merge from appliance_head
[samba.git] / source3 / rpc_server / srv_pipe_hnd.c
1 /* 
2  *  Unix SMB/Netbios implementation.
3  *  Version 1.9.
4  *  RPC Pipe client / server routines
5  *  Copyright (C) Andrew Tridgell              1992-1998,
6  *  Copyright (C) Luke Kenneth Casson Leighton 1996-1998,
7  *  Copyright (C) Jeremy Allison                                    1999.
8  *  
9  *  This program is free software; you can redistribute it and/or modify
10  *  it under the terms of the GNU General Public License as published by
11  *  the Free Software Foundation; either version 2 of the License, or
12  *  (at your option) any later version.
13  *  
14  *  This program is distributed in the hope that it will be useful,
15  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
16  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17  *  GNU General Public License for more details.
18  *  
19  *  You should have received a copy of the GNU General Public License
20  *  along with this program; if not, write to the Free Software
21  *  Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
22  */
23
24 #include "includes.h"
25
26 #define PIPE            "\\PIPE\\"
27 #define PIPELEN         strlen(PIPE)
28
29 static smb_np_struct *chain_p;
30 static int pipes_open;
31
32 #ifndef MAX_OPEN_PIPES
33 #define MAX_OPEN_PIPES 2048
34 #endif
35
36 static smb_np_struct *Pipes;
37 static pipes_struct *InternalPipes;
38 static struct bitmap *bmap;
39
40 /* TODO
41  * the following prototypes are declared here to avoid
42  * code being moved about too much for a patch to be
43  * disrupted / less obvious.
44  *
45  * these functions, and associated functions that they
46  * call, should be moved behind a .so module-loading
47  * system _anyway_.  so that's the next step...
48  */
49
50 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
51                 BOOL *is_data_outstanding);
52 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n);
53 static BOOL close_internal_rpc_pipe_hnd(void *np_conn);
54 static void *make_internal_rpc_pipe_p(char *pipe_name, 
55                               connection_struct *conn, uint16 vuid);
56
57 /****************************************************************************
58  Pipe iterator functions.
59 ****************************************************************************/
60
61 smb_np_struct *get_first_pipe(void)
62 {
63         return Pipes;
64 }
65
66 smb_np_struct *get_next_pipe(smb_np_struct *p)
67 {
68         return p->next;
69 }
70
71 /****************************************************************************
72  Internal Pipe iterator functions.
73 ****************************************************************************/
74
75 pipes_struct *get_first_internal_pipe(void)
76 {
77         return InternalPipes;
78 }
79
80 pipes_struct *get_next_internal_pipe(pipes_struct *p)
81 {
82         return p->next;
83 }
84
85 /* this must be larger than the sum of the open files and directories */
86 static int pipe_handle_offset;
87
88 /****************************************************************************
89  Set the pipe_handle_offset. Called from smbd/files.c
90 ****************************************************************************/
91
92 void set_pipe_handle_offset(int max_open_files)
93 {
94   if(max_open_files < 0x7000)
95     pipe_handle_offset = 0x7000;
96   else
97     pipe_handle_offset = max_open_files + 10; /* For safety. :-) */
98 }
99
100 /****************************************************************************
101  Reset pipe chain handle number.
102 ****************************************************************************/
103 void reset_chain_p(void)
104 {
105         chain_p = NULL;
106 }
107
108 /****************************************************************************
109  Initialise pipe handle states.
110 ****************************************************************************/
111
112 void init_rpc_pipe_hnd(void)
113 {
114         bmap = bitmap_allocate(MAX_OPEN_PIPES);
115         if (!bmap)
116                 exit_server("out of memory in init_rpc_pipe_hnd");
117 }
118
119 /****************************************************************************
120  Initialise an outgoing packet.
121 ****************************************************************************/
122
123 static BOOL pipe_init_outgoing_data(pipes_struct *p)
124 {
125         output_data *o_data = &p->out_data;
126
127         /* Reset the offset counters. */
128         o_data->data_sent_length = 0;
129         o_data->current_pdu_len = 0;
130         o_data->current_pdu_sent = 0;
131
132         memset(o_data->current_pdu, '\0', sizeof(o_data->current_pdu));
133
134         /* Free any memory in the current return data buffer. */
135         prs_mem_free(&o_data->rdata);
136
137         /*
138          * Initialize the outgoing RPC data buffer.
139          * we will use this as the raw data area for replying to rpc requests.
140          */     
141         if(!prs_init(&o_data->rdata, MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
142                 DEBUG(0,("pipe_init_outgoing_data: malloc fail.\n"));
143                 return False;
144         }
145
146         return True;
147 }
148
149 /****************************************************************************
150  Find first available pipe slot.
151 ****************************************************************************/
152
153 smb_np_struct *open_rpc_pipe_p(char *pipe_name, 
154                               connection_struct *conn, uint16 vuid)
155 {
156         int i;
157         smb_np_struct *p, *p_it;
158         static int next_pipe;
159
160         DEBUG(4,("Open pipe requested %s (pipes_open=%d)\n",
161                  pipe_name, pipes_open));
162
163         
164         /* not repeating pipe numbers makes it easier to track things in 
165            log files and prevents client bugs where pipe numbers are reused
166            over connection restarts */
167         if (next_pipe == 0)
168                 next_pipe = (sys_getpid() ^ time(NULL)) % MAX_OPEN_PIPES;
169
170         i = bitmap_find(bmap, next_pipe);
171
172         if (i == -1) {
173                 DEBUG(0,("ERROR! Out of pipe structures\n"));
174                 return NULL;
175         }
176
177         next_pipe = (i+1) % MAX_OPEN_PIPES;
178
179         for (p = Pipes; p; p = p->next)
180                 DEBUG(5,("open_rpc_pipe_p: name %s pnum=%x\n", p->name, p->pnum));  
181
182         p = (smb_np_struct *)malloc(sizeof(*p));
183
184         if (!p)
185         {
186                 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
187                 return NULL;
188         }
189
190         ZERO_STRUCTP(p);
191
192         /* add a dso mechanism instead of this, here */
193
194         p->namedpipe_create = make_internal_rpc_pipe_p;
195         p->namedpipe_read = read_from_internal_pipe;
196         p->namedpipe_write = write_to_internal_pipe;
197         p->namedpipe_close = close_internal_rpc_pipe_hnd;
198
199         p->np_state = p->namedpipe_create(pipe_name, conn, vuid);
200
201         if (p->np_state == NULL) {
202
203                 DEBUG(0,("open_rpc_pipe_p: make_internal_rpc_pipe_p failed.\n"));
204                 SAFE_FREE(p);
205                 return NULL;
206         }
207
208
209         DLIST_ADD(Pipes, p);
210
211         /*
212          * Initialize the incoming RPC data buffer with one PDU worth of memory.
213          * We cheat here and say we're marshalling, as we intend to add incoming
214          * data directly into the prs_struct and we want it to auto grow. We will
215          * change the type to UNMARSALLING before processing the stream.
216          */
217
218         bitmap_set(bmap, i);
219         i += pipe_handle_offset;
220
221         pipes_open++;
222
223         p->pnum = i;
224
225         p->open = True;
226         p->device_state = 0;
227         p->priority = 0;
228         p->conn = conn;
229         p->vuid  = vuid;
230
231         p->max_trans_reply = 0;
232         
233         fstrcpy(p->name, pipe_name);
234         
235         DEBUG(4,("Opened pipe %s with handle %x (pipes_open=%d)\n",
236                  pipe_name, i, pipes_open));
237         
238         chain_p = p;
239         
240         /* Iterate over p_it as a temp variable, to display all open pipes */ 
241         for (p_it = Pipes; p_it; p_it = p_it->next)
242                 DEBUG(5,("open pipes: name %s pnum=%x\n", p_it->name, p_it->pnum));  
243
244         return chain_p;
245 }
246
247 /****************************************************************************
248  * make an internal namedpipes structure
249 ****************************************************************************/
250
251 static void *make_internal_rpc_pipe_p(char *pipe_name, 
252                               connection_struct *conn, uint16 vuid)
253 {
254         pipes_struct *p;
255         user_struct *vuser = get_valid_user_struct(vuid);
256
257         DEBUG(4,("Create pipe requested %s\n", pipe_name));
258
259         if (!vuser && vuid != UID_FIELD_INVALID) {
260                 DEBUG(0,("ERROR! vuid %d did not map to a valid vuser struct!\n", vuid));
261                 return NULL;
262         }
263
264         p = (pipes_struct *)malloc(sizeof(*p));
265
266         if (!p)
267         {
268                 DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
269                 return NULL;
270         }
271
272         ZERO_STRUCTP(p);
273
274         if ((p->mem_ctx = talloc_init()) == NULL) {
275                 DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
276                 SAFE_FREE(p);
277                 return NULL;
278         }
279
280         if (!init_pipe_handle_list(p, pipe_name)) {
281                 DEBUG(0,("open_rpc_pipe_p: init_pipe_handles failed.\n"));
282                 talloc_destroy(p->mem_ctx);
283                 SAFE_FREE(p);
284                 return NULL;
285         }
286
287         /*
288          * Initialize the incoming RPC data buffer with one PDU worth of memory.
289          * We cheat here and say we're marshalling, as we intend to add incoming
290          * data directly into the prs_struct and we want it to auto grow. We will
291          * change the type to UNMARSALLING before processing the stream.
292          */
293
294         if(!prs_init(&p->in_data.data, MAX_PDU_FRAG_LEN, p->mem_ctx, MARSHALL)) {
295                 DEBUG(0,("open_rpc_pipe_p: malloc fail for in_data struct.\n"));
296                 return NULL;
297         }
298
299         DLIST_ADD(InternalPipes, p);
300
301         p->conn = conn;
302         p->vuid  = vuid;
303
304         p->ntlmssp_chal_flags = 0;
305         p->ntlmssp_auth_validated = False;
306         p->ntlmssp_auth_requested = False;
307
308         p->pipe_bound = False;
309         p->fault_state = False;
310         p->endian = RPC_LITTLE_ENDIAN;
311
312         ZERO_STRUCT(p->pipe_user);
313
314         p->pipe_user.uid = (uid_t)-1;
315         p->pipe_user.gid = (gid_t)-1;
316         
317         /* Store the session key */
318         if (vuser) {
319                 memcpy(p->session_key, vuser->session_key, sizeof(p->session_key));
320         }
321
322         /*
323          * Initialize the incoming RPC struct.
324          */
325
326         p->in_data.pdu_needed_len = 0;
327         p->in_data.pdu_received_len = 0;
328
329         /*
330          * Initialize the outgoing RPC struct.
331          */
332
333         p->out_data.current_pdu_len = 0;
334         p->out_data.current_pdu_sent = 0;
335         p->out_data.data_sent_length = 0;
336
337         /*
338          * Initialize the outgoing RPC data buffer with no memory.
339          */     
340         prs_init(&p->out_data.rdata, 0, p->mem_ctx, MARSHALL);
341         
342         fstrcpy(p->name, pipe_name);
343         
344         DEBUG(4,("Created internal pipe %s (pipes_open=%d)\n",
345                  pipe_name, pipes_open));
346
347         return (void*)p;
348 }
349
350 /****************************************************************************
351  Sets the fault state on incoming packets.
352 ****************************************************************************/
353
354 static void set_incoming_fault(pipes_struct *p)
355 {
356         prs_mem_free(&p->in_data.data);
357         p->in_data.pdu_needed_len = 0;
358         p->in_data.pdu_received_len = 0;
359         p->fault_state = True;
360         DEBUG(10,("set_incoming_fault: Setting fault state on pipe %s : vuid = 0x%x\n",
361                 p->name, p->vuid ));
362 }
363
364 /****************************************************************************
365  Ensures we have at least RPC_HEADER_LEN amount of data in the incoming buffer.
366 ****************************************************************************/
367
368 static ssize_t fill_rpc_header(pipes_struct *p, char *data, size_t data_to_copy)
369 {
370         size_t len_needed_to_complete_hdr = MIN(data_to_copy, RPC_HEADER_LEN - p->in_data.pdu_received_len);
371
372         DEBUG(10,("fill_rpc_header: data_to_copy = %u, len_needed_to_complete_hdr = %u, receive_len = %u\n",
373                         (unsigned int)data_to_copy, (unsigned int)len_needed_to_complete_hdr,
374                         (unsigned int)p->in_data.pdu_received_len ));
375
376         memcpy((char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, len_needed_to_complete_hdr);
377         p->in_data.pdu_received_len += len_needed_to_complete_hdr;
378
379         return (ssize_t)len_needed_to_complete_hdr;
380 }
381
382 /****************************************************************************
383  Unmarshalls a new PDU header. Assumes the raw header data is in current_in_pdu.
384 ****************************************************************************/
385
386 static ssize_t unmarshall_rpc_header(pipes_struct *p)
387 {
388         /*
389          * Unmarshall the header to determine the needed length.
390          */
391
392         prs_struct rpc_in;
393
394         if(p->in_data.pdu_received_len != RPC_HEADER_LEN) {
395                 DEBUG(0,("unmarshall_rpc_header: assert on rpc header length failed.\n"));
396                 set_incoming_fault(p);
397                 return -1;
398         }
399
400         prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
401         prs_set_endian_data( &rpc_in, p->endian);
402
403         prs_give_memory( &rpc_in, (char *)&p->in_data.current_in_pdu[0],
404                                         p->in_data.pdu_received_len, False);
405
406         /*
407          * Unmarshall the header as this will tell us how much
408          * data we need to read to get the complete pdu.
409          * This also sets the endian flag in rpc_in.
410          */
411
412         if(!smb_io_rpc_hdr("", &p->hdr, &rpc_in, 0)) {
413                 DEBUG(0,("unmarshall_rpc_header: failed to unmarshall RPC_HDR.\n"));
414                 set_incoming_fault(p);
415                 prs_mem_free(&rpc_in);
416                 return -1;
417         }
418
419         /*
420          * Validate the RPC header.
421          */
422
423         if(p->hdr.major != 5 && p->hdr.minor != 0) {
424                 DEBUG(0,("unmarshall_rpc_header: invalid major/minor numbers in RPC_HDR.\n"));
425                 set_incoming_fault(p);
426                 prs_mem_free(&rpc_in);
427                 return -1;
428         }
429
430         /*
431          * If there's not data in the incoming buffer this should be the start of a new RPC.
432          */
433
434         if(prs_offset(&p->in_data.data) == 0) {
435
436                 /*
437                  * AS/U doesn't set FIRST flag in a BIND packet it seems.
438                  */
439
440                 if ((p->hdr.pkt_type == RPC_REQUEST) && !(p->hdr.flags & RPC_FLG_FIRST)) {
441                         /*
442                          * Ensure that the FIRST flag is set. If not then we have
443                          * a stream missmatch.
444                          */
445
446                         DEBUG(0,("unmarshall_rpc_header: FIRST flag not set in first PDU !\n"));
447                         set_incoming_fault(p);
448                         prs_mem_free(&rpc_in);
449                         return -1;
450                 }
451
452                 /*
453                  * If this is the first PDU then set the endianness
454                  * flag in the pipe. We will need this when parsing all
455                  * data in this RPC.
456                  */
457
458                 p->endian = rpc_in.bigendian_data;
459
460                 DEBUG(5,("unmarshall_rpc_header: using %sendian RPC\n",
461                                 p->endian == RPC_LITTLE_ENDIAN ? "little-" : "big-" ));
462
463         } else {
464
465                 /*
466                  * If this is *NOT* the first PDU then check the endianness
467                  * flag in the pipe is the same as that in the PDU.
468                  */
469
470                 if (p->endian != rpc_in.bigendian_data) {
471                         DEBUG(0,("unmarshall_rpc_header: FIRST endianness flag (%d) different in next PDU !\n", (int)p->endian));
472                         set_incoming_fault(p);
473                         prs_mem_free(&rpc_in);
474                         return -1;
475                 }
476         }
477
478         /*
479          * Ensure that the pdu length is sane.
480          */
481
482         if((p->hdr.frag_len < RPC_HEADER_LEN) || (p->hdr.frag_len > MAX_PDU_FRAG_LEN)) {
483                 DEBUG(0,("unmarshall_rpc_header: assert on frag length failed.\n"));
484                 set_incoming_fault(p);
485                 prs_mem_free(&rpc_in);
486                 return -1;
487         }
488
489         DEBUG(10,("unmarshall_rpc_header: type = %u, flags = %u\n", (unsigned int)p->hdr.pkt_type,
490                         (unsigned int)p->hdr.flags ));
491
492         /*
493          * Adjust for the header we just ate.
494          */
495         p->in_data.pdu_received_len = 0;
496         p->in_data.pdu_needed_len = (uint32)p->hdr.frag_len - RPC_HEADER_LEN;
497
498         /*
499          * Null the data we just ate.
500          */
501
502         memset((char *)&p->in_data.current_in_pdu[0], '\0', RPC_HEADER_LEN);
503
504         prs_mem_free(&rpc_in);
505
506         return 0; /* No extra data processed. */
507 }
508
509 /****************************************************************************
510  Call this to free any talloc'ed memory. Do this before and after processing
511  a complete PDU.
512 ****************************************************************************/
513
514 void free_pipe_context(pipes_struct *p)
515 {
516         if (p->mem_ctx) {
517                 DEBUG(3,("free_pipe_context: destroying talloc pool of size %u\n", talloc_pool_size(p->mem_ctx) ));
518                 talloc_destroy_pool(p->mem_ctx);
519         } else {
520                 p->mem_ctx = talloc_init();
521                 if (p->mem_ctx == NULL)
522                         p->fault_state = True;
523         }
524 }
525
526 /****************************************************************************
527  Processes a request pdu. This will do auth processing if needed, and
528  appends the data into the complete stream if the LAST flag is not set.
529 ****************************************************************************/
530
531 static BOOL process_request_pdu(pipes_struct *p, prs_struct *rpc_in_p)
532 {
533         BOOL auth_verify = ((p->ntlmssp_chal_flags & NTLMSSP_NEGOTIATE_SIGN) != 0);
534         size_t data_len = p->hdr.frag_len - RPC_HEADER_LEN - RPC_HDR_REQ_LEN -
535                                 (auth_verify ? RPC_HDR_AUTH_LEN : 0) - p->hdr.auth_len;
536
537         if(!p->pipe_bound) {
538                 DEBUG(0,("process_request_pdu: rpc request with no bind.\n"));
539                 set_incoming_fault(p);
540                 return False;
541         }
542
543         /*
544          * Check if we need to do authentication processing.
545          * This is only done on requests, not binds.
546          */
547
548         /*
549          * Read the RPC request header.
550          */
551
552         if(!smb_io_rpc_hdr_req("req", &p->hdr_req, rpc_in_p, 0)) {
553                 DEBUG(0,("process_request_pdu: failed to unmarshall RPC_HDR_REQ.\n"));
554                 set_incoming_fault(p);
555                 return False;
556         }
557
558         if(p->ntlmssp_auth_validated && !api_pipe_auth_process(p, rpc_in_p)) {
559                 DEBUG(0,("process_request_pdu: failed to do auth processing.\n"));
560                 set_incoming_fault(p);
561                 return False;
562         }
563
564         if (p->ntlmssp_auth_requested && !p->ntlmssp_auth_validated) {
565
566                 /*
567                  * Authentication _was_ requested and it already failed.
568                  */
569
570                 DEBUG(0,("process_request_pdu: RPC request received on pipe %s where \
571 authentication failed. Denying the request.\n", p->name));
572                 set_incoming_fault(p);
573         return False;
574     }
575
576         /*
577          * Check the data length doesn't go over the 15Mb limit.
578          * increased after observing a bug in the Windows NT 4.0 SP6a
579          * spoolsv.exe when the response to a GETPRINTERDRIVER2 RPC
580          * will not fit in the initial buffer of size 0x1068   --jerry 22/01/2002
581          */
582         
583         if(prs_data_size(&p->in_data.data) + data_len > 15*1024*1024) {
584                 DEBUG(0,("process_request_pdu: rpc data buffer too large (%u) + (%u)\n",
585                                 (unsigned int)prs_data_size(&p->in_data.data), (unsigned int)data_len ));
586                 set_incoming_fault(p);
587                 return False;
588         }
589
590         /*
591          * Append the data portion into the buffer and return.
592          */
593
594         {
595                 char *data_from = prs_data_p(rpc_in_p) + prs_offset(rpc_in_p);
596
597                 if(!prs_append_data(&p->in_data.data, data_from, data_len)) {
598                         DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
599                                         (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
600                         set_incoming_fault(p);
601                         return False;
602                 }
603
604         }
605
606         if(p->hdr.flags & RPC_FLG_LAST) {
607                 BOOL ret = False;
608                 /*
609                  * Ok - we finally have a complete RPC stream.
610                  * Call the rpc command to process it.
611                  */
612
613                 /*
614                  * Ensure the internal prs buffer size is *exactly* the same
615                  * size as the current offset.
616                  */
617
618                 if(!prs_set_buffer_size(&p->in_data.data, prs_offset(&p->in_data.data)))
619                 {
620                         DEBUG(0,("process_request_pdu: Call to prs_set_buffer_size failed!\n"));
621                         set_incoming_fault(p);
622                         return False;
623                 }
624
625                 /*
626                  * Set the parse offset to the start of the data and set the
627                  * prs_struct to UNMARSHALL.
628                  */
629
630                 prs_set_offset(&p->in_data.data, 0);
631                 prs_switch_type(&p->in_data.data, UNMARSHALL);
632
633                 /*
634                  * Process the complete data stream here.
635                  */
636
637                 free_pipe_context(p);
638
639                 if(pipe_init_outgoing_data(p))
640                         ret = api_pipe_request(p);
641
642                 free_pipe_context(p);
643
644                 /*
645                  * We have consumed the whole data stream. Set back to
646                  * marshalling and set the offset back to the start of
647                  * the buffer to re-use it (we could also do a prs_mem_free()
648                  * and then re_init on the next start of PDU. Not sure which
649                  * is best here.... JRA.
650                  */
651
652                 prs_switch_type(&p->in_data.data, MARSHALL);
653                 prs_set_offset(&p->in_data.data, 0);
654                 return ret;
655         }
656
657         return True;
658 }
659
660 /****************************************************************************
661  Processes a finished PDU stored in current_in_pdu. The RPC_HEADER has
662  already been parsed and stored in p->hdr.
663 ****************************************************************************/
664
665 static ssize_t process_complete_pdu(pipes_struct *p)
666 {
667         prs_struct rpc_in;
668         size_t data_len = p->in_data.pdu_received_len;
669         char *data_p = (char *)&p->in_data.current_in_pdu[0];
670         BOOL reply = False;
671
672         if(p->fault_state) {
673                 DEBUG(10,("process_complete_pdu: pipe %s in fault state.\n",
674                         p->name ));
675                 set_incoming_fault(p);
676                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
677                 return (ssize_t)data_len;
678         }
679
680         prs_init( &rpc_in, 0, p->mem_ctx, UNMARSHALL);
681
682         /*
683          * Ensure we're using the corrent endianness for both the 
684          * RPC header flags and the raw data we will be reading from.
685          */
686
687         prs_set_endian_data( &rpc_in, p->endian);
688         prs_set_endian_data( &p->in_data.data, p->endian);
689
690         prs_give_memory( &rpc_in, data_p, (uint32)data_len, False);
691
692         DEBUG(10,("process_complete_pdu: processing packet type %u\n",
693                         (unsigned int)p->hdr.pkt_type ));
694
695         switch (p->hdr.pkt_type) {
696                 case RPC_BIND:
697                 case RPC_ALTCONT:
698                         /*
699                          * We assume that a pipe bind is only in one pdu.
700                          */
701                         if(pipe_init_outgoing_data(p))
702                                 reply = api_pipe_bind_req(p, &rpc_in);
703                         break;
704                 case RPC_BINDRESP:
705                         /*
706                          * We assume that a pipe bind_resp is only in one pdu.
707                          */
708                         if(pipe_init_outgoing_data(p))
709                                 reply = api_pipe_bind_auth_resp(p, &rpc_in);
710                         break;
711                 case RPC_REQUEST:
712                         reply = process_request_pdu(p, &rpc_in);
713                         break;
714                 default:
715                         DEBUG(0,("process_complete_pdu: Unknown rpc type = %u received.\n", (unsigned int)p->hdr.pkt_type ));
716                         break;
717         }
718
719         /* Reset to little endian. Probably don't need this but it won't hurt. */
720         prs_set_endian_data( &p->in_data.data, RPC_LITTLE_ENDIAN);
721
722         if (!reply) {
723                 DEBUG(3,("process_complete_pdu: DCE/RPC fault sent on pipe %s\n", p->pipe_srv_name));
724                 set_incoming_fault(p);
725                 setup_fault_pdu(p, NT_STATUS(0x1c010002));
726                 prs_mem_free(&rpc_in);
727         } else {
728                 /*
729                  * Reset the lengths. We're ready for a new pdu.
730                  */
731                 p->in_data.pdu_needed_len = 0;
732                 p->in_data.pdu_received_len = 0;
733         }
734
735         prs_mem_free(&rpc_in);
736         return (ssize_t)data_len;
737 }
738
739 /****************************************************************************
740  Accepts incoming data on an rpc pipe. Processes the data in pdu sized units.
741 ****************************************************************************/
742
743 static ssize_t process_incoming_data(pipes_struct *p, char *data, size_t n)
744 {
745         size_t data_to_copy = MIN(n, MAX_PDU_FRAG_LEN - p->in_data.pdu_received_len);
746
747         DEBUG(10,("process_incoming_data: Start: pdu_received_len = %u, pdu_needed_len = %u, incoming data = %u\n",
748                 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len,
749                 (unsigned int)n ));
750
751         if(data_to_copy == 0) {
752                 /*
753                  * This is an error - data is being received and there is no
754                  * space in the PDU. Free the received data and go into the fault state.
755                  */
756                 DEBUG(0,("process_incoming_data: No space in incoming pdu buffer. Current size = %u \
757 incoming data size = %u\n", (unsigned int)p->in_data.pdu_received_len, (unsigned int)n ));
758                 set_incoming_fault(p);
759                 return -1;
760         }
761
762         /*
763          * If we have no data already, wait until we get at least a RPC_HEADER_LEN
764          * number of bytes before we can do anything.
765          */
766
767         if((p->in_data.pdu_needed_len == 0) && (p->in_data.pdu_received_len < RPC_HEADER_LEN)) {
768                 /*
769                  * Always return here. If we have more data then the RPC_HEADER
770                  * will be processed the next time around the loop.
771                  */
772                 return fill_rpc_header(p, data, data_to_copy);
773         }
774
775         /*
776          * At this point we know we have at least an RPC_HEADER_LEN amount of data
777          * stored in current_in_pdu.
778          */
779
780         /*
781          * If pdu_needed_len is zero this is a new pdu. 
782          * Unmarshall the header so we know how much more
783          * data we need, then loop again.
784          */
785
786         if(p->in_data.pdu_needed_len == 0)
787                 return unmarshall_rpc_header(p);
788
789         /*
790          * Ok - at this point we have a valid RPC_HEADER in p->hdr.
791          * Keep reading until we have a full pdu.
792          */
793
794         data_to_copy = MIN(data_to_copy, p->in_data.pdu_needed_len);
795
796         /*
797          * Copy as much of the data as we need into the current_in_pdu buffer.
798          */
799
800         memcpy( (char *)&p->in_data.current_in_pdu[p->in_data.pdu_received_len], data, data_to_copy);
801         p->in_data.pdu_received_len += data_to_copy;
802
803         /*
804          * Do we have a complete PDU ?
805          */
806
807         if(p->in_data.pdu_received_len == p->in_data.pdu_needed_len)
808                 return process_complete_pdu(p);
809
810         DEBUG(10,("process_incoming_data: not a complete PDU yet. pdu_received_len = %u, pdu_needed_len = %u\n",
811                 (unsigned int)p->in_data.pdu_received_len, (unsigned int)p->in_data.pdu_needed_len ));
812
813         return (ssize_t)data_to_copy;
814
815 }
816
817 /****************************************************************************
818  Accepts incoming data on an rpc pipe.
819 ****************************************************************************/
820
821 ssize_t write_to_pipe(smb_np_struct *p, char *data, size_t n)
822 {
823         DEBUG(6,("write_to_pipe: %x", p->pnum));
824
825         DEBUG(6,(" name: %s open: %s len: %d\n",
826                  p->name, BOOLSTR(p->open), (int)n));
827
828         dump_data(50, data, n);
829
830         return p->namedpipe_write(p->np_state, data, n);
831 }
832
833 /****************************************************************************
834  Accepts incoming data on an internal rpc pipe.
835 ****************************************************************************/
836
837 static ssize_t write_to_internal_pipe(void *np_conn, char *data, size_t n)
838 {
839         pipes_struct *p = (pipes_struct*)np_conn;
840         size_t data_left = n;
841
842         while(data_left) {
843                 ssize_t data_used;
844
845                 DEBUG(10,("write_to_pipe: data_left = %u\n", (unsigned int)data_left ));
846
847                 data_used = process_incoming_data(p, data, data_left);
848
849                 DEBUG(10,("write_to_pipe: data_used = %d\n", (int)data_used ));
850
851                 if(data_used < 0)
852                         return -1;
853
854                 data_left -= data_used;
855                 data += data_used;
856         }       
857
858         return n;
859 }
860
861 /****************************************************************************
862  Replies to a request to read data from a pipe.
863
864  Headers are interspersed with the data at PDU intervals. By the time
865  this function is called, the start of the data could possibly have been
866  read by an SMBtrans (file_offset != 0).
867
868  Calling create_rpc_reply() here is a hack. The data should already
869  have been prepared into arrays of headers + data stream sections.
870 ****************************************************************************/
871
872 ssize_t read_from_pipe(smb_np_struct *p, char *data, size_t n,
873                 BOOL *is_data_outstanding)
874 {
875         if (!p || !p->open) {
876                 DEBUG(0,("read_from_pipe: pipe not open\n"));
877                 return -1;              
878         }
879
880         DEBUG(6,("read_from_pipe: %x", p->pnum));
881
882         return p->namedpipe_read(p->np_state, data, n, is_data_outstanding);
883 }
884
885 /****************************************************************************
886  Replies to a request to read data from a pipe.
887
888  Headers are interspersed with the data at PDU intervals. By the time
889  this function is called, the start of the data could possibly have been
890  read by an SMBtrans (file_offset != 0).
891
892  Calling create_rpc_reply() here is a hack. The data should already
893  have been prepared into arrays of headers + data stream sections.
894 ****************************************************************************/
895
896 static ssize_t read_from_internal_pipe(void *np_conn, char *data, size_t n,
897                 BOOL *is_data_outstanding)
898 {
899         pipes_struct *p = (pipes_struct*)np_conn;
900         uint32 pdu_remaining = 0;
901         ssize_t data_returned = 0;
902
903         if (!p) {
904                 DEBUG(0,("read_from_pipe: pipe not open\n"));
905                 return -1;              
906         }
907
908         DEBUG(6,(" name: %s len: %u\n", p->name, (unsigned int)n));
909
910         /*
911          * We cannot return more than one PDU length per
912          * read request.
913          */
914
915         /*
916          * This condition should result in the connection being closed.  
917          * Netapp filers seem to set it to 0xffff which results in domain
918          * authentications failing.  Just ignore it so things work.
919          */
920
921         if(n > MAX_PDU_FRAG_LEN) {
922                 DEBUG(5,("read_from_pipe: too large read (%u) requested on \
923 pipe %s. We can only service %d sized reads.\n", (unsigned int)n, p->name, MAX_PDU_FRAG_LEN ));
924         }
925
926         /*
927          * Determine if there is still data to send in the
928          * pipe PDU buffer. Always send this first. Never
929          * send more than is left in the current PDU. The
930          * client should send a new read request for a new
931          * PDU.
932          */
933
934         if((pdu_remaining = p->out_data.current_pdu_len - p->out_data.current_pdu_sent) > 0) {
935                 data_returned = (ssize_t)MIN(n, pdu_remaining);
936
937                 DEBUG(10,("read_from_pipe: %s: current_pdu_len = %u, current_pdu_sent = %u \
938 returning %d bytes.\n", p->name, (unsigned int)p->out_data.current_pdu_len, 
939                         (unsigned int)p->out_data.current_pdu_sent, (int)data_returned));
940
941                 memcpy( data, &p->out_data.current_pdu[p->out_data.current_pdu_sent], (size_t)data_returned);
942                 p->out_data.current_pdu_sent += (uint32)data_returned;
943                 goto out;
944         }
945
946         /*
947          * At this point p->current_pdu_len == p->current_pdu_sent (which
948          * may of course be zero if this is the first return fragment.
949          */
950
951         DEBUG(10,("read_from_pipe: %s: fault_state = %d : data_sent_length \
952 = %u, prs_offset(&p->out_data.rdata) = %u.\n",
953                 p->name, (int)p->fault_state, (unsigned int)p->out_data.data_sent_length, (unsigned int)prs_offset(&p->out_data.rdata) ));
954
955         if(p->out_data.data_sent_length >= prs_offset(&p->out_data.rdata)) {
956                 /*
957                  * We have sent all possible data, return 0.
958                  */
959                 data_returned = 0;
960                 goto out;
961         }
962
963         /*
964          * We need to create a new PDU from the data left in p->rdata.
965          * Create the header/data/footers. This also sets up the fields
966          * p->current_pdu_len, p->current_pdu_sent, p->data_sent_length
967          * and stores the outgoing PDU in p->current_pdu.
968          */
969
970         if(!create_next_pdu(p)) {
971                 DEBUG(0,("read_from_pipe: %s: create_next_pdu failed.\n", p->name));
972                 return -1;
973         }
974
975         data_returned = MIN(n, p->out_data.current_pdu_len);
976
977         memcpy( data, p->out_data.current_pdu, (size_t)data_returned);
978         p->out_data.current_pdu_sent += (uint32)data_returned;
979
980   out:
981
982         (*is_data_outstanding) = p->out_data.current_pdu_len > n;
983         return data_returned;
984 }
985
986 /****************************************************************************
987  Wait device state on a pipe. Exactly what this is for is unknown...
988 ****************************************************************************/
989
990 BOOL wait_rpc_pipe_hnd_state(smb_np_struct *p, uint16 priority)
991 {
992         if (p == NULL)
993                 return False;
994
995         if (p->open) {
996                 DEBUG(3,("wait_rpc_pipe_hnd_state: Setting pipe wait state priority=%x on pipe (name=%s)\n",
997                          priority, p->name));
998
999                 p->priority = priority;
1000                 
1001                 return True;
1002         } 
1003
1004         DEBUG(3,("wait_rpc_pipe_hnd_state: Error setting pipe wait state priority=%x (name=%s)\n",
1005                  priority, p->name));
1006         return False;
1007 }
1008
1009
1010 /****************************************************************************
1011  Set device state on a pipe. Exactly what this is for is unknown...
1012 ****************************************************************************/
1013
1014 BOOL set_rpc_pipe_hnd_state(smb_np_struct *p, uint16 device_state)
1015 {
1016         if (p == NULL)
1017                 return False;
1018
1019         if (p->open) {
1020                 DEBUG(3,("set_rpc_pipe_hnd_state: Setting pipe device state=%x on pipe (name=%s)\n",
1021                          device_state, p->name));
1022
1023                 p->device_state = device_state;
1024                 
1025                 return True;
1026         } 
1027
1028         DEBUG(3,("set_rpc_pipe_hnd_state: Error setting pipe device state=%x (name=%s)\n",
1029                  device_state, p->name));
1030         return False;
1031 }
1032
1033
1034 /****************************************************************************
1035  Close an rpc pipe.
1036 ****************************************************************************/
1037
1038 BOOL close_rpc_pipe_hnd(smb_np_struct *p)
1039 {
1040         if (!p) {
1041                 DEBUG(0,("Invalid pipe in close_rpc_pipe_hnd\n"));
1042                 return False;
1043         }
1044
1045         p->namedpipe_close(p->np_state);
1046
1047         bitmap_clear(bmap, p->pnum - pipe_handle_offset);
1048
1049         pipes_open--;
1050
1051         DEBUG(4,("closed pipe name %s pnum=%x (pipes_open=%d)\n", 
1052                  p->name, p->pnum, pipes_open));  
1053
1054         DLIST_REMOVE(Pipes, p);
1055
1056         ZERO_STRUCTP(p);
1057
1058         SAFE_FREE(p);
1059         
1060         return True;
1061 }
1062
1063 /****************************************************************************
1064  Close an rpc pipe.
1065 ****************************************************************************/
1066
1067 static BOOL close_internal_rpc_pipe_hnd(void *np_conn)
1068 {
1069         pipes_struct *p = (pipes_struct *)np_conn;
1070         if (!p) {
1071                 DEBUG(0,("Invalid pipe in close_internal_rpc_pipe_hnd\n"));
1072                 return False;
1073         }
1074
1075         prs_mem_free(&p->out_data.rdata);
1076         prs_mem_free(&p->in_data.data);
1077
1078         if (p->mem_ctx)
1079                 talloc_destroy(p->mem_ctx);
1080
1081         /* Free the handles database. */
1082         close_policy_by_pipe(p);
1083
1084         delete_nt_token(&p->pipe_user.nt_user_token);
1085         SAFE_FREE(p->pipe_user.groups);
1086
1087         DLIST_REMOVE(InternalPipes, p);
1088
1089         ZERO_STRUCTP(p);
1090
1091         SAFE_FREE(p);
1092         
1093         return True;
1094 }
1095
1096 /****************************************************************************
1097  Find an rpc pipe given a pipe handle in a buffer and an offset.
1098 ****************************************************************************/
1099
1100 smb_np_struct *get_rpc_pipe_p(char *buf, int where)
1101 {
1102         int pnum = SVAL(buf,where);
1103
1104         if (chain_p)
1105                 return chain_p;
1106
1107         return get_rpc_pipe(pnum);
1108 }
1109
1110 /****************************************************************************
1111  Find an rpc pipe given a pipe handle.
1112 ****************************************************************************/
1113
1114 smb_np_struct *get_rpc_pipe(int pnum)
1115 {
1116         smb_np_struct *p;
1117
1118         DEBUG(4,("search for pipe pnum=%x\n", pnum));
1119
1120         for (p=Pipes;p;p=p->next)
1121                 DEBUG(5,("pipe name %s pnum=%x (pipes_open=%d)\n", 
1122                           p->name, p->pnum, pipes_open));  
1123
1124         for (p=Pipes;p;p=p->next) {
1125                 if (p->pnum == pnum) {
1126                         chain_p = p;
1127                         return p;
1128                 }
1129         }
1130
1131         return NULL;
1132 }