s3:smbd make yp cache local.
[idra/samba.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23 #include "../librpc/gen_ndr/srv_dfs.h"
24 #include "../librpc/gen_ndr/srv_dssetup.h"
25 #include "../librpc/gen_ndr/srv_echo.h"
26 #include "../librpc/gen_ndr/srv_eventlog.h"
27 #include "../librpc/gen_ndr/srv_initshutdown.h"
28 #include "../librpc/gen_ndr/srv_lsa.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_ntsvcs.h"
31 #include "../librpc/gen_ndr/srv_samr.h"
32 #include "../librpc/gen_ndr/srv_spoolss.h"
33 #include "../librpc/gen_ndr/srv_srvsvc.h"
34 #include "../librpc/gen_ndr/srv_svcctl.h"
35 #include "../librpc/gen_ndr/srv_winreg.h"
36 #include "../librpc/gen_ndr/srv_wkssvc.h"
37 #include "librpc/gen_ndr/messaging.h"
38
39 extern bool global_machine_password_needs_changing;
40
41 static void construct_reply_common(struct smb_request *req, const char *inbuf,
42                                    char *outbuf);
43 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid);
44
45 static bool smbd_lock_socket_internal(struct smbd_server_connection *sconn)
46 {
47         bool ok;
48
49         if (smbd_server_conn->smb1.echo_handler.socket_lock_fd == -1) {
50                 return true;
51         }
52
53         smbd_server_conn->smb1.echo_handler.ref_count++;
54
55         if (smbd_server_conn->smb1.echo_handler.ref_count > 1) {
56                 return true;
57         }
58
59         DEBUG(10,("pid[%d] wait for socket lock\n", (int)sys_getpid()));
60
61         ok = fcntl_lock(smbd_server_conn->smb1.echo_handler.socket_lock_fd,
62                         SMB_F_SETLKW, 0, 0, F_WRLCK);
63         if (!ok) {
64                 return false;
65         }
66
67         DEBUG(10,("pid[%d] got for socket lock\n", (int)sys_getpid()));
68
69         return true;
70 }
71
72 void smbd_lock_socket(struct smbd_server_connection *sconn)
73 {
74         if (!smbd_lock_socket_internal(sconn)) {
75                 exit_server_cleanly("failed to lock socket");
76         }
77 }
78
79 static bool smbd_unlock_socket_internal(struct smbd_server_connection *sconn)
80 {
81         bool ok;
82
83         if (smbd_server_conn->smb1.echo_handler.socket_lock_fd == -1) {
84                 return true;
85         }
86
87         smbd_server_conn->smb1.echo_handler.ref_count--;
88
89         if (smbd_server_conn->smb1.echo_handler.ref_count > 0) {
90                 return true;
91         }
92
93         ok = fcntl_lock(smbd_server_conn->smb1.echo_handler.socket_lock_fd,
94                         SMB_F_SETLKW, 0, 0, F_UNLCK);
95         if (!ok) {
96                 return false;
97         }
98
99         DEBUG(10,("pid[%d] unlocked socket\n", (int)sys_getpid()));
100
101         return true;
102 }
103
104 void smbd_unlock_socket(struct smbd_server_connection *sconn)
105 {
106         if (!smbd_unlock_socket_internal(sconn)) {
107                 exit_server_cleanly("failed to unlock socket");
108         }
109 }
110
111 /* Accessor function for smb_read_error for smbd functions. */
112
113 /****************************************************************************
114  Send an smb to a fd.
115 ****************************************************************************/
116
117 bool srv_send_smb(int fd, char *buffer,
118                   bool do_signing, uint32_t seqnum,
119                   bool do_encrypt,
120                   struct smb_perfcount_data *pcd)
121 {
122         size_t len = 0;
123         size_t nwritten=0;
124         ssize_t ret;
125         char *buf_out = buffer;
126
127         smbd_lock_socket(smbd_server_conn);
128
129         if (do_signing) {
130                 /* Sign the outgoing packet if required. */
131                 srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
132         }
133
134         if (do_encrypt) {
135                 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
136                 if (!NT_STATUS_IS_OK(status)) {
137                         DEBUG(0, ("send_smb: SMB encryption failed "
138                                 "on outgoing packet! Error %s\n",
139                                 nt_errstr(status) ));
140                         goto out;
141                 }
142         }
143
144         len = smb_len(buf_out) + 4;
145
146         ret = write_data(fd,buf_out+nwritten,len - nwritten);
147         if (ret <= 0) {
148                 DEBUG(0,("pid[%d] Error writing %d bytes to client. %d. (%s)\n",
149                         (int)sys_getpid(), (int)len,(int)ret, strerror(errno) ));
150                 srv_free_enc_buffer(buf_out);
151                 goto out;
152         }
153
154         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
155         srv_free_enc_buffer(buf_out);
156 out:
157         SMB_PERFCOUNT_END(pcd);
158
159         smbd_unlock_socket(smbd_server_conn);
160         return true;
161 }
162
163 /*******************************************************************
164  Setup the word count and byte count for a smb message.
165 ********************************************************************/
166
167 int srv_set_message(char *buf,
168                         int num_words,
169                         int num_bytes,
170                         bool zero)
171 {
172         if (zero && (num_words || num_bytes)) {
173                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
174         }
175         SCVAL(buf,smb_wct,num_words);
176         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
177         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
178         return (smb_size + num_words*2 + num_bytes);
179 }
180
181 static bool valid_smb_header(const uint8_t *inbuf)
182 {
183         if (is_encrypted_packet(inbuf)) {
184                 return true;
185         }
186         /*
187          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
188          * but it just looks weird to call strncmp for this one.
189          */
190         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
191 }
192
193 /* Socket functions for smbd packet processing. */
194
195 static bool valid_packet_size(size_t len)
196 {
197         /*
198          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
199          * of header. Don't print the error if this fits.... JRA.
200          */
201
202         if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
203                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
204                                         (unsigned long)len));
205                 return false;
206         }
207         return true;
208 }
209
210 static NTSTATUS read_packet_remainder(int fd, char *buffer,
211                                       unsigned int timeout, ssize_t len)
212 {
213         if (len <= 0) {
214                 return NT_STATUS_OK;
215         }
216
217         return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
218 }
219
220 /****************************************************************************
221  Attempt a zerocopy writeX read. We know here that len > smb_size-4
222 ****************************************************************************/
223
224 /*
225  * Unfortunately, earlier versions of smbclient/libsmbclient
226  * don't send this "standard" writeX header. I've fixed this
227  * for 3.2 but we'll use the old method with earlier versions.
228  * Windows and CIFSFS at least use this standard size. Not
229  * sure about MacOSX.
230  */
231
232 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
233                                 (2*14) + /* word count (including bcc) */ \
234                                 1 /* pad byte */)
235
236 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
237                                                     const char lenbuf[4],
238                                                     int fd, char **buffer,
239                                                     unsigned int timeout,
240                                                     size_t *p_unread,
241                                                     size_t *len_ret)
242 {
243         /* Size of a WRITEX call (+4 byte len). */
244         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
245         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
246         ssize_t toread;
247         NTSTATUS status;
248
249         memcpy(writeX_header, lenbuf, 4);
250
251         status = read_fd_with_timeout(
252                 fd, writeX_header + 4,
253                 STANDARD_WRITE_AND_X_HEADER_SIZE,
254                 STANDARD_WRITE_AND_X_HEADER_SIZE,
255                 timeout, NULL);
256
257         if (!NT_STATUS_IS_OK(status)) {
258                 return status;
259         }
260
261         /*
262          * Ok - now try and see if this is a possible
263          * valid writeX call.
264          */
265
266         if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
267                 /*
268                  * If the data offset is beyond what
269                  * we've read, drain the extra bytes.
270                  */
271                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
272                 ssize_t newlen;
273
274                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
275                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
276                         if (drain_socket(smbd_server_fd(), drain) != drain) {
277                                 smb_panic("receive_smb_raw_talloc_partial_read:"
278                                         " failed to drain pending bytes");
279                         }
280                 } else {
281                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
282                 }
283
284                 /* Spoof down the length and null out the bcc. */
285                 set_message_bcc(writeX_header, 0);
286                 newlen = smb_len(writeX_header);
287
288                 /* Copy the header we've written. */
289
290                 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
291                                 writeX_header,
292                                 sizeof(writeX_header));
293
294                 if (*buffer == NULL) {
295                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
296                                   (int)sizeof(writeX_header)));
297                         return NT_STATUS_NO_MEMORY;
298                 }
299
300                 /* Work out the remaining bytes. */
301                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
302                 *len_ret = newlen + 4;
303                 return NT_STATUS_OK;
304         }
305
306         if (!valid_packet_size(len)) {
307                 return NT_STATUS_INVALID_PARAMETER;
308         }
309
310         /*
311          * Not a valid writeX call. Just do the standard
312          * talloc and return.
313          */
314
315         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
316
317         if (*buffer == NULL) {
318                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
319                           (int)len+4));
320                 return NT_STATUS_NO_MEMORY;
321         }
322
323         /* Copy in what we already read. */
324         memcpy(*buffer,
325                 writeX_header,
326                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
327         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
328
329         if(toread > 0) {
330                 status = read_packet_remainder(
331                         fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
332                         timeout, toread);
333
334                 if (!NT_STATUS_IS_OK(status)) {
335                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
336                                    nt_errstr(status)));
337                         return status;
338                 }
339         }
340
341         *len_ret = len + 4;
342         return NT_STATUS_OK;
343 }
344
345 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
346                                        char **buffer, unsigned int timeout,
347                                        size_t *p_unread, size_t *plen)
348 {
349         char lenbuf[4];
350         size_t len;
351         int min_recv_size = lp_min_receive_file_size();
352         NTSTATUS status;
353
354         *p_unread = 0;
355
356         status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
357         if (!NT_STATUS_IS_OK(status)) {
358                 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
359                 return status;
360         }
361
362         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
363             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
364                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
365             !srv_is_signing_active(smbd_server_conn) &&
366             smbd_server_conn->smb1.echo_handler.trusted_fde == NULL) {
367
368                 return receive_smb_raw_talloc_partial_read(
369                         mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
370         }
371
372         if (!valid_packet_size(len)) {
373                 return NT_STATUS_INVALID_PARAMETER;
374         }
375
376         /*
377          * The +4 here can't wrap, we've checked the length above already.
378          */
379
380         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
381
382         if (*buffer == NULL) {
383                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
384                           (int)len+4));
385                 return NT_STATUS_NO_MEMORY;
386         }
387
388         memcpy(*buffer, lenbuf, sizeof(lenbuf));
389
390         status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
391         if (!NT_STATUS_IS_OK(status)) {
392                 return status;
393         }
394
395         *plen = len + 4;
396         return NT_STATUS_OK;
397 }
398
399 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
400                                    char **buffer, unsigned int timeout,
401                                    size_t *p_unread, bool *p_encrypted,
402                                    size_t *p_len,
403                                    uint32_t *seqnum,
404                                    bool trusted_channel)
405 {
406         size_t len = 0;
407         NTSTATUS status;
408
409         *p_encrypted = false;
410
411         status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
412                                         p_unread, &len);
413         if (!NT_STATUS_IS_OK(status)) {
414                 return status;
415         }
416
417         if (is_encrypted_packet((uint8_t *)*buffer)) {
418                 status = srv_decrypt_buffer(*buffer);
419                 if (!NT_STATUS_IS_OK(status)) {
420                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
421                                 "incoming packet! Error %s\n",
422                                 nt_errstr(status) ));
423                         return status;
424                 }
425                 *p_encrypted = true;
426         }
427
428         /* Check the incoming SMB signature. */
429         if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum, trusted_channel)) {
430                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
431                           "incoming packet!\n"));
432                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
433         }
434
435         *p_len = len;
436         return NT_STATUS_OK;
437 }
438
439 /*
440  * Initialize a struct smb_request from an inbuf
441  */
442
443 static bool init_smb_request(struct smb_request *req, const uint8 *inbuf,
444                              size_t unread_bytes, bool encrypted,
445                              uint32_t seqnum)
446 {
447         struct smbd_server_connection *sconn = smbd_server_conn;
448         size_t req_size = smb_len(inbuf) + 4;
449         /* Ensure we have at least smb_size bytes. */
450         if (req_size < smb_size) {
451                 DEBUG(0,("init_smb_request: invalid request size %u\n",
452                         (unsigned int)req_size ));
453                 return false;
454         }
455         req->cmd    = CVAL(inbuf, smb_com);
456         req->flags2 = SVAL(inbuf, smb_flg2);
457         req->smbpid = SVAL(inbuf, smb_pid);
458         req->mid    = (uint64_t)SVAL(inbuf, smb_mid);
459         req->seqnum = seqnum;
460         req->vuid   = SVAL(inbuf, smb_uid);
461         req->tid    = SVAL(inbuf, smb_tid);
462         req->wct    = CVAL(inbuf, smb_wct);
463         req->vwv    = (uint16_t *)(inbuf+smb_vwv);
464         req->buflen = smb_buflen(inbuf);
465         req->buf    = (const uint8_t *)smb_buf(inbuf);
466         req->unread_bytes = unread_bytes;
467         req->encrypted = encrypted;
468         req->conn = conn_find(sconn,req->tid);
469         req->chain_fsp = NULL;
470         req->chain_outbuf = NULL;
471         req->done = false;
472         req->smb2req = NULL;
473         smb_init_perfcount_data(&req->pcd);
474
475         /* Ensure we have at least wct words and 2 bytes of bcc. */
476         if (smb_size + req->wct*2 > req_size) {
477                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
478                         (unsigned int)req->wct,
479                         (unsigned int)req_size));
480                 return false;
481         }
482         /* Ensure bcc is correct. */
483         if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
484                 DEBUG(0,("init_smb_request: invalid bcc number %u "
485                         "(wct = %u, size %u)\n",
486                         (unsigned int)req->buflen,
487                         (unsigned int)req->wct,
488                         (unsigned int)req_size));
489                 return false;
490         }
491
492         req->outbuf = NULL;
493         return true;
494 }
495
496 static void process_smb(struct smbd_server_connection *conn,
497                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
498                         uint32_t seqnum, bool encrypted,
499                         struct smb_perfcount_data *deferred_pcd);
500
501 static void smbd_deferred_open_timer(struct event_context *ev,
502                                      struct timed_event *te,
503                                      struct timeval _tval,
504                                      void *private_data)
505 {
506         struct pending_message_list *msg = talloc_get_type(private_data,
507                                            struct pending_message_list);
508         TALLOC_CTX *mem_ctx = talloc_tos();
509         uint64_t mid = (uint64_t)SVAL(msg->buf.data,smb_mid);
510         uint8_t *inbuf;
511
512         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
513                                          msg->buf.length);
514         if (inbuf == NULL) {
515                 exit_server("smbd_deferred_open_timer: talloc failed\n");
516                 return;
517         }
518
519         /* We leave this message on the queue so the open code can
520            know this is a retry. */
521         DEBUG(5,("smbd_deferred_open_timer: trigger mid %llu.\n",
522                 (unsigned long long)mid ));
523
524         /* Mark the message as processed so this is not
525          * re-processed in error. */
526         msg->processed = true;
527
528         process_smb(smbd_server_conn, inbuf,
529                     msg->buf.length, 0,
530                     msg->seqnum, msg->encrypted, &msg->pcd);
531
532         /* If it's still there and was processed, remove it. */
533         msg = get_deferred_open_message_smb(mid);
534         if (msg && msg->processed) {
535                 remove_deferred_open_message_smb(mid);
536         }
537 }
538
539 /****************************************************************************
540  Function to push a message onto the tail of a linked list of smb messages ready
541  for processing.
542 ****************************************************************************/
543
544 static bool push_queued_message(struct smb_request *req,
545                                 struct timeval request_time,
546                                 struct timeval end_time,
547                                 char *private_data, size_t private_len)
548 {
549         int msg_len = smb_len(req->inbuf) + 4;
550         struct pending_message_list *msg;
551
552         msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
553
554         if(msg == NULL) {
555                 DEBUG(0,("push_message: malloc fail (1)\n"));
556                 return False;
557         }
558
559         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
560         if(msg->buf.data == NULL) {
561                 DEBUG(0,("push_message: malloc fail (2)\n"));
562                 TALLOC_FREE(msg);
563                 return False;
564         }
565
566         msg->request_time = request_time;
567         msg->seqnum = req->seqnum;
568         msg->encrypted = req->encrypted;
569         msg->processed = false;
570         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
571
572         if (private_data) {
573                 msg->private_data = data_blob_talloc(msg, private_data,
574                                                      private_len);
575                 if (msg->private_data.data == NULL) {
576                         DEBUG(0,("push_message: malloc fail (3)\n"));
577                         TALLOC_FREE(msg);
578                         return False;
579                 }
580         }
581
582         msg->te = event_add_timed(smbd_event_context(),
583                                   msg,
584                                   end_time,
585                                   smbd_deferred_open_timer,
586                                   msg);
587         if (!msg->te) {
588                 DEBUG(0,("push_message: event_add_timed failed\n"));
589                 TALLOC_FREE(msg);
590                 return false;
591         }
592
593         DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
594
595         DEBUG(10,("push_message: pushed message length %u on "
596                   "deferred_open_queue\n", (unsigned int)msg_len));
597
598         return True;
599 }
600
601 /****************************************************************************
602  Function to delete a sharing violation open message by mid.
603 ****************************************************************************/
604
605 void remove_deferred_open_message_smb(uint64_t mid)
606 {
607         struct pending_message_list *pml;
608
609         if (smbd_server_conn->allow_smb2) {
610                 remove_deferred_open_message_smb2(mid);
611                 return;
612         }
613
614         for (pml = deferred_open_queue; pml; pml = pml->next) {
615                 if (mid == (uint64_t)SVAL(pml->buf.data,smb_mid)) {
616                         DEBUG(10,("remove_deferred_open_message_smb: "
617                                   "deleting mid %llu len %u\n",
618                                   (unsigned long long)mid,
619                                   (unsigned int)pml->buf.length ));
620                         DLIST_REMOVE(deferred_open_queue, pml);
621                         TALLOC_FREE(pml);
622                         return;
623                 }
624         }
625 }
626
627 /****************************************************************************
628  Move a sharing violation open retry message to the front of the list and
629  schedule it for immediate processing.
630 ****************************************************************************/
631
632 void schedule_deferred_open_message_smb(uint64_t mid)
633 {
634         struct pending_message_list *pml;
635         int i = 0;
636
637         if (smbd_server_conn->allow_smb2) {
638                 schedule_deferred_open_message_smb2(mid);
639                 return;
640         }
641
642         for (pml = deferred_open_queue; pml; pml = pml->next) {
643                 uint64_t msg_mid = (uint64_t)SVAL(pml->buf.data,smb_mid);
644
645                 DEBUG(10,("schedule_deferred_open_message_smb: [%d] "
646                         "msg_mid = %llu\n",
647                         i++,
648                         (unsigned long long)msg_mid ));
649
650                 if (mid == msg_mid) {
651                         struct timed_event *te;
652
653                         if (pml->processed) {
654                                 /* A processed message should not be
655                                  * rescheduled. */
656                                 DEBUG(0,("schedule_deferred_open_message_smb: LOGIC ERROR "
657                                         "message mid %llu was already processed\n",
658                                         (unsigned long long)msg_mid ));
659                                 continue;
660                         }
661
662                         DEBUG(10,("schedule_deferred_open_message_smb: "
663                                 "scheduling mid %llu\n",
664                                 (unsigned long long)mid ));
665
666                         te = event_add_timed(smbd_event_context(),
667                                              pml,
668                                              timeval_zero(),
669                                              smbd_deferred_open_timer,
670                                              pml);
671                         if (!te) {
672                                 DEBUG(10,("schedule_deferred_open_message_smb: "
673                                         "event_add_timed() failed, "
674                                         "skipping mid %llu\n",
675                                         (unsigned long long)msg_mid ));
676                         }
677
678                         TALLOC_FREE(pml->te);
679                         pml->te = te;
680                         DLIST_PROMOTE(deferred_open_queue, pml);
681                         return;
682                 }
683         }
684
685         DEBUG(10,("schedule_deferred_open_message_smb: failed to "
686                 "find message mid %llu\n",
687                 (unsigned long long)mid ));
688 }
689
690 /****************************************************************************
691  Return true if this mid is on the deferred queue and was not yet processed.
692 ****************************************************************************/
693
694 bool open_was_deferred(uint64_t mid)
695 {
696         struct pending_message_list *pml;
697
698         if (smbd_server_conn->allow_smb2) {
699                 return open_was_deferred_smb2(mid);
700         }
701
702         for (pml = deferred_open_queue; pml; pml = pml->next) {
703                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid && !pml->processed) {
704                         return True;
705                 }
706         }
707         return False;
708 }
709
710 /****************************************************************************
711  Return the message queued by this mid.
712 ****************************************************************************/
713
714 static struct pending_message_list *get_deferred_open_message_smb(uint64_t mid)
715 {
716         struct pending_message_list *pml;
717
718         for (pml = deferred_open_queue; pml; pml = pml->next) {
719                 if (((uint64_t)SVAL(pml->buf.data,smb_mid)) == mid) {
720                         return pml;
721                 }
722         }
723         return NULL;
724 }
725
726 /****************************************************************************
727  Get the state data queued by this mid.
728 ****************************************************************************/
729
730 bool get_deferred_open_message_state(struct smb_request *smbreq,
731                                 struct timeval *p_request_time,
732                                 void **pp_state)
733 {
734         struct pending_message_list *pml;
735
736         if (smbd_server_conn->allow_smb2) {
737                 return get_deferred_open_message_state_smb2(smbreq->smb2req,
738                                         p_request_time,
739                                         pp_state);
740         }
741
742         pml = get_deferred_open_message_smb(smbreq->mid);
743         if (!pml) {
744                 return false;
745         }
746         if (p_request_time) {
747                 *p_request_time = pml->request_time;
748         }
749         if (pp_state) {
750                 *pp_state = (void *)pml->private_data.data;
751         }
752         return true;
753 }
754
755 /****************************************************************************
756  Function to push a deferred open smb message onto a linked list of local smb
757  messages ready for processing.
758 ****************************************************************************/
759
760 bool push_deferred_open_message_smb(struct smb_request *req,
761                                struct timeval request_time,
762                                struct timeval timeout,
763                                struct file_id id,
764                                char *private_data, size_t priv_len)
765 {
766         struct timeval end_time;
767
768         if (req->smb2req) {
769                 return push_deferred_open_message_smb2(req->smb2req,
770                                                 request_time,
771                                                 timeout,
772                                                 id,
773                                                 private_data,
774                                                 priv_len);
775         }
776
777         if (req->unread_bytes) {
778                 DEBUG(0,("push_deferred_open_message_smb: logic error ! "
779                         "unread_bytes = %u\n",
780                         (unsigned int)req->unread_bytes ));
781                 smb_panic("push_deferred_open_message_smb: "
782                         "logic error unread_bytes != 0" );
783         }
784
785         end_time = timeval_sum(&request_time, &timeout);
786
787         DEBUG(10,("push_deferred_open_message_smb: pushing message "
788                 "len %u mid %llu timeout time [%u.%06u]\n",
789                 (unsigned int) smb_len(req->inbuf)+4,
790                 (unsigned long long)req->mid,
791                 (unsigned int)end_time.tv_sec,
792                 (unsigned int)end_time.tv_usec));
793
794         return push_queued_message(req, request_time, end_time,
795                                    private_data, priv_len);
796 }
797
798 struct idle_event {
799         struct timed_event *te;
800         struct timeval interval;
801         char *name;
802         bool (*handler)(const struct timeval *now, void *private_data);
803         void *private_data;
804 };
805
806 static void smbd_idle_event_handler(struct event_context *ctx,
807                                     struct timed_event *te,
808                                     struct timeval now,
809                                     void *private_data)
810 {
811         struct idle_event *event =
812                 talloc_get_type_abort(private_data, struct idle_event);
813
814         TALLOC_FREE(event->te);
815
816         DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
817                   event->name, event->te));
818
819         if (!event->handler(&now, event->private_data)) {
820                 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
821                           event->name, event->te));
822                 /* Don't repeat, delete ourselves */
823                 TALLOC_FREE(event);
824                 return;
825         }
826
827         DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
828                   event->name, event->te));
829
830         event->te = event_add_timed(ctx, event,
831                                     timeval_sum(&now, &event->interval),
832                                     smbd_idle_event_handler, event);
833
834         /* We can't do much but fail here. */
835         SMB_ASSERT(event->te != NULL);
836 }
837
838 struct idle_event *event_add_idle(struct event_context *event_ctx,
839                                   TALLOC_CTX *mem_ctx,
840                                   struct timeval interval,
841                                   const char *name,
842                                   bool (*handler)(const struct timeval *now,
843                                                   void *private_data),
844                                   void *private_data)
845 {
846         struct idle_event *result;
847         struct timeval now = timeval_current();
848
849         result = TALLOC_P(mem_ctx, struct idle_event);
850         if (result == NULL) {
851                 DEBUG(0, ("talloc failed\n"));
852                 return NULL;
853         }
854
855         result->interval = interval;
856         result->handler = handler;
857         result->private_data = private_data;
858
859         if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
860                 DEBUG(0, ("talloc failed\n"));
861                 TALLOC_FREE(result);
862                 return NULL;
863         }
864
865         result->te = event_add_timed(event_ctx, result,
866                                      timeval_sum(&now, &interval),
867                                      smbd_idle_event_handler, result);
868         if (result->te == NULL) {
869                 DEBUG(0, ("event_add_timed failed\n"));
870                 TALLOC_FREE(result);
871                 return NULL;
872         }
873
874         DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
875         return result;
876 }
877
878 static void smbd_sig_term_handler(struct tevent_context *ev,
879                                   struct tevent_signal *se,
880                                   int signum,
881                                   int count,
882                                   void *siginfo,
883                                   void *private_data)
884 {
885         exit_server_cleanly("termination signal");
886 }
887
888 void smbd_setup_sig_term_handler(void)
889 {
890         struct tevent_signal *se;
891
892         se = tevent_add_signal(smbd_event_context(),
893                                smbd_event_context(),
894                                SIGTERM, 0,
895                                smbd_sig_term_handler,
896                                NULL);
897         if (!se) {
898                 exit_server("failed to setup SIGTERM handler");
899         }
900 }
901
902 static void smbd_sig_hup_handler(struct tevent_context *ev,
903                                   struct tevent_signal *se,
904                                   int signum,
905                                   int count,
906                                   void *siginfo,
907                                   void *private_data)
908 {
909         change_to_root_user();
910         DEBUG(1,("Reloading services after SIGHUP\n"));
911         reload_services(False);
912 }
913
914 void smbd_setup_sig_hup_handler(void)
915 {
916         struct tevent_signal *se;
917
918         se = tevent_add_signal(smbd_event_context(),
919                                smbd_event_context(),
920                                SIGHUP, 0,
921                                smbd_sig_hup_handler,
922                                NULL);
923         if (!se) {
924                 exit_server("failed to setup SIGHUP handler");
925         }
926 }
927
928 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
929 {
930         fd_set r_fds, w_fds;
931         int selrtn;
932         struct timeval to;
933         int maxfd = 0;
934
935         to.tv_sec = SMBD_SELECT_TIMEOUT;
936         to.tv_usec = 0;
937
938         /*
939          * Setup the select fd sets.
940          */
941
942         FD_ZERO(&r_fds);
943         FD_ZERO(&w_fds);
944
945         /*
946          * Are there any timed events waiting ? If so, ensure we don't
947          * select for longer than it would take to wait for them.
948          */
949
950         {
951                 struct timeval now;
952                 GetTimeOfDay(&now);
953
954                 event_add_to_select_args(smbd_event_context(), &now,
955                                          &r_fds, &w_fds, &to, &maxfd);
956         }
957
958         /* Process a signal and timed events now... */
959         if (run_events(smbd_event_context(), 0, NULL, NULL)) {
960                 return NT_STATUS_RETRY;
961         }
962
963         {
964                 int sav;
965                 START_PROFILE(smbd_idle);
966
967                 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
968                 sav = errno;
969
970                 END_PROFILE(smbd_idle);
971                 errno = sav;
972         }
973
974         if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
975                 return NT_STATUS_RETRY;
976         }
977
978         /* Check if error */
979         if (selrtn == -1) {
980                 /* something is wrong. Maybe the socket is dead? */
981                 return map_nt_error_from_unix(errno);
982         }
983
984         /* Did we timeout ? */
985         if (selrtn == 0) {
986                 return NT_STATUS_RETRY;
987         }
988
989         /* should not be reached */
990         return NT_STATUS_INTERNAL_ERROR;
991 }
992
993 /*
994  * Only allow 5 outstanding trans requests. We're allocating memory, so
995  * prevent a DoS.
996  */
997
998 NTSTATUS allow_new_trans(struct trans_state *list, uint64_t mid)
999 {
1000         int count = 0;
1001         for (; list != NULL; list = list->next) {
1002
1003                 if (list->mid == mid) {
1004                         return NT_STATUS_INVALID_PARAMETER;
1005                 }
1006
1007                 count += 1;
1008         }
1009         if (count > 5) {
1010                 return NT_STATUS_INSUFFICIENT_RESOURCES;
1011         }
1012
1013         return NT_STATUS_OK;
1014 }
1015
1016 /*
1017 These flags determine some of the permissions required to do an operation 
1018
1019 Note that I don't set NEED_WRITE on some write operations because they
1020 are used by some brain-dead clients when printing, and I don't want to
1021 force write permissions on print services.
1022 */
1023 #define AS_USER (1<<0)
1024 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
1025 #define TIME_INIT (1<<2)
1026 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
1027 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
1028 #define DO_CHDIR (1<<6)
1029
1030 /* 
1031    define a list of possible SMB messages and their corresponding
1032    functions. Any message that has a NULL function is unimplemented -
1033    please feel free to contribute implementations!
1034 */
1035 static const struct smb_message_struct {
1036         const char *name;
1037         void (*fn)(struct smb_request *req);
1038         int flags;
1039 } smb_messages[256] = {
1040
1041 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
1042 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
1043 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
1044 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
1045 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
1046 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
1047 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
1048 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
1049 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
1050 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
1051 /* 0x0a */ { "SMBread",reply_read,AS_USER},
1052 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
1053 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
1054 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
1055 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
1056 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
1057 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
1058 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
1059 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
1060 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
1061 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
1062 /* 0x15 */ { NULL, NULL, 0 },
1063 /* 0x16 */ { NULL, NULL, 0 },
1064 /* 0x17 */ { NULL, NULL, 0 },
1065 /* 0x18 */ { NULL, NULL, 0 },
1066 /* 0x19 */ { NULL, NULL, 0 },
1067 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
1068 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
1069 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
1070 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
1071 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
1072 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
1073 /* 0x20 */ { "SMBwritec", NULL,0},
1074 /* 0x21 */ { NULL, NULL, 0 },
1075 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
1076 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
1077 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
1078 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
1079 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
1080 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
1081 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
1082 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
1083 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
1084 /* 0x2b */ { "SMBecho",reply_echo,0},
1085 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
1086 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
1087 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
1088 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
1089 /* 0x30 */ { NULL, NULL, 0 },
1090 /* 0x31 */ { NULL, NULL, 0 },
1091 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
1092 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
1093 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
1094 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
1095 /* 0x36 */ { NULL, NULL, 0 },
1096 /* 0x37 */ { NULL, NULL, 0 },
1097 /* 0x38 */ { NULL, NULL, 0 },
1098 /* 0x39 */ { NULL, NULL, 0 },
1099 /* 0x3a */ { NULL, NULL, 0 },
1100 /* 0x3b */ { NULL, NULL, 0 },
1101 /* 0x3c */ { NULL, NULL, 0 },
1102 /* 0x3d */ { NULL, NULL, 0 },
1103 /* 0x3e */ { NULL, NULL, 0 },
1104 /* 0x3f */ { NULL, NULL, 0 },
1105 /* 0x40 */ { NULL, NULL, 0 },
1106 /* 0x41 */ { NULL, NULL, 0 },
1107 /* 0x42 */ { NULL, NULL, 0 },
1108 /* 0x43 */ { NULL, NULL, 0 },
1109 /* 0x44 */ { NULL, NULL, 0 },
1110 /* 0x45 */ { NULL, NULL, 0 },
1111 /* 0x46 */ { NULL, NULL, 0 },
1112 /* 0x47 */ { NULL, NULL, 0 },
1113 /* 0x48 */ { NULL, NULL, 0 },
1114 /* 0x49 */ { NULL, NULL, 0 },
1115 /* 0x4a */ { NULL, NULL, 0 },
1116 /* 0x4b */ { NULL, NULL, 0 },
1117 /* 0x4c */ { NULL, NULL, 0 },
1118 /* 0x4d */ { NULL, NULL, 0 },
1119 /* 0x4e */ { NULL, NULL, 0 },
1120 /* 0x4f */ { NULL, NULL, 0 },
1121 /* 0x50 */ { NULL, NULL, 0 },
1122 /* 0x51 */ { NULL, NULL, 0 },
1123 /* 0x52 */ { NULL, NULL, 0 },
1124 /* 0x53 */ { NULL, NULL, 0 },
1125 /* 0x54 */ { NULL, NULL, 0 },
1126 /* 0x55 */ { NULL, NULL, 0 },
1127 /* 0x56 */ { NULL, NULL, 0 },
1128 /* 0x57 */ { NULL, NULL, 0 },
1129 /* 0x58 */ { NULL, NULL, 0 },
1130 /* 0x59 */ { NULL, NULL, 0 },
1131 /* 0x5a */ { NULL, NULL, 0 },
1132 /* 0x5b */ { NULL, NULL, 0 },
1133 /* 0x5c */ { NULL, NULL, 0 },
1134 /* 0x5d */ { NULL, NULL, 0 },
1135 /* 0x5e */ { NULL, NULL, 0 },
1136 /* 0x5f */ { NULL, NULL, 0 },
1137 /* 0x60 */ { NULL, NULL, 0 },
1138 /* 0x61 */ { NULL, NULL, 0 },
1139 /* 0x62 */ { NULL, NULL, 0 },
1140 /* 0x63 */ { NULL, NULL, 0 },
1141 /* 0x64 */ { NULL, NULL, 0 },
1142 /* 0x65 */ { NULL, NULL, 0 },
1143 /* 0x66 */ { NULL, NULL, 0 },
1144 /* 0x67 */ { NULL, NULL, 0 },
1145 /* 0x68 */ { NULL, NULL, 0 },
1146 /* 0x69 */ { NULL, NULL, 0 },
1147 /* 0x6a */ { NULL, NULL, 0 },
1148 /* 0x6b */ { NULL, NULL, 0 },
1149 /* 0x6c */ { NULL, NULL, 0 },
1150 /* 0x6d */ { NULL, NULL, 0 },
1151 /* 0x6e */ { NULL, NULL, 0 },
1152 /* 0x6f */ { NULL, NULL, 0 },
1153 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1154 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1155 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1156 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1157 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1158 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1159 /* 0x76 */ { NULL, NULL, 0 },
1160 /* 0x77 */ { NULL, NULL, 0 },
1161 /* 0x78 */ { NULL, NULL, 0 },
1162 /* 0x79 */ { NULL, NULL, 0 },
1163 /* 0x7a */ { NULL, NULL, 0 },
1164 /* 0x7b */ { NULL, NULL, 0 },
1165 /* 0x7c */ { NULL, NULL, 0 },
1166 /* 0x7d */ { NULL, NULL, 0 },
1167 /* 0x7e */ { NULL, NULL, 0 },
1168 /* 0x7f */ { NULL, NULL, 0 },
1169 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1170 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1171 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1172 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1173 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1174 /* 0x85 */ { NULL, NULL, 0 },
1175 /* 0x86 */ { NULL, NULL, 0 },
1176 /* 0x87 */ { NULL, NULL, 0 },
1177 /* 0x88 */ { NULL, NULL, 0 },
1178 /* 0x89 */ { NULL, NULL, 0 },
1179 /* 0x8a */ { NULL, NULL, 0 },
1180 /* 0x8b */ { NULL, NULL, 0 },
1181 /* 0x8c */ { NULL, NULL, 0 },
1182 /* 0x8d */ { NULL, NULL, 0 },
1183 /* 0x8e */ { NULL, NULL, 0 },
1184 /* 0x8f */ { NULL, NULL, 0 },
1185 /* 0x90 */ { NULL, NULL, 0 },
1186 /* 0x91 */ { NULL, NULL, 0 },
1187 /* 0x92 */ { NULL, NULL, 0 },
1188 /* 0x93 */ { NULL, NULL, 0 },
1189 /* 0x94 */ { NULL, NULL, 0 },
1190 /* 0x95 */ { NULL, NULL, 0 },
1191 /* 0x96 */ { NULL, NULL, 0 },
1192 /* 0x97 */ { NULL, NULL, 0 },
1193 /* 0x98 */ { NULL, NULL, 0 },
1194 /* 0x99 */ { NULL, NULL, 0 },
1195 /* 0x9a */ { NULL, NULL, 0 },
1196 /* 0x9b */ { NULL, NULL, 0 },
1197 /* 0x9c */ { NULL, NULL, 0 },
1198 /* 0x9d */ { NULL, NULL, 0 },
1199 /* 0x9e */ { NULL, NULL, 0 },
1200 /* 0x9f */ { NULL, NULL, 0 },
1201 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1202 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1203 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1204 /* 0xa3 */ { NULL, NULL, 0 },
1205 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1206 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1207 /* 0xa6 */ { NULL, NULL, 0 },
1208 /* 0xa7 */ { NULL, NULL, 0 },
1209 /* 0xa8 */ { NULL, NULL, 0 },
1210 /* 0xa9 */ { NULL, NULL, 0 },
1211 /* 0xaa */ { NULL, NULL, 0 },
1212 /* 0xab */ { NULL, NULL, 0 },
1213 /* 0xac */ { NULL, NULL, 0 },
1214 /* 0xad */ { NULL, NULL, 0 },
1215 /* 0xae */ { NULL, NULL, 0 },
1216 /* 0xaf */ { NULL, NULL, 0 },
1217 /* 0xb0 */ { NULL, NULL, 0 },
1218 /* 0xb1 */ { NULL, NULL, 0 },
1219 /* 0xb2 */ { NULL, NULL, 0 },
1220 /* 0xb3 */ { NULL, NULL, 0 },
1221 /* 0xb4 */ { NULL, NULL, 0 },
1222 /* 0xb5 */ { NULL, NULL, 0 },
1223 /* 0xb6 */ { NULL, NULL, 0 },
1224 /* 0xb7 */ { NULL, NULL, 0 },
1225 /* 0xb8 */ { NULL, NULL, 0 },
1226 /* 0xb9 */ { NULL, NULL, 0 },
1227 /* 0xba */ { NULL, NULL, 0 },
1228 /* 0xbb */ { NULL, NULL, 0 },
1229 /* 0xbc */ { NULL, NULL, 0 },
1230 /* 0xbd */ { NULL, NULL, 0 },
1231 /* 0xbe */ { NULL, NULL, 0 },
1232 /* 0xbf */ { NULL, NULL, 0 },
1233 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1234 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1235 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1236 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1237 /* 0xc4 */ { NULL, NULL, 0 },
1238 /* 0xc5 */ { NULL, NULL, 0 },
1239 /* 0xc6 */ { NULL, NULL, 0 },
1240 /* 0xc7 */ { NULL, NULL, 0 },
1241 /* 0xc8 */ { NULL, NULL, 0 },
1242 /* 0xc9 */ { NULL, NULL, 0 },
1243 /* 0xca */ { NULL, NULL, 0 },
1244 /* 0xcb */ { NULL, NULL, 0 },
1245 /* 0xcc */ { NULL, NULL, 0 },
1246 /* 0xcd */ { NULL, NULL, 0 },
1247 /* 0xce */ { NULL, NULL, 0 },
1248 /* 0xcf */ { NULL, NULL, 0 },
1249 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1250 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1251 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1252 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1253 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1254 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1255 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1256 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1257 /* 0xd8 */ { NULL, NULL, 0 },
1258 /* 0xd9 */ { NULL, NULL, 0 },
1259 /* 0xda */ { NULL, NULL, 0 },
1260 /* 0xdb */ { NULL, NULL, 0 },
1261 /* 0xdc */ { NULL, NULL, 0 },
1262 /* 0xdd */ { NULL, NULL, 0 },
1263 /* 0xde */ { NULL, NULL, 0 },
1264 /* 0xdf */ { NULL, NULL, 0 },
1265 /* 0xe0 */ { NULL, NULL, 0 },
1266 /* 0xe1 */ { NULL, NULL, 0 },
1267 /* 0xe2 */ { NULL, NULL, 0 },
1268 /* 0xe3 */ { NULL, NULL, 0 },
1269 /* 0xe4 */ { NULL, NULL, 0 },
1270 /* 0xe5 */ { NULL, NULL, 0 },
1271 /* 0xe6 */ { NULL, NULL, 0 },
1272 /* 0xe7 */ { NULL, NULL, 0 },
1273 /* 0xe8 */ { NULL, NULL, 0 },
1274 /* 0xe9 */ { NULL, NULL, 0 },
1275 /* 0xea */ { NULL, NULL, 0 },
1276 /* 0xeb */ { NULL, NULL, 0 },
1277 /* 0xec */ { NULL, NULL, 0 },
1278 /* 0xed */ { NULL, NULL, 0 },
1279 /* 0xee */ { NULL, NULL, 0 },
1280 /* 0xef */ { NULL, NULL, 0 },
1281 /* 0xf0 */ { NULL, NULL, 0 },
1282 /* 0xf1 */ { NULL, NULL, 0 },
1283 /* 0xf2 */ { NULL, NULL, 0 },
1284 /* 0xf3 */ { NULL, NULL, 0 },
1285 /* 0xf4 */ { NULL, NULL, 0 },
1286 /* 0xf5 */ { NULL, NULL, 0 },
1287 /* 0xf6 */ { NULL, NULL, 0 },
1288 /* 0xf7 */ { NULL, NULL, 0 },
1289 /* 0xf8 */ { NULL, NULL, 0 },
1290 /* 0xf9 */ { NULL, NULL, 0 },
1291 /* 0xfa */ { NULL, NULL, 0 },
1292 /* 0xfb */ { NULL, NULL, 0 },
1293 /* 0xfc */ { NULL, NULL, 0 },
1294 /* 0xfd */ { NULL, NULL, 0 },
1295 /* 0xfe */ { NULL, NULL, 0 },
1296 /* 0xff */ { NULL, NULL, 0 }
1297
1298 };
1299
1300 /*******************************************************************
1301  allocate and initialize a reply packet
1302 ********************************************************************/
1303
1304 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1305                           const char *inbuf, char **outbuf, uint8_t num_words,
1306                           uint32_t num_bytes)
1307 {
1308         /*
1309          * Protect against integer wrap
1310          */
1311         if ((num_bytes > 0xffffff)
1312             || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1313                 char *msg;
1314                 if (asprintf(&msg, "num_bytes too large: %u",
1315                              (unsigned)num_bytes) == -1) {
1316                         msg = CONST_DISCARD(char *, "num_bytes too large");
1317                 }
1318                 smb_panic(msg);
1319         }
1320
1321         *outbuf = TALLOC_ARRAY(mem_ctx, char,
1322                                smb_size + num_words*2 + num_bytes);
1323         if (*outbuf == NULL) {
1324                 return false;
1325         }
1326
1327         construct_reply_common(req, inbuf, *outbuf);
1328         srv_set_message(*outbuf, num_words, num_bytes, false);
1329         /*
1330          * Zero out the word area, the caller has to take care of the bcc area
1331          * himself
1332          */
1333         if (num_words != 0) {
1334                 memset(*outbuf + smb_vwv0, 0, num_words*2);
1335         }
1336
1337         return true;
1338 }
1339
1340 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1341 {
1342         char *outbuf;
1343         if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1344                            num_bytes)) {
1345                 smb_panic("could not allocate output buffer\n");
1346         }
1347         req->outbuf = (uint8_t *)outbuf;
1348 }
1349
1350
1351 /*******************************************************************
1352  Dump a packet to a file.
1353 ********************************************************************/
1354
1355 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1356 {
1357         int fd, i;
1358         char *fname = NULL;
1359         if (DEBUGLEVEL < 50) {
1360                 return;
1361         }
1362
1363         if (len < 4) len = smb_len(data)+4;
1364         for (i=1;i<100;i++) {
1365                 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1366                              type ? "req" : "resp") == -1) {
1367                         return;
1368                 }
1369                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1370                 if (fd != -1 || errno != EEXIST) break;
1371         }
1372         if (fd != -1) {
1373                 ssize_t ret = write(fd, data, len);
1374                 if (ret != len)
1375                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1376                 close(fd);
1377                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1378         }
1379         SAFE_FREE(fname);
1380 }
1381
1382 /****************************************************************************
1383  Prepare everything for calling the actual request function, and potentially
1384  call the request function via the "new" interface.
1385
1386  Return False if the "legacy" function needs to be called, everything is
1387  prepared.
1388
1389  Return True if we're done.
1390
1391  I know this API sucks, but it is the one with the least code change I could
1392  find.
1393 ****************************************************************************/
1394
1395 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1396 {
1397         int flags;
1398         uint16 session_tag;
1399         connection_struct *conn = NULL;
1400         struct smbd_server_connection *sconn = smbd_server_conn;
1401
1402         errno = 0;
1403
1404         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1405          * so subtract 4 from it. */
1406         if (!valid_smb_header(req->inbuf)
1407             || (size < (smb_size - 4))) {
1408                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1409                          smb_len(req->inbuf)));
1410                 exit_server_cleanly("Non-SMB packet");
1411         }
1412
1413         if (smb_messages[type].fn == NULL) {
1414                 DEBUG(0,("Unknown message type %d!\n",type));
1415                 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1416                 reply_unknown_new(req, type);
1417                 return NULL;
1418         }
1419
1420         flags = smb_messages[type].flags;
1421
1422         /* In share mode security we must ignore the vuid. */
1423         session_tag = (lp_security() == SEC_SHARE)
1424                 ? UID_FIELD_INVALID : req->vuid;
1425         conn = req->conn;
1426
1427         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1428                  (int)sys_getpid(), (unsigned long)conn));
1429
1430         smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1431
1432         /* Ensure this value is replaced in the incoming packet. */
1433         SSVAL(req->inbuf,smb_uid,session_tag);
1434
1435         /*
1436          * Ensure the correct username is in current_user_info.  This is a
1437          * really ugly bugfix for problems with multiple session_setup_and_X's
1438          * being done and allowing %U and %G substitutions to work correctly.
1439          * There is a reason this code is done here, don't move it unless you
1440          * know what you're doing... :-).
1441          * JRA.
1442          */
1443
1444         if (session_tag != sconn->smb1.sessions.last_session_tag) {
1445                 user_struct *vuser = NULL;
1446
1447                 sconn->smb1.sessions.last_session_tag = session_tag;
1448                 if(session_tag != UID_FIELD_INVALID) {
1449                         vuser = get_valid_user_struct(sconn, session_tag);
1450                         if (vuser) {
1451                                 set_current_user_info(
1452                                         vuser->server_info->sanitized_username,
1453                                         vuser->server_info->unix_name,
1454                                         vuser->server_info->info3->base.domain.string);
1455                         }
1456                 }
1457         }
1458
1459         /* Does this call need to be run as the connected user? */
1460         if (flags & AS_USER) {
1461
1462                 /* Does this call need a valid tree connection? */
1463                 if (!conn) {
1464                         /*
1465                          * Amazingly, the error code depends on the command
1466                          * (from Samba4).
1467                          */
1468                         if (type == SMBntcreateX) {
1469                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1470                         } else {
1471                                 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1472                         }
1473                         return NULL;
1474                 }
1475
1476                 if (!change_to_user(conn,session_tag)) {
1477                         DEBUG(0, ("Error: Could not change to user. Removing "
1478                                 "deferred open, mid=%llu.\n",
1479                                 (unsigned long long)req->mid));
1480                         reply_force_doserror(req, ERRSRV, ERRbaduid);
1481                         return conn;
1482                 }
1483
1484                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1485
1486                 /* Does it need write permission? */
1487                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1488                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1489                         return conn;
1490                 }
1491
1492                 /* IPC services are limited */
1493                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1494                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1495                         return conn;
1496                 }
1497         } else {
1498                 /* This call needs to be run as root */
1499                 change_to_root_user();
1500         }
1501
1502         /* load service specific parameters */
1503         if (conn) {
1504                 if (req->encrypted) {
1505                         conn->encrypted_tid = true;
1506                         /* encrypted required from now on. */
1507                         conn->encrypt_level = Required;
1508                 } else if (ENCRYPTION_REQUIRED(conn)) {
1509                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1510                                 exit_server_cleanly("encryption required "
1511                                         "on connection");
1512                                 return conn;
1513                         }
1514                 }
1515
1516                 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1517                                          (flags & (AS_USER|DO_CHDIR)
1518                                           ?True:False))) {
1519                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1520                         return conn;
1521                 }
1522                 conn->num_smb_operations++;
1523         }
1524
1525         /* does this protocol need to be run as guest? */
1526         if ((flags & AS_GUEST)
1527             && (!change_to_guest() ||
1528                 !check_access(smbd_server_fd(), lp_hostsallow(-1),
1529                               lp_hostsdeny(-1)))) {
1530                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1531                 return conn;
1532         }
1533
1534         smb_messages[type].fn(req);
1535         return req->conn;
1536 }
1537
1538 /****************************************************************************
1539  Construct a reply to the incoming packet.
1540 ****************************************************************************/
1541
1542 static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1543                             uint32_t seqnum, bool encrypted,
1544                             struct smb_perfcount_data *deferred_pcd)
1545 {
1546         connection_struct *conn;
1547         struct smb_request *req;
1548
1549         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1550                 smb_panic("could not allocate smb_request");
1551         }
1552
1553         if (!init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted,
1554                               seqnum)) {
1555                 exit_server_cleanly("Invalid SMB request");
1556         }
1557
1558         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1559
1560         /* we popped this message off the queue - keep original perf data */
1561         if (deferred_pcd)
1562                 req->pcd = *deferred_pcd;
1563         else {
1564                 SMB_PERFCOUNT_START(&req->pcd);
1565                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1566                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1567         }
1568
1569         conn = switch_message(req->cmd, req, size);
1570
1571         if (req->unread_bytes) {
1572                 /* writeX failed. drain socket. */
1573                 if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1574                                 req->unread_bytes) {
1575                         smb_panic("failed to drain pending bytes");
1576                 }
1577                 req->unread_bytes = 0;
1578         }
1579
1580         if (req->done) {
1581                 TALLOC_FREE(req);
1582                 return;
1583         }
1584
1585         if (req->outbuf == NULL) {
1586                 return;
1587         }
1588
1589         if (CVAL(req->outbuf,0) == 0) {
1590                 show_msg((char *)req->outbuf);
1591         }
1592
1593         if (!srv_send_smb(smbd_server_fd(),
1594                         (char *)req->outbuf,
1595                         true, req->seqnum+1,
1596                         IS_CONN_ENCRYPTED(conn)||req->encrypted,
1597                         &req->pcd)) {
1598                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1599         }
1600
1601         TALLOC_FREE(req);
1602
1603         return;
1604 }
1605
1606 /****************************************************************************
1607  Process an smb from the client
1608 ****************************************************************************/
1609 static void process_smb(struct smbd_server_connection *conn,
1610                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1611                         uint32_t seqnum, bool encrypted,
1612                         struct smb_perfcount_data *deferred_pcd)
1613 {
1614         int msg_type = CVAL(inbuf,0);
1615
1616         DO_PROFILE_INC(smb_count);
1617
1618         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1619                     smb_len(inbuf) ) );
1620         DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1621                                 (int)nread,
1622                                 (unsigned int)unread_bytes ));
1623
1624         if (msg_type != 0) {
1625                 /*
1626                  * NetBIOS session request, keepalive, etc.
1627                  */
1628                 reply_special((char *)inbuf);
1629                 goto done;
1630         }
1631
1632         if (smbd_server_conn->allow_smb2) {
1633                 if (smbd_is_smb2_header(inbuf, nread)) {
1634                         smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1635                         return;
1636                 } else if (nread >= smb_size && valid_smb_header(inbuf)
1637                                 && CVAL(inbuf, smb_com) != 0x72) {
1638                         /* This is a non-negprot SMB1 packet.
1639                            Disable SMB2 from now on. */
1640                         smbd_server_conn->allow_smb2 = false;
1641                 }
1642         }
1643
1644         show_msg((char *)inbuf);
1645
1646         construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1647         trans_num++;
1648
1649 done:
1650         conn->smb1.num_requests++;
1651
1652         /* The timeout_processing function isn't run nearly
1653            often enough to implement 'max log size' without
1654            overrunning the size of the file by many megabytes.
1655            This is especially true if we are running at debug
1656            level 10.  Checking every 50 SMBs is a nice
1657            tradeoff of performance vs log file size overrun. */
1658
1659         if ((conn->smb1.num_requests % 50) == 0 &&
1660             need_to_check_log_size()) {
1661                 change_to_root_user();
1662                 check_log_size();
1663         }
1664 }
1665
1666 /****************************************************************************
1667  Return a string containing the function name of a SMB command.
1668 ****************************************************************************/
1669
1670 const char *smb_fn_name(int type)
1671 {
1672         const char *unknown_name = "SMBunknown";
1673
1674         if (smb_messages[type].name == NULL)
1675                 return(unknown_name);
1676
1677         return(smb_messages[type].name);
1678 }
1679
1680 /****************************************************************************
1681  Helper functions for contruct_reply.
1682 ****************************************************************************/
1683
1684 void add_to_common_flags2(uint32 v)
1685 {
1686         common_flags2 |= v;
1687 }
1688
1689 void remove_from_common_flags2(uint32 v)
1690 {
1691         common_flags2 &= ~v;
1692 }
1693
1694 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1695                                    char *outbuf)
1696 {
1697         srv_set_message(outbuf,0,0,false);
1698
1699         SCVAL(outbuf, smb_com, req->cmd);
1700         SIVAL(outbuf,smb_rcls,0);
1701         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
1702         SSVAL(outbuf,smb_flg2,
1703                 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1704                 common_flags2);
1705         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1706
1707         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1708         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1709         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1710         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1711 }
1712
1713 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1714 {
1715         construct_reply_common(req, (char *)req->inbuf, outbuf);
1716 }
1717
1718 /*
1719  * How many bytes have we already accumulated up to the current wct field
1720  * offset?
1721  */
1722
1723 size_t req_wct_ofs(struct smb_request *req)
1724 {
1725         size_t buf_size;
1726
1727         if (req->chain_outbuf == NULL) {
1728                 return smb_wct - 4;
1729         }
1730         buf_size = talloc_get_size(req->chain_outbuf);
1731         if ((buf_size % 4) != 0) {
1732                 buf_size += (4 - (buf_size % 4));
1733         }
1734         return buf_size - 4;
1735 }
1736
1737 /*
1738  * Hack around reply_nterror & friends not being aware of chained requests,
1739  * generating illegal (i.e. wct==0) chain replies.
1740  */
1741
1742 static void fixup_chain_error_packet(struct smb_request *req)
1743 {
1744         uint8_t *outbuf = req->outbuf;
1745         req->outbuf = NULL;
1746         reply_outbuf(req, 2, 0);
1747         memcpy(req->outbuf, outbuf, smb_wct);
1748         TALLOC_FREE(outbuf);
1749         SCVAL(req->outbuf, smb_vwv0, 0xff);
1750 }
1751
1752 /**
1753  * @brief Find the smb_cmd offset of the last command pushed
1754  * @param[in] buf       The buffer we're building up
1755  * @retval              Where can we put our next andx cmd?
1756  *
1757  * While chaining requests, the "next" request we're looking at needs to put
1758  * its SMB_Command before the data the previous request already built up added
1759  * to the chain. Find the offset to the place where we have to put our cmd.
1760  */
1761
1762 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1763 {
1764         uint8_t cmd;
1765         size_t ofs;
1766
1767         cmd = CVAL(buf, smb_com);
1768
1769         SMB_ASSERT(is_andx_req(cmd));
1770
1771         ofs = smb_vwv0;
1772
1773         while (CVAL(buf, ofs) != 0xff) {
1774
1775                 if (!is_andx_req(CVAL(buf, ofs))) {
1776                         return false;
1777                 }
1778
1779                 /*
1780                  * ofs is from start of smb header, so add the 4 length
1781                  * bytes. The next cmd is right after the wct field.
1782                  */
1783                 ofs = SVAL(buf, ofs+2) + 4 + 1;
1784
1785                 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1786         }
1787
1788         *pofs = ofs;
1789         return true;
1790 }
1791
1792 /**
1793  * @brief Do the smb chaining at a buffer level
1794  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
1795  * @param[in] smb_command       The command that we want to issue
1796  * @param[in] wct               How many words?
1797  * @param[in] vwv               The words, already in network order
1798  * @param[in] bytes_alignment   How shall we align "bytes"?
1799  * @param[in] num_bytes         How many bytes?
1800  * @param[in] bytes             The data the request ships
1801  *
1802  * smb_splice_chain() adds the vwv and bytes to the request already present in
1803  * *poutbuf.
1804  */
1805
1806 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1807                              uint8_t wct, const uint16_t *vwv,
1808                              size_t bytes_alignment,
1809                              uint32_t num_bytes, const uint8_t *bytes)
1810 {
1811         uint8_t *outbuf;
1812         size_t old_size, new_size;
1813         size_t ofs;
1814         size_t chain_padding = 0;
1815         size_t bytes_padding = 0;
1816         bool first_request;
1817
1818         old_size = talloc_get_size(*poutbuf);
1819
1820         /*
1821          * old_size == smb_wct means we're pushing the first request in for
1822          * libsmb/
1823          */
1824
1825         first_request = (old_size == smb_wct);
1826
1827         if (!first_request && ((old_size % 4) != 0)) {
1828                 /*
1829                  * Align the wct field of subsequent requests to a 4-byte
1830                  * boundary
1831                  */
1832                 chain_padding = 4 - (old_size % 4);
1833         }
1834
1835         /*
1836          * After the old request comes the new wct field (1 byte), the vwv's
1837          * and the num_bytes field. After at we might need to align the bytes
1838          * given to us to "bytes_alignment", increasing the num_bytes value.
1839          */
1840
1841         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1842
1843         if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1844                 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1845         }
1846
1847         new_size += bytes_padding + num_bytes;
1848
1849         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1850                 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1851                           (unsigned)new_size));
1852                 return false;
1853         }
1854
1855         outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1856         if (outbuf == NULL) {
1857                 DEBUG(0, ("talloc failed\n"));
1858                 return false;
1859         }
1860         *poutbuf = outbuf;
1861
1862         if (first_request) {
1863                 SCVAL(outbuf, smb_com, smb_command);
1864         } else {
1865                 size_t andx_cmd_ofs;
1866
1867                 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1868                         DEBUG(1, ("invalid command chain\n"));
1869                         *poutbuf = TALLOC_REALLOC_ARRAY(
1870                                 NULL, *poutbuf, uint8_t, old_size);
1871                         return false;
1872                 }
1873
1874                 if (chain_padding != 0) {
1875                         memset(outbuf + old_size, 0, chain_padding);
1876                         old_size += chain_padding;
1877                 }
1878
1879                 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1880                 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1881         }
1882
1883         ofs = old_size;
1884
1885         /*
1886          * Push the chained request:
1887          *
1888          * wct field
1889          */
1890
1891         SCVAL(outbuf, ofs, wct);
1892         ofs += 1;
1893
1894         /*
1895          * vwv array
1896          */
1897
1898         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1899         ofs += sizeof(uint16_t) * wct;
1900
1901         /*
1902          * bcc (byte count)
1903          */
1904
1905         SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1906         ofs += sizeof(uint16_t);
1907
1908         /*
1909          * padding
1910          */
1911
1912         if (bytes_padding != 0) {
1913                 memset(outbuf + ofs, 0, bytes_padding);
1914                 ofs += bytes_padding;
1915         }
1916
1917         /*
1918          * The bytes field
1919          */
1920
1921         memcpy(outbuf + ofs, bytes, num_bytes);
1922
1923         return true;
1924 }
1925
1926 /****************************************************************************
1927  Construct a chained reply and add it to the already made reply
1928 ****************************************************************************/
1929
1930 void chain_reply(struct smb_request *req)
1931 {
1932         size_t smblen = smb_len(req->inbuf);
1933         size_t already_used, length_needed;
1934         uint8_t chain_cmd;
1935         uint32_t chain_offset;  /* uint32_t to avoid overflow */
1936
1937         uint8_t wct;
1938         uint16_t *vwv;
1939         uint16_t buflen;
1940         uint8_t *buf;
1941
1942         if (IVAL(req->outbuf, smb_rcls) != 0) {
1943                 fixup_chain_error_packet(req);
1944         }
1945
1946         /*
1947          * Any of the AndX requests and replies have at least a wct of
1948          * 2. vwv[0] is the next command, vwv[1] is the offset from the
1949          * beginning of the SMB header to the next wct field.
1950          *
1951          * None of the AndX requests put anything valuable in vwv[0] and [1],
1952          * so we can overwrite it here to form the chain.
1953          */
1954
1955         if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1956                 if (req->chain_outbuf == NULL) {
1957                         req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1958                                 req, req->outbuf, uint8_t,
1959                                 smb_len(req->outbuf) + 4);
1960                         if (req->chain_outbuf == NULL) {
1961                                 smb_panic("talloc failed");
1962                         }
1963                 }
1964                 req->outbuf = NULL;
1965                 goto error;
1966         }
1967
1968         /*
1969          * Here we assume that this is the end of the chain. For that we need
1970          * to set "next command" to 0xff and the offset to 0. If we later find
1971          * more commands in the chain, this will be overwritten again.
1972          */
1973
1974         SCVAL(req->outbuf, smb_vwv0, 0xff);
1975         SCVAL(req->outbuf, smb_vwv0+1, 0);
1976         SSVAL(req->outbuf, smb_vwv1, 0);
1977
1978         if (req->chain_outbuf == NULL) {
1979                 /*
1980                  * In req->chain_outbuf we collect all the replies. Start the
1981                  * chain by copying in the first reply.
1982                  *
1983                  * We do the realloc because later on we depend on
1984                  * talloc_get_size to determine the length of
1985                  * chain_outbuf. The reply_xxx routines might have
1986                  * over-allocated (reply_pipe_read_and_X used to be such an
1987                  * example).
1988                  */
1989                 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1990                         req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1991                 if (req->chain_outbuf == NULL) {
1992                         smb_panic("talloc failed");
1993                 }
1994                 req->outbuf = NULL;
1995         } else {
1996                 /*
1997                  * Update smb headers where subsequent chained commands
1998                  * may have updated them.
1999                  */
2000                 SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
2001                 SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
2002
2003                 if (!smb_splice_chain(&req->chain_outbuf,
2004                                       CVAL(req->outbuf, smb_com),
2005                                       CVAL(req->outbuf, smb_wct),
2006                                       (uint16_t *)(req->outbuf + smb_vwv),
2007                                       0, smb_buflen(req->outbuf),
2008                                       (uint8_t *)smb_buf(req->outbuf))) {
2009                         goto error;
2010                 }
2011                 TALLOC_FREE(req->outbuf);
2012         }
2013
2014         /*
2015          * We use the old request's vwv field to grab the next chained command
2016          * and offset into the chained fields.
2017          */
2018
2019         chain_cmd = CVAL(req->vwv+0, 0);
2020         chain_offset = SVAL(req->vwv+1, 0);
2021
2022         if (chain_cmd == 0xff) {
2023                 /*
2024                  * End of chain, no more requests from the client. So ship the
2025                  * replies.
2026                  */
2027                 smb_setlen((char *)(req->chain_outbuf),
2028                            talloc_get_size(req->chain_outbuf) - 4);
2029
2030                 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2031                                   true, req->seqnum+1,
2032                                   IS_CONN_ENCRYPTED(req->conn)
2033                                   ||req->encrypted,
2034                                   &req->pcd)) {
2035                         exit_server_cleanly("chain_reply: srv_send_smb "
2036                                             "failed.");
2037                 }
2038                 TALLOC_FREE(req->chain_outbuf);
2039                 req->done = true;
2040                 return;
2041         }
2042
2043         /* add a new perfcounter for this element of chain */
2044         SMB_PERFCOUNT_ADD(&req->pcd);
2045         SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
2046         SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
2047
2048         /*
2049          * Check if the client tries to fool us. The request so far uses the
2050          * space to the end of the byte buffer in the request just
2051          * processed. The chain_offset can't point into that area. If that was
2052          * the case, we could end up with an endless processing of the chain,
2053          * we would always handle the same request.
2054          */
2055
2056         already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
2057         if (chain_offset < already_used) {
2058                 goto error;
2059         }
2060
2061         /*
2062          * Next check: Make sure the chain offset does not point beyond the
2063          * overall smb request length.
2064          */
2065
2066         length_needed = chain_offset+1; /* wct */
2067         if (length_needed > smblen) {
2068                 goto error;
2069         }
2070
2071         /*
2072          * Now comes the pointer magic. Goal here is to set up req->vwv and
2073          * req->buf correctly again to be able to call the subsequent
2074          * switch_message(). The chain offset (the former vwv[1]) points at
2075          * the new wct field.
2076          */
2077
2078         wct = CVAL(smb_base(req->inbuf), chain_offset);
2079
2080         /*
2081          * Next consistency check: Make the new vwv array fits in the overall
2082          * smb request.
2083          */
2084
2085         length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
2086         if (length_needed > smblen) {
2087                 goto error;
2088         }
2089         vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
2090
2091         /*
2092          * Now grab the new byte buffer....
2093          */
2094
2095         buflen = SVAL(vwv+wct, 0);
2096
2097         /*
2098          * .. and check that it fits.
2099          */
2100
2101         length_needed += buflen;
2102         if (length_needed > smblen) {
2103                 goto error;
2104         }
2105         buf = (uint8_t *)(vwv+wct+1);
2106
2107         req->cmd = chain_cmd;
2108         req->wct = wct;
2109         req->vwv = vwv;
2110         req->buflen = buflen;
2111         req->buf = buf;
2112
2113         switch_message(chain_cmd, req, smblen);
2114
2115         if (req->outbuf == NULL) {
2116                 /*
2117                  * This happens if the chained command has suspended itself or
2118                  * if it has called srv_send_smb() itself.
2119                  */
2120                 return;
2121         }
2122
2123         /*
2124          * We end up here if the chained command was not itself chained or
2125          * suspended, but for example a close() command. We now need to splice
2126          * the chained commands' outbuf into the already built up chain_outbuf
2127          * and ship the result.
2128          */
2129         goto done;
2130
2131  error:
2132         /*
2133          * We end up here if there's any error in the chain syntax. Report a
2134          * DOS error, just like Windows does.
2135          */
2136         reply_force_doserror(req, ERRSRV, ERRerror);
2137         fixup_chain_error_packet(req);
2138
2139  done:
2140         /*
2141          * This scary statement intends to set the
2142          * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
2143          * to the value req->outbuf carries
2144          */
2145         SSVAL(req->chain_outbuf, smb_flg2,
2146               (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
2147               | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
2148
2149         /*
2150          * Transfer the error codes from the subrequest to the main one
2151          */
2152         SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2153         SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2154
2155         if (!smb_splice_chain(&req->chain_outbuf,
2156                               CVAL(req->outbuf, smb_com),
2157                               CVAL(req->outbuf, smb_wct),
2158                               (uint16_t *)(req->outbuf + smb_vwv),
2159                               0, smb_buflen(req->outbuf),
2160                               (uint8_t *)smb_buf(req->outbuf))) {
2161                 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2162         }
2163         TALLOC_FREE(req->outbuf);
2164
2165         smb_setlen((char *)(req->chain_outbuf),
2166                    talloc_get_size(req->chain_outbuf) - 4);
2167
2168         show_msg((char *)(req->chain_outbuf));
2169
2170         if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2171                           true, req->seqnum+1,
2172                           IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2173                           &req->pcd)) {
2174                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
2175         }
2176         TALLOC_FREE(req->chain_outbuf);
2177         req->done = true;
2178 }
2179
2180 /****************************************************************************
2181  Check if services need reloading.
2182 ****************************************************************************/
2183
2184 void check_reload(time_t t)
2185 {
2186         time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2187
2188         if(last_smb_conf_reload_time == 0) {
2189                 last_smb_conf_reload_time = t;
2190                 /* Our printing subsystem might not be ready at smbd start up.
2191                    Then no printer is available till the first printers check
2192                    is performed.  A lower initial interval circumvents this. */
2193                 if ( printcap_cache_time > 60 )
2194                         last_printer_reload_time = t - printcap_cache_time + 60;
2195                 else
2196                         last_printer_reload_time = t;
2197         }
2198
2199         if (mypid != getpid()) { /* First time or fork happened meanwhile */
2200                 /* randomize over 60 second the printcap reload to avoid all
2201                  * process hitting cupsd at the same time */
2202                 int time_range = 60;
2203
2204                 last_printer_reload_time += random() % time_range;
2205                 mypid = getpid();
2206         }
2207
2208         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2209                 reload_services(True);
2210                 last_smb_conf_reload_time = t;
2211         }
2212
2213         /* 'printcap cache time = 0' disable the feature */
2214
2215         if ( printcap_cache_time != 0 )
2216         { 
2217                 /* see if it's time to reload or if the clock has been set back */
2218
2219                 if ( (t >= last_printer_reload_time+printcap_cache_time) 
2220                         || (t-last_printer_reload_time  < 0) ) 
2221                 {
2222                         DEBUG( 3,( "Printcap cache time expired.\n"));
2223                         reload_printers();
2224                         last_printer_reload_time = t;
2225                 }
2226         }
2227 }
2228
2229 static bool fd_is_readable(int fd)
2230 {
2231         fd_set fds;
2232         struct timeval timeout = {0, };
2233         int ret;
2234
2235         FD_ZERO(&fds);
2236         FD_SET(fd, &fds);
2237
2238         ret = sys_select(fd+1, &fds, NULL, NULL, &timeout);
2239         if (ret == -1) {
2240                 return false;
2241         }
2242         return FD_ISSET(fd, &fds);
2243 }
2244
2245 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2246 {
2247         /* TODO: make write nonblocking */
2248 }
2249
2250 static void smbd_server_connection_read_handler(
2251         struct smbd_server_connection *conn, int fd)
2252 {
2253         uint8_t *inbuf = NULL;
2254         size_t inbuf_len = 0;
2255         size_t unread_bytes = 0;
2256         bool encrypted = false;
2257         TALLOC_CTX *mem_ctx = talloc_tos();
2258         NTSTATUS status;
2259         uint32_t seqnum;
2260
2261         bool from_client = (smbd_server_fd() == fd)?true:false;
2262
2263         if (from_client) {
2264                 smbd_lock_socket(conn);
2265
2266                 if (!fd_is_readable(smbd_server_fd())) {
2267                         DEBUG(10,("the echo listener was faster\n"));
2268                         smbd_unlock_socket(conn);
2269                         return;
2270                 }
2271
2272                 /* TODO: make this completely nonblocking */
2273                 status = receive_smb_talloc(mem_ctx, fd,
2274                                             (char **)(void *)&inbuf,
2275                                             0, /* timeout */
2276                                             &unread_bytes,
2277                                             &encrypted,
2278                                             &inbuf_len, &seqnum,
2279                                             false /* trusted channel */);
2280                 smbd_unlock_socket(conn);
2281         } else {
2282                 /* TODO: make this completely nonblocking */
2283                 status = receive_smb_talloc(mem_ctx, fd,
2284                                             (char **)(void *)&inbuf,
2285                                             0, /* timeout */
2286                                             &unread_bytes,
2287                                             &encrypted,
2288                                             &inbuf_len, &seqnum,
2289                                             true /* trusted channel */);
2290         }
2291
2292         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2293                 goto process;
2294         }
2295         if (NT_STATUS_IS_ERR(status)) {
2296                 exit_server_cleanly("failed to receive smb request");
2297         }
2298         if (!NT_STATUS_IS_OK(status)) {
2299                 return;
2300         }
2301
2302 process:
2303         process_smb(conn, inbuf, inbuf_len, unread_bytes,
2304                     seqnum, encrypted, NULL);
2305 }
2306
2307 static void smbd_server_connection_handler(struct event_context *ev,
2308                                            struct fd_event *fde,
2309                                            uint16_t flags,
2310                                            void *private_data)
2311 {
2312         struct smbd_server_connection *conn = talloc_get_type(private_data,
2313                                               struct smbd_server_connection);
2314
2315         if (flags & EVENT_FD_WRITE) {
2316                 smbd_server_connection_write_handler(conn);
2317         } else if (flags & EVENT_FD_READ) {
2318                 smbd_server_connection_read_handler(conn, smbd_server_fd());
2319         }
2320 }
2321
2322 static void smbd_server_echo_handler(struct event_context *ev,
2323                                      struct fd_event *fde,
2324                                      uint16_t flags,
2325                                      void *private_data)
2326 {
2327         struct smbd_server_connection *conn = talloc_get_type(private_data,
2328                                               struct smbd_server_connection);
2329
2330         if (flags & EVENT_FD_WRITE) {
2331                 smbd_server_connection_write_handler(conn);
2332         } else if (flags & EVENT_FD_READ) {
2333                 smbd_server_connection_read_handler(
2334                         conn, conn->smb1.echo_handler.trusted_fd);
2335         }
2336 }
2337
2338 /****************************************************************************
2339 received when we should release a specific IP
2340 ****************************************************************************/
2341 static void release_ip(const char *ip, void *priv)
2342 {
2343         char addr[INET6_ADDRSTRLEN];
2344         char *p = addr;
2345
2346         client_socket_addr(get_client_fd(),addr,sizeof(addr));
2347
2348         if (strncmp("::ffff:", addr, 7) == 0) {
2349                 p = addr + 7;
2350         }
2351
2352         if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2353                 /* we can't afford to do a clean exit - that involves
2354                    database writes, which would potentially mean we
2355                    are still running after the failover has finished -
2356                    we have to get rid of this process ID straight
2357                    away */
2358                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2359                         ip));
2360                 /* note we must exit with non-zero status so the unclean handler gets
2361                    called in the parent, so that the brl database is tickled */
2362                 _exit(1);
2363         }
2364 }
2365
2366 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2367                            uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2368 {
2369         release_ip((char *)data->data, NULL);
2370 }
2371
2372 #ifdef CLUSTER_SUPPORT
2373 static int client_get_tcp_info(struct sockaddr_storage *server,
2374                                struct sockaddr_storage *client)
2375 {
2376         socklen_t length;
2377         if (server_fd == -1) {
2378                 return -1;
2379         }
2380         length = sizeof(*server);
2381         if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2382                 return -1;
2383         }
2384         length = sizeof(*client);
2385         if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2386                 return -1;
2387         }
2388         return 0;
2389 }
2390 #endif
2391
2392 /*
2393  * Send keepalive packets to our client
2394  */
2395 static bool keepalive_fn(const struct timeval *now, void *private_data)
2396 {
2397         bool ret;
2398
2399         smbd_lock_socket(smbd_server_conn);
2400         ret = send_keepalive(smbd_server_fd());
2401         smbd_unlock_socket(smbd_server_conn);
2402
2403         if (!ret) {
2404                 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2405                 return False;
2406         }
2407         return True;
2408 }
2409
2410 /*
2411  * Do the recurring check if we're idle
2412  */
2413 static bool deadtime_fn(const struct timeval *now, void *private_data)
2414 {
2415         struct smbd_server_connection *sconn = smbd_server_conn;
2416
2417         if (sconn->allow_smb2) {
2418                 /* TODO: implement real idle check */
2419                 if (sconn->smb2.sessions.list) {
2420                         return true;
2421                 }
2422                 DEBUG( 2, ( "Closing idle SMB2 connection\n" ) );
2423                 messaging_send(smbd_messaging_context(), procid_self(),
2424                                MSG_SHUTDOWN, &data_blob_null);
2425                 return false;
2426         }
2427
2428         if ((conn_num_open(sconn) == 0)
2429             || (conn_idle_all(sconn, now->tv_sec))) {
2430                 DEBUG( 2, ( "Closing idle SMB1 connection\n" ) );
2431                 messaging_send(smbd_messaging_context(), procid_self(),
2432                                MSG_SHUTDOWN, &data_blob_null);
2433                 return False;
2434         }
2435
2436         return True;
2437 }
2438
2439 /*
2440  * Do the recurring log file and smb.conf reload checks.
2441  */
2442
2443 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2444 {
2445         change_to_root_user();
2446
2447         /* update printer queue caches if necessary */
2448         update_monitored_printq_cache();
2449
2450         /* check if we need to reload services */
2451         check_reload(time(NULL));
2452
2453         /* Change machine password if neccessary. */
2454         attempt_machine_password_change();
2455
2456         /*
2457          * Force a log file check.
2458          */
2459         force_check_log_size();
2460         check_log_size();
2461         return true;
2462 }
2463
2464 static int create_unlink_tmp(const char *dir)
2465 {
2466         char *fname;
2467         int fd;
2468
2469         fname = talloc_asprintf(talloc_tos(), "%s/listenerlock_XXXXXX", dir);
2470         if (fname == NULL) {
2471                 errno = ENOMEM;
2472                 return -1;
2473         }
2474         fd = mkstemp(fname);
2475         if (fd == -1) {
2476                 TALLOC_FREE(fname);
2477                 return -1;
2478         }
2479         if (unlink(fname) == -1) {
2480                 int sys_errno = errno;
2481                 close(fd);
2482                 TALLOC_FREE(fname);
2483                 errno = sys_errno;
2484                 return -1;
2485         }
2486         TALLOC_FREE(fname);
2487         return fd;
2488 }
2489
2490 struct smbd_echo_state {
2491         struct tevent_context *ev;
2492         struct iovec *pending;
2493         struct smbd_server_connection *sconn;
2494         int parent_pipe;
2495
2496         struct tevent_fd *parent_fde;
2497
2498         struct tevent_fd *read_fde;
2499         struct tevent_req *write_req;
2500 };
2501
2502 static void smbd_echo_writer_done(struct tevent_req *req);
2503
2504 static void smbd_echo_activate_writer(struct smbd_echo_state *state)
2505 {
2506         int num_pending;
2507
2508         if (state->write_req != NULL) {
2509                 return;
2510         }
2511
2512         num_pending = talloc_array_length(state->pending);
2513         if (num_pending == 0) {
2514                 return;
2515         }
2516
2517         state->write_req = writev_send(state, state->ev, NULL,
2518                                        state->parent_pipe, false,
2519                                        state->pending, num_pending);
2520         if (state->write_req == NULL) {
2521                 DEBUG(1, ("writev_send failed\n"));
2522                 exit(1);
2523         }
2524
2525         talloc_steal(state->write_req, state->pending);
2526         state->pending = NULL;
2527
2528         tevent_req_set_callback(state->write_req, smbd_echo_writer_done,
2529                                 state);
2530 }
2531
2532 static void smbd_echo_writer_done(struct tevent_req *req)
2533 {
2534         struct smbd_echo_state *state = tevent_req_callback_data(
2535                 req, struct smbd_echo_state);
2536         ssize_t written;
2537         int err;
2538
2539         written = writev_recv(req, &err);
2540         TALLOC_FREE(req);
2541         state->write_req = NULL;
2542         if (written == -1) {
2543                 DEBUG(1, ("writev to parent failed: %s\n", strerror(err)));
2544                 exit(1);
2545         }
2546         DEBUG(10,("echo_handler[%d]: forwarded pdu to main\n", (int)sys_getpid()));
2547         smbd_echo_activate_writer(state);
2548 }
2549
2550 static bool smbd_echo_reply(int fd,
2551                             uint8_t *inbuf, size_t inbuf_len,
2552                             uint32_t seqnum)
2553 {
2554         struct smb_request req;
2555         uint16_t num_replies;
2556         size_t out_len;
2557         char *outbuf;
2558         bool ok;
2559
2560         if (inbuf_len < smb_size) {
2561                 DEBUG(10, ("Got short packet: %d bytes\n", (int)inbuf_len));
2562                 return false;
2563         }
2564         if (!valid_smb_header(inbuf)) {
2565                 DEBUG(10, ("Got invalid SMB header\n"));
2566                 return false;
2567         }
2568
2569         if (!init_smb_request(&req, inbuf, 0, false, seqnum)) {
2570                 return false;
2571         }
2572         req.inbuf = inbuf;
2573
2574         DEBUG(10, ("smbecho handler got cmd %d (%s)\n", (int)req.cmd,
2575                    smb_messages[req.cmd].name
2576                    ? smb_messages[req.cmd].name : "unknown"));
2577
2578         if (req.cmd != SMBecho) {
2579                 return false;
2580         }
2581         if (req.wct < 1) {
2582                 return false;
2583         }
2584
2585         num_replies = SVAL(req.vwv+0, 0);
2586         if (num_replies != 1) {
2587                 /* Not a Windows "Hey, you're still there?" request */
2588                 return false;
2589         }
2590
2591         if (!create_outbuf(talloc_tos(), &req, (char *)req.inbuf, &outbuf,
2592                            1, req.buflen)) {
2593                 DEBUG(10, ("create_outbuf failed\n"));
2594                 return false;
2595         }
2596         req.outbuf = (uint8_t *)outbuf;
2597
2598         SSVAL(req.outbuf, smb_vwv0, num_replies);
2599
2600         if (req.buflen > 0) {
2601                 memcpy(smb_buf(req.outbuf), req.buf, req.buflen);
2602         }
2603
2604         out_len = smb_len(req.outbuf) + 4;
2605
2606         ok = srv_send_smb(smbd_server_fd(),
2607                           (char *)outbuf,
2608                           true, seqnum+1,
2609                           false, &req.pcd);
2610         TALLOC_FREE(outbuf);
2611         if (!ok) {
2612                 exit(1);
2613         }
2614
2615         return true;
2616 }
2617
2618 static void smbd_echo_exit(struct tevent_context *ev,
2619                            struct tevent_fd *fde, uint16_t flags,
2620                            void *private_data)
2621 {
2622         DEBUG(2, ("smbd_echo_exit: lost connection to parent\n"));
2623         exit(0);
2624 }
2625
2626 static void smbd_echo_reader(struct tevent_context *ev,
2627                              struct tevent_fd *fde, uint16_t flags,
2628                              void *private_data)
2629 {
2630         struct smbd_echo_state *state = talloc_get_type_abort(
2631                 private_data, struct smbd_echo_state);
2632         struct smbd_server_connection *sconn = state->sconn;
2633         size_t unread, num_pending;
2634         NTSTATUS status;
2635         struct iovec *tmp;
2636         uint32_t seqnum = 0;
2637         bool reply;
2638         bool ok;
2639         bool encrypted = false;
2640
2641         ok = smbd_lock_socket_internal(sconn);
2642         if (!ok) {
2643                 DEBUG(0, ("%s: failed to lock socket\n",
2644                         __location__));
2645                 exit(1);
2646         }
2647
2648         if (!fd_is_readable(smbd_server_fd())) {
2649                 DEBUG(10,("echo_handler[%d] the parent smbd was faster\n",
2650                           (int)sys_getpid()));
2651                 ok = smbd_unlock_socket_internal(sconn);
2652                 if (!ok) {
2653                         DEBUG(1, ("%s: failed to unlock socket in\n",
2654                                 __location__));
2655                         exit(1);
2656                 }
2657                 return;
2658         }
2659
2660         num_pending = talloc_array_length(state->pending);
2661         tmp = talloc_realloc(state, state->pending, struct iovec,
2662                              num_pending+1);
2663         if (tmp == NULL) {
2664                 DEBUG(1, ("talloc_realloc failed\n"));
2665                 exit(1);
2666         }
2667         state->pending = tmp;
2668
2669         DEBUG(10,("echo_handler[%d]: reading pdu\n", (int)sys_getpid()));
2670
2671         status = receive_smb_talloc(state->pending, smbd_server_fd(),
2672                                     (char **)(void *)&state->pending[num_pending].iov_base,
2673                                     0 /* timeout */,
2674                                     &unread,
2675                                     &encrypted,
2676                                     &state->pending[num_pending].iov_len,
2677                                     &seqnum,
2678                                     false /* trusted_channel*/);
2679         if (!NT_STATUS_IS_OK(status)) {
2680                 DEBUG(1, ("echo_handler[%d]: receive_smb_raw_talloc failed: %s\n",
2681                           (int)sys_getpid(), nt_errstr(status)));
2682                 exit(1);
2683         }
2684
2685         ok = smbd_unlock_socket_internal(sconn);
2686         if (!ok) {
2687                 DEBUG(1, ("%s: failed to unlock socket in\n",
2688                         __location__));
2689                 exit(1);
2690         }
2691
2692         /*
2693          * place the seqnum in the packet so that the main process can reply
2694          * with signing
2695          */
2696         SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field, seqnum);
2697         SIVAL((uint8_t *)state->pending[num_pending].iov_base, smb_ss_field+4, NT_STATUS_V(NT_STATUS_OK));
2698
2699         reply = smbd_echo_reply(smbd_server_fd(),
2700                                 (uint8_t *)state->pending[num_pending].iov_base,
2701                                 state->pending[num_pending].iov_len,
2702                                 seqnum);
2703         if (reply) {
2704                 DEBUG(10,("echo_handler[%d]: replied to client\n", (int)sys_getpid()));
2705                 /* no check, shrinking by some bytes does not fail */
2706                 state->pending = talloc_realloc(state, state->pending,
2707                                                 struct iovec,
2708                                                 num_pending);
2709         } else {
2710                 DEBUG(10,("echo_handler[%d]: forward to main\n", (int)sys_getpid()));
2711                 smbd_echo_activate_writer(state);
2712         }
2713 }
2714
2715 static void smbd_echo_loop(struct smbd_server_connection *sconn,
2716                            int parent_pipe)
2717 {
2718         struct smbd_echo_state *state;
2719
2720         state = talloc_zero(sconn, struct smbd_echo_state);
2721         if (state == NULL) {
2722                 DEBUG(1, ("talloc failed\n"));
2723                 return;
2724         }
2725         state->sconn = sconn;
2726         state->parent_pipe = parent_pipe;
2727         state->ev = s3_tevent_context_init(state);
2728         if (state->ev == NULL) {
2729                 DEBUG(1, ("tevent_context_init failed\n"));
2730                 TALLOC_FREE(state);
2731                 return;
2732         }
2733         state->parent_fde = tevent_add_fd(state->ev, state, parent_pipe,
2734                                         TEVENT_FD_READ, smbd_echo_exit,
2735                                         state);
2736         if (state->parent_fde == NULL) {
2737                 DEBUG(1, ("tevent_add_fd failed\n"));
2738                 TALLOC_FREE(state);
2739                 return;
2740         }
2741         state->read_fde = tevent_add_fd(state->ev, state, smbd_server_fd(),
2742                                         TEVENT_FD_READ, smbd_echo_reader,
2743                                         state);
2744         if (state->read_fde == NULL) {
2745                 DEBUG(1, ("tevent_add_fd failed\n"));
2746                 TALLOC_FREE(state);
2747                 return;
2748         }
2749
2750         while (true) {
2751                 if (tevent_loop_once(state->ev) == -1) {
2752                         DEBUG(1, ("tevent_loop_once failed: %s\n",
2753                                   strerror(errno)));
2754                         break;
2755                 }
2756         }
2757         TALLOC_FREE(state);
2758 }
2759
2760 /*
2761  * Handle SMBecho requests in a forked child process
2762  */
2763 static bool fork_echo_handler(struct smbd_server_connection *sconn)
2764 {
2765         int listener_pipe[2];
2766         int res;
2767         pid_t child;
2768
2769         res = pipe(listener_pipe);
2770         if (res == -1) {
2771                 DEBUG(1, ("pipe() failed: %s\n", strerror(errno)));
2772                 return false;
2773         }
2774         sconn->smb1.echo_handler.socket_lock_fd = create_unlink_tmp(lp_lockdir());
2775         if (sconn->smb1.echo_handler.socket_lock_fd == -1) {
2776                 DEBUG(1, ("Could not create lock fd: %s\n", strerror(errno)));
2777                 goto fail;
2778         }
2779
2780         child = sys_fork();
2781         if (child == 0) {
2782                 NTSTATUS status;
2783
2784                 close(listener_pipe[0]);
2785
2786                 status = reinit_after_fork(smbd_messaging_context(),
2787                                            smbd_event_context(), false);
2788                 if (!NT_STATUS_IS_OK(status)) {
2789                         DEBUG(1, ("reinit_after_fork failed: %s\n",
2790                                   nt_errstr(status)));
2791                         exit(1);
2792                 }
2793                 smbd_echo_loop(sconn, listener_pipe[1]);
2794                 exit(0);
2795         }
2796         close(listener_pipe[1]);
2797         listener_pipe[1] = -1;
2798         sconn->smb1.echo_handler.trusted_fd = listener_pipe[0];
2799
2800         DEBUG(10,("fork_echo_handler: main[%d] echo_child[%d]\n", (int)sys_getpid(), child));
2801
2802         /*
2803          * Without smb signing this is the same as the normal smbd
2804          * listener. This needs to change once signing comes in.
2805          */
2806         sconn->smb1.echo_handler.trusted_fde = event_add_fd(smbd_event_context(),
2807                                         sconn,
2808                                         sconn->smb1.echo_handler.trusted_fd,
2809                                         EVENT_FD_READ,
2810                                         smbd_server_echo_handler,
2811                                         sconn);
2812         if (sconn->smb1.echo_handler.trusted_fde == NULL) {
2813                 DEBUG(1, ("event_add_fd failed\n"));
2814                 goto fail;
2815         }
2816
2817         return true;
2818
2819 fail:
2820         if (listener_pipe[0] != -1) {
2821                 close(listener_pipe[0]);
2822         }
2823         if (listener_pipe[1] != -1) {
2824                 close(listener_pipe[1]);
2825         }
2826         sconn->smb1.echo_handler.trusted_fd = -1;
2827         if (sconn->smb1.echo_handler.socket_lock_fd != -1) {
2828                 close(sconn->smb1.echo_handler.socket_lock_fd);
2829         }
2830         sconn->smb1.echo_handler.trusted_fd = -1;
2831         sconn->smb1.echo_handler.socket_lock_fd = -1;
2832         return false;
2833 }
2834
2835 /****************************************************************************
2836  Process commands from the client
2837 ****************************************************************************/
2838
2839 void smbd_process(void)
2840 {
2841         TALLOC_CTX *frame = talloc_stackframe();
2842         struct sockaddr_storage ss;
2843         struct sockaddr *sa = NULL;
2844         socklen_t sa_len;
2845         struct tsocket_address *local_address = NULL;
2846         struct tsocket_address *remote_address = NULL;
2847         const char *remaddr = NULL;
2848         int ret;
2849
2850         if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2851             lp_security() != SEC_SHARE &&
2852             !lp_async_smb_echo_handler()) {
2853                 smbd_server_conn->allow_smb2 = true;
2854         }
2855
2856         /* Ensure child is set to blocking mode */
2857         set_blocking(smbd_server_fd(),True);
2858
2859         set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2860         set_socket_options(smbd_server_fd(), lp_socket_options());
2861
2862         sa = (struct sockaddr *)(void *)&ss;
2863         sa_len = sizeof(ss);
2864         ret = getpeername(smbd_server_fd(), sa, &sa_len);
2865         if (ret != 0) {
2866                 int level = (errno == ENOTCONN)?2:0;
2867                 DEBUG(level,("getpeername() failed - %s\n", strerror(errno)));
2868                 exit_server("getpeername() failed.\n");
2869         }
2870         ret = tsocket_address_bsd_from_sockaddr(smbd_server_conn,
2871                                                 sa, sa_len,
2872                                                 &remote_address);
2873         if (ret != 0) {
2874                 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2875                         __location__, strerror(errno)));
2876                 exit_server("tsocket_address_bsd_from_sockaddr remote failed.\n");
2877         }
2878
2879         sa = (struct sockaddr *)(void *)&ss;
2880         sa_len = sizeof(ss);
2881         ret = getsockname(smbd_server_fd(), sa, &sa_len);
2882         if (ret != 0) {
2883                 int level = (errno == ENOTCONN)?2:0;
2884                 DEBUG(level,("getsockname() failed - %s\n", strerror(errno)));
2885                 exit_server("getsockname() failed.\n");
2886         }
2887         ret = tsocket_address_bsd_from_sockaddr(smbd_server_conn,
2888                                                 sa, sa_len,
2889                                                 &local_address);
2890         if (ret != 0) {
2891                 DEBUG(0,("%s: tsocket_address_bsd_from_sockaddr remote failed - %s\n",
2892                         __location__, strerror(errno)));
2893                 exit_server("tsocket_address_bsd_from_sockaddr remote failed.\n");
2894         }
2895
2896         smbd_server_conn->local_address = local_address;
2897         smbd_server_conn->remote_address = remote_address;
2898
2899         if (tsocket_address_is_inet(remote_address, "ip")) {
2900                 remaddr = tsocket_address_inet_addr_string(
2901                                 smbd_server_conn->remote_address,
2902                                 talloc_tos());
2903                 if (remaddr == NULL) {
2904
2905                 }
2906         } else {
2907                 remaddr = "0.0.0.0";
2908         }
2909
2910         /* this is needed so that we get decent entries
2911            in smbstatus for port 445 connects */
2912         set_remote_machine_name(remaddr, false);
2913         reload_services(true);
2914
2915         /*
2916          * Before the first packet, check the global hosts allow/ hosts deny
2917          * parameters before doing any parsing of packets passed to us by the
2918          * client. This prevents attacks on our parsing code from hosts not in
2919          * the hosts allow list.
2920          */
2921
2922         if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2923                           lp_hostsdeny(-1))) {
2924                 /*
2925                  * send a negative session response "not listening on calling
2926                  * name"
2927                  */
2928                 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2929                 DEBUG( 1, ("Connection denied from %s to %s\n",
2930                            tsocket_address_string(remote_address, talloc_tos()),
2931                            tsocket_address_string(local_address, talloc_tos())));
2932                 (void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2933                                    0, false, NULL);
2934                 exit_server_cleanly("connection denied");
2935         }
2936
2937         DEBUG(10, ("Connection allowed from %s to %s\n",
2938                    tsocket_address_string(remote_address, talloc_tos()),
2939                    tsocket_address_string(local_address, talloc_tos())));
2940
2941         static_init_rpc;
2942
2943         init_modules();
2944
2945         smb_perfcount_init();
2946
2947         if (!init_account_policy()) {
2948                 exit_server("Could not open account policy tdb.\n");
2949         }
2950
2951         if (*lp_rootdir()) {
2952                 if (chroot(lp_rootdir()) != 0) {
2953                         DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2954                         exit_server("Failed to chroot()");
2955                 }
2956                 if (chdir("/") == -1) {
2957                         DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2958                         exit_server("Failed to chroot()");
2959                 }
2960                 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2961         }
2962
2963         if (!srv_init_signing(smbd_server_conn)) {
2964                 exit_server("Failed to init smb_signing");
2965         }
2966
2967         if (lp_async_smb_echo_handler() && !fork_echo_handler(smbd_server_conn)) {
2968                 exit_server("Failed to fork echo handler");
2969         }
2970
2971         /* Setup oplocks */
2972         if (!init_oplocks(smbd_messaging_context()))
2973                 exit_server("Failed to init oplocks");
2974
2975         /* register our message handlers */
2976         messaging_register(smbd_messaging_context(), NULL,
2977                            MSG_SMB_FORCE_TDIS, msg_force_tdis);
2978         messaging_register(smbd_messaging_context(), NULL,
2979                            MSG_SMB_RELEASE_IP, msg_release_ip);
2980         messaging_register(smbd_messaging_context(), NULL,
2981                            MSG_SMB_CLOSE_FILE, msg_close_file);
2982
2983         /*
2984          * Use the default MSG_DEBUG handler to avoid rebroadcasting
2985          * MSGs to all child processes
2986          */
2987         messaging_deregister(smbd_messaging_context(),
2988                              MSG_DEBUG, NULL);
2989         messaging_register(smbd_messaging_context(), NULL,
2990                            MSG_DEBUG, debug_message);
2991
2992         if ((lp_keepalive() != 0)
2993             && !(event_add_idle(smbd_event_context(), NULL,
2994                                 timeval_set(lp_keepalive(), 0),
2995                                 "keepalive", keepalive_fn,
2996                                 NULL))) {
2997                 DEBUG(0, ("Could not add keepalive event\n"));
2998                 exit(1);
2999         }
3000
3001         if (!(event_add_idle(smbd_event_context(), NULL,
3002                              timeval_set(IDLE_CLOSED_TIMEOUT, 0),
3003                              "deadtime", deadtime_fn, NULL))) {
3004                 DEBUG(0, ("Could not add deadtime event\n"));
3005                 exit(1);
3006         }
3007
3008         if (!(event_add_idle(smbd_event_context(), NULL,
3009                              timeval_set(SMBD_SELECT_TIMEOUT, 0),
3010                              "housekeeping", housekeeping_fn, NULL))) {
3011                 DEBUG(0, ("Could not add housekeeping event\n"));
3012                 exit(1);
3013         }
3014
3015 #ifdef CLUSTER_SUPPORT
3016
3017         if (lp_clustering()) {
3018                 /*
3019                  * We need to tell ctdb about our client's TCP
3020                  * connection, so that for failover ctdbd can send
3021                  * tickle acks, triggering a reconnection by the
3022                  * client.
3023                  */
3024
3025                 struct sockaddr_storage srv, clnt;
3026
3027                 if (client_get_tcp_info(&srv, &clnt) == 0) {
3028
3029                         NTSTATUS status;
3030
3031                         status = ctdbd_register_ips(
3032                                 messaging_ctdbd_connection(),
3033                                 &srv, &clnt, release_ip, NULL);
3034
3035                         if (!NT_STATUS_IS_OK(status)) {
3036                                 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
3037                                           nt_errstr(status)));
3038                         }
3039                 } else
3040                 {
3041                         DEBUG(0,("Unable to get tcp info for "
3042                                  "CTDB_CONTROL_TCP_CLIENT: %s\n",
3043                                  strerror(errno)));
3044                 }
3045         }
3046
3047 #endif
3048
3049         smbd_server_conn->nbt.got_session = false;
3050
3051         smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
3052
3053         smbd_server_conn->smb1.sessions.done_sesssetup = false;
3054         smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
3055         smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
3056         /* users from session setup */
3057         smbd_server_conn->smb1.sessions.session_userlist = NULL;
3058         /* workgroup from session setup. */
3059         smbd_server_conn->smb1.sessions.session_workgroup = NULL;
3060         /* this holds info on user ids that are already validated for this VC */
3061         smbd_server_conn->smb1.sessions.validated_users = NULL;
3062         smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
3063         smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
3064
3065         conn_init(smbd_server_conn);
3066         if (!init_dptrs(smbd_server_conn)) {
3067                 exit_server("init_dptrs() failed");
3068         }
3069
3070         smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
3071                                                   smbd_server_conn,
3072                                                   smbd_server_fd(),
3073                                                   EVENT_FD_READ,
3074                                                   smbd_server_connection_handler,
3075                                                   smbd_server_conn);
3076         if (!smbd_server_conn->smb1.fde) {
3077                 exit_server("failed to create smbd_server_connection fde");
3078         }
3079
3080         TALLOC_FREE(frame);
3081
3082         while (True) {
3083                 NTSTATUS status;
3084
3085                 frame = talloc_stackframe_pool(8192);
3086
3087                 errno = 0;
3088
3089                 status = smbd_server_connection_loop_once(smbd_server_conn);
3090                 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
3091                     !NT_STATUS_IS_OK(status)) {
3092                         DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
3093                                   " exiting\n", nt_errstr(status)));
3094                         break;
3095                 }
3096
3097                 TALLOC_FREE(frame);
3098         }
3099
3100         exit_server_cleanly(NULL);
3101 }
3102
3103 bool req_is_in_chain(struct smb_request *req)
3104 {
3105         if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
3106                 /*
3107                  * We're right now handling a subsequent request, so we must
3108                  * be in a chain
3109                  */
3110                 return true;
3111         }
3112
3113         if (!is_andx_req(req->cmd)) {
3114                 return false;
3115         }
3116
3117         if (req->wct < 2) {
3118                 /*
3119                  * Okay, an illegal request, but definitely not chained :-)
3120                  */
3121                 return false;
3122         }
3123
3124         return (CVAL(req->vwv+0, 0) != 0xFF);
3125 }