2 * Unix SMB/CIFS implementation.
3 * RPC Pipe client / server routines
4 * Copyright (C) Andrew Tridgell 1992-1998,
5 * Largely re-written : 2005
6 * Copyright (C) Jeremy Allison 1998 - 2005
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License as published by
10 * the Free Software Foundation; either version 2 of the License, or
11 * (at your option) any later version.
13 * This program is distributed in the hope that it will be useful,
14 * but WITHOUT ANY WARRANTY; without even the implied warranty of
15 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16 * GNU General Public License for more details.
18 * You should have received a copy of the GNU General Public License
19 * along with this program; if not, write to the Free Software
20 * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
26 #define DBGC_CLASS DBGC_RPC_SRV
28 #define PIPE "\\PIPE\\"
29 #define PIPELEN strlen(PIPE)
31 static smb_np_struct *chain_p;
32 static int pipes_open;
35 * Sometimes I can't decide if I hate Windows printer driver
36 * writers more than I hate the Windows spooler service driver
37 * writers. This gets around a combination of bugs in the spooler
38 * and the HP 8500 PCL driver that causes a spooler spin. JRA.
40 * bumped up from 20 -> 64 after viewing traffic from WordPerfect
41 * 2002 running on NT 4.- SP6
42 * bumped up from 64 -> 256 after viewing traffic from con2prt
43 * for lots of printers on a WinNT 4.x SP6 box.
46 #ifndef MAX_OPEN_SPOOLSS_PIPES
47 #define MAX_OPEN_SPOOLSS_PIPES 256
49 static int current_spoolss_pipes_open;
51 static smb_np_struct *Pipes;
52 static pipes_struct *InternalPipes;
53 static struct bitmap *bmap;
56 * the following prototypes are declared here to avoid
57 * code being moved about too much for a patch to be
58 * disrupted / less obvious.
60 * these functions, and associated functions that they
61 * call, should be moved behind a .so module-loading
62 * system _anyway_. so that's the next step...
65 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
66 BOOL *is_data_outstanding);
67 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n);
68 static BOOL close_internal_rpc_pipe_hnd(void *np_conn);
69 static void *make_internal_rpc_pipe_p(char *pipe_name,
70 connection_struct *conn, uint16 vuid);
72 /****************************************************************************
73 Pipe iterator functions.
74 ****************************************************************************/
76 smb_np_struct *get_first_pipe(void)
81 smb_np_struct *get_next_pipe(smb_np_struct *p)
86 /****************************************************************************
87 Internal Pipe iterator functions.
88 ****************************************************************************/
90 pipes_struct *get_first_internal_pipe(void)
95 pipes_struct *get_next_internal_pipe(pipes_struct *p)
100 /* this must be larger than the sum of the open files and directories */
101 static int pipe_handle_offset;
103 /****************************************************************************
104 Set the pipe_handle_offset. Called from smbd/files.c
105 ****************************************************************************/
107 void set_pipe_handle_offset(int max_open_files)
109 if(max_open_files < 0x7000) {
110 pipe_handle_offset = 0x7000;
112 pipe_handle_offset = max_open_files + 10; /* For safety. :-) */
116 /****************************************************************************
117 Reset pipe chain handle number.
118 ****************************************************************************/
120 void reset_chain_p(void)
125 /****************************************************************************
126 Initialise pipe handle states.
127 ****************************************************************************/
129 void init_rpc_pipe_hnd(void)
131 bmap = bitmap_allocate(MAX_OPEN_PIPES);
133 exit_server("out of memory in init_rpc_pipe_hnd");
137 /****************************************************************************
138 Initialise an outgoing packet.
139 ****************************************************************************/
141 static BOOL pipe_init_outgoing_data(pipes_struct *p)
143 output_data *o_data = &p->out_data;
145 /* Reset the offset counters. */
146 o_data->data_sent_length = 0;
147 o_data->current_pdu_len = 0;
148 o_data->current_pdu_sent = 0;
150 memset(o_data->current_pdu, '\0', sizeof(o_data->current_pdu));
152 /* Free any memory in the current return data buffer. */
153 prs_mem_free(&o_data->rdata);
156 * Initialize the outgoing RPC data buffer.
157 * we will use this as the raw data area for replying to rpc requests.
159 if(!prs_init(&o_data->rdata, RPC_MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
160 DEBUG(0,("pipe_init_outgoing_data: malloc fail.\n"));
167 /****************************************************************************
168 Find first available pipe slot.
169 ****************************************************************************/
171 smb_np_struct *open_rpc_pipe_p(char *pipe_name,
172 connection_struct *conn, uint16 vuid)
175 smb_np_struct *p, *p_it;
176 static int next_pipe;
177 BOOL is_spoolss_pipe = False;
179 DEBUG(4,("Open pipe requested %s (pipes_open=%d)\n",
180 pipe_name, pipes_open));
182 if (strstr(pipe_name, "spoolss")) {
183 is_spoolss_pipe = True;
186 if (is_spoolss_pipe && current_spoolss_pipes_open >= MAX_OPEN_SPOOLSS_PIPES) {
187 DEBUG(10,("open_rpc_pipe_p: spooler bug workaround. Denying open on pipe %s\n",
192 /* not repeating pipe numbers makes it easier to track things in
193 log files and prevents client bugs where pipe numbers are reused
194 over connection restarts */
196 if (next_pipe == 0) {
197 next_pipe = (sys_getpid() ^ time(NULL)) % MAX_OPEN_PIPES;
200 i = bitmap_find(bmap, next_pipe);
203 DEBUG(0,("ERROR! Out of pipe structures\n"));
207 next_pipe = (i+1) % MAX_OPEN_PIPES;
209 for (p = Pipes; p; p = p->next) {
210 DEBUG(5,("open_rpc_pipe_p: name %s pnum=%x\n", p->name, p->pnum));
213 p = SMB_MALLOC_P(smb_np_struct);
215 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
221 /* add a dso mechanism instead of this, here */
223 p->namedpipe_create = make_internal_rpc_pipe_p;
224 p->namedpipe_read = read_from_internal_pipe;
225 p->namedpipe_write = write_to_internal_pipe;
226 p->namedpipe_close = close_internal_rpc_pipe_hnd;
228 p->np_state = p->namedpipe_create(pipe_name, conn, vuid);
230 if (p->np_state == NULL) {
231 DEBUG(0,("open_rpc_pipe_p: make_internal_rpc_pipe_p failed.\n"));
239 * Initialize the incoming RPC data buffer with one PDU worth of memory.
240 * We cheat here and say we're marshalling, as we intend to add incoming
241 * data directly into the prs_struct and we want it to auto grow. We will
242 * change the type to UNMARSALLING before processing the stream.
246 i += pipe_handle_offset;
258 p->max_trans_reply = 0;
260 fstrcpy(p->name, pipe_name);
262 DEBUG(4,("Opened pipe %s with handle %x (pipes_open=%d)\n",
263 pipe_name, i, pipes_open));
267 /* Iterate over p_it as a temp variable, to display all open pipes */
268 for (p_it = Pipes; p_it; p_it = p_it->next) {
269 DEBUG(5,("open pipes: name %s pnum=%x\n", p_it->name, p_it->pnum));
275 /****************************************************************************
276 Make an internal namedpipes structure
277 ****************************************************************************/
279 static void *make_internal_rpc_pipe_p(char *pipe_name,
280 connection_struct *conn, uint16 vuid)
283 user_struct *vuser = get_valid_user_struct(vuid);
285 DEBUG(4,("Create pipe requested %s\n", pipe_name));
287 if (!vuser && vuid != UID_FIELD_INVALID) {
288 DEBUG(0,("ERROR! vuid %d did not map to a valid vuser struct!\n", vuid));
292 p = SMB_MALLOC_P(pipes_struct);
295 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
301 if ((p->mem_ctx = talloc_init("pipe %s %p", pipe_name, p)) == NULL) {
302 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
307 if ((p->pipe_state_mem_ctx = talloc_init("pipe_state %s %p", pipe_name, p)) == NULL) {
308 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
309 talloc_destroy(p->mem_ctx);
314 if (!init_pipe_handle_list(p, pipe_name)) {
315 DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));
316 talloc_destroy(p->mem_ctx);
317 talloc_destroy(p->pipe_state_mem_ctx);
323 * Initialize the incoming RPC data buffer with one PDU worth of memory.
324 * We cheat here and say we're marshalling, as we intend to add incoming
325 * data directly into the prs_struct and we want it to auto grow. We will
326 * change the type to UNMARSALLING before processing the stream.
329 if(!prs_init(&p->in_data.data, RPC_MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
330 DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n"));
331 talloc_destroy(p->mem_ctx);
332 talloc_destroy(p->pipe_state_mem_ctx);
333 close_policy_by_pipe(p);
338 DLIST_ADD(InternalPipes, p);
344 p->endian = RPC_LITTLE_ENDIAN;
346 ZERO_STRUCT(p->pipe_user);
348 p->pipe_user.ut.uid = (uid_t)-1;
349 p->pipe_user.ut.gid = (gid_t)-1;
351 /* Store the session key and NT_TOKEN */
353 p->session_key = data_blob(vuser->session_key.data, vuser->session_key.length);
354 p->pipe_user.nt_user_token = dup_nt_token(
355 NULL, vuser->nt_user_token);
359 * Initialize the outgoing RPC data buffer with no memory.
361 prs_init(&p->out_data.rdata, 0, p->mem_ctx, MARSHALL);
363 fstrcpy(p->name, pipe_name);
365 DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
366 pipe_name, pipes_open));
371 /****************************************************************************
372 Sets the fault state on incoming packets.
373 ****************************************************************************/
375 static void set_incoming_fault(pipes_struct *p)
377 prs_mem_free(&p->in_data.data);
378 p->in_data.pdu_needed_len = 0;
379 p->in_data.pdu_received_len = 0;
380 p->fault_state = True;
381 DEBUG(10,("set_incoming_fault: Setting fault state on pipe %s : vuid = 0x%x\n",
385 /****************************************************************************
386 Ensures we have at least RPC_HEADER_LEN amount of data in the incoming buffer.
387 ****************************************************************************/
389 static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy)
391 size_t len_needed_to_complete_hdr = MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu_received_len);
393 DEBUG(10,("fill_rpc_header: data_to_copy = %u, len_needed_to_complete_hdr = %u, receive_len = %u\n",
394 (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr,
395 (unsigned int)p->in_data.pdu_received_len ));
397 memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr);
398 p->in_data.pdu_received_len += len_needed_to_complete_hdr;
400 return (ssize_t)len_needed_to_complete_hdr;
403 /****************************************************************************
404 Unmarshalls a new PDU header. Assumes the raw header data is in current_in_pdu.
405 ****************************************************************************/
407 static ssize_t unmarshall_rpc_header(pipes_struct *p)
410 * Unmarshall the header to determine the needed length.
415 if(p->in_data.pdu_received_len != RPC_HEADER_LEN) {
416 DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n"));
417 set_incoming_fault(p);
421 prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
422 prs_set_endian_data( &rpc_in, p->endian);
424 prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0],
425 p->in_data.pdu_received_len, False);
428 * Unmarshall the header as this will tell us how much
429 * data we need to read to get the complete pdu.
430 * This also sets the endian flag in rpc_in.
433 if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
434 DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n"));
435 set_incoming_fault(p);
436 prs_mem_free(&rpc_in);
441 * Validate the RPC header.
444 if(p->hdr.major != 5 && p->hdr.minor != 0) {
445 DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n"));
446 set_incoming_fault(p);
447 prs_mem_free(&rpc_in);
452 * If there's not data in the incoming buffer this should be the start of a new RPC.
455 if(prs_offset(&p->in_data.data) == 0) {
458 * AS/U doesn't set FIRST flag in a BIND packet it seems.
461 if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) {
463 * Ensure that the FIRST flag is set. If not then we have
464 * a stream missmatch.
467 DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n"));
468 set_incoming_fault(p);
469 prs_mem_free(&rpc_in);
474 * If this is the first PDU then set the endianness
475 * flag in the pipe. We will need this when parsing all
479 p->endian = rpc_in.bigendian_data;
481 DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n",
482 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" ));
487 * If this is *NOT* the first PDU then check the endianness
488 * flag in the pipe is the same as that in the PDU.
491 if (p->endian != rpc_in.bigendian_data) {
492 DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian));
493 set_incoming_fault(p);
494 prs_mem_free(&rpc_in);
500 * Ensure that the pdu length is sane.
503 if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > RPC_MAX_PDU_FRAG_LEN)) {
504 DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n"));
505 set_incoming_fault(p);
506 prs_mem_free(&rpc_in);
510 DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type,
511 (unsigned int)p->hdr.flags ));
513 p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN;
515 prs_mem_free(&rpc_in);
517 return 0; /* No extra data processed. */
520 /****************************************************************************
521 Call this to free any talloc'ed memory. Do this before and after processing
523 ****************************************************************************/
525 static void free_pipe_context(pipes_struct *p)
528 DEBUG(3,("free_pipe_context: destroying talloc pool of size "
529 "%lu\n", (unsigned long)talloc_total_size(p->mem_ctx) ));
530 talloc_free_children(p->mem_ctx);
532 p->mem_ctx = talloc_init("pipe %s %p", p->name, p);
533 if (p->mem_ctx == NULL) {
534 p->fault_state = True;
539 /****************************************************************************
540 Processes a request pdu. This will do auth processing if needed, and
541 appends the data into the complete stream if the LAST flag is not set.
542 ****************************************************************************/
544 static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
546 uint32 ss_padding_len = 0;
547 size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
548 (p->hdr.auth_len ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
551 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
552 set_incoming_fault(p);
557 * Check if we need to do authentication processing.
558 * This is only done on requests, not binds.
562 * Read the RPC request header.
565 if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
566 DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
567 set_incoming_fault(p);
571 switch(p->auth.auth_type) {
572 case PIPE_AUTH_TYPE_NONE:
575 case PIPE_AUTH_TYPE_SPNEGO_NTLMSSP:
576 case PIPE_AUTH_TYPE_NTLMSSP:
579 if(!api_pipe_ntlmssp_auth_process(p, rpc_in_p, &ss_padding_len, &status)) {
580 DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
581 DEBUG(0,("process_request_pdu: error was %s.\n", nt_errstr(status) ));
582 set_incoming_fault(p);
588 case PIPE_AUTH_TYPE_SCHANNEL:
589 if (!api_pipe_schannel_process(p, rpc_in_p, &ss_padding_len)) {
590 DEBUG(3,("process_request_pdu: failed to do schannel processing.\n"));
591 set_incoming_fault(p);
597 DEBUG(0,("process_request_pdu: unknown auth type %u set.\n", (unsigned int)p->auth.auth_type ));
598 set_incoming_fault(p);
602 /* Now we've done the sign/seal we can remove any padding data. */
603 if (data_len > ss_padding_len) {
604 data_len -= ss_padding_len;
608 * Check the data length doesn't go over the 15Mb limit.
609 * increased after observing a bug in the Windows NT 4.0 SP6a
610 * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
611 * will not fit in the initial buffer of size 0x1068 --jerry 22/01/2002
614 if(prs_offset(&p->in_data.data) + data_len > 15*1024*1024) {
615 DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
616 (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
617 set_incoming_fault(p);
622 * Append the data portion into the buffer and return.
625 if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) {
626 DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
627 (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
628 set_incoming_fault(p);
632 if(p->hdr.flags & RPC_FLG_LAST) {
635 * Ok - we finally have a complete RPC stream.
636 * Call the rpc command to process it.
640 * Ensure the internal prs buffer size is *exactly* the same
641 * size as the current offset.
644 if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data))) {
645 DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
646 set_incoming_fault(p);
651 * Set the parse offset to the start of the data and set the
652 * prs_struct to UNMARSHALL.
655 prs_set_offset(&p->in_data.data, 0);
656 prs_switch_type(&p->in_data.data, UNMARSHALL);
659 * Process the complete data stream here.
662 free_pipe_context(p);
664 if(pipe_init_outgoing_data(p)) {
665 ret = api_pipe_request(p);
668 free_pipe_context(p);
671 * We have consumed the whole data stream. Set back to
672 * marshalling and set the offset back to the start of
673 * the buffer to re-use it (we could also do a prs_mem_free()
674 * and then re_init on the next start of PDU. Not sure which
675 * is best here.... JRA.
678 prs_switch_type(&p->in_data.data, MARSHALL);
679 prs_set_offset(&p->in_data.data, 0);
686 /****************************************************************************
687 Processes a finished PDU stored in current_in_pdu. The RPC_HEADER has
688 already been parsed and stored in p->hdr.
689 ****************************************************************************/
691 static void process_complete_pdu(pipes_struct *p)
694 size_t data_len = p->in_data.pdu_received_len - RPC_HEADER_LEN;
695 char *data_p = (char *)&p->in_data.current_in_pdu[RPC_HEADER_LEN];
699 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
701 set_incoming_fault(p);
702 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
706 prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
709 * Ensure we're using the corrent endianness for both the
710 * RPC header flags and the raw data we will be reading from.
713 prs_set_endian_data( &rpc_in, p->endian);
714 prs_set_endian_data( &p->in_data.data, p->endian);
716 prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);
718 DEBUG(10,("process_complete_pdu: processing packet type %u\n",
719 (unsigned int)p->hdr.pkt_type ));
721 switch (p->hdr.pkt_type) {
723 reply = process_request_pdu(p, &rpc_in);
726 case RPC_PING: /* CL request - ignore... */
727 DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n",
728 (unsigned int)p->hdr.pkt_type, p->name));
731 case RPC_RESPONSE: /* No responses here. */
732 DEBUG(0,("process_complete_pdu: Error. RPC_RESPONSE received from client on pipe %s.\n",
737 case RPC_WORKING: /* CL request - reply to a ping when a call in process. */
738 case RPC_NOCALL: /* CL - server reply to a ping call. */
744 DEBUG(0,("process_complete_pdu: Error. Connectionless packet type %u received on pipe %s.\n",
745 (unsigned int)p->hdr.pkt_type, p->name));
750 * We assume that a pipe bind is only in one pdu.
752 if(pipe_init_outgoing_data(p)) {
753 reply = api_pipe_bind_req(p, &rpc_in);
759 DEBUG(0,("process_complete_pdu: Error. RPC_BINDACK/RPC_BINDNACK packet type %u received on pipe %s.\n",
760 (unsigned int)p->hdr.pkt_type, p->name));
766 * We assume that a pipe bind is only in one pdu.
768 if(pipe_init_outgoing_data(p)) {
769 reply = api_pipe_alter_context(p, &rpc_in);
773 case RPC_ALTCONTRESP:
774 DEBUG(0,("process_complete_pdu: Error. RPC_ALTCONTRESP on pipe %s: Should only be server -> client.\n",
780 * The third packet in an NTLMSSP auth exchange.
782 if(pipe_init_outgoing_data(p)) {
783 reply = api_pipe_bind_auth3(p, &rpc_in);
788 DEBUG(0,("process_complete_pdu: Error. RPC_SHUTDOWN on pipe %s: Should only be server -> client.\n",
793 /* For now just free all client data and continue processing. */
794 DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n"));
795 /* As we never do asynchronous RPC serving, we can never cancel a
796 call (as far as I know). If we ever did we'd have to send a cancel_ack
797 reply. For now, just free all client data and continue processing. */
801 /* Enable this if we're doing async rpc. */
802 /* We must check the call-id matches the outstanding callid. */
803 if(pipe_init_outgoing_data(p)) {
804 /* Send a cancel_ack PDU reply. */
805 /* We should probably check the auth-verifier here. */
806 reply = setup_cancel_ack_reply(p, &rpc_in);
812 /* We should probably check the auth-verifier here.
813 For now just free all client data and continue processing. */
814 DEBUG(3,("process_complete_pdu: RPC_ORPHANED. Abandoning rpc call.\n"));
819 DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
823 /* Reset to little endian. Probably don't need this but it won't hurt. */
824 prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);
827 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name));
828 set_incoming_fault(p);
829 setup_fault_pdu(p, NT_STATUS(DCERPC_FAULT_OP_RNG_ERROR));
830 prs_mem_free(&rpc_in);
833 * Reset the lengths. We're ready for a new pdu.
835 p->in_data.pdu_needed_len = 0;
836 p->in_data.pdu_received_len = 0;
839 prs_mem_free(&rpc_in);
842 /****************************************************************************
843 Accepts incoming data on an rpc pipe. Processes the data in pdu sized units.
844 ****************************************************************************/
846 static ssize_t process_incoming_data(pipes_struct *p, char *data, size_t n)
848 size_t data_to_copy = MIN(n, RPC_MAX_PDU_FRAG_LEN - p->in_data.pdu_received_len);
850 DEBUG(10,("process_incoming_data: Start: pdu_received_len = %u, pdu_needed_len = %u, incoming data = %u\n",
851 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len,
854 if(data_to_copy == 0) {
856 * This is an error - data is being received and there is no
857 * space in the PDU. Free the received data and go into the fault state.
859 DEBUG(0,("process_incoming_data: No space in incoming pdu buffer. Current size = %u \
860 incoming data size = %u\n", (unsigned int)p->in_data.pdu_received_len, (unsigned int)n ));
861 set_incoming_fault(p);
866 * If we have no data already, wait until we get at least a RPC_HEADER_LEN
867 * number of bytes before we can do anything.
870 if((p->in_data.pdu_needed_len == 0) && (p->in_data.pdu_received_len < RPC_HEADER_LEN)) {
872 * Always return here. If we have more data then the RPC_HEADER
873 * will be processed the next time around the loop.
875 return fill_rpc_header(p, data, data_to_copy);
879 * At this point we know we have at least an RPC_HEADER_LEN amount of data
880 * stored in current_in_pdu.
884 * If pdu_needed_len is zero this is a new pdu.
885 * Unmarshall the header so we know how much more
886 * data we need, then loop again.
889 if(p->in_data.pdu_needed_len == 0) {
890 ssize_t rret = unmarshall_rpc_header(p);
891 if (rret == -1 || p->in_data.pdu_needed_len > 0) {
894 /* If rret == 0 and pdu_needed_len == 0 here we have a PDU that consists
895 of an RPC_HEADER only. This is a RPC_SHUTDOWN, RPC_CO_CANCEL or RPC_ORPHANED
896 pdu type. Deal with this in process_complete_pdu(). */
900 * Ok - at this point we have a valid RPC_HEADER in p->hdr.
901 * Keep reading until we have a full pdu.
904 data_to_copy = MIN(data_to_copy, p->in_data.pdu_needed_len);
907 * Copy as much of the data as we need into the current_in_pdu buffer.
908 * pdu_needed_len becomes zero when we have a complete pdu.
911 memcpy( (char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, data_to_copy);
912 p->in_data.pdu_received_len += data_to_copy;
913 p->in_data.pdu_needed_len -= data_to_copy;
916 * Do we have a complete PDU ?
917 * (return the number of bytes handled in the call)
920 if(p->in_data.pdu_needed_len == 0) {
921 process_complete_pdu(p);
925 DEBUG(10,("process_incoming_data: not a complete PDU yet. pdu_received_len = %u, pdu_needed_len = %u\n",
926 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len ));
928 return (ssize_t)data_to_copy;
931 /****************************************************************************
932 Accepts incoming data on an rpc pipe.
933 ****************************************************************************/
935 ssize_t write_to_pipe(smb_np_struct *p, char *data, size_t n)
937 DEBUG(6,("write_to_pipe: %x", p->pnum));
939 DEBUG(6,(" name: %s open: %s len: %d\n",
940 p->name, BOOLSTR(p->open), (int)n));
942 dump_data(50, data, n);
944 return p->namedpipe_write(p->np_state, data, n);
947 /****************************************************************************
948 Accepts incoming data on an internal rpc pipe.
949 ****************************************************************************/
951 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n)
953 pipes_struct *p = (pipes_struct*)np_conn;
954 size_t data_left = n;
959 DEBUG(10,("write_to_pipe: data_left = %u\n", (unsigned int)data_left ));
961 data_used = process_incoming_data(p, data, data_left);
963 DEBUG(10,("write_to_pipe: data_used = %d\n", (int)data_used ));
969 data_left -= data_used;
976 /****************************************************************************
977 Replies to a request to read data from a pipe.
979 Headers are interspersed with the data at PDU intervals. By the time
980 this function is called, the start of the data could possibly have been
981 read by an SMBtrans (file_offset != 0).
983 Calling create_rpc_reply() here is a hack. The data should already
984 have been prepared into arrays of headers + data stream sections.
985 ****************************************************************************/
987 ssize_t read_from_pipe(smb_np_struct *p, char *data, size_t n,
988 BOOL *is_data_outstanding)
990 if (!p || !p->open) {
991 DEBUG(0,("read_from_pipe: pipe not open\n"));
995 DEBUG(6,("read_from_pipe: %x", p->pnum));
997 return p->namedpipe_read(p->np_state, data, n, is_data_outstanding);
1000 /****************************************************************************
1001 Replies to a request to read data from a pipe.
1003 Headers are interspersed with the data at PDU intervals. By the time
1004 this function is called, the start of the data could possibly have been
1005 read by an SMBtrans (file_offset != 0).
1007 Calling create_rpc_reply() here is a hack. The data should already
1008 have been prepared into arrays of headers + data stream sections.
1009 ****************************************************************************/
1011 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
1012 BOOL *is_data_outstanding)
1014 pipes_struct *p = (pipes_struct*)np_conn;
1015 uint32 pdu_remaining = 0;
1016 ssize_t data_returned = 0;
1019 DEBUG(0,("read_from_pipe: pipe not open\n"));
1023 DEBUG(6,(" name: %s len: %u\n", p->name, (unsigned int)n));
1026 * We cannot return more than one PDU length per
1031 * This condition should result in the connection being closed.
1032 * Netapp filers seem to set it to 0xffff which results in domain
1033 * authentications failing. Just ignore it so things work.
1036 if(n > RPC_MAX_PDU_FRAG_LEN) {
1037 DEBUG(5,("read_from_pipe: too large read (%u) requested on \
1038 pipe %s. We can only service %d sized reads.\n", (unsigned int)n, p->name, RPC_MAX_PDU_FRAG_LEN ));
1042 * Determine if there is still data to send in the
1043 * pipe PDU buffer. Always send this first. Never
1044 * send more than is left in the current PDU. The
1045 * client should send a new read request for a new
1049 if((pdu_remaining = p->out_data.current_pdu_len - p->out_data.current_pdu_sent) > 0) {
1050 data_returned = (ssize_t)MIN(n, pdu_remaining);
1052 DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, current_pdu_sent = %u \
1053 returning %d bytes.\n", p->name, (unsigned int)p->out_data.current_pdu_len,
1054 (unsigned int)p->out_data.current_pdu_sent, (int)data_returned));
1056 memcpy( data, &p->out_data.current_pdu[p->out_data.current_pdu_sent], (size_t)data_returned);
1057 p->out_data.current_pdu_sent += (uint32)data_returned;
1062 * At this point p->current_pdu_len == p->current_pdu_sent (which
1063 * may of course be zero if this is the first return fragment.
1066 DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length \
1067 = %u, prs_offset(&p->out_data.rdata) = %u.\n",
1068 p->name, (int)p->fault_state, (unsigned int)p->out_data.data_sent_length, (unsigned int)prs_offset(&p->out_data.rdata) ));
1070 if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
1072 * We have sent all possible data, return 0.
1079 * We need to create a new PDU from the data left in p->rdata.
1080 * Create the header/data/footers. This also sets up the fields
1081 * p->current_pdu_len, p->current_pdu_sent, p->data_sent_length
1082 * and stores the outgoing PDU in p->current_pdu.
1085 if(!create_next_pdu(p)) {
1086 DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n", p->name));
1090 data_returned = MIN(n, p->out_data.current_pdu_len);
1092 memcpy( data, p->out_data.current_pdu, (size_t)data_returned);
1093 p->out_data.current_pdu_sent += (uint32)data_returned;
1097 (*is_data_outstanding) = p->out_data.current_pdu_len > n;
1098 return data_returned;
1101 /****************************************************************************
1102 Wait device state on a pipe. Exactly what this is for is unknown...
1103 ****************************************************************************/
1105 BOOL wait_rpc_pipe_hnd_state(smb_np_struct *p, uint16 priority)
1112 DEBUG(3,("wait_rpc_pipe_hnd_state: Setting pipe wait state priority=%x on pipe (name=%s)\n",
1113 priority, p->name));
1115 p->priority = priority;
1120 DEBUG(3,("wait_rpc_pipe_hnd_state: Error setting pipe wait state priority=%x (name=%s)\n",
1121 priority, p->name));
1126 /****************************************************************************
1127 Set device state on a pipe. Exactly what this is for is unknown...
1128 ****************************************************************************/
1130 BOOL set_rpc_pipe_hnd_state(smb_np_struct *p, uint16 device_state)
1137 DEBUG(3,("set_rpc_pipe_hnd_state: Setting pipe device state=%x on pipe (name=%s)\n",
1138 device_state, p->name));
1140 p->device_state = device_state;
1145 DEBUG(3,("set_rpc_pipe_hnd_state: Error setting pipe device state=%x (name=%s)\n",
1146 device_state, p->name));
1151 /****************************************************************************
1153 ****************************************************************************/
1155 BOOL close_rpc_pipe_hnd(smb_np_struct *p)
1158 DEBUG(0,("Invalid pipe in close_rpc_pipe_hnd\n"));
1162 p->namedpipe_close(p->np_state);
1164 bitmap_clear(bmap, p->pnum - pipe_handle_offset);
1168 DEBUG(4,("closed pipe name %s pnum=%x (pipes_open=%d)\n",
1169 p->name, p->pnum, pipes_open));
1171 DLIST_REMOVE(Pipes, p);
1180 /****************************************************************************
1181 Close all pipes on a connection.
1182 ****************************************************************************/
1184 void pipe_close_conn(connection_struct *conn)
1186 smb_np_struct *p, *next;
1188 for (p=Pipes;p;p=next) {
1190 if (p->conn == conn) {
1191 close_rpc_pipe_hnd(p);
1196 /****************************************************************************
1198 ****************************************************************************/
1200 static BOOL close_internal_rpc_pipe_hnd(void *np_conn)
1202 pipes_struct *p = (pipes_struct *)np_conn;
1204 DEBUG(0,("Invalid pipe in close_internal_rpc_pipe_hnd\n"));
1208 prs_mem_free(&p->out_data.rdata);
1209 prs_mem_free(&p->in_data.data);
1211 if (p->auth.auth_data_free_func) {
1212 (*p->auth.auth_data_free_func)(&p->auth);
1216 talloc_destroy(p->mem_ctx);
1219 if (p->pipe_state_mem_ctx) {
1220 talloc_destroy(p->pipe_state_mem_ctx);
1223 free_pipe_rpc_context( p->contexts );
1225 /* Free the handles database. */
1226 close_policy_by_pipe(p);
1228 TALLOC_FREE(p->pipe_user.nt_user_token);
1229 data_blob_free(&p->session_key);
1230 SAFE_FREE(p->pipe_user.ut.groups);
1232 DLIST_REMOVE(InternalPipes, p);
1241 /****************************************************************************
1242 Find an rpc pipe given a pipe handle in a buffer and an offset.
1243 ****************************************************************************/
1245 smb_np_struct *get_rpc_pipe_p(char *buf, int where)
1247 int pnum = SVAL(buf,where);
1253 return get_rpc_pipe(pnum);
1256 /****************************************************************************
1257 Find an rpc pipe given a pipe handle.
1258 ****************************************************************************/
1260 smb_np_struct *get_rpc_pipe(int pnum)
1264 DEBUG(4,("search for pipe pnum=%x\n", pnum));
1266 for (p=Pipes;p;p=p->next) {
1267 DEBUG(5,("pipe name %s pnum=%x (pipes_open=%d)\n",
1268 p->name, p->pnum, pipes_open));
1271 for (p=Pipes;p;p=p->next) {
1272 if (p->pnum == pnum) {
git.samba.org / samba.git / blob