FNUM_FIELD_INVALID;
320 uint32_t flags = IVAL(req->vwv+3, 1);
321 TALLOC_CTX *ctx = talloc_tos();
323 srvstr_pull_req_talloc(ctx, req, &fname, req->buf, STR_TERMINATE);
326 reply_botherror(req, NT_STATUS_OBJECT_NAME_NOT_FOUND,
330 nt_open_pipe(fname, conn, req, &pnum);
338 * Deal with pipe return.
341 if (flags & EXTENDED_RESPONSE_REQUIRED) {
342 /* This is very strange. We
343 * return 50 words, but only set
344 * the wcnt to 42 ? It's definitely
345 * what happens on the wire....
347 reply_smb1_outbuf(req, 50, 0);
348 SCVAL(req->outbuf,smb_wct,42);
350 reply_smb1_outbuf(req, 34, 0);
353 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
354 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
356 p = (char *)req->outbuf + smb_vwv2;
360 SIVAL(p,0,FILE_WAS_OPENED);
363 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
366 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
368 SSVAL(p,2, 0x5FF); /* ? */
371 if (flags & EXTENDED_RESPONSE_REQUIRED) {
373 SIVAL(p,0,FILE_GENERIC_ALL);
375 * For pipes W2K3 seems to return
377 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
379 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
382 DEBUG(5,("do_ntcreate_pipe_open: open pipe = %s\n", fname));
385 struct case_semantics_state {
386 connection_struct *conn;
389 bool short_case_preserve;
392 /****************************************************************************
393 Restore case semantics.
394 ****************************************************************************/
396 static int restore_case_semantics(struct case_semantics_state *state)
398 state->conn->case_sensitive = state->case_sensitive;
399 state->conn->case_preserve = state->case_preserve;
400 state->conn->short_case_preserve = state->short_case_preserve;
404 /****************************************************************************
406 ****************************************************************************/
408 static struct case_semantics_state *set_posix_case_semantics(TALLOC_CTX *mem_ctx,
409 connection_struct *conn)
411 struct case_semantics_state *result;
413 if (!(result = talloc(mem_ctx, struct case_semantics_state))) {
418 result->case_sensitive = conn->case_sensitive;
419 result->case_preserve = conn->case_preserve;
420 result->short_case_preserve = conn->short_case_preserve;
423 conn->case_sensitive = True;
424 conn->case_preserve = True;
425 conn->short_case_preserve = True;
427 talloc_set_destructor(result, restore_case_semantics);
433 * Calculate the full path name given a relative fid.
435 static NTSTATUS get_relative_fid_filename(connection_struct *conn,
436 struct smb_request *req,
437 uint16_t root_dir_fid,
441 struct files_struct *dir_fsp = NULL;
442 char *new_path = NULL;
444 if (root_dir_fid == 0 || path == NULL) {
445 return NT_STATUS_INTERNAL_ERROR;
448 dir_fsp = file_fsp(req, root_dir_fid);
449 if (dir_fsp == NULL) {
450 return NT_STATUS_INVALID_HANDLE;
453 if (fsp_is_alternate_stream(dir_fsp)) {
454 return NT_STATUS_INVALID_HANDLE;
457 if (!dir_fsp->fsp_flags.is_directory) {
459 * Check to see if this is a mac fork of some kind.
461 if (conn->fs_capabilities & FILE_NAMED_STREAMS) {
464 stream = strchr_m(path, ':');
465 if (stream != NULL) {
466 return NT_STATUS_OBJECT_PATH_NOT_FOUND;
471 * We need to handle the case when we get a relative open
472 * relative to a file and the pathname is blank - this is a
473 * reopen! (hint from demyn plantenberg)
475 return NT_STATUS_INVALID_HANDLE;
478 if (ISDOT(dir_fsp->fsp_name->base_name)) {
480 * We're at the toplevel dir, the final file name
481 * must not contain ./, as this is filtered out
482 * normally by srvstr_get_path and unix_convert
483 * explicitly rejects paths containing ./.
485 new_path = talloc_strdup(talloc_tos(), path);
488 * Copy in the base directory name.
491 new_path = talloc_asprintf(talloc_tos(),
493 dir_fsp->fsp_name->base_name,
496 if (new_path == NULL) {
497 return NT_STATUS_NO_MEMORY;
500 *path_out = new_path;
504 /****************************************************************************
505 Reply to an NT create and X call.
506 ****************************************************************************/
508 void reply_ntcreate_and_X(struct smb_request *req)
510 connection_struct *conn = req->conn;
511 struct files_struct *dirfsp = NULL;
512 struct smb_filename *smb_fname = NULL;
515 uint32_t access_mask;
516 uint32_t file_attributes;
517 uint32_t share_access;
518 uint32_t create_disposition;
519 uint32_t create_options;
520 uint16_t root_dir_fid;
521 uint64_t allocation_size;
522 /* Breakout the oplock request bits so we can set the
523 reply bits separately. */
527 files_struct *fsp = NULL;
529 struct timespec create_timespec;
530 struct timespec c_timespec;
531 struct timespec a_timespec;
532 struct timespec m_timespec;
535 uint8_t oplock_granted = NO_OPLOCK_RETURN;
536 struct case_semantics_state *case_state = NULL;
539 TALLOC_CTX *ctx = talloc_tos();
541 START_PROFILE(SMBntcreateX);
544 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
548 flags = IVAL(req->vwv+3, 1);
549 access_mask = IVAL(req->vwv+7, 1);
550 file_attributes = IVAL(req->vwv+13, 1);
551 share_access = IVAL(req->vwv+15, 1);
552 create_disposition = IVAL(req->vwv+17, 1);
553 create_options = IVAL(req->vwv+19, 1);
554 root_dir_fid = (uint16_t)IVAL(req->vwv+5, 1);
556 allocation_size = BVAL(req->vwv+9, 1);
558 srvstr_get_path_req(ctx, req, &fname, (const char *)req->buf,
559 STR_TERMINATE, &status);
561 if (!NT_STATUS_IS_OK(status)) {
562 reply_nterror(req, status);
566 DEBUG(10,("reply_ntcreate_and_X: flags = 0x%x, access_mask = 0x%x "
567 "file_attributes = 0x%x, share_access = 0x%x, "
568 "create_disposition = 0x%x create_options = 0x%x "
569 "root_dir_fid = 0x%x, fname = %s\n",
571 (unsigned int)access_mask,
572 (unsigned int)file_attributes,
573 (unsigned int)share_access,
574 (unsigned int)create_disposition,
575 (unsigned int)create_options,
576 (unsigned int)root_dir_fid,
580 * we need to remove ignored bits when they come directly from the client
581 * because we reuse some of them for internal stuff
583 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
586 * If it's an IPC, use the pipe handler.
590 if (lp_nt_pipe_support()) {
591 do_ntcreate_pipe_open(conn, req);
594 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
598 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
599 if (oplock_request) {
600 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
604 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
605 case_state = set_posix_case_semantics(ctx, conn);
607 reply_nterror(req, NT_STATUS_NO_MEMORY);
612 if (root_dir_fid != 0) {
613 char *new_fname = NULL;
615 status = get_relative_fid_filename(conn,
620 if (!NT_STATUS_IS_OK(status)) {
621 reply_nterror(req, status);
627 ucf_flags = filename_create_ucf_flags(req, create_disposition);
628 if (ucf_flags & UCF_GMT_PATHNAME) {
629 extract_snapshot_token(fname, &twrp);
631 status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname);
632 if (!NT_STATUS_IS_OK(status)) {
633 reply_nterror(req, status);
637 status = filename_convert_dirfsp(
638 ctx, conn, fname, ucf_flags, twrp, &dirfsp, &smb_fname);
640 TALLOC_FREE(case_state);
642 if (!NT_STATUS_IS_OK(status)) {
643 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
645 NT_STATUS_PATH_NOT_COVERED,
649 reply_nterror(req, status);
654 * Bug #6898 - clients using Windows opens should
655 * never be able to set this attribute into the
658 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
660 status = SMB_VFS_CREATE_FILE(
664 smb_fname, /* fname */
665 access_mask, /* access_mask */
666 share_access, /* share_access */
667 create_disposition, /* create_disposition*/
668 create_options, /* create_options */
669 file_attributes, /* file_attributes */
670 oplock_request, /* oplock_request */
672 allocation_size, /* allocation_size */
673 0, /* private_flags */
678 NULL, NULL); /* create context */
680 if (!NT_STATUS_IS_OK(status)) {
681 if (open_was_deferred(req->xconn, req->mid)) {
682 /* We have re-scheduled this call, no error. */
685 if (NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) {
686 bool ok = defer_smb1_sharing_violation(req);
691 reply_openerror(req, status);
695 /* Ensure we're pointing at the correct stat struct. */
696 smb_fname = fsp->fsp_name;
699 * If the caller set the extended oplock request bit
700 * and we granted one (by whatever means) - set the
701 * correct bit for extended oplock reply.
704 if (oplock_request &&
705 (lp_fake_oplocks(SNUM(conn))
706 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
709 * Exclusive oplock granted
712 if (flags & REQUEST_BATCH_OPLOCK) {
713 oplock_granted = BATCH_OPLOCK_RETURN;
715 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
717 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
718 oplock_granted = LEVEL_II_OPLOCK_RETURN;
720 oplock_granted = NO_OPLOCK_RETURN;
723 file_len = smb_fname->st.st_ex_size;
725 if (flags & EXTENDED_RESPONSE_REQUIRED) {
726 /* This is very strange. We
727 * return 50 words, but only set
728 * the wcnt to 42 ? It's definitely
729 * what happens on the wire....
731 reply_smb1_outbuf(req, 50, 0);
732 SCVAL(req->outbuf,smb_wct,42);
734 reply_smb1_outbuf(req, 34, 0);
737 SSVAL(req->outbuf, smb_vwv0, 0xff); /* andx chain ends */
738 SSVAL(req->outbuf, smb_vwv1, 0); /* no andx offset */
740 p = (char *)req->outbuf + smb_vwv2;
742 SCVAL(p, 0, oplock_granted);
745 SSVAL(p,0,fsp->fnum);
747 if ((create_disposition == FILE_SUPERSEDE)
748 && (info == FILE_WAS_OVERWRITTEN)) {
749 SIVAL(p,0,FILE_WAS_SUPERSEDED);
755 fattr = fdos_mode(fsp);
757 fattr = FILE_ATTRIBUTE_NORMAL;
761 create_timespec = get_create_timespec(conn, fsp, smb_fname);
762 a_timespec = smb_fname->st.st_ex_atime;
763 m_timespec = smb_fname->st.st_ex_mtime;
764 c_timespec = get_change_timespec(conn, fsp, smb_fname);
766 if (lp_dos_filetime_resolution(SNUM(conn))) {
767 dos_filetime_timespec(&create_timespec);
768 dos_filetime_timespec(&a_timespec);
769 dos_filetime_timespec(&m_timespec);
770 dos_filetime_timespec(&c_timespec);
773 put_long_date_full_timespec(conn->ts_res, p, &create_timespec); /* create time. */
775 put_long_date_full_timespec(conn->ts_res, p, &a_timespec); /* access time */
777 put_long_date_full_timespec(conn->ts_res, p, &m_timespec); /* write time */
779 put_long_date_full_timespec(conn->ts_res, p, &c_timespec); /* change time */
781 SIVAL(p,0,fattr); /* File Attributes. */
783 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn,fsp,&smb_fname->st));
785 SOFF_T(p,0,file_len);
787 if (flags & EXTENDED_RESPONSE_REQUIRED) {
788 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
789 unsigned int num_streams = 0;
790 struct stream_struct *streams = NULL;
792 if (lp_ea_support(SNUM(conn))) {
793 size_t num_names = 0;
794 /* Do we have any EA's ? */
795 status = get_ea_names_from_fsp(
796 ctx, smb_fname->fsp, NULL, &num_names);
797 if (NT_STATUS_IS_OK(status) && num_names) {
798 file_status &= ~NO_EAS;
802 status = vfs_fstreaminfo(smb_fname->fsp, ctx,
803 &num_streams, &streams);
804 /* There is always one stream, ::$DATA. */
805 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
806 file_status &= ~NO_SUBSTREAMS;
808 TALLOC_FREE(streams);
809 SSVAL(p,2,file_status);
812 SCVAL(p,0,fsp->fsp_flags.is_directory ? 1 : 0);
814 if (flags & EXTENDED_RESPONSE_REQUIRED) {
817 if (fsp->fsp_flags.is_directory ||
818 fsp->fsp_flags.can_write ||
819 can_write_to_fsp(fsp))
821 perms = FILE_GENERIC_ALL;
823 perms = FILE_GENERIC_READ|FILE_EXECUTE;
828 DEBUG(5,("reply_ntcreate_and_X: %s, open name = %s\n",
829 fsp_fnum_dbg(fsp), smb_fname_str_dbg(smb_fname)));
832 END_PROFILE(SMBntcreateX);
836 /****************************************************************************
837 Reply to a NT_TRANSACT_CREATE call to open a pipe.
838 ****************************************************************************/
840 static void do_nt_transact_create_pipe(connection_struct *conn,
841 struct smb_request *req,
842 uint16_t **ppsetup, uint32_t setup_count,
843 char **ppparams, uint32_t parameter_count,
844 char **ppdata, uint32_t data_count)
847 char *params = *ppparams;
848 uint16_t pnum = FNUM_FIELD_INVALID;
853 TALLOC_CTX *ctx = talloc_tos();
856 * Ensure minimum number of parameters sent.
859 if(parameter_count < 54) {
860 DEBUG(0,("do_nt_transact_create_pipe - insufficient parameters (%u)\n", (unsigned int)parameter_count));
861 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
865 flags = IVAL(params,0);
867 if (req->posix_pathnames) {
868 srvstr_get_path_posix(ctx,
886 if (!NT_STATUS_IS_OK(status)) {
887 reply_nterror(req, status);
891 nt_open_pipe(fname, conn, req, &pnum);
898 /* Realloc the size of parameters and data we will return */
899 if (flags & EXTENDED_RESPONSE_REQUIRED) {
900 /* Extended response is 32 more byyes. */
905 params = nttrans_realloc(ppparams, param_len);
907 reply_nterror(req, NT_STATUS_NO_MEMORY);
912 SCVAL(p,0,NO_OPLOCK_RETURN);
917 SIVAL(p,0,FILE_WAS_OPENED);
921 SIVAL(p,0,FILE_ATTRIBUTE_NORMAL); /* File Attributes. */
924 SSVAL(p,0,FILE_TYPE_MESSAGE_MODE_PIPE);
926 SSVAL(p,2, 0x5FF); /* ? */
929 if (flags & EXTENDED_RESPONSE_REQUIRED) {
931 SIVAL(p,0,FILE_GENERIC_ALL);
933 * For pipes W2K3 seems to return
935 * This is ((FILE_GENERIC_READ|FILE_GENERIC_WRITE) & ~FILE_APPEND_DATA)
937 SIVAL(p,4,(FILE_GENERIC_READ|FILE_GENERIC_WRITE)&~FILE_APPEND_DATA);
940 DEBUG(5,("do_nt_transact_create_pipe: open name = %s\n", fname));
942 /* Send the required number of replies */
943 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
948 /****************************************************************************
949 Reply to a NT_TRANSACT_CREATE call (needs to process SD's).
950 ****************************************************************************/
952 static void call_nt_transact_create(connection_struct *conn,
953 struct smb_request *req,
954 uint16_t **ppsetup, uint32_t setup_count,
955 char **ppparams, uint32_t parameter_count,
956 char **ppdata, uint32_t data_count,
957 uint32_t max_data_count)
959 struct smb_filename *smb_fname = NULL;
961 char *params = *ppparams;
962 char *data = *ppdata;
963 /* Breakout the oplock request bits so we can set the reply bits separately. */
967 struct files_struct *dirfsp = NULL;
968 files_struct *fsp = NULL;
971 uint32_t access_mask;
972 uint32_t file_attributes;
973 uint32_t share_access;
974 uint32_t create_disposition;
975 uint32_t create_options;
977 struct security_descriptor *sd = NULL;
979 uint16_t root_dir_fid;
980 struct timespec create_timespec;
981 struct timespec c_timespec;
982 struct timespec a_timespec;
983 struct timespec m_timespec;
984 struct ea_list *ea_list = NULL;
987 uint64_t allocation_size;
989 uint8_t oplock_granted;
990 struct case_semantics_state *case_state = NULL;
993 TALLOC_CTX *ctx = talloc_tos();
995 DEBUG(5,("call_nt_transact_create\n"));
998 * If it's an IPC, use the pipe handler.
1002 if (lp_nt_pipe_support()) {
1003 do_nt_transact_create_pipe(
1005 ppsetup, setup_count,
1006 ppparams, parameter_count,
1007 ppdata, data_count);
1010 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1015 * Ensure minimum number of parameters sent.
1018 if(parameter_count < 54) {
1019 DEBUG(0,("call_nt_transact_create - insufficient parameters (%u)\n", (unsigned int)parameter_count));
1020 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1024 flags = IVAL(params,0);
1025 access_mask = IVAL(params,8);
1026 file_attributes = IVAL(params,20);
1027 share_access = IVAL(params,24);
1028 create_disposition = IVAL(params,28);
1029 create_options = IVAL(params,32);
1030 sd_len = IVAL(params,36);
1031 ea_len = IVAL(params,40);
1032 root_dir_fid = (uint16_t)IVAL(params,4);
1033 allocation_size = BVAL(params,12);
1036 * we need to remove ignored bits when they come directly from the client
1037 * because we reuse some of them for internal stuff
1039 create_options &= ~NTCREATEX_OPTIONS_MUST_IGNORE_MASK;
1041 if (req->posix_pathnames) {
1042 srvstr_get_path_posix(ctx,
1051 srvstr_get_path(ctx,
1060 if (!NT_STATUS_IS_OK(status)) {
1061 reply_nterror(req, status);
1065 if (file_attributes & FILE_FLAG_POSIX_SEMANTICS) {
1066 case_state = set_posix_case_semantics(ctx, conn);
1068 reply_nterror(req, NT_STATUS_NO_MEMORY);
1073 if (root_dir_fid != 0) {
1074 char *new_fname = NULL;
1076 status = get_relative_fid_filename(conn,
1081 if (!NT_STATUS_IS_OK(status)) {
1082 reply_nterror(req, status);
1088 ucf_flags = filename_create_ucf_flags(req, create_disposition);
1089 if (ucf_flags & UCF_GMT_PATHNAME) {
1090 extract_snapshot_token(fname, &twrp);
1092 status = smb1_strip_dfs_path(ctx, &ucf_flags, &fname);
1093 if (!NT_STATUS_IS_OK(status)) {
1094 reply_nterror(req, status);
1098 status = filename_convert_dirfsp(ctx,
1106 TALLOC_FREE(case_state);
1108 if (!NT_STATUS_IS_OK(status)) {
1109 if (NT_STATUS_EQUAL(status,NT_STATUS_PATH_NOT_COVERED)) {
1110 reply_botherror(req,
1111 NT_STATUS_PATH_NOT_COVERED,
1112 ERRSRV, ERRbadpath);
1115 reply_nterror(req, status);
1119 /* Ensure the data_len is correct for the sd and ea values given. */
1120 if ((ea_len + sd_len > data_count)
1121 || (ea_len > data_count) || (sd_len > data_count)
1122 || (ea_len + sd_len < ea_len) || (ea_len + sd_len < sd_len)) {
1123 DEBUG(10, ("call_nt_transact_create - ea_len = %u, sd_len = "
1124 "%u, data_count = %u\n", (unsigned int)ea_len,
1125 (unsigned int)sd_len, (unsigned int)data_count));
1126 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1131 DEBUG(10, ("call_nt_transact_create - sd_len = %d\n",
1134 status = unmarshall_sec_desc(ctx, (uint8_t *)data, sd_len,
1136 if (!NT_STATUS_IS_OK(status)) {
1137 DEBUG(10, ("call_nt_transact_create: "
1138 "unmarshall_sec_desc failed: %s\n",
1139 nt_errstr(status)));
1140 reply_nterror(req, status);
1146 if (!lp_ea_support(SNUM(conn))) {
1147 DEBUG(10, ("call_nt_transact_create - ea_len = %u but "
1148 "EA's not supported.\n",
1149 (unsigned int)ea_len));
1150 reply_nterror(req, NT_STATUS_EAS_NOT_SUPPORTED);
1155 DEBUG(10,("call_nt_transact_create - ea_len = %u - "
1156 "too small (should be more than 10)\n",
1157 (unsigned int)ea_len ));
1158 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1162 /* We have already checked that ea_len <= data_count here. */
1163 ea_list = read_nttrans_ea_list(talloc_tos(), data + sd_len,
1165 if (ea_list == NULL) {
1166 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1170 if (!req->posix_pathnames &&
1171 ea_list_has_invalid_name(ea_list)) {
1172 /* Realloc the size of parameters and data we will return */
1173 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1174 /* Extended response is 32 more bytes. */
1179 params = nttrans_realloc(ppparams, param_len);
1180 if(params == NULL) {
1181 reply_nterror(req, NT_STATUS_NO_MEMORY);
1185 memset(params, '\0', param_len);
1186 send_nt_replies(conn, req, STATUS_INVALID_EA_NAME,
1187 params, param_len, NULL, 0);
1192 oplock_request = (flags & REQUEST_OPLOCK) ? EXCLUSIVE_OPLOCK : 0;
1193 if (oplock_request) {
1194 oplock_request |= (flags & REQUEST_BATCH_OPLOCK)
1199 * Bug #6898 - clients using Windows opens should
1200 * never be able to set this attribute into the
1203 file_attributes &= ~FILE_FLAG_POSIX_SEMANTICS;
1205 status = SMB_VFS_CREATE_FILE(
1208 dirfsp, /* dirfsp */
1209 smb_fname, /* fname */
1210 access_mask, /* access_mask */
1211 share_access, /* share_access */
1212 create_disposition, /* create_disposition*/
1213 create_options, /* create_options */
1214 file_attributes, /* file_attributes */
1215 oplock_request, /* oplock_request */
1217 allocation_size, /* allocation_size */
1218 0, /* private_flags */
1220 ea_list, /* ea_list */
1223 NULL, NULL); /* create context */
1225 if(!NT_STATUS_IS_OK(status)) {
1226 if (open_was_deferred(req->xconn, req->mid)) {
1227 /* We have re-scheduled this call, no error. */
1230 if (NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) {
1231 bool ok = defer_smb1_sharing_violation(req);
1236 reply_openerror(req, status);
1240 /* Ensure we're pointing at the correct stat struct. */
1241 TALLOC_FREE(smb_fname);
1242 smb_fname = fsp->fsp_name;
1245 * If the caller set the extended oplock request bit
1246 * and we granted one (by whatever means) - set the
1247 * correct bit for extended oplock reply.
1250 if (oplock_request &&
1251 (lp_fake_oplocks(SNUM(conn))
1252 || EXCLUSIVE_OPLOCK_TYPE(fsp->oplock_type))) {
1255 * Exclusive oplock granted
1258 if (flags & REQUEST_BATCH_OPLOCK) {
1259 oplock_granted = BATCH_OPLOCK_RETURN;
1261 oplock_granted = EXCLUSIVE_OPLOCK_RETURN;
1263 } else if (fsp->oplock_type == LEVEL_II_OPLOCK) {
1264 oplock_granted = LEVEL_II_OPLOCK_RETURN;
1266 oplock_granted = NO_OPLOCK_RETURN;
1269 file_len = smb_fname->st.st_ex_size;
1271 /* Realloc the size of parameters and data we will return */
1272 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1273 /* Extended response is 32 more byyes. */
1278 params = nttrans_realloc(ppparams, param_len);
1279 if(params == NULL) {
1280 reply_nterror(req, NT_STATUS_NO_MEMORY);
1285 SCVAL(p, 0, oplock_granted);
1288 SSVAL(p,0,fsp->fnum);
1290 if ((create_disposition == FILE_SUPERSEDE)
1291 && (info == FILE_WAS_OVERWRITTEN)) {
1292 SIVAL(p,0,FILE_WAS_SUPERSEDED);
1298 fattr = fdos_mode(fsp);
1300 fattr = FILE_ATTRIBUTE_NORMAL;
1304 create_timespec = get_create_timespec(conn, fsp, smb_fname);
1305 a_timespec = smb_fname->st.st_ex_atime;
1306 m_timespec = smb_fname->st.st_ex_mtime;
1307 c_timespec = get_change_timespec(conn, fsp, smb_fname);
1309 if (lp_dos_filetime_resolution(SNUM(conn))) {
1310 dos_filetime_timespec(&create_timespec);
1311 dos_filetime_timespec(&a_timespec);
1312 dos_filetime_timespec(&m_timespec);
1313 dos_filetime_timespec(&c_timespec);
1316 put_long_date_full_timespec(conn->ts_res, p, &create_timespec); /* create time. */
1318 put_long_date_full_timespec(conn->ts_res, p, &a_timespec); /* access time */
1320 put_long_date_full_timespec(conn->ts_res, p, &m_timespec); /* write time */
1322 put_long_date_full_timespec(conn->ts_res, p, &c_timespec); /* change time */
1324 SIVAL(p,0,fattr); /* File Attributes. */
1326 SOFF_T(p, 0, SMB_VFS_GET_ALLOC_SIZE(conn, fsp, &smb_fname->st));
1328 SOFF_T(p,0,file_len);
1330 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1331 uint16_t file_status = (NO_EAS|NO_SUBSTREAMS|NO_REPARSETAG);
1332 unsigned int num_streams = 0;
1333 struct stream_struct *streams = NULL;
1335 if (lp_ea_support(SNUM(conn))) {
1336 size_t num_names = 0;
1337 /* Do we have any EA's ? */
1338 status = get_ea_names_from_fsp(
1339 ctx, smb_fname->fsp, NULL, &num_names);
1340 if (NT_STATUS_IS_OK(status) && num_names) {
1341 file_status &= ~NO_EAS;
1345 status = vfs_fstreaminfo(smb_fname->fsp, ctx,
1346 &num_streams, &streams);
1347 /* There is always one stream, ::$DATA. */
1348 if (NT_STATUS_IS_OK(status) && num_streams > 1) {
1349 file_status &= ~NO_SUBSTREAMS;
1351 TALLOC_FREE(streams);
1352 SSVAL(p,2,file_status);
1355 SCVAL(p,0,fsp->fsp_flags.is_directory ? 1 : 0);
1357 if (flags & EXTENDED_RESPONSE_REQUIRED) {
1360 if (fsp->fsp_flags.is_directory ||
1361 fsp->fsp_flags.can_write ||
1362 can_write_to_fsp(fsp))
1364 perms = FILE_GENERIC_ALL;
1366 perms = FILE_GENERIC_READ|FILE_EXECUTE;
1371 DEBUG(5,("call_nt_transact_create: open name = %s\n",
1372 smb_fname_str_dbg(smb_fname)));
1374 /* Send the required number of replies */
1375 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len, *ppdata, 0);
1380 /****************************************************************************
1381 Reply to a NT CANCEL request.
1382 conn POINTER CAN BE NULL HERE !
1383 ****************************************************************************/
1385 void reply_ntcancel(struct smb_request *req)
1387 struct smbXsrv_connection *xconn = req->xconn;
1388 struct smbd_server_connection *sconn = req->sconn;
1392 * Go through and cancel any pending change notifies.
1395 START_PROFILE(SMBntcancel);
1396 smb1_srv_cancel_sign_response(xconn);
1397 found = remove_pending_change_notify_requests_by_mid(sconn, req->mid);
1399 smbd_smb1_brl_finish_by_mid(sconn, req->mid);
1402 DEBUG(3,("reply_ntcancel: cancel called on mid = %llu.\n",
1403 (unsigned long long)req->mid));
1405 END_PROFILE(SMBntcancel);
1409 /****************************************************************************
1410 Reply to a NT rename request.
1411 ****************************************************************************/
1413 void reply_ntrename(struct smb_request *req)
1415 connection_struct *conn = req->conn;
1416 struct files_struct *src_dirfsp = NULL;
1417 struct smb_filename *smb_fname_old = NULL;
1418 struct files_struct *dst_dirfsp = NULL;
1419 struct smb_filename *smb_fname_new = NULL;
1420 char *oldname = NULL;
1421 char *newname = NULL;
1422 const char *dst_original_lcomp = NULL;
1426 uint32_t ucf_flags_src = ucf_flags_from_smb_request(req);
1427 NTTIME src_twrp = 0;
1428 uint32_t ucf_flags_dst = ucf_flags_from_smb_request(req);
1429 NTTIME dst_twrp = 0;
1430 uint16_t rename_type;
1431 TALLOC_CTX *ctx = talloc_tos();
1432 bool stream_rename = false;
1434 START_PROFILE(SMBntrename);
1437 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1441 attrs = SVAL(req->vwv+0, 0);
1442 rename_type = SVAL(req->vwv+1, 0);
1444 p = (const char *)req->buf + 1;
1445 p += srvstr_get_path_req(ctx, req, &oldname, p, STR_TERMINATE,
1447 if (!NT_STATUS_IS_OK(status)) {
1448 reply_nterror(req, status);
1452 if (!req->posix_pathnames && ms_has_wild(oldname)) {
1453 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
1458 p += srvstr_get_path_req(ctx, req, &newname, p, STR_TERMINATE,
1460 if (!NT_STATUS_IS_OK(status)) {
1461 reply_nterror(req, status);
1465 if (!req->posix_pathnames && ms_has_wild(newname)) {
1466 reply_nterror(req, NT_STATUS_OBJECT_PATH_SYNTAX_BAD);
1470 if (!req->posix_pathnames) {
1471 /* The newname must begin with a ':' if the
1472 oldname contains a ':'. */
1473 if (strchr_m(oldname, ':')) {
1474 if (newname[0] != ':') {
1475 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1478 stream_rename = true;
1482 if (ucf_flags_src & UCF_GMT_PATHNAME) {
1483 extract_snapshot_token(oldname, &src_twrp);
1485 status = smb1_strip_dfs_path(ctx, &ucf_flags_src, &oldname);
1486 if (!NT_STATUS_IS_OK(status)) {
1487 reply_nterror(req, status);
1491 status = filename_convert_dirfsp(ctx,
1498 if (!NT_STATUS_IS_OK(status)) {
1499 if (NT_STATUS_EQUAL(status,
1500 NT_STATUS_PATH_NOT_COVERED)) {
1501 reply_botherror(req,
1502 NT_STATUS_PATH_NOT_COVERED,
1503 ERRSRV, ERRbadpath);
1506 reply_nterror(req, status);
1510 if (stream_rename) {
1512 * No point in calling filename_convert()
1513 * on a raw stream name. It can never find
1514 * the file anyway. Use the same logic as
1515 * SMB2_FILE_RENAME_INFORMATION_INTERNAL
1516 * and generate smb_fname_new directly.
1518 smb_fname_new = synthetic_smb_fname(talloc_tos(),
1519 smb_fname_old->base_name,
1522 smb_fname_old->twrp,
1523 smb_fname_old->flags);
1524 if (smb_fname_new == NULL) {
1525 reply_nterror(req, NT_STATUS_NO_MEMORY);
1529 if (ucf_flags_dst & UCF_GMT_PATHNAME) {
1530 extract_snapshot_token(newname,
1533 status = smb1_strip_dfs_path(ctx, &ucf_flags_dst, &newname);
1534 if (!NT_STATUS_IS_OK(status)) {
1535 reply_nterror(req, status);
1538 status = filename_convert_dirfsp(ctx,
1545 if (!NT_STATUS_IS_OK(status)) {
1546 if (NT_STATUS_EQUAL(status,
1547 NT_STATUS_PATH_NOT_COVERED)) {
1548 reply_botherror(req,
1549 NT_STATUS_PATH_NOT_COVERED,
1550 ERRSRV, ERRbadpath);
1553 reply_nterror(req, status);
1558 /* Get the last component of the destination for rename_internals(). */
1559 dst_original_lcomp = get_original_lcomp(ctx,
1563 if (dst_original_lcomp == NULL) {
1564 reply_nterror(req, NT_STATUS_NO_MEMORY);
1569 DEBUG(3,("reply_ntrename: %s -> %s\n",
1570 smb_fname_str_dbg(smb_fname_old),
1571 smb_fname_str_dbg(smb_fname_new)));
1573 switch(rename_type) {
1574 case RENAME_FLAG_RENAME:
1575 status = rename_internals(ctx,
1586 case RENAME_FLAG_HARD_LINK:
1587 status = hardlink_internals(ctx,
1594 case RENAME_FLAG_COPY:
1595 status = copy_internals(ctx,
1604 case RENAME_FLAG_MOVE_CLUSTER_INFORMATION:
1605 status = NT_STATUS_INVALID_PARAMETER;
1608 status = NT_STATUS_ACCESS_DENIED; /* Default error. */
1612 if (!NT_STATUS_IS_OK(status)) {
1613 if (open_was_deferred(req->xconn, req->mid)) {
1614 /* We have re-scheduled this call. */
1617 if (NT_STATUS_EQUAL(status, NT_STATUS_SHARING_VIOLATION)) {
1618 bool ok = defer_smb1_sharing_violation(req);
1624 reply_nterror(req, status);
1628 reply_smb1_outbuf(req, 0, 0);
1630 END_PROFILE(SMBntrename);
1634 /****************************************************************************
1635 Reply to a notify change - queue the request and
1636 don't allow a directory to be opened.
1637 ****************************************************************************/
1639 static void smbd_smb1_notify_reply(struct smb_request *req,
1640 NTSTATUS error_code,
1641 uint8_t *buf, size_t len)
1643 send_nt_replies(req->conn, req, error_code, (char *)buf, len, NULL, 0);
1646 static void call_nt_transact_notify_change(connection_struct *conn,
1647 struct smb_request *req,
1649 uint32_t setup_count,
1651 uint32_t parameter_count,
1652 char **ppdata, uint32_t data_count,
1653 uint32_t max_data_count,
1654 uint32_t max_param_count)
1656 uint16_t *setup = *ppsetup;
1662 if(setup_count < 6) {
1663 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1667 fsp = file_fsp(req, SVAL(setup,4));
1668 filter = IVAL(setup, 0);
1669 recursive = (SVAL(setup, 6) != 0) ? True : False;
1671 DEBUG(3,("call_nt_transact_notify_change\n"));
1674 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1679 char *filter_string;
1681 if (!(filter_string = notify_filter_string(NULL, filter))) {
1682 reply_nterror(req,NT_STATUS_NO_MEMORY);
1686 DEBUG(3,("call_nt_transact_notify_change: notify change "
1687 "called on %s, filter = %s, recursive = %d\n",
1688 fsp_str_dbg(fsp), filter_string, recursive));
1690 TALLOC_FREE(filter_string);
1693 if((!fsp->fsp_flags.is_directory) || (conn != fsp->conn)) {
1694 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1698 if (fsp->notify == NULL) {
1700 status = change_notify_create(fsp,
1704 if (!NT_STATUS_IS_OK(status)) {
1705 DEBUG(10, ("change_notify_create returned %s\n",
1706 nt_errstr(status)));
1707 reply_nterror(req, status);
1712 if (change_notify_fsp_has_changes(fsp)) {
1715 * We've got changes pending, respond immediately
1719 * TODO: write a torture test to check the filtering behaviour
1723 change_notify_reply(req,
1727 smbd_smb1_notify_reply);
1730 * change_notify_reply() above has independently sent its
1737 * No changes pending, queue the request
1740 status = change_notify_add_request(req,
1744 smbd_smb1_notify_reply);
1745 if (!NT_STATUS_IS_OK(status)) {
1746 reply_nterror(req, status);
1751 /****************************************************************************
1752 Reply to an NT transact rename command.
1753 ****************************************************************************/
1755 static void call_nt_transact_rename(connection_struct *conn,
1756 struct smb_request *req,
1757 uint16_t **ppsetup, uint32_t setup_count,
1758 char **ppparams, uint32_t parameter_count,
1759 char **ppdata, uint32_t data_count,
1760 uint32_t max_data_count)
1762 char *params = *ppparams;
1763 char *new_name = NULL;
1764 files_struct *fsp = NULL;
1766 TALLOC_CTX *ctx = talloc_tos();
1768 if(parameter_count < 5) {
1769 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1773 fsp = file_fsp(req, SVAL(params, 0));
1774 if (!check_fsp(conn, req, fsp)) {
1777 if (req->posix_pathnames) {
1778 srvstr_get_path_posix(ctx,
1783 parameter_count - 4,
1787 srvstr_get_path(ctx,
1792 parameter_count - 4,
1797 if (!NT_STATUS_IS_OK(status)) {
1798 reply_nterror(req, status);
1803 * W2K3 ignores this request as the RAW-RENAME test
1804 * demonstrates, so we do.
1806 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
1808 DEBUG(3,("nt transact rename from = %s, to = %s ignored!\n",
1809 fsp_str_dbg(fsp), new_name));
1814 /****************************************************************************
1815 SMB1 reply to query a security descriptor.
1816 ****************************************************************************/
1818 static void call_nt_transact_query_security_desc(connection_struct *conn,
1819 struct smb_request *req,
1821 uint32_t setup_count,
1823 uint32_t parameter_count,
1825 uint32_t data_count,
1826 uint32_t max_data_count)
1828 char *params = *ppparams;
1829 char *data = *ppdata;
1831 uint32_t security_info_wanted;
1832 files_struct *fsp = NULL;
1834 uint8_t *marshalled_sd = NULL;
1836 if(parameter_count < 8) {
1837 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1841 fsp = file_fsp(req, SVAL(params,0));
1843 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1847 security_info_wanted = IVAL(params,4);
1849 DEBUG(3,("call_nt_transact_query_security_desc: file = %s, "
1850 "info_wanted = 0x%x\n", fsp_str_dbg(fsp),
1851 (unsigned int)security_info_wanted));
1853 params = nttrans_realloc(ppparams, 4);
1854 if(params == NULL) {
1855 reply_nterror(req, NT_STATUS_NO_MEMORY);
1860 * Get the permissions to return.
1863 status = smbd_do_query_security_desc(conn,
1866 security_info_wanted &
1867 SMB_SUPPORTED_SECINFO_FLAGS,
1872 if (NT_STATUS_EQUAL(status, NT_STATUS_BUFFER_TOO_SMALL)) {
1873 SIVAL(params,0,(uint32_t)sd_size);
1874 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
1875 params, 4, NULL, 0);
1879 if (!NT_STATUS_IS_OK(status)) {
1880 reply_nterror(req, status);
1884 SMB_ASSERT(sd_size > 0);
1886 SIVAL(params,0,(uint32_t)sd_size);
1888 if (max_data_count < sd_size) {
1889 send_nt_replies(conn, req, NT_STATUS_BUFFER_TOO_SMALL,
1890 params, 4, NULL, 0);
1895 * Allocate the data we will return.
1898 data = nttrans_realloc(ppdata, sd_size);
1900 reply_nterror(req, NT_STATUS_NO_MEMORY);
1904 memcpy(data, marshalled_sd, sd_size);
1906 send_nt_replies(conn, req, NT_STATUS_OK, params, 4, data, (int)sd_size);
1911 /****************************************************************************
1912 Reply to set a security descriptor. Map to UNIX perms or POSIX ACLs.
1913 ****************************************************************************/
1915 static void call_nt_transact_set_security_desc(connection_struct *conn,
1916 struct smb_request *req,
1918 uint32_t setup_count,
1920 uint32_t parameter_count,
1922 uint32_t data_count,
1923 uint32_t max_data_count)
1925 char *params= *ppparams;
1926 char *data = *ppdata;
1927 files_struct *fsp = NULL;
1928 uint32_t security_info_sent = 0;
1931 if(parameter_count < 8) {
1932 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1936 if((fsp = file_fsp(req, SVAL(params,0))) == NULL) {
1937 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1941 if (!CAN_WRITE(fsp->conn)) {
1942 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1946 if(!lp_nt_acl_support(SNUM(conn))) {
1950 security_info_sent = IVAL(params,4);
1952 DEBUG(3,("call_nt_transact_set_security_desc: file = %s, sent 0x%x\n",
1953 fsp_str_dbg(fsp), (unsigned int)security_info_sent));
1955 if (data_count == 0) {
1956 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
1960 status = set_sd_blob(fsp, (uint8_t *)data, data_count,
1961 security_info_sent & SMB_SUPPORTED_SECINFO_FLAGS);
1962 if (!NT_STATUS_IS_OK(status)) {
1963 reply_nterror(req, status);
1968 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, NULL, 0);
1972 /****************************************************************************
1974 ****************************************************************************/
1976 static void call_nt_transact_ioctl(connection_struct *conn,
1977 struct smb_request *req,
1978 uint16_t **ppsetup, uint32_t setup_count,
1979 char **ppparams, uint32_t parameter_count,
1980 char **ppdata, uint32_t data_count,
1981 uint32_t max_data_count)
1989 char *out_data = NULL;
1990 uint32_t out_data_len = 0;
1991 char *pdata = *ppdata;
1992 TALLOC_CTX *ctx = talloc_tos();
1994 if (setup_count != 8) {
1995 DEBUG(3,("call_nt_transact_ioctl: invalid setup count %d\n", setup_count));
1996 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2000 function = IVAL(*ppsetup, 0);
2001 fidnum = SVAL(*ppsetup, 4);
2002 isFSctl = CVAL(*ppsetup, 6);
2003 compfilter = CVAL(*ppsetup, 7);
2005 DEBUG(10, ("call_nt_transact_ioctl: function[0x%08X] FID[0x%04X] isFSctl[0x%02X] compfilter[0x%02X]\n",
2006 function, fidnum, isFSctl, compfilter));
2008 fsp=file_fsp(req, fidnum);
2011 * We don't really implement IOCTLs, especially on files.
2014 DEBUG(10, ("isFSctl: 0x%02X indicates IOCTL, not FSCTL!\n",
2016 reply_nterror(req, NT_STATUS_NOT_SUPPORTED);
2020 /* Has to be for an open file! */
2021 if (!check_fsp_open(conn, req, fsp)) {
2026 * out_data might be allocated by the VFS module, but talloc should be
2027 * used, and should be cleaned up when the request ends.
2029 status = SMB_VFS_FSCTL(fsp,
2035 (uint8_t **)&out_data,
2038 if (!NT_STATUS_IS_OK(status)) {
2039 reply_nterror(req, status);
2041 send_nt_replies(conn, req, NT_STATUS_OK, NULL, 0, out_data, out_data_len);
2046 #ifdef HAVE_SYS_QUOTAS
2047 /****************************************************************************
2048 Reply to get user quota
2049 ****************************************************************************/
2051 static void call_nt_transact_get_user_quota(connection_struct *conn,
2052 struct smb_request *req,
2054 uint32_t setup_count,
2056 uint32_t parameter_count,
2058 uint32_t data_count,
2059 uint32_t max_data_count)
2061 const struct loadparm_substitution *lp_sub =
2062 loadparm_s3_global_substitution();
2063 NTSTATUS nt_status = NT_STATUS_OK;
2064 char *params = *ppparams;
2065 char *pdata = *ppdata;
2068 files_struct *fsp = NULL;
2069 DATA_BLOB blob = data_blob_null;
2070 struct nttrans_query_quota_params info = {0};
2071 enum ndr_err_code err;
2072 TALLOC_CTX *tmp_ctx = NULL;
2073 uint32_t resp_len = 0;
2074 uint8_t *resp_data = 0;
2076 tmp_ctx = talloc_init("ntquota_list");
2078 nt_status = NT_STATUS_NO_MEMORY;
2083 if (get_current_uid(conn) != sec_initial_uid()) {
2084 DEBUG(1,("get_user_quota: access_denied service [%s] user "
2085 "[%s]\n", lp_servicename(talloc_tos(), lp_sub, SNUM(conn)),
2086 conn->session_info->unix_info->unix_name));
2087 nt_status = NT_STATUS_ACCESS_DENIED;
2091 blob.data = (uint8_t*)params;
2092 blob.length = parameter_count;
2094 err = ndr_pull_struct_blob(&blob, tmp_ctx, &info,
2095 (ndr_pull_flags_fn_t)ndr_pull_nttrans_query_quota_params);
2097 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
2098 DEBUG(0,("TRANSACT_GET_USER_QUOTA: failed to pull "
2099 "query_quota_params.\n"));
2100 nt_status = NT_STATUS_INVALID_PARAMETER;
2103 DBG_DEBUG("info.return_single_entry = %u, info.restart_scan = %u, "
2104 "info.sid_list_length = %u, info.start_sid_length = %u, "
2105 "info.start_sid_offset = %u\n",
2106 (unsigned int)info.return_single_entry,
2107 (unsigned int)info.restart_scan,
2108 (unsigned int)info.sid_list_length,
2109 (unsigned int)info.start_sid_length,
2110 (unsigned int)info.start_sid_offset);
2112 /* set blob to point at data for further parsing */
2113 blob.data = (uint8_t*)pdata;
2114 blob.length = data_count;
2116 * Although MS-SMB ref is ambiguous here, a microsoft client will
2117 * only ever send a start sid (as part of a list) with
2118 * sid_list_length & start_sid_offset both set to the actual list
2119 * length. Note: Only a single result is returned in this case
2120 * In the case where either start_sid_offset or start_sid_length
2121 * are set alone or if both set (but have different values) then
2122 * it seems windows will return a number of entries from the start
2123 * of the list of users with quotas set. This behaviour is undocumented
2124 * and windows clients do not send messages of that type. As such we
2125 * currently will reject these requests.
2127 if (info.start_sid_length
2128 || (info.sid_list_length != info.start_sid_offset)) {
2129 DBG_ERR("TRANSACT_GET_USER_QUOTA: unsupported single or "
2130 "compound sid format\n");
2131 nt_status = NT_STATUS_INVALID_PARAMETER;
2135 /* maybe we can check the quota_fnum */
2136 fsp = file_fsp(req, info.fid);
2137 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2138 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2139 nt_status = NT_STATUS_INVALID_HANDLE;
2142 nt_status = smbd_do_query_getinfo_quota(tmp_ctx,
2145 info.return_single_entry,
2146 info.sid_list_length,
2151 if (!NT_STATUS_IS_OK(nt_status)) {
2152 if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_NO_MORE_ENTRIES)) {
2155 nt_status = NT_STATUS_OK;
2159 params = nttrans_realloc(ppparams, param_len);
2160 if(params == NULL) {
2161 nt_status = NT_STATUS_NO_MEMORY;
2165 data_len = resp_len;
2166 SIVAL(params, 0, data_len);
2167 pdata = nttrans_realloc(ppdata, data_len);
2168 memcpy(pdata, resp_data, data_len);
2170 TALLOC_FREE(tmp_ctx);
2171 send_nt_replies(conn, req, nt_status, params, param_len,
2175 TALLOC_FREE(tmp_ctx);
2176 reply_nterror(req, nt_status);
2179 /****************************************************************************
2180 Reply to set user quota
2181 ****************************************************************************/
2183 static void call_nt_transact_set_user_quota(connection_struct *conn,
2184 struct smb_request *req,
2186 uint32_t setup_count,
2188 uint32_t parameter_count,
2190 uint32_t data_count,
2191 uint32_t max_data_count)
2193 const struct loadparm_substitution *lp_sub =
2194 loadparm_s3_global_substitution();
2195 char *params = *ppparams;
2196 char *pdata = *ppdata;
2197 int data_len=0,param_len=0;
2198 SMB_NTQUOTA_STRUCT qt;
2199 struct file_quota_information info = {0};
2200 enum ndr_err_code err;
2203 files_struct *fsp = NULL;
2204 TALLOC_CTX *ctx = NULL;
2205 NTSTATUS status = NT_STATUS_OK;
2209 if (get_current_uid(conn) != sec_initial_uid()) {
2210 DEBUG(1,("set_user_quota: access_denied service [%s] user "
2211 "[%s]\n", lp_servicename(talloc_tos(), lp_sub, SNUM(conn)),
2212 conn->session_info->unix_info->unix_name));
2213 status = NT_STATUS_ACCESS_DENIED;
2218 * Ensure minimum number of parameters sent.
2221 if (parameter_count < 2) {
2222 DEBUG(0,("TRANSACT_SET_USER_QUOTA: requires %d >= 2 bytes parameters\n",parameter_count));
2223 status = NT_STATUS_INVALID_PARAMETER;
2227 /* maybe we can check the quota_fnum */
2228 fsp = file_fsp(req, SVAL(params,0));
2229 if (!check_fsp_ntquota_handle(conn, req, fsp)) {
2230 DEBUG(3,("TRANSACT_GET_USER_QUOTA: no valid QUOTA HANDLE\n"));
2231 status = NT_STATUS_INVALID_HANDLE;
2235 ctx = talloc_init("set_user_quota");
2237 status = NT_STATUS_NO_MEMORY;
2240 inblob.data = (uint8_t*)pdata;
2241 inblob.length = data_count;
2243 err = ndr_pull_struct_blob(
2247 (ndr_pull_flags_fn_t)ndr_pull_file_quota_information);
2249 if (!NDR_ERR_CODE_IS_SUCCESS(err)) {
2250 DEBUG(0,("TRANSACT_SET_USER_QUOTA: failed to pull "
2251 "file_quota_information\n"));
2252 status = NT_STATUS_INVALID_PARAMETER;
2255 qt.usedspace = info.quota_used;
2257 qt.softlim = info.quota_threshold;
2259 qt.hardlim = info.quota_limit;
2263 if (vfs_set_ntquota(fsp, SMB_USER_QUOTA_TYPE, &sid, &qt)!=0) {
2264 status = NT_STATUS_INTERNAL_ERROR;
2268 send_nt_replies(conn, req, NT_STATUS_OK, params, param_len,
2274 reply_nterror(req, status);
2276 #endif /* HAVE_SYS_QUOTAS */
2278 static void handle_nttrans(connection_struct *conn,
2279 struct trans_state *state,
2280 struct smb_request *req)
2282 struct smbXsrv_connection *xconn = req->xconn;
2284 if (xconn->protocol >= PROTOCOL_NT1) {
2285 req->flags2 |= 0x40; /* IS_LONG_NAME */
2286 SSVAL(discard_const_p(uint8_t, req->inbuf),smb_flg2,req->flags2);
2290 /* Now we must call the relevant NT_TRANS function */
2291 switch(state->call) {
2292 case NT_TRANSACT_CREATE:
2294 START_PROFILE(NT_transact_create);
2295 call_nt_transact_create(
2297 &state->setup, state->setup_count,
2298 &state->param, state->total_param,
2299 &state->data, state->total_data,
2300 state->max_data_return);
2301 END_PROFILE(NT_transact_create);
2305 case NT_TRANSACT_IOCTL:
2307 START_PROFILE(NT_transact_ioctl);
2308 call_nt_transact_ioctl(
2310 &state->setup, state->setup_count,
2311 &state->param, state->total_param,
2312 &state->data, state->total_data,
2313 state->max_data_return);
2314 END_PROFILE(NT_transact_ioctl);
2318 case NT_TRANSACT_SET_SECURITY_DESC:
2320 START_PROFILE(NT_transact_set_security_desc);
2321 call_nt_transact_set_security_desc(
2323 &state->setup, state->setup_count,
2324 &state->param, state->total_param,
2325 &state->data, state->total_data,
2326 state->max_data_return);
2327 END_PROFILE(NT_transact_set_security_desc);
2331 case NT_TRANSACT_NOTIFY_CHANGE:
2333 START_PROFILE(NT_transact_notify_change);
2334 call_nt_transact_notify_change(
2336 &state->setup, state->setup_count,
2337 &state->param, state->total_param,
2338 &state->data, state->total_data,
2339 state->max_data_return,
2340 state->max_param_return);
2341 END_PROFILE(NT_transact_notify_change);
2345 case NT_TRANSACT_RENAME:
2347 START_PROFILE(NT_transact_rename);
2348 call_nt_transact_rename(
2350 &state->setup, state->setup_count,
2351 &state->param, state->total_param,
2352 &state->data, state->total_data,
2353 state->max_data_return);
2354 END_PROFILE(NT_transact_rename);
2358 case NT_TRANSACT_QUERY_SECURITY_DESC:
2360 START_PROFILE(NT_transact_query_security_desc);
2361 call_nt_transact_query_security_desc(
2363 &state->setup, state->setup_count,
2364 &state->param, state->total_param,
2365 &state->data, state->total_data,
2366 state->max_data_return);
2367 END_PROFILE(NT_transact_query_security_desc);
2371 #ifdef HAVE_SYS_QUOTAS
2372 case NT_TRANSACT_GET_USER_QUOTA:
2374 START_PROFILE(NT_transact_get_user_quota);
2375 call_nt_transact_get_user_quota(
2377 &state->setup, state->setup_count,
2378 &state->param, state->total_param,
2379 &state->data, state->total_data,
2380 state->max_data_return);
2381 END_PROFILE(NT_transact_get_user_quota);
2385 case NT_TRANSACT_SET_USER_QUOTA:
2387 START_PROFILE(NT_transact_set_user_quota);
2388 call_nt_transact_set_user_quota(
2390 &state->setup, state->setup_count,
2391 &state->param, state->total_param,
2392 &state->data, state->total_data,
2393 state->max_data_return);
2394 END_PROFILE(NT_transact_set_user_quota);
2397 #endif /* HAVE_SYS_QUOTAS */
2400 /* Error in request */
2401 DEBUG(0,("handle_nttrans: Unknown request %d in "
2402 "nttrans call\n", state->call));
2403 reply_nterror(req, NT_STATUS_INVALID_LEVEL);
2409 /****************************************************************************
2410 Reply to a SMBNTtrans.
2411 ****************************************************************************/
2413 void reply_nttrans(struct smb_request *req)
2415 connection_struct *conn = req->conn;
2420 uint16_t function_code;
2422 struct trans_state *state;
2424 START_PROFILE(SMBnttrans);
2426 if (req->wct < 19) {
2427 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2428 END_PROFILE(SMBnttrans);
2432 pscnt = IVAL(req->vwv+9, 1);
2433 psoff = IVAL(req->vwv+11, 1);
2434 dscnt = IVAL(req->vwv+13, 1);
2435 dsoff = IVAL(req->vwv+15, 1);
2436 function_code = SVAL(req->vwv+18, 0);
2438 if (IS_IPC(conn) && (function_code != NT_TRANSACT_CREATE)) {
2439 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
2440 END_PROFILE(SMBnttrans);
2444 result = allow_new_trans(conn->pending_trans, req->mid);
2445 if (!NT_STATUS_IS_OK(result)) {
2446 DEBUG(2, ("Got invalid nttrans request: %s\n", nt_errstr(result)));
2447 reply_nterror(req, result);
2448 END_PROFILE(SMBnttrans);
2452 if ((state = talloc(conn, struct trans_state)) == NULL) {
2453 reply_nterror(req, NT_STATUS_NO_MEMORY);
2454 END_PROFILE(SMBnttrans);
2458 state->cmd = SMBnttrans;
2460 state->mid = req->mid;
2461 state->vuid = req->vuid;
2462 state->total_data = IVAL(req->vwv+3, 1);
2464 state->total_param = IVAL(req->vwv+1, 1);
2465 state->param = NULL;
2466 state->max_data_return = IVAL(req->vwv+7, 1);
2467 state->max_param_return = IVAL(req->vwv+5, 1);
2469 /* setup count is in *words* */
2470 state->setup_count = 2*CVAL(req->vwv+17, 1);
2471 state->setup = NULL;
2472 state->call = function_code;
2474 DEBUG(10, ("num_setup=%u, "
2475 "param_total=%u, this_param=%u, max_param=%u, "
2476 "data_total=%u, this_data=%u, max_data=%u, "
2477 "param_offset=%u, data_offset=%u\n",
2478 (unsigned)state->setup_count,
2479 (unsigned)state->total_param, (unsigned)pscnt,
2480 (unsigned)state->max_param_return,
2481 (unsigned)state->total_data, (unsigned)dscnt,
2482 (unsigned)state->max_data_return,
2483 (unsigned)psoff, (unsigned)dsoff));
2486 * All nttrans messages we handle have smb_wct == 19 +
2487 * state->setup_count. Ensure this is so as a sanity check.
2490 if(req->wct != 19 + (state->setup_count/2)) {
2491 DEBUG(2,("Invalid smb_wct %d in nttrans call (should be %d)\n",
2492 req->wct, 19 + (state->setup_count/2)));
2496 /* Don't allow more than 128mb for each value. */
2497 if ((state->total_data > (1024*1024*128)) ||
2498 (state->total_param > (1024*1024*128))) {
2499 reply_nterror(req, NT_STATUS_NO_MEMORY);
2500 END_PROFILE(SMBnttrans);
2504 if ((dscnt > state->total_data) || (pscnt > state->total_param))
2507 if (state->total_data) {
2509 if (smb_buffer_oob(state->total_data, 0, dscnt)
2510 || smb_buffer_oob(smb_len(req->inbuf), dsoff, dscnt)) {
2514 /* Can't use talloc here, the core routines do realloc on the
2515 * params and data. */
2516 if ((state->data = (char *)SMB_MALLOC(state->total_data)) == NULL) {
2517 DEBUG(0,("reply_nttrans: data malloc fail for %u "
2518 "bytes !\n", (unsigned int)state->total_data));
2520 reply_nterror(req, NT_STATUS_NO_MEMORY);
2521 END_PROFILE(SMBnttrans);
2525 memcpy(state->data,smb_base(req->inbuf)+dsoff,dscnt);
2528 if (state->total_param) {
2530 if (smb_buffer_oob(state->total_param, 0, pscnt)
2531 || smb_buffer_oob(smb_len(req->inbuf), psoff, pscnt)) {
2535 /* Can't use talloc here, the core routines do realloc on the
2536 * params and data. */
2537 if ((state->param = (char *)SMB_MALLOC(state->total_param)) == NULL) {
2538 DEBUG(0,("reply_nttrans: param malloc fail for %u "
2539 "bytes !\n", (unsigned int)state->total_param));
2540 SAFE_FREE(state->data);
2542 reply_nterror(req, NT_STATUS_NO_MEMORY);
2543 END_PROFILE(SMBnttrans);
2547 memcpy(state->param,smb_base(req->inbuf)+psoff,pscnt);
2550 state->received_data = dscnt;
2551 state->received_param = pscnt;
2553 if(state->setup_count > 0) {
2554 DEBUG(10,("reply_nttrans: state->setup_count = %d\n",
2555 state->setup_count));
2558 * No overflow possible here, state->setup_count is an
2559 * unsigned int, being filled by a single byte from
2560 * CVAL(req->vwv+13, 0) above. The cast in the comparison
2561 * below is not necessary, it's here to clarify things. The
2562 * validity of req->vwv and req->wct has been checked in
2563 * init_smb1_request already.
2565 if ((state->setup_count/2) + 19 > (unsigned int)req->wct) {
2569 state->setup = (uint16_t *)TALLOC(state, state->setup_count);
2570 if (state->setup == NULL) {
2571 DEBUG(0,("reply_nttrans : Out of memory\n"));
2572 SAFE_FREE(state->data);
2573 SAFE_FREE(state->param);
2575 reply_nterror(req, NT_STATUS_NO_MEMORY);
2576 END_PROFILE(SMBnttrans);
2580 memcpy(state->setup, req->vwv+19, state->setup_count);
2581 dump_data(10, (uint8_t *)state->setup, state->setup_count);
2584 if ((state->received_data == state->total_data) &&
2585 (state->received_param == state->total_param)) {
2586 handle_nttrans(conn, state, req);
2587 SAFE_FREE(state->param);
2588 SAFE_FREE(state->data);
2590 END_PROFILE(SMBnttrans);
2594 DLIST_ADD(conn->pending_trans, state);
2596 /* We need to send an interim response then receive the rest
2597 of the parameter/data bytes */
2598 reply_smb1_outbuf(req, 0, 0);
2599 show_msg((char *)req->outbuf);
2600 END_PROFILE(SMBnttrans);
2605 DEBUG(0,("reply_nttrans: invalid trans parameters\n"));
2606 SAFE_FREE(state->data);
2607 SAFE_FREE(state->param);
2609 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2610 END_PROFILE(SMBnttrans);
2614 /****************************************************************************
2615 Reply to a SMBnttranss
2616 ****************************************************************************/
2618 void reply_nttranss(struct smb_request *req)
2620 connection_struct *conn = req->conn;
2621 uint32_t pcnt,poff,dcnt,doff,pdisp,ddisp;
2622 struct trans_state *state;
2624 START_PROFILE(SMBnttranss);
2626 show_msg((const char *)req->inbuf);
2628 /* Windows clients expect all replies to
2629 an NT transact secondary (SMBnttranss 0xA1)
2630 to have a command code of NT transact
2631 (SMBnttrans 0xA0). See bug #8989 for details. */
2632 req->cmd = SMBnttrans;
2634 if (req->wct < 18) {
2635 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2636 END_PROFILE(SMBnttranss);
2640 for (state = conn->pending_trans; state != NULL;
2641 state = state->next) {
2642 if (state->mid == req->mid) {
2647 if ((state == NULL) || (state->cmd != SMBnttrans)) {
2648 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2649 END_PROFILE(SMBnttranss);
2653 /* Revise state->total_param and state->total_data in case they have
2654 changed downwards */
2655 if (IVAL(req->vwv+1, 1) < state->total_param) {
2656 state->total_param = IVAL(req->vwv+1, 1);
2658 if (IVAL(req->vwv+3, 1) < state->total_data) {
2659 state->total_data = IVAL(req->vwv+3, 1);
2662 pcnt = IVAL(req->vwv+5, 1);
2663 poff = IVAL(req->vwv+7, 1);
2664 pdisp = IVAL(req->vwv+9, 1);
2666 dcnt = IVAL(req->vwv+11, 1);
2667 doff = IVAL(req->vwv+13, 1);
2668 ddisp = IVAL(req->vwv+15, 1);
2670 state->received_param += pcnt;
2671 state->received_data += dcnt;
2673 if ((state->received_data > state->total_data) ||
2674 (state->received_param > state->total_param))
2678 if (smb_buffer_oob(state->total_param, pdisp, pcnt)
2679 || smb_buffer_oob(smb_len(req->inbuf), poff, pcnt)) {
2682 memcpy(state->param+pdisp, smb_base(req->inbuf)+poff,pcnt);
2686 if (smb_buffer_oob(state->total_data, ddisp, dcnt)
2687 || smb_buffer_oob(smb_len(req->inbuf), doff, dcnt)) {
2690 memcpy(state->data+ddisp, smb_base(req->inbuf)+doff,dcnt);
2693 if ((state->received_param < state->total_param) ||
2694 (state->received_data < state->total_data)) {
2695 END_PROFILE(SMBnttranss);
2699 handle_nttrans(conn, state, req);
2701 DLIST_REMOVE(conn->pending_trans, state);
2702 SAFE_FREE(state->data);
2703 SAFE_FREE(state->param);
2705 END_PROFILE(SMBnttranss);
2710 DEBUG(0,("reply_nttranss: invalid trans parameters\n"));
2711 DLIST_REMOVE(conn->pending_trans, state);
2712 SAFE_FREE(state->data);
2713 SAFE_FREE(state->param);
2715 reply_nterror(req, NT_STATUS_INVALID_PARAMETER);
2716 END_PROFILE(SMBnttranss);