Kill off another ugly wart from the side of the passdb subsystem.
[samba.git] / source3 / rpc_server / srv_pipe_hnd.c
1 /* 
2  *  Unix SMB/Netbios implementation.
3  *  Version 1.9.
4  *  RPC Pipe client / server routines
5  *  Copyright (C) Andrew Tridgell              1992-1998,
6  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7  *  Copyright (C) Jeremy Allison                                    1999.
8  *  
9  *  This program is free software; you can redistribute it and/or modify
10  *  it under the terms of the GNU General Public License as published by
11  *  the Free Software Foundation; either version 2 of the License, or
12  *  (at your option) any later version.
13  *  
14  *  This program is distributed in the hope that it will be useful,
15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *  GNU General Public License for more details.
18  *  
19  *  You should have received a copy of the GNU General Public License
20  *  along with this program; if not, write to the Free Software
21  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22  */
23
24 #include "includes.h"
25
26 #define PIPE            "\\PIPE\\"
27 #define PIPELEN         strlen(PIPE)
28
29 static smb_np_struct *chain_p;
30 static int pipes_open;
31
32 #ifndef MAX_OPEN_PIPES
33 #define MAX_OPEN_PIPES 2048
34 #endif
35
36 static smb_np_struct *Pipes;
37 static pipes_struct *InternalPipes;
38 static struct bitmap *bmap;
39
40 /* TODO
41  * the following prototypes are declared here to avoid
42  * code being moved about too much for a patch to be
43  * disrupted / less obvious.
44  *
45  * these functions, and associated functions that they
46  * call, should be moved behind a .so module-loading
47  * system _anyway_.  so that's the next step...
48  */
49
50 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
51                 BOOL *is_data_outstanding);
52 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n);
53 static BOOL close_internal_rpc_pipe_hnd(void *np_conn);
54 static void *make_internal_rpc_pipe_p(char *pipe_name, 
55                               connection_struct *conn, uint16 vuid);
56
57 /****************************************************************************
58  Pipe iterator functions.
59 ****************************************************************************/
60
61 smb_np_struct *get_first_pipe(void)
62 {
63         return Pipes;
64 }
65
66 smb_np_struct *get_next_pipe(smb_np_struct *p)
67 {
68         return p->next;
69 }
70
71 /****************************************************************************
72  Internal Pipe iterator functions.
73 ****************************************************************************/
74
75 pipes_struct *get_first_internal_pipe(void)
76 {
77         return InternalPipes;
78 }
79
80 pipes_struct *get_next_internal_pipe(pipes_struct *p)
81 {
82         return p->next;
83 }
84
85 /* this must be larger than the sum of the open files and directories */
86 static int pipe_handle_offset;
87
88 /****************************************************************************
89  Set the pipe_handle_offset. Called from smbd/files.c
90 ****************************************************************************/
91
92 void set_pipe_handle_offset(int max_open_files)
93 {
94   if(max_open_files < 0x7000)
95     pipe_handle_offset = 0x7000;
96   else
97     pipe_handle_offset = max_open_files + 10; /* For safety. :-) */
98 }
99
100 /****************************************************************************
101  Reset pipe chain handle number.
102 ****************************************************************************/
103 void reset_chain_p(void)
104 {
105         chain_p = NULL;
106 }
107
108 /****************************************************************************
109  Initialise pipe handle states.
110 ****************************************************************************/
111
112 void init_rpc_pipe_hnd(void)
113 {
114         bmap = bitmap_allocate(MAX_OPEN_PIPES);
115         if (!bmap)
116                 exit_server("out of memory in init_rpc_pipe_hnd");
117 }
118
119 /****************************************************************************
120  Initialise an outgoing packet.
121 ****************************************************************************/
122
123 static BOOL pipe_init_outgoing_data(pipes_struct *p)
124 {
125         output_data *o_data = &p->out_data;
126
127         /* Reset the offset counters. */
128         o_data->data_sent_length = 0;
129         o_data->current_pdu_len = 0;
130         o_data->current_pdu_sent = 0;
131
132         memset(o_data->current_pdu, '\0', sizeof(o_data->current_pdu));
133
134         /* Free any memory in the current return data buffer. */
135         prs_mem_free(&o_data->rdata);
136
137         /*
138          * Initialize the outgoing RPC data buffer.
139          * we will use this as the raw data area for replying to rpc requests.
140          */     
141         if(!prs_init(&o_data->rdata, MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
142                 DEBUG(0,("pipe_init_outgoing_data: malloc fail.\n"));
143                 return False;
144         }
145
146         return True;
147 }
148
149 /****************************************************************************
150  Find first available pipe slot.
151 ****************************************************************************/
152
153 smb_np_struct *open_rpc_pipe_p(char *pipe_name, 
154                               connection_struct *conn, uint16 vuid)
155 {
156         int i;
157         smb_np_struct *p, *p_it;
158         static int next_pipe;
159
160         DEBUG(4,("Open pipe requested %s (pipes_open=%d)\n",
161                  pipe_name, pipes_open));
162
163         
164         /* not repeating pipe numbers makes it easier to track things in 
165            log files and prevents client bugs where pipe numbers are reused
166            over connection restarts */
167         if (next_pipe == 0)
168                 next_pipe = (sys_getpid() ^ time(NULL)) % MAX_OPEN_PIPES;
169
170         i = bitmap_find(bmap, next_pipe);
171
172         if (i == -1) {
173                 DEBUG(0,("ERROR! Out of pipe structures\n"));
174                 return NULL;
175         }
176
177         next_pipe = (i+1) % MAX_OPEN_PIPES;
178
179         for (p = Pipes; p; p = p->next)
180                 DEBUG(5,("open_rpc_pipe_p: name %s pnum=%x\n", p->name, p->pnum));  
181
182         p = (smb_np_struct *)malloc(sizeof(*p));
183
184         if (!p)
185         {
186                 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
187                 return NULL;
188         }
189
190         ZERO_STRUCTP(p);
191
192         /* add a dso mechanism instead of this, here */
193
194         p->namedpipe_create = make_internal_rpc_pipe_p;
195         p->namedpipe_read = read_from_internal_pipe;
196         p->namedpipe_write = write_to_internal_pipe;
197         p->namedpipe_close = close_internal_rpc_pipe_hnd;
198
199         p->np_state = p->namedpipe_create(pipe_name, conn, vuid);
200
201         if (p->np_state == NULL) {
202
203                 DEBUG(0,("open_rpc_pipe_p: make_internal_rpc_pipe_p failed.\n"));
204                 SAFE_FREE(p);
205                 return NULL;
206         }
207
208
209         DLIST_ADD(Pipes, p);
210
211         /*
212          * Initialize the incoming RPC data buffer with one PDU worth of memory.
213          * We cheat here and say we're marshalling, as we intend to add incoming
214          * data directly into the prs_struct and we want it to auto grow. We will
215          * change the type to UNMARSALLING before processing the stream.
216          */
217
218         bitmap_set(bmap, i);
219         i += pipe_handle_offset;
220
221         pipes_open++;
222
223         p->pnum = i;
224
225         p->open = True;
226         p->device_state = 0;
227         p->priority = 0;
228         p->conn = conn;
229         p->vuid  = vuid;
230
231         p->max_trans_reply = 0;
232         
233         fstrcpy(p->name, pipe_name);
234         
235         DEBUG(4,("Opened pipe %s with handle %x (pipes_open=%d)\n",
236                  pipe_name, i, pipes_open));
237         
238         chain_p = p;
239         
240         /* Iterate over p_it as a temp variable, to display all open pipes */ 
241         for (p_it = Pipes; p_it; p_it = p_it->next)
242                 DEBUG(5,("open pipes: name %s pnum=%x\n", p_it->name, p_it->pnum));  
243
244         return chain_p;
245 }
246
247 /****************************************************************************
248  * make an internal namedpipes structure
249 ****************************************************************************/
250
251 static void *make_internal_rpc_pipe_p(char *pipe_name, 
252                               connection_struct *conn, uint16 vuid)
253 {
254         pipes_struct *p;
255         user_struct *vuser = get_valid_user_struct(vuid);
256
257         DEBUG(4,("Create pipe requested %s\n", pipe_name));
258
259         if (!vuser && vuid != UID_FIELD_INVALID) {
260                 DEBUG(0,("ERROR! vuid %d did not map to a valid vuser struct!\n", vuid));
261                 return NULL;
262         }
263
264         p = (pipes_struct *)malloc(sizeof(*p));
265
266         if (!p)
267         {
268                 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
269                 return NULL;
270         }
271
272         ZERO_STRUCTP(p);
273
274         if ((p->mem_ctx = talloc_init()) == NULL) {
275                 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
276                 SAFE_FREE(p);
277                 return NULL;
278         }
279
280         if (!init_pipe_handle_list(p, pipe_name)) {
281                 DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));
282                 talloc_destroy(p->mem_ctx);
283                 SAFE_FREE(p);
284                 return NULL;
285         }
286
287         /*
288          * Initialize the incoming RPC data buffer with one PDU worth of memory.
289          * We cheat here and say we're marshalling, as we intend to add incoming
290          * data directly into the prs_struct and we want it to auto grow. We will
291          * change the type to UNMARSALLING before processing the stream.
292          */
293
294         if(!prs_init(&p->in_data.data, MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
295                 DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n"));
296                 return NULL;
297         }
298
299         DLIST_ADD(InternalPipes, p);
300
301         p->conn = conn;
302         p->vuid  = vuid;
303
304         p->ntlmssp_chal_flags = 0;
305         p->ntlmssp_auth_validated = False;
306         p->ntlmssp_auth_requested = False;
307
308         p->pipe_bound = False;
309         p->fault_state = False;
310         p->endian = RPC_LITTLE_ENDIAN;
311
312         ZERO_STRUCT(p->pipe_user);
313
314         p->pipe_user.uid = (uid_t)-1;
315         p->pipe_user.gid = (gid_t)-1;
316         
317         /* Store the session key */
318         if (vuser) {
319                 memcpy(p->session_key, vuser->session_key, sizeof(p->session_key));
320         }
321
322         /*
323          * Initialize the incoming RPC struct.
324          */
325
326         p->in_data.pdu_needed_len = 0;
327         p->in_data.pdu_received_len = 0;
328
329         /*
330          * Initialize the outgoing RPC struct.
331          */
332
333         p->out_data.current_pdu_len = 0;
334         p->out_data.current_pdu_sent = 0;
335         p->out_data.data_sent_length = 0;
336
337         /*
338          * Initialize the outgoing RPC data buffer with no memory.
339          */     
340         prs_init(&p->out_data.rdata, 0, p->mem_ctx, MARSHALL);
341         
342         fstrcpy(p->name, pipe_name);
343         
344         DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
345                  pipe_name, pipes_open));
346
347         return (void*)p;
348 }
349
350 /****************************************************************************
351  Sets the fault state on incoming packets.
352 ****************************************************************************/
353
354 static void set_incoming_fault(pipes_struct *p)
355 {
356         prs_mem_free(&p->in_data.data);
357         p->in_data.pdu_needed_len = 0;
358         p->in_data.pdu_received_len = 0;
359         p->fault_state = True;
360         DEBUG(10,("set_incoming_fault: Setting fault state on pipe %s : vuid = 0x%x\n",
361                 p->name, p->vuid ));
362 }
363
364 /****************************************************************************
365  Ensures we have at least RPC_HEADER_LEN amount of data in the incoming buffer.
366 ****************************************************************************/
367
368 static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy)
369 {
370         size_t len_needed_to_complete_hdr = MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu_received_len);
371
372         DEBUG(10,("fill_rpc_header: data_to_copy = %u, len_needed_to_complete_hdr = %u, receive_len = %u\n",
373                         (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr,
374                         (unsigned int)p->in_data.pdu_received_len ));
375
376         memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr);
377         p->in_data.pdu_received_len += len_needed_to_complete_hdr;
378
379         return (ssize_t)len_needed_to_complete_hdr;
380 }
381
382 /****************************************************************************
383  Unmarshalls a new PDU header. Assumes the raw header data is in current_in_pdu.
384 ****************************************************************************/
385
386 static ssize_t unmarshall_rpc_header(pipes_struct *p)
387 {
388         /*
389          * Unmarshall the header to determine the needed length.
390          */
391
392         prs_struct rpc_in;
393
394         if(p->in_data.pdu_received_len != RPC_HEADER_LEN) {
395                 DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n"));
396                 set_incoming_fault(p);
397                 return -1;
398         }
399
400         prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
401         prs_set_endian_data( &rpc_in, p->endian);
402
403         prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0],
404                                         p->in_data.pdu_received_len, False);
405
406         /*
407          * Unmarshall the header as this will tell us how much
408          * data we need to read to get the complete pdu.
409          * This also sets the endian flag in rpc_in.
410          */
411
412         if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
413                 DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n"));
414                 set_incoming_fault(p);
415                 prs_mem_free(&rpc_in);
416                 return -1;
417         }
418
419         /*
420          * Validate the RPC header.
421          */
422
423         if(p->hdr.major != 5 && p->hdr.minor != 0) {
424                 DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n"));
425                 set_incoming_fault(p);
426                 prs_mem_free(&rpc_in);
427                 return -1;
428         }
429
430         /*
431          * If there's not data in the incoming buffer this should be the start of a new RPC.
432          */
433
434         if(prs_offset(&p->in_data.data) == 0) {
435
436                 /*
437                  * AS/U doesn't set FIRST flag in a BIND packet it seems.
438                  */
439
440                 if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) {
441                         /*
442                          * Ensure that the FIRST flag is set. If not then we have
443                          * a stream missmatch.
444                          */
445
446                         DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n"));
447                         set_incoming_fault(p);
448                         prs_mem_free(&rpc_in);
449                         return -1;
450                 }
451
452                 /*
453                  * If this is the first PDU then set the endianness
454                  * flag in the pipe. We will need this when parsing all
455                  * data in this RPC.
456                  */
457
458                 p->endian = rpc_in.bigendian_data;
459
460                 DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n",
461                                 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" ));
462
463         } else {
464
465                 /*
466                  * If this is *NOT* the first PDU then check the endianness
467                  * flag in the pipe is the same as that in the PDU.
468                  */
469
470                 if (p->endian != rpc_in.bigendian_data) {
471                         DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian));
472                         set_incoming_fault(p);
473                         prs_mem_free(&rpc_in);
474                         return -1;
475                 }
476         }
477
478         /*
479          * Ensure that the pdu length is sane.
480          */
481
482         if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > MAX_PDU_FRAG_LEN)) {
483                 DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n"));
484                 set_incoming_fault(p);
485                 prs_mem_free(&rpc_in);
486                 return -1;
487         }
488
489         DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type,
490                         (unsigned int)p->hdr.flags ));
491
492         /*
493          * Adjust for the header we just ate.
494          */
495         p->in_data.pdu_received_len = 0;
496         p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN;
497
498         /*
499          * Null the data we just ate.
500          */
501
502         memset((char *)&p->in_data.current_in_pdu[0], '\0', RPC_HEADER_LEN);
503
504         prs_mem_free(&rpc_in);
505
506         return 0; /* No extra data processed. */
507 }
508
509 /****************************************************************************
510  Call this to free any talloc'ed memory. Do this before and after processing
511  a complete PDU.
512 ****************************************************************************/
513
514 void free_pipe_context(pipes_struct *p)
515 {
516         if (p->mem_ctx) {
517                 DEBUG(3,("free_pipe_context: destroying talloc pool of size %u\n", talloc_pool_size(p->mem_ctx) ));
518                 talloc_destroy_pool(p->mem_ctx);
519         } else {
520                 p->mem_ctx = talloc_init();
521                 if (p->mem_ctx == NULL)
522                         p->fault_state = True;
523         }
524 }
525
526 /****************************************************************************
527  Processes a request pdu. This will do auth processing if needed, and
528  appends the data into the complete stream if the LAST flag is not set.
529 ****************************************************************************/
530
531 static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
532 {
533         BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
534         size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
535                                 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
536
537         if(!p->pipe_bound) {
538                 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
539                 set_incoming_fault(p);
540                 return False;
541         }
542
543         /*
544          * Check if we need to do authentication processing.
545          * This is only done on requests, not binds.
546          */
547
548         /*
549          * Read the RPC request header.
550          */
551
552         if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
553                 DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
554                 set_incoming_fault(p);
555                 return False;
556         }
557
558         if(p->ntlmssp_auth_validated && !api_pipe_auth_process(p, rpc_in_p)) {
559                 DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
560                 set_incoming_fault(p);
561                 return False;
562         }
563
564         if (p->ntlmssp_auth_requested && !p->ntlmssp_auth_validated) {
565
566                 /*
567                  * Authentication _was_ requested and it already failed.
568                  */
569
570                 DEBUG(0,("process_request_pdu: RPC request received on pipe %s where \
571 authentication failed. Denying the request.\n", p->name));
572                 set_incoming_fault(p);
573         return False;
574     }
575
576         /*
577          * Check the data length doesn't go over the 10Mb limit.
578          */
579         
580         if(prs_data_size(&p->in_data.data) + data_len > 10*1024*1024) {
581                 DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
582                                 (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
583                 set_incoming_fault(p);
584                 return False;
585         }
586
587         /*
588          * Append the data portion into the buffer and return.
589          */
590
591         {
592                 char *data_from = prs_data_p(rpc_in_p) + prs_offset(rpc_in_p);
593
594                 if(!prs_append_data(&p->in_data.data, data_from, data_len)) {
595                         DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
596                                         (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
597                         set_incoming_fault(p);
598                         return False;
599                 }
600
601         }
602
603         if(p->hdr.flags & RPC_FLG_LAST) {
604                 BOOL ret = False;
605                 /*
606                  * Ok - we finally have a complete RPC stream.
607                  * Call the rpc command to process it.
608                  */
609
610                 /*
611                  * Ensure the internal prs buffer size is *exactly* the same
612                  * size as the current offset.
613                  */
614
615                 if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data)))
616                 {
617                         DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
618                         set_incoming_fault(p);
619                         return False;
620                 }
621
622                 /*
623                  * Set the parse offset to the start of the data and set the
624                  * prs_struct to UNMARSHALL.
625                  */
626
627                 prs_set_offset(&p->in_data.data, 0);
628                 prs_switch_type(&p->in_data.data, UNMARSHALL);
629
630                 /*
631                  * Process the complete data stream here.
632                  */
633
634                 free_pipe_context(p);
635
636                 if(pipe_init_outgoing_data(p))
637                         ret = api_pipe_request(p);
638
639                 free_pipe_context(p);
640
641                 /*
642                  * We have consumed the whole data stream. Set back to
643                  * marshalling and set the offset back to the start of
644                  * the buffer to re-use it (we could also do a prs_mem_free()
645                  * and then re_init on the next start of PDU. Not sure which
646                  * is best here.... JRA.
647                  */
648
649                 prs_switch_type(&p->in_data.data, MARSHALL);
650                 prs_set_offset(&p->in_data.data, 0);
651                 return ret;
652         }
653
654         return True;
655 }
656
657 /****************************************************************************
658  Processes a finished PDU stored in current_in_pdu. The RPC_HEADER has
659  already been parsed and stored in p->hdr.
660 ****************************************************************************/
661
662 static ssize_t process_complete_pdu(pipes_struct *p)
663 {
664         prs_struct rpc_in;
665         size_t data_len = p->in_data.pdu_received_len;
666         char *data_p = (char *)&p->in_data.current_in_pdu[0];
667         BOOL reply = False;
668
669         if(p->fault_state) {
670                 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
671                         p->name ));
672                 set_incoming_fault(p);
673                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
674                 return (ssize_t)data_len;
675         }
676
677         prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
678
679         /*
680          * Ensure we're using the corrent endianness for both the 
681          * RPC header flags and the raw data we will be reading from.
682          */
683
684         prs_set_endian_data( &rpc_in, p->endian);
685         prs_set_endian_data( &p->in_data.data, p->endian);
686
687         prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);
688
689         DEBUG(10,("process_complete_pdu: processing packet type %u\n",
690                         (unsigned int)p->hdr.pkt_type ));
691
692         switch (p->hdr.pkt_type) {
693                 case RPC_BIND:
694                 case RPC_ALTCONT:
695                         /*
696                          * We assume that a pipe bind is only in one pdu.
697                          */
698                         if(pipe_init_outgoing_data(p))
699                                 reply = api_pipe_bind_req(p, &rpc_in);
700                         break;
701                 case RPC_BINDRESP:
702                         /*
703                          * We assume that a pipe bind_resp is only in one pdu.
704                          */
705                         if(pipe_init_outgoing_data(p))
706                                 reply = api_pipe_bind_auth_resp(p, &rpc_in);
707                         break;
708                 case RPC_REQUEST:
709                         reply = process_request_pdu(p, &rpc_in);
710                         break;
711                 default:
712                         DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
713                         break;
714         }
715
716         /* Reset to little endian. Probably don't need this but it won't hurt. */
717         prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);
718
719         if (!reply) {
720                 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name));
721                 set_incoming_fault(p);
722                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
723                 prs_mem_free(&rpc_in);
724         } else {
725                 /*
726                  * Reset the lengths. We're ready for a new pdu.
727                  */
728                 p->in_data.pdu_needed_len = 0;
729                 p->in_data.pdu_received_len = 0;
730         }
731
732         prs_mem_free(&rpc_in);
733         return (ssize_t)data_len;
734 }
735
736 /****************************************************************************
737  Accepts incoming data on an rpc pipe. Processes the data in pdu sized units.
738 ****************************************************************************/
739
740 static ssize_t process_incoming_data(pipes_struct *p, char *data, size_t n)
741 {
742         size_t data_to_copy = MIN(n, MAX_PDU_FRAG_LEN - p->in_data.pdu_received_len);
743
744         DEBUG(10,("process_incoming_data: Start: pdu_received_len = %u, pdu_needed_len = %u, incoming data = %u\n",
745                 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len,
746                 (unsigned int)n ));
747
748         if(data_to_copy == 0) {
749                 /*
750                  * This is an error - data is being received and there is no
751                  * space in the PDU. Free the received data and go into the fault state.
752                  */
753                 DEBUG(0,("process_incoming_data: No space in incoming pdu buffer. Current size = %u \
754 incoming data size = %u\n", (unsigned int)p->in_data.pdu_received_len, (unsigned int)n ));
755                 set_incoming_fault(p);
756                 return -1;
757         }
758
759         /*
760          * If we have no data already, wait until we get at least a RPC_HEADER_LEN
761          * number of bytes before we can do anything.
762          */
763
764         if((p->in_data.pdu_needed_len == 0) && (p->in_data.pdu_received_len < RPC_HEADER_LEN)) {
765                 /*
766                  * Always return here. If we have more data then the RPC_HEADER
767                  * will be processed the next time around the loop.
768                  */
769                 return fill_rpc_header(p, data, data_to_copy);
770         }
771
772         /*
773          * At this point we know we have at least an RPC_HEADER_LEN amount of data
774          * stored in current_in_pdu.
775          */
776
777         /*
778          * If pdu_needed_len is zero this is a new pdu. 
779          * Unmarshall the header so we know how much more
780          * data we need, then loop again.
781          */
782
783         if(p->in_data.pdu_needed_len == 0)
784                 return unmarshall_rpc_header(p);
785
786         /*
787          * Ok - at this point we have a valid RPC_HEADER in p->hdr.
788          * Keep reading until we have a full pdu.
789          */
790
791         data_to_copy = MIN(data_to_copy, p->in_data.pdu_needed_len);
792
793         /*
794          * Copy as much of the data as we need into the current_in_pdu buffer.
795          */
796
797         memcpy( (char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, data_to_copy);
798         p->in_data.pdu_received_len += data_to_copy;
799
800         /*
801          * Do we have a complete PDU ?
802          */
803
804         if(p->in_data.pdu_received_len == p->in_data.pdu_needed_len)
805                 return process_complete_pdu(p);
806
807         DEBUG(10,("process_incoming_data: not a complete PDU yet. pdu_received_len = %u, pdu_needed_len = %u\n",
808                 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len ));
809
810         return (ssize_t)data_to_copy;
811
812 }
813
814 /****************************************************************************
815  Accepts incoming data on an rpc pipe.
816 ****************************************************************************/
817
818 ssize_t write_to_pipe(smb_np_struct *p, char *data, size_t n)
819 {
820         DEBUG(6,("write_to_pipe: %x", p->pnum));
821
822         DEBUG(6,(" name: %s open: %s len: %d\n",
823                  p->name, BOOLSTR(p->open), (int)n));
824
825         dump_data(50, data, n);
826
827         return p->namedpipe_write(p->np_state, data, n);
828 }
829
830 /****************************************************************************
831  Accepts incoming data on an internal rpc pipe.
832 ****************************************************************************/
833
834 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n)
835 {
836         pipes_struct *p = (pipes_struct*)np_conn;
837         size_t data_left = n;
838
839         while(data_left) {
840                 ssize_t data_used;
841
842                 DEBUG(10,("write_to_pipe: data_left = %u\n", (unsigned int)data_left ));
843
844                 data_used = process_incoming_data(p, data, data_left);
845
846                 DEBUG(10,("write_to_pipe: data_used = %d\n", (int)data_used ));
847
848                 if(data_used < 0)
849                         return -1;
850
851                 data_left -= data_used;
852                 data += data_used;
853         }       
854
855         return n;
856 }
857
858 /****************************************************************************
859  Replies to a request to read data from a pipe.
860
861  Headers are interspersed with the data at PDU intervals. By the time
862  this function is called, the start of the data could possibly have been
863  read by an SMBtrans (file_offset != 0).
864
865  Calling create_rpc_reply() here is a hack. The data should already
866  have been prepared into arrays of headers + data stream sections.
867 ****************************************************************************/
868
869 ssize_t read_from_pipe(smb_np_struct *p, char *data, size_t n,
870                 BOOL *is_data_outstanding)
871 {
872         if (!p || !p->open) {
873                 DEBUG(0,("read_from_pipe: pipe not open\n"));
874                 return -1;              
875         }
876
877         DEBUG(6,("read_from_pipe: %x", p->pnum));
878
879         return p->namedpipe_read(p->np_state, data, n, is_data_outstanding);
880 }
881
882 /****************************************************************************
883  Replies to a request to read data from a pipe.
884
885  Headers are interspersed with the data at PDU intervals. By the time
886  this function is called, the start of the data could possibly have been
887  read by an SMBtrans (file_offset != 0).
888
889  Calling create_rpc_reply() here is a hack. The data should already
890  have been prepared into arrays of headers + data stream sections.
891 ****************************************************************************/
892
893 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
894                 BOOL *is_data_outstanding)
895 {
896         pipes_struct *p = (pipes_struct*)np_conn;
897         uint32 pdu_remaining = 0;
898         ssize_t data_returned = 0;
899
900         if (!p) {
901                 DEBUG(0,("read_from_pipe: pipe not open\n"));
902                 return -1;              
903         }
904
905         DEBUG(6,(" name: %s len: %u\n", p->name, (unsigned int)n));
906
907         /*
908          * We cannot return more than one PDU length per
909          * read request.
910          */
911
912         /*
913          * This condition should result in the connection being closed.  
914          * Netapp filers seem to set it to 0xffff which results in domain
915          * authentications failing.  Just ignore it so things work.
916          */
917
918         if(n > MAX_PDU_FRAG_LEN) {
919                 DEBUG(5,("read_from_pipe: too large read (%u) requested on \
920 pipe %s. We can only service %d sized reads.\n", (unsigned int)n, p->name, MAX_PDU_FRAG_LEN ));
921         }
922
923         /*
924          * Determine if there is still data to send in the
925          * pipe PDU buffer. Always send this first. Never
926          * send more than is left in the current PDU. The
927          * client should send a new read request for a new
928          * PDU.
929          */
930
931         if((pdu_remaining = p->out_data.current_pdu_len - p->out_data.current_pdu_sent) > 0) {
932                 data_returned = (ssize_t)MIN(n, pdu_remaining);
933
934                 DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, current_pdu_sent = %u \
935 returning %d bytes.\n", p->name, (unsigned int)p->out_data.current_pdu_len, 
936                         (unsigned int)p->out_data.current_pdu_sent, (int)data_returned));
937
938                 memcpy( data, &p->out_data.current_pdu[p->out_data.current_pdu_sent], (size_t)data_returned);
939                 p->out_data.current_pdu_sent += (uint32)data_returned;
940                 goto out;
941         }
942
943         /*
944          * At this point p->current_pdu_len == p->current_pdu_sent (which
945          * may of course be zero if this is the first return fragment.
946          */
947
948         DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length \
949 = %u, prs_offset(&p->out_data.rdata) = %u.\n",
950                 p->name, (int)p->fault_state, (unsigned int)p->out_data.data_sent_length, (unsigned int)prs_offset(&p->out_data.rdata) ));
951
952         if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
953                 /*
954                  * We have sent all possible data, return 0.
955                  */
956                 data_returned = 0;
957                 goto out;
958         }
959
960         /*
961          * We need to create a new PDU from the data left in p->rdata.
962          * Create the header/data/footers. This also sets up the fields
963          * p->current_pdu_len, p->current_pdu_sent, p->data_sent_length
964          * and stores the outgoing PDU in p->current_pdu.
965          */
966
967         if(!create_next_pdu(p)) {
968                 DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n", p->name));
969                 return -1;
970         }
971
972         data_returned = MIN(n, p->out_data.current_pdu_len);
973
974         memcpy( data, p->out_data.current_pdu, (size_t)data_returned);
975         p->out_data.current_pdu_sent += (uint32)data_returned;
976
977   out:
978
979         (*is_data_outstanding) = p->out_data.current_pdu_len > n;
980         return data_returned;
981 }
982
983 /****************************************************************************
984  Wait device state on a pipe. Exactly what this is for is unknown...
985 ****************************************************************************/
986
987 BOOL wait_rpc_pipe_hnd_state(smb_np_struct *p, uint16 priority)
988 {
989         if (p == NULL)
990                 return False;
991
992         if (p->open) {
993                 DEBUG(3,("wait_rpc_pipe_hnd_state: Setting pipe wait state priority=%x on pipe (name=%s)\n",
994                          priority, p->name));
995
996                 p->priority = priority;
997                 
998                 return True;
999         } 
1000
1001         DEBUG(3,("wait_rpc_pipe_hnd_state: Error setting pipe wait state priority=%x (name=%s)\n",
1002                  priority, p->name));
1003         return False;
1004 }
1005
1006
1007 /****************************************************************************
1008  Set device state on a pipe. Exactly what this is for is unknown...
1009 ****************************************************************************/
1010
1011 BOOL set_rpc_pipe_hnd_state(smb_np_struct *p, uint16 device_state)
1012 {
1013         if (p == NULL)
1014                 return False;
1015
1016         if (p->open) {
1017                 DEBUG(3,("set_rpc_pipe_hnd_state: Setting pipe device state=%x on pipe (name=%s)\n",
1018                          device_state, p->name));
1019
1020                 p->device_state = device_state;
1021                 
1022                 return True;
1023         } 
1024
1025         DEBUG(3,("set_rpc_pipe_hnd_state: Error setting pipe device state=%x (name=%s)\n",
1026                  device_state, p->name));
1027         return False;
1028 }
1029
1030
1031 /****************************************************************************
1032  Close an rpc pipe.
1033 ****************************************************************************/
1034
1035 BOOL close_rpc_pipe_hnd(smb_np_struct *p)
1036 {
1037         if (!p) {
1038                 DEBUG(0,("Invalid pipe in close_rpc_pipe_hnd\n"));
1039                 return False;
1040         }
1041
1042         p->namedpipe_close(p->np_state);
1043
1044         bitmap_clear(bmap, p->pnum - pipe_handle_offset);
1045
1046         pipes_open--;
1047
1048         DEBUG(4,("closed pipe name %s pnum=%x (pipes_open=%d)\n", 
1049                  p->name, p->pnum, pipes_open));  
1050
1051         DLIST_REMOVE(Pipes, p);
1052
1053         ZERO_STRUCTP(p);
1054
1055         SAFE_FREE(p);
1056         
1057         return True;
1058 }
1059
1060 /****************************************************************************
1061  Close an rpc pipe.
1062 ****************************************************************************/
1063
1064 static BOOL close_internal_rpc_pipe_hnd(void *np_conn)
1065 {
1066         pipes_struct *p = (pipes_struct *)np_conn;
1067         if (!p) {
1068                 DEBUG(0,("Invalid pipe in close_internal_rpc_pipe_hnd\n"));
1069                 return False;
1070         }
1071
1072         prs_mem_free(&p->out_data.rdata);
1073         prs_mem_free(&p->in_data.data);
1074
1075         if (p->mem_ctx)
1076                 talloc_destroy(p->mem_ctx);
1077
1078         /* Free the handles database. */
1079         close_policy_by_pipe(p);
1080
1081         delete_nt_token(&p->pipe_user.nt_user_token);
1082         SAFE_FREE(p->pipe_user.groups);
1083
1084         DLIST_REMOVE(InternalPipes, p);
1085
1086         ZERO_STRUCTP(p);
1087
1088         SAFE_FREE(p);
1089         
1090         return True;
1091 }
1092
1093 /****************************************************************************
1094  Find an rpc pipe given a pipe handle in a buffer and an offset.
1095 ****************************************************************************/
1096
1097 smb_np_struct *get_rpc_pipe_p(char *buf, int where)
1098 {
1099         int pnum = SVAL(buf,where);
1100
1101         if (chain_p)
1102                 return chain_p;
1103
1104         return get_rpc_pipe(pnum);
1105 }
1106
1107 /****************************************************************************
1108  Find an rpc pipe given a pipe handle.
1109 ****************************************************************************/
1110
1111 smb_np_struct *get_rpc_pipe(int pnum)
1112 {
1113         smb_np_struct *p;
1114
1115         DEBUG(4,("search for pipe pnum=%x\n", pnum));
1116
1117         for (p=Pipes;p;p=p->next)
1118                 DEBUG(5,("pipe name %s pnum=%x (pipes_open=%d)\n", 
1119                           p->name, p->pnum, pipes_open));  
1120
1121         for (p=Pipes;p;p=p->next) {
1122                 if (p->pnum == pnum) {
1123                         chain_p = p;
1124                         return p;
1125                 }
1126         }
1127
1128         return NULL;
1129 }