2 Unix SMB/CIFS implementation.
5 Copyright (C) Stefan Metzmacher 2009
7 This program is free software; you can redistribute it and/or modify
8 it under the terms of the GNU General Public License as published by
9 the Free Software Foundation; either version 3 of the License, or
10 (at your option) any later version.
12 This program is distributed in the hope that it will be useful,
13 but WITHOUT ANY WARRANTY; without even the implied warranty of
14 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
15 GNU General Public License for more details.
17 You should have received a copy of the GNU General Public License
18 along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #include "smbd/smbd.h"
23 #include "smbd/globals.h"
24 #include "../libcli/smb/smb_common.h"
25 #include "../lib/util/tevent_ntstatus.h"
27 static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx,
28 struct tevent_context *ev,
29 struct smbd_smb2_request *smb2req,
31 uint64_t in_file_id_volatile,
33 uint32_t in_max_output,
35 static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
37 DATA_BLOB *out_output);
39 static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq);
40 NTSTATUS smbd_smb2_request_process_ioctl(struct smbd_smb2_request *req)
43 const uint8_t *inbody;
44 int i = req->current_idx;
45 size_t expected_body_size = 0x39;
48 uint64_t in_file_id_persistent;
49 uint64_t in_file_id_volatile;
50 uint32_t in_input_offset;
51 uint32_t in_input_length;
52 DATA_BLOB in_input_buffer;
53 uint32_t in_max_output_length;
55 struct tevent_req *subreq;
57 inhdr = (const uint8_t *)req->in.vector[i+0].iov_base;
58 if (req->in.vector[i+1].iov_len != (expected_body_size & 0xFFFFFFFE)) {
59 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
62 inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
64 body_size = SVAL(inbody, 0x00);
65 if (body_size != expected_body_size) {
66 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
69 in_ctl_code = IVAL(inbody, 0x04);
70 in_file_id_persistent = BVAL(inbody, 0x08);
71 in_file_id_volatile = BVAL(inbody, 0x10);
72 in_input_offset = IVAL(inbody, 0x18);
73 in_input_length = IVAL(inbody, 0x1C);
74 in_max_output_length = IVAL(inbody, 0x2C);
75 in_flags = IVAL(inbody, 0x30);
77 if (in_input_offset != (SMB2_HDR_BODY + (body_size & 0xFFFFFFFE))) {
78 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
81 if (in_input_length > req->in.vector[i+2].iov_len) {
82 return smbd_smb2_request_error(req, NT_STATUS_INVALID_PARAMETER);
85 in_input_buffer.data = (uint8_t *)req->in.vector[i+2].iov_base;
86 in_input_buffer.length = in_input_length;
88 if (req->compat_chain_fsp) {
90 } else if (in_file_id_persistent == UINT64_MAX &&
91 in_file_id_volatile == UINT64_MAX) {
92 /* without a handle */
93 } else if (in_file_id_persistent != in_file_id_volatile) {
94 return smbd_smb2_request_error(req, NT_STATUS_FILE_CLOSED);
97 subreq = smbd_smb2_ioctl_send(req,
98 req->sconn->smb2.event_ctx,
103 in_max_output_length,
105 if (subreq == NULL) {
106 return smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
108 tevent_req_set_callback(subreq, smbd_smb2_request_ioctl_done, req);
110 return smbd_smb2_request_pending_queue(req, subreq);
113 static void smbd_smb2_request_ioctl_done(struct tevent_req *subreq)
115 struct smbd_smb2_request *req = tevent_req_callback_data(subreq,
116 struct smbd_smb2_request);
117 const uint8_t *inbody;
118 int i = req->current_idx;
122 uint32_t in_ctl_code;
123 uint64_t in_file_id_persistent;
124 uint64_t in_file_id_volatile;
125 uint32_t out_input_offset;
126 uint32_t out_output_offset;
127 DATA_BLOB out_output_buffer = data_blob_null;
129 NTSTATUS error; /* transport error */
131 status = smbd_smb2_ioctl_recv(subreq, req, &out_output_buffer);
133 DEBUG(10,("smbd_smb2_request_ioctl_done: smbd_smb2_ioctl_recv returned "
135 (unsigned int)out_output_buffer.length,
136 nt_errstr(status) ));
139 if (NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
141 } else if (!NT_STATUS_IS_OK(status)) {
142 error = smbd_smb2_request_error(req, status);
143 if (!NT_STATUS_IS_OK(error)) {
144 smbd_server_connection_terminate(req->sconn,
151 out_input_offset = SMB2_HDR_BODY + 0x30;
152 out_output_offset = SMB2_HDR_BODY + 0x30;
154 inbody = (const uint8_t *)req->in.vector[i+1].iov_base;
156 in_ctl_code = IVAL(inbody, 0x04);
157 in_file_id_persistent = BVAL(inbody, 0x08);
158 in_file_id_volatile = BVAL(inbody, 0x10);
160 outhdr = (uint8_t *)req->out.vector[i].iov_base;
162 outbody = data_blob_talloc(req->out.vector, NULL, 0x30);
163 if (outbody.data == NULL) {
164 error = smbd_smb2_request_error(req, NT_STATUS_NO_MEMORY);
165 if (!NT_STATUS_IS_OK(error)) {
166 smbd_server_connection_terminate(req->sconn,
173 SSVAL(outbody.data, 0x00, 0x30 + 1); /* struct size */
174 SSVAL(outbody.data, 0x02, 0); /* reserved */
175 SIVAL(outbody.data, 0x04,
176 in_ctl_code); /* ctl code */
177 SBVAL(outbody.data, 0x08,
178 in_file_id_persistent); /* file id (persistent) */
179 SBVAL(outbody.data, 0x10,
180 in_file_id_volatile); /* file id (volatile) */
181 SIVAL(outbody.data, 0x18,
182 out_input_offset); /* input offset */
183 SIVAL(outbody.data, 0x1C, 0); /* input count */
184 SIVAL(outbody.data, 0x20,
185 out_output_offset); /* output offset */
186 SIVAL(outbody.data, 0x24,
187 out_output_buffer.length); /* output count */
188 SIVAL(outbody.data, 0x28, 0); /* flags */
189 SIVAL(outbody.data, 0x2C, 0); /* reserved */
192 * Note: Windows Vista and 2008 send back also the
193 * input from the request. But it was fixed in
196 outdyn = out_output_buffer;
198 error = smbd_smb2_request_done_ex(req, status, outbody, &outdyn,
200 if (!NT_STATUS_IS_OK(error)) {
201 smbd_server_connection_terminate(req->sconn,
207 struct smbd_smb2_ioctl_state {
208 struct smbd_smb2_request *smb2req;
209 struct smb_request *smbreq;
212 uint32_t in_max_output;
213 DATA_BLOB out_output;
216 static void smbd_smb2_ioctl_pipe_write_done(struct tevent_req *subreq);
217 static void smbd_smb2_ioctl_pipe_read_done(struct tevent_req *subreq);
219 static struct tevent_req *smbd_smb2_ioctl_send(TALLOC_CTX *mem_ctx,
220 struct tevent_context *ev,
221 struct smbd_smb2_request *smb2req,
222 uint32_t in_ctl_code,
223 uint64_t in_file_id_volatile,
225 uint32_t in_max_output,
228 struct tevent_req *req;
229 struct smbd_smb2_ioctl_state *state;
230 struct smb_request *smbreq;
231 files_struct *fsp = NULL;
232 struct tevent_req *subreq;
234 req = tevent_req_create(mem_ctx, &state,
235 struct smbd_smb2_ioctl_state);
239 state->smb2req = smb2req;
240 state->smbreq = NULL;
242 state->in_input = in_input;
243 state->in_max_output = in_max_output;
244 state->out_output = data_blob_null;
246 DEBUG(10,("smbd_smb2_ioctl: file_id[0x%016llX]\n",
247 (unsigned long long)in_file_id_volatile));
249 smbreq = smbd_smb2_fake_smb_request(smb2req);
250 if (tevent_req_nomem(smbreq, req)) {
251 return tevent_req_post(req, ev);
253 state->smbreq = smbreq;
255 if (in_file_id_volatile != UINT64_MAX) {
256 fsp = file_fsp(smbreq, (uint16_t)in_file_id_volatile);
258 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
259 return tevent_req_post(req, ev);
261 if (smbreq->conn != fsp->conn) {
262 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
263 return tevent_req_post(req, ev);
265 if (smb2req->session->vuid != fsp->vuid) {
266 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
267 return tevent_req_post(req, ev);
272 switch (in_ctl_code) {
273 case 0x00060194: /* FSCTL_DFS_GET_REFERRALS */
275 uint16_t in_max_referral_level;
276 DATA_BLOB in_file_name_buffer;
277 char *in_file_name_string;
278 size_t in_file_name_string_size;
280 bool overflow = false;
283 char *dfs_data = NULL;
285 if (!IS_IPC(smbreq->conn)) {
286 tevent_req_nterror(req, NT_STATUS_INVALID_DEVICE_REQUEST);
287 return tevent_req_post(req, ev);
290 if (!lp_host_msdfs()) {
291 tevent_req_nterror(req, NT_STATUS_FS_DRIVER_REQUIRED);
292 return tevent_req_post(req, ev);
295 if (in_input.length < (2 + 2)) {
296 tevent_req_nterror(req, NT_STATUS_INVALID_PARAMETER);
297 return tevent_req_post(req, ev);
300 in_max_referral_level = SVAL(in_input.data, 0);
301 in_file_name_buffer.data = in_input.data + 2;
302 in_file_name_buffer.length = in_input.length - 2;
304 ok = convert_string_talloc(state, CH_UTF16, CH_UNIX,
305 in_file_name_buffer.data,
306 in_file_name_buffer.length,
307 &in_file_name_string,
308 &in_file_name_string_size);
310 tevent_req_nterror(req, NT_STATUS_ILLEGAL_CHARACTER);
311 return tevent_req_post(req, ev);
314 dfs_size = setup_dfs_referral(smbreq->conn,
316 in_max_referral_level,
319 tevent_req_nterror(req, status);
320 return tevent_req_post(req, ev);
323 if (dfs_size > in_max_output) {
325 * TODO: we need a testsuite for this
328 dfs_size = in_max_output;
331 state->out_output = data_blob_talloc(state,
336 tevent_req_nomem(state->out_output.data, req)) {
337 return tevent_req_post(req, ev);
341 tevent_req_nterror(req, STATUS_BUFFER_OVERFLOW);
343 tevent_req_done(req);
345 return tevent_req_post(req, ev);
347 case 0x0011C017: /* FSCTL_PIPE_TRANSCEIVE */
349 if (!IS_IPC(smbreq->conn)) {
350 tevent_req_nterror(req, NT_STATUS_NOT_SUPPORTED);
351 return tevent_req_post(req, ev);
355 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
356 return tevent_req_post(req, ev);
359 if (!fsp_is_np(fsp)) {
360 tevent_req_nterror(req, NT_STATUS_FILE_CLOSED);
361 return tevent_req_post(req, ev);
364 DEBUG(10,("smbd_smb2_ioctl_send: np_write_send of size %u\n",
365 (unsigned int)in_input.length ));
367 subreq = np_write_send(state, ev,
368 fsp->fake_file_handle,
371 if (tevent_req_nomem(subreq, req)) {
372 return tevent_req_post(req, ev);
374 tevent_req_set_callback(subreq,
375 smbd_smb2_ioctl_pipe_write_done,
380 if (IS_IPC(smbreq->conn)) {
381 tevent_req_nterror(req, NT_STATUS_FS_DRIVER_REQUIRED);
382 return tevent_req_post(req, ev);
384 tevent_req_nterror(req, NT_STATUS_INVALID_DEVICE_REQUEST);
385 return tevent_req_post(req, ev);
388 tevent_req_nterror(req, NT_STATUS_INTERNAL_ERROR);
389 return tevent_req_post(req, ev);
392 static void smbd_smb2_ioctl_pipe_write_done(struct tevent_req *subreq)
394 struct tevent_req *req = tevent_req_callback_data(subreq,
396 struct smbd_smb2_ioctl_state *state = tevent_req_data(req,
397 struct smbd_smb2_ioctl_state);
399 ssize_t nwritten = -1;
401 status = np_write_recv(subreq, &nwritten);
403 DEBUG(10,("smbd_smb2_ioctl_pipe_write_done: received %ld\n",
404 (long int)nwritten ));
407 if (!NT_STATUS_IS_OK(status)) {
408 tevent_req_nterror(req, status);
412 if (nwritten != state->in_input.length) {
413 tevent_req_nterror(req, NT_STATUS_PIPE_NOT_AVAILABLE);
417 state->out_output = data_blob_talloc(state, NULL, state->in_max_output);
418 if (state->in_max_output > 0 &&
419 tevent_req_nomem(state->out_output.data, req)) {
423 DEBUG(10,("smbd_smb2_ioctl_pipe_write_done: issuing np_read_send "
425 (unsigned int)state->out_output.length ));
428 subreq = np_read_send(state->smbreq->conn,
429 state->smb2req->sconn->smb2.event_ctx,
430 state->fsp->fake_file_handle,
431 state->out_output.data,
432 state->out_output.length);
433 if (tevent_req_nomem(subreq, req)) {
436 tevent_req_set_callback(subreq, smbd_smb2_ioctl_pipe_read_done, req);
439 static void smbd_smb2_ioctl_pipe_read_done(struct tevent_req *subreq)
441 struct tevent_req *req = tevent_req_callback_data(subreq,
443 struct smbd_smb2_ioctl_state *state = tevent_req_data(req,
444 struct smbd_smb2_ioctl_state);
447 bool is_data_outstanding = false;
449 status = np_read_recv(subreq, &nread, &is_data_outstanding);
451 DEBUG(10,("smbd_smb2_ioctl_pipe_read_done: np_read_recv nread = %d "
452 "is_data_outstanding = %d, status = %s\n",
454 (int)is_data_outstanding,
455 nt_errstr(status) ));
458 if (!NT_STATUS_IS_OK(status)) {
459 tevent_req_nterror(req, status);
463 state->out_output.length = nread;
465 tevent_req_done(req);
468 static NTSTATUS smbd_smb2_ioctl_recv(struct tevent_req *req,
470 DATA_BLOB *out_output)
472 NTSTATUS status = NT_STATUS_OK;
473 struct smbd_smb2_ioctl_state *state = tevent_req_data(req,
474 struct smbd_smb2_ioctl_state);
476 if (tevent_req_is_nterror(req, &status)) {
477 if (!NT_STATUS_EQUAL(status, STATUS_BUFFER_OVERFLOW)) {
478 tevent_req_received(req);
483 *out_output = state->out_output;
484 talloc_steal(mem_ctx, out_output->data);
486 tevent_req_received(req);