65bb25db5961d298fe5c95347a8e3c6eb3b28ea8
[samba.git] / source3 / smbd / process.c
1 /* 
2    Unix SMB/CIFS implementation.
3    process incoming packets - main loop
4    Copyright (C) Andrew Tridgell 1992-1998
5    Copyright (C) Volker Lendecke 2005-2007
6    
7    This program is free software; you can redistribute it and/or modify
8    it under the terms of the GNU General Public License as published by
9    the Free Software Foundation; either version 3 of the License, or
10    (at your option) any later version.
11    
12    This program is distributed in the hope that it will be useful,
13    but WITHOUT ANY WARRANTY; without even the implied warranty of
14    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
15    GNU General Public License for more details.
16    
17    You should have received a copy of the GNU General Public License
18    along with this program.  If not, see <http://www.gnu.org/licenses/>.
19 */
20
21 #include "includes.h"
22 #include "smbd/globals.h"
23 #include "../librpc/gen_ndr/srv_dfs.h"
24 #include "../librpc/gen_ndr/srv_dssetup.h"
25 #include "../librpc/gen_ndr/srv_echo.h"
26 #include "../librpc/gen_ndr/srv_eventlog.h"
27 #include "../librpc/gen_ndr/srv_initshutdown.h"
28 #include "../librpc/gen_ndr/srv_lsa.h"
29 #include "../librpc/gen_ndr/srv_netlogon.h"
30 #include "../librpc/gen_ndr/srv_ntsvcs.h"
31 #include "../librpc/gen_ndr/srv_samr.h"
32 #include "../librpc/gen_ndr/srv_spoolss.h"
33 #include "../librpc/gen_ndr/srv_srvsvc.h"
34 #include "../librpc/gen_ndr/srv_svcctl.h"
35 #include "../librpc/gen_ndr/srv_winreg.h"
36 #include "../librpc/gen_ndr/srv_wkssvc.h"
37
38 extern bool global_machine_password_needs_changing;
39
40 static void construct_reply_common(struct smb_request *req, const char *inbuf,
41                                    char *outbuf);
42
43 /* Accessor function for smb_read_error for smbd functions. */
44
45 /****************************************************************************
46  Send an smb to a fd.
47 ****************************************************************************/
48
49 bool srv_send_smb(int fd, char *buffer,
50                   bool do_signing, uint32_t seqnum,
51                   bool do_encrypt,
52                   struct smb_perfcount_data *pcd)
53 {
54         size_t len = 0;
55         size_t nwritten=0;
56         ssize_t ret;
57         char *buf_out = buffer;
58
59         if (do_signing) {
60                 /* Sign the outgoing packet if required. */
61                 srv_calculate_sign_mac(smbd_server_conn, buf_out, seqnum);
62         }
63
64         if (do_encrypt) {
65                 NTSTATUS status = srv_encrypt_buffer(buffer, &buf_out);
66                 if (!NT_STATUS_IS_OK(status)) {
67                         DEBUG(0, ("send_smb: SMB encryption failed "
68                                 "on outgoing packet! Error %s\n",
69                                 nt_errstr(status) ));
70                         goto out;
71                 }
72         }
73
74         len = smb_len(buf_out) + 4;
75
76         ret = write_data(fd,buf_out+nwritten,len - nwritten);
77         if (ret <= 0) {
78                 DEBUG(0,("Error writing %d bytes to client. %d. (%s)\n",
79                          (int)len,(int)ret, strerror(errno) ));
80                 srv_free_enc_buffer(buf_out);
81                 goto out;
82         }
83
84         SMB_PERFCOUNT_SET_MSGLEN_OUT(pcd, len);
85         srv_free_enc_buffer(buf_out);
86 out:
87         SMB_PERFCOUNT_END(pcd);
88         return true;
89 }
90
91 /*******************************************************************
92  Setup the word count and byte count for a smb message.
93 ********************************************************************/
94
95 int srv_set_message(char *buf,
96                         int num_words,
97                         int num_bytes,
98                         bool zero)
99 {
100         if (zero && (num_words || num_bytes)) {
101                 memset(buf + smb_size,'\0',num_words*2 + num_bytes);
102         }
103         SCVAL(buf,smb_wct,num_words);
104         SSVAL(buf,smb_vwv + num_words*SIZEOFWORD,num_bytes);
105         smb_setlen(buf,(smb_size + num_words*2 + num_bytes - 4));
106         return (smb_size + num_words*2 + num_bytes);
107 }
108
109 static bool valid_smb_header(const uint8_t *inbuf)
110 {
111         if (is_encrypted_packet(inbuf)) {
112                 return true;
113         }
114         /*
115          * This used to be (strncmp(smb_base(inbuf),"\377SMB",4) == 0)
116          * but it just looks weird to call strncmp for this one.
117          */
118         return (IVAL(smb_base(inbuf), 0) == 0x424D53FF);
119 }
120
121 /* Socket functions for smbd packet processing. */
122
123 static bool valid_packet_size(size_t len)
124 {
125         /*
126          * A WRITEX with CAP_LARGE_WRITEX can be 64k worth of data plus 65 bytes
127          * of header. Don't print the error if this fits.... JRA.
128          */
129
130         if (len > (BUFFER_SIZE + LARGE_WRITEX_HDR_SIZE)) {
131                 DEBUG(0,("Invalid packet length! (%lu bytes).\n",
132                                         (unsigned long)len));
133                 return false;
134         }
135         return true;
136 }
137
138 static NTSTATUS read_packet_remainder(int fd, char *buffer,
139                                       unsigned int timeout, ssize_t len)
140 {
141         if (len <= 0) {
142                 return NT_STATUS_OK;
143         }
144
145         return read_fd_with_timeout(fd, buffer, len, len, timeout, NULL);
146 }
147
148 /****************************************************************************
149  Attempt a zerocopy writeX read. We know here that len > smb_size-4
150 ****************************************************************************/
151
152 /*
153  * Unfortunately, earlier versions of smbclient/libsmbclient
154  * don't send this "standard" writeX header. I've fixed this
155  * for 3.2 but we'll use the old method with earlier versions.
156  * Windows and CIFSFS at least use this standard size. Not
157  * sure about MacOSX.
158  */
159
160 #define STANDARD_WRITE_AND_X_HEADER_SIZE (smb_size - 4 + /* basic header */ \
161                                 (2*14) + /* word count (including bcc) */ \
162                                 1 /* pad byte */)
163
164 static NTSTATUS receive_smb_raw_talloc_partial_read(TALLOC_CTX *mem_ctx,
165                                                     const char lenbuf[4],
166                                                     int fd, char **buffer,
167                                                     unsigned int timeout,
168                                                     size_t *p_unread,
169                                                     size_t *len_ret)
170 {
171         /* Size of a WRITEX call (+4 byte len). */
172         char writeX_header[4 + STANDARD_WRITE_AND_X_HEADER_SIZE];
173         ssize_t len = smb_len_large(lenbuf); /* Could be a UNIX large writeX. */
174         ssize_t toread;
175         NTSTATUS status;
176
177         memcpy(writeX_header, lenbuf, 4);
178
179         status = read_fd_with_timeout(
180                 fd, writeX_header + 4,
181                 STANDARD_WRITE_AND_X_HEADER_SIZE,
182                 STANDARD_WRITE_AND_X_HEADER_SIZE,
183                 timeout, NULL);
184
185         if (!NT_STATUS_IS_OK(status)) {
186                 return status;
187         }
188
189         /*
190          * Ok - now try and see if this is a possible
191          * valid writeX call.
192          */
193
194         if (is_valid_writeX_buffer((uint8_t *)writeX_header)) {
195                 /*
196                  * If the data offset is beyond what
197                  * we've read, drain the extra bytes.
198                  */
199                 uint16_t doff = SVAL(writeX_header,smb_vwv11);
200                 ssize_t newlen;
201
202                 if (doff > STANDARD_WRITE_AND_X_HEADER_SIZE) {
203                         size_t drain = doff - STANDARD_WRITE_AND_X_HEADER_SIZE;
204                         if (drain_socket(smbd_server_fd(), drain) != drain) {
205                                 smb_panic("receive_smb_raw_talloc_partial_read:"
206                                         " failed to drain pending bytes");
207                         }
208                 } else {
209                         doff = STANDARD_WRITE_AND_X_HEADER_SIZE;
210                 }
211
212                 /* Spoof down the length and null out the bcc. */
213                 set_message_bcc(writeX_header, 0);
214                 newlen = smb_len(writeX_header);
215
216                 /* Copy the header we've written. */
217
218                 *buffer = (char *)TALLOC_MEMDUP(mem_ctx,
219                                 writeX_header,
220                                 sizeof(writeX_header));
221
222                 if (*buffer == NULL) {
223                         DEBUG(0, ("Could not allocate inbuf of length %d\n",
224                                   (int)sizeof(writeX_header)));
225                         return NT_STATUS_NO_MEMORY;
226                 }
227
228                 /* Work out the remaining bytes. */
229                 *p_unread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
230                 *len_ret = newlen + 4;
231                 return NT_STATUS_OK;
232         }
233
234         if (!valid_packet_size(len)) {
235                 return NT_STATUS_INVALID_PARAMETER;
236         }
237
238         /*
239          * Not a valid writeX call. Just do the standard
240          * talloc and return.
241          */
242
243         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
244
245         if (*buffer == NULL) {
246                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
247                           (int)len+4));
248                 return NT_STATUS_NO_MEMORY;
249         }
250
251         /* Copy in what we already read. */
252         memcpy(*buffer,
253                 writeX_header,
254                 4 + STANDARD_WRITE_AND_X_HEADER_SIZE);
255         toread = len - STANDARD_WRITE_AND_X_HEADER_SIZE;
256
257         if(toread > 0) {
258                 status = read_packet_remainder(
259                         fd, (*buffer) + 4 + STANDARD_WRITE_AND_X_HEADER_SIZE,
260                         timeout, toread);
261
262                 if (!NT_STATUS_IS_OK(status)) {
263                         DEBUG(10, ("receive_smb_raw_talloc_partial_read: %s\n",
264                                    nt_errstr(status)));
265                         return status;
266                 }
267         }
268
269         *len_ret = len + 4;
270         return NT_STATUS_OK;
271 }
272
273 static NTSTATUS receive_smb_raw_talloc(TALLOC_CTX *mem_ctx, int fd,
274                                        char **buffer, unsigned int timeout,
275                                        size_t *p_unread, size_t *plen)
276 {
277         char lenbuf[4];
278         size_t len;
279         int min_recv_size = lp_min_receive_file_size();
280         NTSTATUS status;
281
282         *p_unread = 0;
283
284         status = read_smb_length_return_keepalive(fd, lenbuf, timeout, &len);
285         if (!NT_STATUS_IS_OK(status)) {
286                 DEBUG(10, ("receive_smb_raw: %s\n", nt_errstr(status)));
287                 return status;
288         }
289
290         if (CVAL(lenbuf,0) == 0 && min_recv_size &&
291             (smb_len_large(lenbuf) > /* Could be a UNIX large writeX. */
292                 (min_recv_size + STANDARD_WRITE_AND_X_HEADER_SIZE)) &&
293             !srv_is_signing_active(smbd_server_conn)) {
294
295                 return receive_smb_raw_talloc_partial_read(
296                         mem_ctx, lenbuf, fd, buffer, timeout, p_unread, plen);
297         }
298
299         if (!valid_packet_size(len)) {
300                 return NT_STATUS_INVALID_PARAMETER;
301         }
302
303         /*
304          * The +4 here can't wrap, we've checked the length above already.
305          */
306
307         *buffer = TALLOC_ARRAY(mem_ctx, char, len+4);
308
309         if (*buffer == NULL) {
310                 DEBUG(0, ("Could not allocate inbuf of length %d\n",
311                           (int)len+4));
312                 return NT_STATUS_NO_MEMORY;
313         }
314
315         memcpy(*buffer, lenbuf, sizeof(lenbuf));
316
317         status = read_packet_remainder(fd, (*buffer)+4, timeout, len);
318         if (!NT_STATUS_IS_OK(status)) {
319                 return status;
320         }
321
322         *plen = len + 4;
323         return NT_STATUS_OK;
324 }
325
326 static NTSTATUS receive_smb_talloc(TALLOC_CTX *mem_ctx, int fd,
327                                    char **buffer, unsigned int timeout,
328                                    size_t *p_unread, bool *p_encrypted,
329                                    size_t *p_len,
330                                    uint32_t *seqnum)
331 {
332         size_t len = 0;
333         NTSTATUS status;
334
335         *p_encrypted = false;
336
337         status = receive_smb_raw_talloc(mem_ctx, fd, buffer, timeout,
338                                         p_unread, &len);
339         if (!NT_STATUS_IS_OK(status)) {
340                 return status;
341         }
342
343         if (is_encrypted_packet((uint8_t *)*buffer)) {
344                 status = srv_decrypt_buffer(*buffer);
345                 if (!NT_STATUS_IS_OK(status)) {
346                         DEBUG(0, ("receive_smb_talloc: SMB decryption failed on "
347                                 "incoming packet! Error %s\n",
348                                 nt_errstr(status) ));
349                         return status;
350                 }
351                 *p_encrypted = true;
352         }
353
354         /* Check the incoming SMB signature. */
355         if (!srv_check_sign_mac(smbd_server_conn, *buffer, seqnum)) {
356                 DEBUG(0, ("receive_smb: SMB Signature verification failed on "
357                           "incoming packet!\n"));
358                 return NT_STATUS_INVALID_NETWORK_RESPONSE;
359         }
360
361         *p_len = len;
362         return NT_STATUS_OK;
363 }
364
365 /*
366  * Initialize a struct smb_request from an inbuf
367  */
368
369 static void init_smb_request(struct smb_request *req, const uint8 *inbuf,
370                              size_t unread_bytes, bool encrypted,
371                              uint32_t seqnum)
372 {
373         struct smbd_server_connection *sconn = smbd_server_conn;
374         size_t req_size = smb_len(inbuf) + 4;
375         /* Ensure we have at least smb_size bytes. */
376         if (req_size < smb_size) {
377                 DEBUG(0,("init_smb_request: invalid request size %u\n",
378                         (unsigned int)req_size ));
379                 exit_server_cleanly("Invalid SMB request");
380         }
381         req->cmd    = CVAL(inbuf, smb_com);
382         req->flags2 = SVAL(inbuf, smb_flg2);
383         req->smbpid = SVAL(inbuf, smb_pid);
384         req->mid    = SVAL(inbuf, smb_mid);
385         req->seqnum = seqnum;
386         req->vuid   = SVAL(inbuf, smb_uid);
387         req->tid    = SVAL(inbuf, smb_tid);
388         req->wct    = CVAL(inbuf, smb_wct);
389         req->vwv    = (uint16_t *)(inbuf+smb_vwv);
390         req->buflen = smb_buflen(inbuf);
391         req->buf    = (const uint8_t *)smb_buf(inbuf);
392         req->unread_bytes = unread_bytes;
393         req->encrypted = encrypted;
394         req->conn = conn_find(sconn,req->tid);
395         req->chain_fsp = NULL;
396         req->chain_outbuf = NULL;
397         req->done = false;
398         smb_init_perfcount_data(&req->pcd);
399
400         /* Ensure we have at least wct words and 2 bytes of bcc. */
401         if (smb_size + req->wct*2 > req_size) {
402                 DEBUG(0,("init_smb_request: invalid wct number %u (size %u)\n",
403                         (unsigned int)req->wct,
404                         (unsigned int)req_size));
405                 exit_server_cleanly("Invalid SMB request");
406         }
407         /* Ensure bcc is correct. */
408         if (((uint8 *)smb_buf(inbuf)) + req->buflen > inbuf + req_size) {
409                 DEBUG(0,("init_smb_request: invalid bcc number %u "
410                         "(wct = %u, size %u)\n",
411                         (unsigned int)req->buflen,
412                         (unsigned int)req->wct,
413                         (unsigned int)req_size));
414                 exit_server_cleanly("Invalid SMB request");
415         }
416
417         req->outbuf = NULL;
418 }
419
420 static void process_smb(struct smbd_server_connection *conn,
421                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
422                         uint32_t seqnum, bool encrypted,
423                         struct smb_perfcount_data *deferred_pcd);
424
425 static void smbd_deferred_open_timer(struct event_context *ev,
426                                      struct timed_event *te,
427                                      struct timeval _tval,
428                                      void *private_data)
429 {
430         struct pending_message_list *msg = talloc_get_type(private_data,
431                                            struct pending_message_list);
432         TALLOC_CTX *mem_ctx = talloc_tos();
433         uint16_t mid = SVAL(msg->buf.data,smb_mid);
434         uint8_t *inbuf;
435
436         inbuf = (uint8_t *)talloc_memdup(mem_ctx, msg->buf.data,
437                                          msg->buf.length);
438         if (inbuf == NULL) {
439                 exit_server("smbd_deferred_open_timer: talloc failed\n");
440                 return;
441         }
442
443         /* We leave this message on the queue so the open code can
444            know this is a retry. */
445         DEBUG(5,("smbd_deferred_open_timer: trigger mid %u.\n",
446                 (unsigned int)mid ));
447
448         /* Mark the message as processed so this is not
449          * re-processed in error. */
450         msg->processed = true;
451
452         process_smb(smbd_server_conn, inbuf,
453                     msg->buf.length, 0,
454                     msg->seqnum, msg->encrypted, &msg->pcd);
455
456         /* If it's still there and was processed, remove it. */
457         msg = get_open_deferred_message(mid);
458         if (msg && msg->processed) {
459                 remove_deferred_open_smb_message(mid);
460         }
461 }
462
463 /****************************************************************************
464  Function to push a message onto the tail of a linked list of smb messages ready
465  for processing.
466 ****************************************************************************/
467
468 static bool push_queued_message(struct smb_request *req,
469                                 struct timeval request_time,
470                                 struct timeval end_time,
471                                 char *private_data, size_t private_len)
472 {
473         int msg_len = smb_len(req->inbuf) + 4;
474         struct pending_message_list *msg;
475
476         msg = TALLOC_ZERO_P(NULL, struct pending_message_list);
477
478         if(msg == NULL) {
479                 DEBUG(0,("push_message: malloc fail (1)\n"));
480                 return False;
481         }
482
483         msg->buf = data_blob_talloc(msg, req->inbuf, msg_len);
484         if(msg->buf.data == NULL) {
485                 DEBUG(0,("push_message: malloc fail (2)\n"));
486                 TALLOC_FREE(msg);
487                 return False;
488         }
489
490         msg->request_time = request_time;
491         msg->seqnum = req->seqnum;
492         msg->encrypted = req->encrypted;
493         msg->processed = false;
494         SMB_PERFCOUNT_DEFER_OP(&req->pcd, &msg->pcd);
495
496         if (private_data) {
497                 msg->private_data = data_blob_talloc(msg, private_data,
498                                                      private_len);
499                 if (msg->private_data.data == NULL) {
500                         DEBUG(0,("push_message: malloc fail (3)\n"));
501                         TALLOC_FREE(msg);
502                         return False;
503                 }
504         }
505
506         msg->te = event_add_timed(smbd_event_context(),
507                                   msg,
508                                   end_time,
509                                   smbd_deferred_open_timer,
510                                   msg);
511         if (!msg->te) {
512                 DEBUG(0,("push_message: event_add_timed failed\n"));
513                 TALLOC_FREE(msg);
514                 return false;
515         }
516
517         DLIST_ADD_END(deferred_open_queue, msg, struct pending_message_list *);
518
519         DEBUG(10,("push_message: pushed message length %u on "
520                   "deferred_open_queue\n", (unsigned int)msg_len));
521
522         return True;
523 }
524
525 /****************************************************************************
526  Function to delete a sharing violation open message by mid.
527 ****************************************************************************/
528
529 void remove_deferred_open_smb_message(uint16 mid)
530 {
531         struct pending_message_list *pml;
532
533         for (pml = deferred_open_queue; pml; pml = pml->next) {
534                 if (mid == SVAL(pml->buf.data,smb_mid)) {
535                         DEBUG(10,("remove_deferred_open_smb_message: "
536                                   "deleting mid %u len %u\n",
537                                   (unsigned int)mid,
538                                   (unsigned int)pml->buf.length ));
539                         DLIST_REMOVE(deferred_open_queue, pml);
540                         TALLOC_FREE(pml);
541                         return;
542                 }
543         }
544 }
545
546 /****************************************************************************
547  Move a sharing violation open retry message to the front of the list and
548  schedule it for immediate processing.
549 ****************************************************************************/
550
551 void schedule_deferred_open_smb_message(uint16 mid)
552 {
553         struct pending_message_list *pml;
554         int i = 0;
555
556         for (pml = deferred_open_queue; pml; pml = pml->next) {
557                 uint16 msg_mid = SVAL(pml->buf.data,smb_mid);
558
559                 DEBUG(10,("schedule_deferred_open_smb_message: [%d] msg_mid = %u\n", i++,
560                         (unsigned int)msg_mid ));
561
562                 if (mid == msg_mid) {
563                         struct timed_event *te;
564
565                         if (pml->processed) {
566                                 /* A processed message should not be
567                                  * rescheduled. */
568                                 DEBUG(0,("schedule_deferred_open_smb_message: LOGIC ERROR "
569                                         "message mid %u was already processed\n",
570                                         msg_mid ));
571                                 continue;
572                         }
573
574                         DEBUG(10,("schedule_deferred_open_smb_message: scheduling mid %u\n",
575                                 mid ));
576
577                         te = event_add_timed(smbd_event_context(),
578                                              pml,
579                                              timeval_zero(),
580                                              smbd_deferred_open_timer,
581                                              pml);
582                         if (!te) {
583                                 DEBUG(10,("schedule_deferred_open_smb_message: "
584                                           "event_add_timed() failed, skipping mid %u\n",
585                                           mid ));
586                         }
587
588                         TALLOC_FREE(pml->te);
589                         pml->te = te;
590                         DLIST_PROMOTE(deferred_open_queue, pml);
591                         return;
592                 }
593         }
594
595         DEBUG(10,("schedule_deferred_open_smb_message: failed to find message mid %u\n",
596                 mid ));
597 }
598
599 /****************************************************************************
600  Return true if this mid is on the deferred queue and was not yet processed.
601 ****************************************************************************/
602
603 bool open_was_deferred(uint16 mid)
604 {
605         struct pending_message_list *pml;
606
607         for (pml = deferred_open_queue; pml; pml = pml->next) {
608                 if (SVAL(pml->buf.data,smb_mid) == mid && !pml->processed) {
609                         return True;
610                 }
611         }
612         return False;
613 }
614
615 /****************************************************************************
616  Return the message queued by this mid.
617 ****************************************************************************/
618
619 struct pending_message_list *get_open_deferred_message(uint16 mid)
620 {
621         struct pending_message_list *pml;
622
623         for (pml = deferred_open_queue; pml; pml = pml->next) {
624                 if (SVAL(pml->buf.data,smb_mid) == mid) {
625                         return pml;
626                 }
627         }
628         return NULL;
629 }
630
631 /****************************************************************************
632  Function to push a deferred open smb message onto a linked list of local smb
633  messages ready for processing.
634 ****************************************************************************/
635
636 bool push_deferred_smb_message(struct smb_request *req,
637                                struct timeval request_time,
638                                struct timeval timeout,
639                                char *private_data, size_t priv_len)
640 {
641         struct timeval end_time;
642
643         if (req->unread_bytes) {
644                 DEBUG(0,("push_deferred_smb_message: logic error ! "
645                         "unread_bytes = %u\n",
646                         (unsigned int)req->unread_bytes ));
647                 smb_panic("push_deferred_smb_message: "
648                         "logic error unread_bytes != 0" );
649         }
650
651         end_time = timeval_sum(&request_time, &timeout);
652
653         DEBUG(10,("push_deferred_open_smb_message: pushing message len %u mid %u "
654                   "timeout time [%u.%06u]\n",
655                   (unsigned int) smb_len(req->inbuf)+4, (unsigned int)req->mid,
656                   (unsigned int)end_time.tv_sec,
657                   (unsigned int)end_time.tv_usec));
658
659         return push_queued_message(req, request_time, end_time,
660                                    private_data, priv_len);
661 }
662
663 struct idle_event {
664         struct timed_event *te;
665         struct timeval interval;
666         char *name;
667         bool (*handler)(const struct timeval *now, void *private_data);
668         void *private_data;
669 };
670
671 static void smbd_idle_event_handler(struct event_context *ctx,
672                                     struct timed_event *te,
673                                     struct timeval now,
674                                     void *private_data)
675 {
676         struct idle_event *event =
677                 talloc_get_type_abort(private_data, struct idle_event);
678
679         TALLOC_FREE(event->te);
680
681         DEBUG(10,("smbd_idle_event_handler: %s %p called\n",
682                   event->name, event->te));
683
684         if (!event->handler(&now, event->private_data)) {
685                 DEBUG(10,("smbd_idle_event_handler: %s %p stopped\n",
686                           event->name, event->te));
687                 /* Don't repeat, delete ourselves */
688                 TALLOC_FREE(event);
689                 return;
690         }
691
692         DEBUG(10,("smbd_idle_event_handler: %s %p rescheduled\n",
693                   event->name, event->te));
694
695         event->te = event_add_timed(ctx, event,
696                                     timeval_sum(&now, &event->interval),
697                                     smbd_idle_event_handler, event);
698
699         /* We can't do much but fail here. */
700         SMB_ASSERT(event->te != NULL);
701 }
702
703 struct idle_event *event_add_idle(struct event_context *event_ctx,
704                                   TALLOC_CTX *mem_ctx,
705                                   struct timeval interval,
706                                   const char *name,
707                                   bool (*handler)(const struct timeval *now,
708                                                   void *private_data),
709                                   void *private_data)
710 {
711         struct idle_event *result;
712         struct timeval now = timeval_current();
713
714         result = TALLOC_P(mem_ctx, struct idle_event);
715         if (result == NULL) {
716                 DEBUG(0, ("talloc failed\n"));
717                 return NULL;
718         }
719
720         result->interval = interval;
721         result->handler = handler;
722         result->private_data = private_data;
723
724         if (!(result->name = talloc_asprintf(result, "idle_evt(%s)", name))) {
725                 DEBUG(0, ("talloc failed\n"));
726                 TALLOC_FREE(result);
727                 return NULL;
728         }
729
730         result->te = event_add_timed(event_ctx, result,
731                                      timeval_sum(&now, &interval),
732                                      smbd_idle_event_handler, result);
733         if (result->te == NULL) {
734                 DEBUG(0, ("event_add_timed failed\n"));
735                 TALLOC_FREE(result);
736                 return NULL;
737         }
738
739         DEBUG(10,("event_add_idle: %s %p\n", result->name, result->te));
740         return result;
741 }
742
743 static void smbd_sig_term_handler(struct tevent_context *ev,
744                                   struct tevent_signal *se,
745                                   int signum,
746                                   int count,
747                                   void *siginfo,
748                                   void *private_data)
749 {
750         exit_server_cleanly("termination signal");
751 }
752
753 void smbd_setup_sig_term_handler(void)
754 {
755         struct tevent_signal *se;
756
757         se = tevent_add_signal(smbd_event_context(),
758                                smbd_event_context(),
759                                SIGTERM, 0,
760                                smbd_sig_term_handler,
761                                NULL);
762         if (!se) {
763                 exit_server("failed to setup SIGTERM handler");
764         }
765 }
766
767 static void smbd_sig_hup_handler(struct tevent_context *ev,
768                                   struct tevent_signal *se,
769                                   int signum,
770                                   int count,
771                                   void *siginfo,
772                                   void *private_data)
773 {
774         change_to_root_user();
775         DEBUG(1,("Reloading services after SIGHUP\n"));
776         reload_services(False);
777 }
778
779 void smbd_setup_sig_hup_handler(void)
780 {
781         struct tevent_signal *se;
782
783         se = tevent_add_signal(smbd_event_context(),
784                                smbd_event_context(),
785                                SIGHUP, 0,
786                                smbd_sig_hup_handler,
787                                NULL);
788         if (!se) {
789                 exit_server("failed to setup SIGHUP handler");
790         }
791 }
792
793 static NTSTATUS smbd_server_connection_loop_once(struct smbd_server_connection *conn)
794 {
795         fd_set r_fds, w_fds;
796         int selrtn;
797         struct timeval to;
798         int maxfd = 0;
799
800         to.tv_sec = SMBD_SELECT_TIMEOUT;
801         to.tv_usec = 0;
802
803         /*
804          * Setup the select fd sets.
805          */
806
807         FD_ZERO(&r_fds);
808         FD_ZERO(&w_fds);
809
810         /*
811          * Are there any timed events waiting ? If so, ensure we don't
812          * select for longer than it would take to wait for them.
813          */
814
815         {
816                 struct timeval now;
817                 GetTimeOfDay(&now);
818
819                 event_add_to_select_args(smbd_event_context(), &now,
820                                          &r_fds, &w_fds, &to, &maxfd);
821         }
822
823         /* Process a signal and timed events now... */
824         if (run_events(smbd_event_context(), 0, NULL, NULL)) {
825                 return NT_STATUS_RETRY;
826         }
827
828         {
829                 int sav;
830                 START_PROFILE(smbd_idle);
831
832                 selrtn = sys_select(maxfd+1,&r_fds,&w_fds,NULL,&to);
833                 sav = errno;
834
835                 END_PROFILE(smbd_idle);
836                 errno = sav;
837         }
838
839         if (run_events(smbd_event_context(), selrtn, &r_fds, &w_fds)) {
840                 return NT_STATUS_RETRY;
841         }
842
843         /* Check if error */
844         if (selrtn == -1) {
845                 /* something is wrong. Maybe the socket is dead? */
846                 return map_nt_error_from_unix(errno);
847         }
848
849         /* Did we timeout ? */
850         if (selrtn == 0) {
851                 return NT_STATUS_RETRY;
852         }
853
854         /* should not be reached */
855         return NT_STATUS_INTERNAL_ERROR;
856 }
857
858 /*
859  * Only allow 5 outstanding trans requests. We're allocating memory, so
860  * prevent a DoS.
861  */
862
863 NTSTATUS allow_new_trans(struct trans_state *list, int mid)
864 {
865         int count = 0;
866         for (; list != NULL; list = list->next) {
867
868                 if (list->mid == mid) {
869                         return NT_STATUS_INVALID_PARAMETER;
870                 }
871
872                 count += 1;
873         }
874         if (count > 5) {
875                 return NT_STATUS_INSUFFICIENT_RESOURCES;
876         }
877
878         return NT_STATUS_OK;
879 }
880
881 /*
882 These flags determine some of the permissions required to do an operation 
883
884 Note that I don't set NEED_WRITE on some write operations because they
885 are used by some brain-dead clients when printing, and I don't want to
886 force write permissions on print services.
887 */
888 #define AS_USER (1<<0)
889 #define NEED_WRITE (1<<1) /* Must be paired with AS_USER */
890 #define TIME_INIT (1<<2)
891 #define CAN_IPC (1<<3) /* Must be paired with AS_USER */
892 #define AS_GUEST (1<<5) /* Must *NOT* be paired with AS_USER */
893 #define DO_CHDIR (1<<6)
894
895 /* 
896    define a list of possible SMB messages and their corresponding
897    functions. Any message that has a NULL function is unimplemented -
898    please feel free to contribute implementations!
899 */
900 static const struct smb_message_struct {
901         const char *name;
902         void (*fn)(struct smb_request *req);
903         int flags;
904 } smb_messages[256] = {
905
906 /* 0x00 */ { "SMBmkdir",reply_mkdir,AS_USER | NEED_WRITE},
907 /* 0x01 */ { "SMBrmdir",reply_rmdir,AS_USER | NEED_WRITE},
908 /* 0x02 */ { "SMBopen",reply_open,AS_USER },
909 /* 0x03 */ { "SMBcreate",reply_mknew,AS_USER},
910 /* 0x04 */ { "SMBclose",reply_close,AS_USER | CAN_IPC },
911 /* 0x05 */ { "SMBflush",reply_flush,AS_USER},
912 /* 0x06 */ { "SMBunlink",reply_unlink,AS_USER | NEED_WRITE },
913 /* 0x07 */ { "SMBmv",reply_mv,AS_USER | NEED_WRITE },
914 /* 0x08 */ { "SMBgetatr",reply_getatr,AS_USER},
915 /* 0x09 */ { "SMBsetatr",reply_setatr,AS_USER | NEED_WRITE},
916 /* 0x0a */ { "SMBread",reply_read,AS_USER},
917 /* 0x0b */ { "SMBwrite",reply_write,AS_USER | CAN_IPC },
918 /* 0x0c */ { "SMBlock",reply_lock,AS_USER},
919 /* 0x0d */ { "SMBunlock",reply_unlock,AS_USER},
920 /* 0x0e */ { "SMBctemp",reply_ctemp,AS_USER },
921 /* 0x0f */ { "SMBmknew",reply_mknew,AS_USER},
922 /* 0x10 */ { "SMBcheckpath",reply_checkpath,AS_USER},
923 /* 0x11 */ { "SMBexit",reply_exit,DO_CHDIR},
924 /* 0x12 */ { "SMBlseek",reply_lseek,AS_USER},
925 /* 0x13 */ { "SMBlockread",reply_lockread,AS_USER},
926 /* 0x14 */ { "SMBwriteunlock",reply_writeunlock,AS_USER},
927 /* 0x15 */ { NULL, NULL, 0 },
928 /* 0x16 */ { NULL, NULL, 0 },
929 /* 0x17 */ { NULL, NULL, 0 },
930 /* 0x18 */ { NULL, NULL, 0 },
931 /* 0x19 */ { NULL, NULL, 0 },
932 /* 0x1a */ { "SMBreadbraw",reply_readbraw,AS_USER},
933 /* 0x1b */ { "SMBreadBmpx",reply_readbmpx,AS_USER},
934 /* 0x1c */ { "SMBreadBs",reply_readbs,AS_USER },
935 /* 0x1d */ { "SMBwritebraw",reply_writebraw,AS_USER},
936 /* 0x1e */ { "SMBwriteBmpx",reply_writebmpx,AS_USER},
937 /* 0x1f */ { "SMBwriteBs",reply_writebs,AS_USER},
938 /* 0x20 */ { "SMBwritec", NULL,0},
939 /* 0x21 */ { NULL, NULL, 0 },
940 /* 0x22 */ { "SMBsetattrE",reply_setattrE,AS_USER | NEED_WRITE },
941 /* 0x23 */ { "SMBgetattrE",reply_getattrE,AS_USER },
942 /* 0x24 */ { "SMBlockingX",reply_lockingX,AS_USER },
943 /* 0x25 */ { "SMBtrans",reply_trans,AS_USER | CAN_IPC },
944 /* 0x26 */ { "SMBtranss",reply_transs,AS_USER | CAN_IPC},
945 /* 0x27 */ { "SMBioctl",reply_ioctl,0},
946 /* 0x28 */ { "SMBioctls", NULL,AS_USER},
947 /* 0x29 */ { "SMBcopy",reply_copy,AS_USER | NEED_WRITE },
948 /* 0x2a */ { "SMBmove", NULL,AS_USER | NEED_WRITE },
949 /* 0x2b */ { "SMBecho",reply_echo,0},
950 /* 0x2c */ { "SMBwriteclose",reply_writeclose,AS_USER},
951 /* 0x2d */ { "SMBopenX",reply_open_and_X,AS_USER | CAN_IPC },
952 /* 0x2e */ { "SMBreadX",reply_read_and_X,AS_USER | CAN_IPC },
953 /* 0x2f */ { "SMBwriteX",reply_write_and_X,AS_USER | CAN_IPC },
954 /* 0x30 */ { NULL, NULL, 0 },
955 /* 0x31 */ { NULL, NULL, 0 },
956 /* 0x32 */ { "SMBtrans2",reply_trans2, AS_USER | CAN_IPC },
957 /* 0x33 */ { "SMBtranss2",reply_transs2, AS_USER | CAN_IPC },
958 /* 0x34 */ { "SMBfindclose",reply_findclose,AS_USER},
959 /* 0x35 */ { "SMBfindnclose",reply_findnclose,AS_USER},
960 /* 0x36 */ { NULL, NULL, 0 },
961 /* 0x37 */ { NULL, NULL, 0 },
962 /* 0x38 */ { NULL, NULL, 0 },
963 /* 0x39 */ { NULL, NULL, 0 },
964 /* 0x3a */ { NULL, NULL, 0 },
965 /* 0x3b */ { NULL, NULL, 0 },
966 /* 0x3c */ { NULL, NULL, 0 },
967 /* 0x3d */ { NULL, NULL, 0 },
968 /* 0x3e */ { NULL, NULL, 0 },
969 /* 0x3f */ { NULL, NULL, 0 },
970 /* 0x40 */ { NULL, NULL, 0 },
971 /* 0x41 */ { NULL, NULL, 0 },
972 /* 0x42 */ { NULL, NULL, 0 },
973 /* 0x43 */ { NULL, NULL, 0 },
974 /* 0x44 */ { NULL, NULL, 0 },
975 /* 0x45 */ { NULL, NULL, 0 },
976 /* 0x46 */ { NULL, NULL, 0 },
977 /* 0x47 */ { NULL, NULL, 0 },
978 /* 0x48 */ { NULL, NULL, 0 },
979 /* 0x49 */ { NULL, NULL, 0 },
980 /* 0x4a */ { NULL, NULL, 0 },
981 /* 0x4b */ { NULL, NULL, 0 },
982 /* 0x4c */ { NULL, NULL, 0 },
983 /* 0x4d */ { NULL, NULL, 0 },
984 /* 0x4e */ { NULL, NULL, 0 },
985 /* 0x4f */ { NULL, NULL, 0 },
986 /* 0x50 */ { NULL, NULL, 0 },
987 /* 0x51 */ { NULL, NULL, 0 },
988 /* 0x52 */ { NULL, NULL, 0 },
989 /* 0x53 */ { NULL, NULL, 0 },
990 /* 0x54 */ { NULL, NULL, 0 },
991 /* 0x55 */ { NULL, NULL, 0 },
992 /* 0x56 */ { NULL, NULL, 0 },
993 /* 0x57 */ { NULL, NULL, 0 },
994 /* 0x58 */ { NULL, NULL, 0 },
995 /* 0x59 */ { NULL, NULL, 0 },
996 /* 0x5a */ { NULL, NULL, 0 },
997 /* 0x5b */ { NULL, NULL, 0 },
998 /* 0x5c */ { NULL, NULL, 0 },
999 /* 0x5d */ { NULL, NULL, 0 },
1000 /* 0x5e */ { NULL, NULL, 0 },
1001 /* 0x5f */ { NULL, NULL, 0 },
1002 /* 0x60 */ { NULL, NULL, 0 },
1003 /* 0x61 */ { NULL, NULL, 0 },
1004 /* 0x62 */ { NULL, NULL, 0 },
1005 /* 0x63 */ { NULL, NULL, 0 },
1006 /* 0x64 */ { NULL, NULL, 0 },
1007 /* 0x65 */ { NULL, NULL, 0 },
1008 /* 0x66 */ { NULL, NULL, 0 },
1009 /* 0x67 */ { NULL, NULL, 0 },
1010 /* 0x68 */ { NULL, NULL, 0 },
1011 /* 0x69 */ { NULL, NULL, 0 },
1012 /* 0x6a */ { NULL, NULL, 0 },
1013 /* 0x6b */ { NULL, NULL, 0 },
1014 /* 0x6c */ { NULL, NULL, 0 },
1015 /* 0x6d */ { NULL, NULL, 0 },
1016 /* 0x6e */ { NULL, NULL, 0 },
1017 /* 0x6f */ { NULL, NULL, 0 },
1018 /* 0x70 */ { "SMBtcon",reply_tcon,0},
1019 /* 0x71 */ { "SMBtdis",reply_tdis,DO_CHDIR},
1020 /* 0x72 */ { "SMBnegprot",reply_negprot,0},
1021 /* 0x73 */ { "SMBsesssetupX",reply_sesssetup_and_X,0},
1022 /* 0x74 */ { "SMBulogoffX",reply_ulogoffX, 0}, /* ulogoff doesn't give a valid TID */
1023 /* 0x75 */ { "SMBtconX",reply_tcon_and_X,0},
1024 /* 0x76 */ { NULL, NULL, 0 },
1025 /* 0x77 */ { NULL, NULL, 0 },
1026 /* 0x78 */ { NULL, NULL, 0 },
1027 /* 0x79 */ { NULL, NULL, 0 },
1028 /* 0x7a */ { NULL, NULL, 0 },
1029 /* 0x7b */ { NULL, NULL, 0 },
1030 /* 0x7c */ { NULL, NULL, 0 },
1031 /* 0x7d */ { NULL, NULL, 0 },
1032 /* 0x7e */ { NULL, NULL, 0 },
1033 /* 0x7f */ { NULL, NULL, 0 },
1034 /* 0x80 */ { "SMBdskattr",reply_dskattr,AS_USER},
1035 /* 0x81 */ { "SMBsearch",reply_search,AS_USER},
1036 /* 0x82 */ { "SMBffirst",reply_search,AS_USER},
1037 /* 0x83 */ { "SMBfunique",reply_search,AS_USER},
1038 /* 0x84 */ { "SMBfclose",reply_fclose,AS_USER},
1039 /* 0x85 */ { NULL, NULL, 0 },
1040 /* 0x86 */ { NULL, NULL, 0 },
1041 /* 0x87 */ { NULL, NULL, 0 },
1042 /* 0x88 */ { NULL, NULL, 0 },
1043 /* 0x89 */ { NULL, NULL, 0 },
1044 /* 0x8a */ { NULL, NULL, 0 },
1045 /* 0x8b */ { NULL, NULL, 0 },
1046 /* 0x8c */ { NULL, NULL, 0 },
1047 /* 0x8d */ { NULL, NULL, 0 },
1048 /* 0x8e */ { NULL, NULL, 0 },
1049 /* 0x8f */ { NULL, NULL, 0 },
1050 /* 0x90 */ { NULL, NULL, 0 },
1051 /* 0x91 */ { NULL, NULL, 0 },
1052 /* 0x92 */ { NULL, NULL, 0 },
1053 /* 0x93 */ { NULL, NULL, 0 },
1054 /* 0x94 */ { NULL, NULL, 0 },
1055 /* 0x95 */ { NULL, NULL, 0 },
1056 /* 0x96 */ { NULL, NULL, 0 },
1057 /* 0x97 */ { NULL, NULL, 0 },
1058 /* 0x98 */ { NULL, NULL, 0 },
1059 /* 0x99 */ { NULL, NULL, 0 },
1060 /* 0x9a */ { NULL, NULL, 0 },
1061 /* 0x9b */ { NULL, NULL, 0 },
1062 /* 0x9c */ { NULL, NULL, 0 },
1063 /* 0x9d */ { NULL, NULL, 0 },
1064 /* 0x9e */ { NULL, NULL, 0 },
1065 /* 0x9f */ { NULL, NULL, 0 },
1066 /* 0xa0 */ { "SMBnttrans",reply_nttrans, AS_USER | CAN_IPC },
1067 /* 0xa1 */ { "SMBnttranss",reply_nttranss, AS_USER | CAN_IPC },
1068 /* 0xa2 */ { "SMBntcreateX",reply_ntcreate_and_X, AS_USER | CAN_IPC },
1069 /* 0xa3 */ { NULL, NULL, 0 },
1070 /* 0xa4 */ { "SMBntcancel",reply_ntcancel, 0 },
1071 /* 0xa5 */ { "SMBntrename",reply_ntrename, AS_USER | NEED_WRITE },
1072 /* 0xa6 */ { NULL, NULL, 0 },
1073 /* 0xa7 */ { NULL, NULL, 0 },
1074 /* 0xa8 */ { NULL, NULL, 0 },
1075 /* 0xa9 */ { NULL, NULL, 0 },
1076 /* 0xaa */ { NULL, NULL, 0 },
1077 /* 0xab */ { NULL, NULL, 0 },
1078 /* 0xac */ { NULL, NULL, 0 },
1079 /* 0xad */ { NULL, NULL, 0 },
1080 /* 0xae */ { NULL, NULL, 0 },
1081 /* 0xaf */ { NULL, NULL, 0 },
1082 /* 0xb0 */ { NULL, NULL, 0 },
1083 /* 0xb1 */ { NULL, NULL, 0 },
1084 /* 0xb2 */ { NULL, NULL, 0 },
1085 /* 0xb3 */ { NULL, NULL, 0 },
1086 /* 0xb4 */ { NULL, NULL, 0 },
1087 /* 0xb5 */ { NULL, NULL, 0 },
1088 /* 0xb6 */ { NULL, NULL, 0 },
1089 /* 0xb7 */ { NULL, NULL, 0 },
1090 /* 0xb8 */ { NULL, NULL, 0 },
1091 /* 0xb9 */ { NULL, NULL, 0 },
1092 /* 0xba */ { NULL, NULL, 0 },
1093 /* 0xbb */ { NULL, NULL, 0 },
1094 /* 0xbc */ { NULL, NULL, 0 },
1095 /* 0xbd */ { NULL, NULL, 0 },
1096 /* 0xbe */ { NULL, NULL, 0 },
1097 /* 0xbf */ { NULL, NULL, 0 },
1098 /* 0xc0 */ { "SMBsplopen",reply_printopen,AS_USER},
1099 /* 0xc1 */ { "SMBsplwr",reply_printwrite,AS_USER},
1100 /* 0xc2 */ { "SMBsplclose",reply_printclose,AS_USER},
1101 /* 0xc3 */ { "SMBsplretq",reply_printqueue,AS_USER},
1102 /* 0xc4 */ { NULL, NULL, 0 },
1103 /* 0xc5 */ { NULL, NULL, 0 },
1104 /* 0xc6 */ { NULL, NULL, 0 },
1105 /* 0xc7 */ { NULL, NULL, 0 },
1106 /* 0xc8 */ { NULL, NULL, 0 },
1107 /* 0xc9 */ { NULL, NULL, 0 },
1108 /* 0xca */ { NULL, NULL, 0 },
1109 /* 0xcb */ { NULL, NULL, 0 },
1110 /* 0xcc */ { NULL, NULL, 0 },
1111 /* 0xcd */ { NULL, NULL, 0 },
1112 /* 0xce */ { NULL, NULL, 0 },
1113 /* 0xcf */ { NULL, NULL, 0 },
1114 /* 0xd0 */ { "SMBsends",reply_sends,AS_GUEST},
1115 /* 0xd1 */ { "SMBsendb", NULL,AS_GUEST},
1116 /* 0xd2 */ { "SMBfwdname", NULL,AS_GUEST},
1117 /* 0xd3 */ { "SMBcancelf", NULL,AS_GUEST},
1118 /* 0xd4 */ { "SMBgetmac", NULL,AS_GUEST},
1119 /* 0xd5 */ { "SMBsendstrt",reply_sendstrt,AS_GUEST},
1120 /* 0xd6 */ { "SMBsendend",reply_sendend,AS_GUEST},
1121 /* 0xd7 */ { "SMBsendtxt",reply_sendtxt,AS_GUEST},
1122 /* 0xd8 */ { NULL, NULL, 0 },
1123 /* 0xd9 */ { NULL, NULL, 0 },
1124 /* 0xda */ { NULL, NULL, 0 },
1125 /* 0xdb */ { NULL, NULL, 0 },
1126 /* 0xdc */ { NULL, NULL, 0 },
1127 /* 0xdd */ { NULL, NULL, 0 },
1128 /* 0xde */ { NULL, NULL, 0 },
1129 /* 0xdf */ { NULL, NULL, 0 },
1130 /* 0xe0 */ { NULL, NULL, 0 },
1131 /* 0xe1 */ { NULL, NULL, 0 },
1132 /* 0xe2 */ { NULL, NULL, 0 },
1133 /* 0xe3 */ { NULL, NULL, 0 },
1134 /* 0xe4 */ { NULL, NULL, 0 },
1135 /* 0xe5 */ { NULL, NULL, 0 },
1136 /* 0xe6 */ { NULL, NULL, 0 },
1137 /* 0xe7 */ { NULL, NULL, 0 },
1138 /* 0xe8 */ { NULL, NULL, 0 },
1139 /* 0xe9 */ { NULL, NULL, 0 },
1140 /* 0xea */ { NULL, NULL, 0 },
1141 /* 0xeb */ { NULL, NULL, 0 },
1142 /* 0xec */ { NULL, NULL, 0 },
1143 /* 0xed */ { NULL, NULL, 0 },
1144 /* 0xee */ { NULL, NULL, 0 },
1145 /* 0xef */ { NULL, NULL, 0 },
1146 /* 0xf0 */ { NULL, NULL, 0 },
1147 /* 0xf1 */ { NULL, NULL, 0 },
1148 /* 0xf2 */ { NULL, NULL, 0 },
1149 /* 0xf3 */ { NULL, NULL, 0 },
1150 /* 0xf4 */ { NULL, NULL, 0 },
1151 /* 0xf5 */ { NULL, NULL, 0 },
1152 /* 0xf6 */ { NULL, NULL, 0 },
1153 /* 0xf7 */ { NULL, NULL, 0 },
1154 /* 0xf8 */ { NULL, NULL, 0 },
1155 /* 0xf9 */ { NULL, NULL, 0 },
1156 /* 0xfa */ { NULL, NULL, 0 },
1157 /* 0xfb */ { NULL, NULL, 0 },
1158 /* 0xfc */ { NULL, NULL, 0 },
1159 /* 0xfd */ { NULL, NULL, 0 },
1160 /* 0xfe */ { NULL, NULL, 0 },
1161 /* 0xff */ { NULL, NULL, 0 }
1162
1163 };
1164
1165 /*******************************************************************
1166  allocate and initialize a reply packet
1167 ********************************************************************/
1168
1169 static bool create_outbuf(TALLOC_CTX *mem_ctx, struct smb_request *req,
1170                           const char *inbuf, char **outbuf, uint8_t num_words,
1171                           uint32_t num_bytes)
1172 {
1173         /*
1174          * Protect against integer wrap
1175          */
1176         if ((num_bytes > 0xffffff)
1177             || ((num_bytes + smb_size + num_words*2) > 0xffffff)) {
1178                 char *msg;
1179                 if (asprintf(&msg, "num_bytes too large: %u",
1180                              (unsigned)num_bytes) == -1) {
1181                         msg = CONST_DISCARD(char *, "num_bytes too large");
1182                 }
1183                 smb_panic(msg);
1184         }
1185
1186         *outbuf = TALLOC_ARRAY(mem_ctx, char,
1187                                smb_size + num_words*2 + num_bytes);
1188         if (*outbuf == NULL) {
1189                 return false;
1190         }
1191
1192         construct_reply_common(req, inbuf, *outbuf);
1193         srv_set_message(*outbuf, num_words, num_bytes, false);
1194         /*
1195          * Zero out the word area, the caller has to take care of the bcc area
1196          * himself
1197          */
1198         if (num_words != 0) {
1199                 memset(*outbuf + smb_vwv0, 0, num_words*2);
1200         }
1201
1202         return true;
1203 }
1204
1205 void reply_outbuf(struct smb_request *req, uint8 num_words, uint32 num_bytes)
1206 {
1207         char *outbuf;
1208         if (!create_outbuf(req, req, (char *)req->inbuf, &outbuf, num_words,
1209                            num_bytes)) {
1210                 smb_panic("could not allocate output buffer\n");
1211         }
1212         req->outbuf = (uint8_t *)outbuf;
1213 }
1214
1215
1216 /*******************************************************************
1217  Dump a packet to a file.
1218 ********************************************************************/
1219
1220 static void smb_dump(const char *name, int type, const char *data, ssize_t len)
1221 {
1222         int fd, i;
1223         char *fname = NULL;
1224         if (DEBUGLEVEL < 50) {
1225                 return;
1226         }
1227
1228         if (len < 4) len = smb_len(data)+4;
1229         for (i=1;i<100;i++) {
1230                 if (asprintf(&fname, "/tmp/%s.%d.%s", name, i,
1231                              type ? "req" : "resp") == -1) {
1232                         return;
1233                 }
1234                 fd = open(fname, O_WRONLY|O_CREAT|O_EXCL, 0644);
1235                 if (fd != -1 || errno != EEXIST) break;
1236         }
1237         if (fd != -1) {
1238                 ssize_t ret = write(fd, data, len);
1239                 if (ret != len)
1240                         DEBUG(0,("smb_dump: problem: write returned %d\n", (int)ret ));
1241                 close(fd);
1242                 DEBUG(0,("created %s len %lu\n", fname, (unsigned long)len));
1243         }
1244         SAFE_FREE(fname);
1245 }
1246
1247 /****************************************************************************
1248  Prepare everything for calling the actual request function, and potentially
1249  call the request function via the "new" interface.
1250
1251  Return False if the "legacy" function needs to be called, everything is
1252  prepared.
1253
1254  Return True if we're done.
1255
1256  I know this API sucks, but it is the one with the least code change I could
1257  find.
1258 ****************************************************************************/
1259
1260 static connection_struct *switch_message(uint8 type, struct smb_request *req, int size)
1261 {
1262         int flags;
1263         uint16 session_tag;
1264         connection_struct *conn = NULL;
1265         struct smbd_server_connection *sconn = smbd_server_conn;
1266
1267         errno = 0;
1268
1269         /* Make sure this is an SMB packet. smb_size contains NetBIOS header
1270          * so subtract 4 from it. */
1271         if (!valid_smb_header(req->inbuf)
1272             || (size < (smb_size - 4))) {
1273                 DEBUG(2,("Non-SMB packet of length %d. Terminating server\n",
1274                          smb_len(req->inbuf)));
1275                 exit_server_cleanly("Non-SMB packet");
1276         }
1277
1278         if (smb_messages[type].fn == NULL) {
1279                 DEBUG(0,("Unknown message type %d!\n",type));
1280                 smb_dump("Unknown", 1, (char *)req->inbuf, size);
1281                 reply_unknown_new(req, type);
1282                 return NULL;
1283         }
1284
1285         flags = smb_messages[type].flags;
1286
1287         /* In share mode security we must ignore the vuid. */
1288         session_tag = (lp_security() == SEC_SHARE)
1289                 ? UID_FIELD_INVALID : req->vuid;
1290         conn = req->conn;
1291
1292         DEBUG(3,("switch message %s (pid %d) conn 0x%lx\n", smb_fn_name(type),
1293                  (int)sys_getpid(), (unsigned long)conn));
1294
1295         smb_dump(smb_fn_name(type), 1, (char *)req->inbuf, size);
1296
1297         /* Ensure this value is replaced in the incoming packet. */
1298         SSVAL(req->inbuf,smb_uid,session_tag);
1299
1300         /*
1301          * Ensure the correct username is in current_user_info.  This is a
1302          * really ugly bugfix for problems with multiple session_setup_and_X's
1303          * being done and allowing %U and %G substitutions to work correctly.
1304          * There is a reason this code is done here, don't move it unless you
1305          * know what you're doing... :-).
1306          * JRA.
1307          */
1308
1309         if (session_tag != sconn->smb1.sessions.last_session_tag) {
1310                 user_struct *vuser = NULL;
1311
1312                 sconn->smb1.sessions.last_session_tag = session_tag;
1313                 if(session_tag != UID_FIELD_INVALID) {
1314                         vuser = get_valid_user_struct(sconn, session_tag);
1315                         if (vuser) {
1316                                 set_current_user_info(
1317                                         vuser->server_info->sanitized_username,
1318                                         vuser->server_info->unix_name,
1319                                         pdb_get_domain(vuser->server_info
1320                                                        ->sam_account));
1321                         }
1322                 }
1323         }
1324
1325         /* Does this call need to be run as the connected user? */
1326         if (flags & AS_USER) {
1327
1328                 /* Does this call need a valid tree connection? */
1329                 if (!conn) {
1330                         /*
1331                          * Amazingly, the error code depends on the command
1332                          * (from Samba4).
1333                          */
1334                         if (type == SMBntcreateX) {
1335                                 reply_nterror(req, NT_STATUS_INVALID_HANDLE);
1336                         } else {
1337                                 reply_nterror(req, NT_STATUS_NETWORK_NAME_DELETED);
1338                         }
1339                         return NULL;
1340                 }
1341
1342                 if (!change_to_user(conn,session_tag)) {
1343                         DEBUG(0, ("Error: Could not change to user. Removing "
1344                             "deferred open, mid=%d.\n", req->mid));
1345                         reply_force_doserror(req, ERRSRV, ERRbaduid);
1346                         return conn;
1347                 }
1348
1349                 /* All NEED_WRITE and CAN_IPC flags must also have AS_USER. */
1350
1351                 /* Does it need write permission? */
1352                 if ((flags & NEED_WRITE) && !CAN_WRITE(conn)) {
1353                         reply_nterror(req, NT_STATUS_MEDIA_WRITE_PROTECTED);
1354                         return conn;
1355                 }
1356
1357                 /* IPC services are limited */
1358                 if (IS_IPC(conn) && !(flags & CAN_IPC)) {
1359                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1360                         return conn;
1361                 }
1362         } else {
1363                 /* This call needs to be run as root */
1364                 change_to_root_user();
1365         }
1366
1367         /* load service specific parameters */
1368         if (conn) {
1369                 if (req->encrypted) {
1370                         conn->encrypted_tid = true;
1371                         /* encrypted required from now on. */
1372                         conn->encrypt_level = Required;
1373                 } else if (ENCRYPTION_REQUIRED(conn)) {
1374                         if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
1375                                 exit_server_cleanly("encryption required "
1376                                         "on connection");
1377                                 return conn;
1378                         }
1379                 }
1380
1381                 if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
1382                                          (flags & (AS_USER|DO_CHDIR)
1383                                           ?True:False))) {
1384                         reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1385                         return conn;
1386                 }
1387                 conn->num_smb_operations++;
1388         }
1389
1390         /* does this protocol need to be run as guest? */
1391         if ((flags & AS_GUEST)
1392             && (!change_to_guest() ||
1393                 !check_access(smbd_server_fd(), lp_hostsallow(-1),
1394                               lp_hostsdeny(-1)))) {
1395                 reply_nterror(req, NT_STATUS_ACCESS_DENIED);
1396                 return conn;
1397         }
1398
1399         smb_messages[type].fn(req);
1400         return req->conn;
1401 }
1402
1403 /****************************************************************************
1404  Construct a reply to the incoming packet.
1405 ****************************************************************************/
1406
1407 static void construct_reply(char *inbuf, int size, size_t unread_bytes,
1408                             uint32_t seqnum, bool encrypted,
1409                             struct smb_perfcount_data *deferred_pcd)
1410 {
1411         connection_struct *conn;
1412         struct smb_request *req;
1413
1414         if (!(req = talloc(talloc_tos(), struct smb_request))) {
1415                 smb_panic("could not allocate smb_request");
1416         }
1417
1418         init_smb_request(req, (uint8 *)inbuf, unread_bytes, encrypted, seqnum);
1419         req->inbuf  = (uint8_t *)talloc_move(req, &inbuf);
1420
1421         /* we popped this message off the queue - keep original perf data */
1422         if (deferred_pcd)
1423                 req->pcd = *deferred_pcd;
1424         else {
1425                 SMB_PERFCOUNT_START(&req->pcd);
1426                 SMB_PERFCOUNT_SET_OP(&req->pcd, req->cmd);
1427                 SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, size);
1428         }
1429
1430         conn = switch_message(req->cmd, req, size);
1431
1432         if (req->unread_bytes) {
1433                 /* writeX failed. drain socket. */
1434                 if (drain_socket(smbd_server_fd(), req->unread_bytes) !=
1435                                 req->unread_bytes) {
1436                         smb_panic("failed to drain pending bytes");
1437                 }
1438                 req->unread_bytes = 0;
1439         }
1440
1441         if (req->done) {
1442                 TALLOC_FREE(req);
1443                 return;
1444         }
1445
1446         if (req->outbuf == NULL) {
1447                 return;
1448         }
1449
1450         if (CVAL(req->outbuf,0) == 0) {
1451                 show_msg((char *)req->outbuf);
1452         }
1453
1454         if (!srv_send_smb(smbd_server_fd(),
1455                         (char *)req->outbuf,
1456                         true, req->seqnum+1,
1457                         IS_CONN_ENCRYPTED(conn)||req->encrypted,
1458                         &req->pcd)) {
1459                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
1460         }
1461
1462         TALLOC_FREE(req);
1463
1464         return;
1465 }
1466
1467 /****************************************************************************
1468  Process an smb from the client
1469 ****************************************************************************/
1470 static void process_smb(struct smbd_server_connection *conn,
1471                         uint8_t *inbuf, size_t nread, size_t unread_bytes,
1472                         uint32_t seqnum, bool encrypted,
1473                         struct smb_perfcount_data *deferred_pcd)
1474 {
1475         int msg_type = CVAL(inbuf,0);
1476
1477         DO_PROFILE_INC(smb_count);
1478
1479         DEBUG( 6, ( "got message type 0x%x of len 0x%x\n", msg_type,
1480                     smb_len(inbuf) ) );
1481         DEBUG( 3, ( "Transaction %d of length %d (%u toread)\n", trans_num,
1482                                 (int)nread,
1483                                 (unsigned int)unread_bytes ));
1484
1485         if (msg_type != 0) {
1486                 /*
1487                  * NetBIOS session request, keepalive, etc.
1488                  */
1489                 reply_special((char *)inbuf);
1490                 goto done;
1491         }
1492
1493         if (smbd_server_conn->allow_smb2) {
1494                 if (smbd_is_smb2_header(inbuf, nread)) {
1495                         smbd_smb2_first_negprot(smbd_server_conn, inbuf, nread);
1496                         return;
1497                 }
1498                 smbd_server_conn->allow_smb2 = false;
1499         }
1500
1501         show_msg((char *)inbuf);
1502
1503         construct_reply((char *)inbuf,nread,unread_bytes,seqnum,encrypted,deferred_pcd);
1504         trans_num++;
1505
1506 done:
1507         conn->smb1.num_requests++;
1508
1509         /* The timeout_processing function isn't run nearly
1510            often enough to implement 'max log size' without
1511            overrunning the size of the file by many megabytes.
1512            This is especially true if we are running at debug
1513            level 10.  Checking every 50 SMBs is a nice
1514            tradeoff of performance vs log file size overrun. */
1515
1516         if ((conn->smb1.num_requests % 50) == 0 &&
1517             need_to_check_log_size()) {
1518                 change_to_root_user();
1519                 check_log_size();
1520         }
1521 }
1522
1523 /****************************************************************************
1524  Return a string containing the function name of a SMB command.
1525 ****************************************************************************/
1526
1527 const char *smb_fn_name(int type)
1528 {
1529         const char *unknown_name = "SMBunknown";
1530
1531         if (smb_messages[type].name == NULL)
1532                 return(unknown_name);
1533
1534         return(smb_messages[type].name);
1535 }
1536
1537 /****************************************************************************
1538  Helper functions for contruct_reply.
1539 ****************************************************************************/
1540
1541 void add_to_common_flags2(uint32 v)
1542 {
1543         common_flags2 |= v;
1544 }
1545
1546 void remove_from_common_flags2(uint32 v)
1547 {
1548         common_flags2 &= ~v;
1549 }
1550
1551 static void construct_reply_common(struct smb_request *req, const char *inbuf,
1552                                    char *outbuf)
1553 {
1554         srv_set_message(outbuf,0,0,false);
1555
1556         SCVAL(outbuf, smb_com, req->cmd);
1557         SIVAL(outbuf,smb_rcls,0);
1558         SCVAL(outbuf,smb_flg, FLAG_REPLY | (CVAL(inbuf,smb_flg) & FLAG_CASELESS_PATHNAMES)); 
1559         SSVAL(outbuf,smb_flg2,
1560                 (SVAL(inbuf,smb_flg2) & FLAGS2_UNICODE_STRINGS) |
1561                 common_flags2);
1562         memset(outbuf+smb_pidhigh,'\0',(smb_tid-smb_pidhigh));
1563
1564         SSVAL(outbuf,smb_tid,SVAL(inbuf,smb_tid));
1565         SSVAL(outbuf,smb_pid,SVAL(inbuf,smb_pid));
1566         SSVAL(outbuf,smb_uid,SVAL(inbuf,smb_uid));
1567         SSVAL(outbuf,smb_mid,SVAL(inbuf,smb_mid));
1568 }
1569
1570 void construct_reply_common_req(struct smb_request *req, char *outbuf)
1571 {
1572         construct_reply_common(req, (char *)req->inbuf, outbuf);
1573 }
1574
1575 /*
1576  * How many bytes have we already accumulated up to the current wct field
1577  * offset?
1578  */
1579
1580 size_t req_wct_ofs(struct smb_request *req)
1581 {
1582         size_t buf_size;
1583
1584         if (req->chain_outbuf == NULL) {
1585                 return smb_wct - 4;
1586         }
1587         buf_size = talloc_get_size(req->chain_outbuf);
1588         if ((buf_size % 4) != 0) {
1589                 buf_size += (4 - (buf_size % 4));
1590         }
1591         return buf_size - 4;
1592 }
1593
1594 /*
1595  * Hack around reply_nterror & friends not being aware of chained requests,
1596  * generating illegal (i.e. wct==0) chain replies.
1597  */
1598
1599 static void fixup_chain_error_packet(struct smb_request *req)
1600 {
1601         uint8_t *outbuf = req->outbuf;
1602         req->outbuf = NULL;
1603         reply_outbuf(req, 2, 0);
1604         memcpy(req->outbuf, outbuf, smb_wct);
1605         TALLOC_FREE(outbuf);
1606         SCVAL(req->outbuf, smb_vwv0, 0xff);
1607 }
1608
1609 /**
1610  * @brief Find the smb_cmd offset of the last command pushed
1611  * @param[in] buf       The buffer we're building up
1612  * @retval              Where can we put our next andx cmd?
1613  *
1614  * While chaining requests, the "next" request we're looking at needs to put
1615  * its SMB_Command before the data the previous request already built up added
1616  * to the chain. Find the offset to the place where we have to put our cmd.
1617  */
1618
1619 static bool find_andx_cmd_ofs(uint8_t *buf, size_t *pofs)
1620 {
1621         uint8_t cmd;
1622         size_t ofs;
1623
1624         cmd = CVAL(buf, smb_com);
1625
1626         SMB_ASSERT(is_andx_req(cmd));
1627
1628         ofs = smb_vwv0;
1629
1630         while (CVAL(buf, ofs) != 0xff) {
1631
1632                 if (!is_andx_req(CVAL(buf, ofs))) {
1633                         return false;
1634                 }
1635
1636                 /*
1637                  * ofs is from start of smb header, so add the 4 length
1638                  * bytes. The next cmd is right after the wct field.
1639                  */
1640                 ofs = SVAL(buf, ofs+2) + 4 + 1;
1641
1642                 SMB_ASSERT(ofs+4 < talloc_get_size(buf));
1643         }
1644
1645         *pofs = ofs;
1646         return true;
1647 }
1648
1649 /**
1650  * @brief Do the smb chaining at a buffer level
1651  * @param[in] poutbuf           Pointer to the talloc'ed buffer to be modified
1652  * @param[in] smb_command       The command that we want to issue
1653  * @param[in] wct               How many words?
1654  * @param[in] vwv               The words, already in network order
1655  * @param[in] bytes_alignment   How shall we align "bytes"?
1656  * @param[in] num_bytes         How many bytes?
1657  * @param[in] bytes             The data the request ships
1658  *
1659  * smb_splice_chain() adds the vwv and bytes to the request already present in
1660  * *poutbuf.
1661  */
1662
1663 static bool smb_splice_chain(uint8_t **poutbuf, uint8_t smb_command,
1664                              uint8_t wct, const uint16_t *vwv,
1665                              size_t bytes_alignment,
1666                              uint32_t num_bytes, const uint8_t *bytes)
1667 {
1668         uint8_t *outbuf;
1669         size_t old_size, new_size;
1670         size_t ofs;
1671         size_t chain_padding = 0;
1672         size_t bytes_padding = 0;
1673         bool first_request;
1674
1675         old_size = talloc_get_size(*poutbuf);
1676
1677         /*
1678          * old_size == smb_wct means we're pushing the first request in for
1679          * libsmb/
1680          */
1681
1682         first_request = (old_size == smb_wct);
1683
1684         if (!first_request && ((old_size % 4) != 0)) {
1685                 /*
1686                  * Align the wct field of subsequent requests to a 4-byte
1687                  * boundary
1688                  */
1689                 chain_padding = 4 - (old_size % 4);
1690         }
1691
1692         /*
1693          * After the old request comes the new wct field (1 byte), the vwv's
1694          * and the num_bytes field. After at we might need to align the bytes
1695          * given to us to "bytes_alignment", increasing the num_bytes value.
1696          */
1697
1698         new_size = old_size + chain_padding + 1 + wct * sizeof(uint16_t) + 2;
1699
1700         if ((bytes_alignment != 0) && ((new_size % bytes_alignment) != 0)) {
1701                 bytes_padding = bytes_alignment - (new_size % bytes_alignment);
1702         }
1703
1704         new_size += bytes_padding + num_bytes;
1705
1706         if ((smb_command != SMBwriteX) && (new_size > 0xffff)) {
1707                 DEBUG(1, ("splice_chain: %u bytes won't fit\n",
1708                           (unsigned)new_size));
1709                 return false;
1710         }
1711
1712         outbuf = TALLOC_REALLOC_ARRAY(NULL, *poutbuf, uint8_t, new_size);
1713         if (outbuf == NULL) {
1714                 DEBUG(0, ("talloc failed\n"));
1715                 return false;
1716         }
1717         *poutbuf = outbuf;
1718
1719         if (first_request) {
1720                 SCVAL(outbuf, smb_com, smb_command);
1721         } else {
1722                 size_t andx_cmd_ofs;
1723
1724                 if (!find_andx_cmd_ofs(outbuf, &andx_cmd_ofs)) {
1725                         DEBUG(1, ("invalid command chain\n"));
1726                         *poutbuf = TALLOC_REALLOC_ARRAY(
1727                                 NULL, *poutbuf, uint8_t, old_size);
1728                         return false;
1729                 }
1730
1731                 if (chain_padding != 0) {
1732                         memset(outbuf + old_size, 0, chain_padding);
1733                         old_size += chain_padding;
1734                 }
1735
1736                 SCVAL(outbuf, andx_cmd_ofs, smb_command);
1737                 SSVAL(outbuf, andx_cmd_ofs + 2, old_size - 4);
1738         }
1739
1740         ofs = old_size;
1741
1742         /*
1743          * Push the chained request:
1744          *
1745          * wct field
1746          */
1747
1748         SCVAL(outbuf, ofs, wct);
1749         ofs += 1;
1750
1751         /*
1752          * vwv array
1753          */
1754
1755         memcpy(outbuf + ofs, vwv, sizeof(uint16_t) * wct);
1756         ofs += sizeof(uint16_t) * wct;
1757
1758         /*
1759          * bcc (byte count)
1760          */
1761
1762         SSVAL(outbuf, ofs, num_bytes + bytes_padding);
1763         ofs += sizeof(uint16_t);
1764
1765         /*
1766          * padding
1767          */
1768
1769         if (bytes_padding != 0) {
1770                 memset(outbuf + ofs, 0, bytes_padding);
1771                 ofs += bytes_padding;
1772         }
1773
1774         /*
1775          * The bytes field
1776          */
1777
1778         memcpy(outbuf + ofs, bytes, num_bytes);
1779
1780         return true;
1781 }
1782
1783 /****************************************************************************
1784  Construct a chained reply and add it to the already made reply
1785 ****************************************************************************/
1786
1787 void chain_reply(struct smb_request *req)
1788 {
1789         size_t smblen = smb_len(req->inbuf);
1790         size_t already_used, length_needed;
1791         uint8_t chain_cmd;
1792         uint32_t chain_offset;  /* uint32_t to avoid overflow */
1793
1794         uint8_t wct;
1795         uint16_t *vwv;
1796         uint16_t buflen;
1797         uint8_t *buf;
1798
1799         if (IVAL(req->outbuf, smb_rcls) != 0) {
1800                 fixup_chain_error_packet(req);
1801         }
1802
1803         /*
1804          * Any of the AndX requests and replies have at least a wct of
1805          * 2. vwv[0] is the next command, vwv[1] is the offset from the
1806          * beginning of the SMB header to the next wct field.
1807          *
1808          * None of the AndX requests put anything valuable in vwv[0] and [1],
1809          * so we can overwrite it here to form the chain.
1810          */
1811
1812         if ((req->wct < 2) || (CVAL(req->outbuf, smb_wct) < 2)) {
1813                 goto error;
1814         }
1815
1816         /*
1817          * Here we assume that this is the end of the chain. For that we need
1818          * to set "next command" to 0xff and the offset to 0. If we later find
1819          * more commands in the chain, this will be overwritten again.
1820          */
1821
1822         SCVAL(req->outbuf, smb_vwv0, 0xff);
1823         SCVAL(req->outbuf, smb_vwv0+1, 0);
1824         SSVAL(req->outbuf, smb_vwv1, 0);
1825
1826         if (req->chain_outbuf == NULL) {
1827                 /*
1828                  * In req->chain_outbuf we collect all the replies. Start the
1829                  * chain by copying in the first reply.
1830                  *
1831                  * We do the realloc because later on we depend on
1832                  * talloc_get_size to determine the length of
1833                  * chain_outbuf. The reply_xxx routines might have
1834                  * over-allocated (reply_pipe_read_and_X used to be such an
1835                  * example).
1836                  */
1837                 req->chain_outbuf = TALLOC_REALLOC_ARRAY(
1838                         req, req->outbuf, uint8_t, smb_len(req->outbuf) + 4);
1839                 if (req->chain_outbuf == NULL) {
1840                         goto error;
1841                 }
1842                 req->outbuf = NULL;
1843         } else {
1844                 /*
1845                  * Update smb headers where subsequent chained commands
1846                  * may have updated them.
1847                  */
1848                 SCVAL(req->chain_outbuf, smb_tid, CVAL(req->outbuf, smb_tid));
1849                 SCVAL(req->chain_outbuf, smb_uid, CVAL(req->outbuf, smb_uid));
1850
1851                 if (!smb_splice_chain(&req->chain_outbuf,
1852                                       CVAL(req->outbuf, smb_com),
1853                                       CVAL(req->outbuf, smb_wct),
1854                                       (uint16_t *)(req->outbuf + smb_vwv),
1855                                       0, smb_buflen(req->outbuf),
1856                                       (uint8_t *)smb_buf(req->outbuf))) {
1857                         goto error;
1858                 }
1859                 TALLOC_FREE(req->outbuf);
1860         }
1861
1862         /*
1863          * We use the old request's vwv field to grab the next chained command
1864          * and offset into the chained fields.
1865          */
1866
1867         chain_cmd = CVAL(req->vwv+0, 0);
1868         chain_offset = SVAL(req->vwv+1, 0);
1869
1870         if (chain_cmd == 0xff) {
1871                 /*
1872                  * End of chain, no more requests from the client. So ship the
1873                  * replies.
1874                  */
1875                 smb_setlen((char *)(req->chain_outbuf),
1876                            talloc_get_size(req->chain_outbuf) - 4);
1877
1878                 if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
1879                                   true, req->seqnum+1,
1880                                   IS_CONN_ENCRYPTED(req->conn)
1881                                   ||req->encrypted,
1882                                   &req->pcd)) {
1883                         exit_server_cleanly("chain_reply: srv_send_smb "
1884                                             "failed.");
1885                 }
1886                 TALLOC_FREE(req->chain_outbuf);
1887                 req->done = true;
1888                 return;
1889         }
1890
1891         /* add a new perfcounter for this element of chain */
1892         SMB_PERFCOUNT_ADD(&req->pcd);
1893         SMB_PERFCOUNT_SET_OP(&req->pcd, chain_cmd);
1894         SMB_PERFCOUNT_SET_MSGLEN_IN(&req->pcd, smblen);
1895
1896         /*
1897          * Check if the client tries to fool us. The request so far uses the
1898          * space to the end of the byte buffer in the request just
1899          * processed. The chain_offset can't point into that area. If that was
1900          * the case, we could end up with an endless processing of the chain,
1901          * we would always handle the same request.
1902          */
1903
1904         already_used = PTR_DIFF(req->buf+req->buflen, smb_base(req->inbuf));
1905         if (chain_offset < already_used) {
1906                 goto error;
1907         }
1908
1909         /*
1910          * Next check: Make sure the chain offset does not point beyond the
1911          * overall smb request length.
1912          */
1913
1914         length_needed = chain_offset+1; /* wct */
1915         if (length_needed > smblen) {
1916                 goto error;
1917         }
1918
1919         /*
1920          * Now comes the pointer magic. Goal here is to set up req->vwv and
1921          * req->buf correctly again to be able to call the subsequent
1922          * switch_message(). The chain offset (the former vwv[1]) points at
1923          * the new wct field.
1924          */
1925
1926         wct = CVAL(smb_base(req->inbuf), chain_offset);
1927
1928         /*
1929          * Next consistency check: Make the new vwv array fits in the overall
1930          * smb request.
1931          */
1932
1933         length_needed += (wct+1)*sizeof(uint16_t); /* vwv+buflen */
1934         if (length_needed > smblen) {
1935                 goto error;
1936         }
1937         vwv = (uint16_t *)(smb_base(req->inbuf) + chain_offset + 1);
1938
1939         /*
1940          * Now grab the new byte buffer....
1941          */
1942
1943         buflen = SVAL(vwv+wct, 0);
1944
1945         /*
1946          * .. and check that it fits.
1947          */
1948
1949         length_needed += buflen;
1950         if (length_needed > smblen) {
1951                 goto error;
1952         }
1953         buf = (uint8_t *)(vwv+wct+1);
1954
1955         req->cmd = chain_cmd;
1956         req->wct = wct;
1957         req->vwv = vwv;
1958         req->buflen = buflen;
1959         req->buf = buf;
1960
1961         switch_message(chain_cmd, req, smblen);
1962
1963         if (req->outbuf == NULL) {
1964                 /*
1965                  * This happens if the chained command has suspended itself or
1966                  * if it has called srv_send_smb() itself.
1967                  */
1968                 return;
1969         }
1970
1971         /*
1972          * We end up here if the chained command was not itself chained or
1973          * suspended, but for example a close() command. We now need to splice
1974          * the chained commands' outbuf into the already built up chain_outbuf
1975          * and ship the result.
1976          */
1977         goto done;
1978
1979  error:
1980         /*
1981          * We end up here if there's any error in the chain syntax. Report a
1982          * DOS error, just like Windows does.
1983          */
1984         reply_force_doserror(req, ERRSRV, ERRerror);
1985         fixup_chain_error_packet(req);
1986
1987  done:
1988         /*
1989          * This scary statement intends to set the
1990          * FLAGS2_32_BIT_ERROR_CODES flg2 field in req->chain_outbuf
1991          * to the value req->outbuf carries
1992          */
1993         SSVAL(req->chain_outbuf, smb_flg2,
1994               (SVAL(req->chain_outbuf, smb_flg2) & ~FLAGS2_32_BIT_ERROR_CODES)
1995               | (SVAL(req->outbuf, smb_flg2) & FLAGS2_32_BIT_ERROR_CODES));
1996
1997         /*
1998          * Transfer the error codes from the subrequest to the main one
1999          */
2000         SSVAL(req->chain_outbuf, smb_rcls, SVAL(req->outbuf, smb_rcls));
2001         SSVAL(req->chain_outbuf, smb_err, SVAL(req->outbuf, smb_err));
2002
2003         if (!smb_splice_chain(&req->chain_outbuf,
2004                               CVAL(req->outbuf, smb_com),
2005                               CVAL(req->outbuf, smb_wct),
2006                               (uint16_t *)(req->outbuf + smb_vwv),
2007                               0, smb_buflen(req->outbuf),
2008                               (uint8_t *)smb_buf(req->outbuf))) {
2009                 exit_server_cleanly("chain_reply: smb_splice_chain failed\n");
2010         }
2011         TALLOC_FREE(req->outbuf);
2012
2013         smb_setlen((char *)(req->chain_outbuf),
2014                    talloc_get_size(req->chain_outbuf) - 4);
2015
2016         show_msg((char *)(req->chain_outbuf));
2017
2018         if (!srv_send_smb(smbd_server_fd(), (char *)req->chain_outbuf,
2019                           true, req->seqnum+1,
2020                           IS_CONN_ENCRYPTED(req->conn)||req->encrypted,
2021                           &req->pcd)) {
2022                 exit_server_cleanly("construct_reply: srv_send_smb failed.");
2023         }
2024         TALLOC_FREE(req->chain_outbuf);
2025         req->done = true;
2026 }
2027
2028 /****************************************************************************
2029  Check if services need reloading.
2030 ****************************************************************************/
2031
2032 void check_reload(time_t t)
2033 {
2034         time_t printcap_cache_time = (time_t)lp_printcap_cache_time();
2035
2036         if(last_smb_conf_reload_time == 0) {
2037                 last_smb_conf_reload_time = t;
2038                 /* Our printing subsystem might not be ready at smbd start up.
2039                    Then no printer is available till the first printers check
2040                    is performed.  A lower initial interval circumvents this. */
2041                 if ( printcap_cache_time > 60 )
2042                         last_printer_reload_time = t - printcap_cache_time + 60;
2043                 else
2044                         last_printer_reload_time = t;
2045         }
2046
2047         if (mypid != getpid()) { /* First time or fork happened meanwhile */
2048                 /* randomize over 60 second the printcap reload to avoid all
2049                  * process hitting cupsd at the same time */
2050                 int time_range = 60;
2051
2052                 last_printer_reload_time += random() % time_range;
2053                 mypid = getpid();
2054         }
2055
2056         if (t >= last_smb_conf_reload_time+SMBD_RELOAD_CHECK) {
2057                 reload_services(True);
2058                 last_smb_conf_reload_time = t;
2059         }
2060
2061         /* 'printcap cache time = 0' disable the feature */
2062
2063         if ( printcap_cache_time != 0 )
2064         { 
2065                 /* see if it's time to reload or if the clock has been set back */
2066
2067                 if ( (t >= last_printer_reload_time+printcap_cache_time) 
2068                         || (t-last_printer_reload_time  < 0) ) 
2069                 {
2070                         DEBUG( 3,( "Printcap cache time expired.\n"));
2071                         reload_printers();
2072                         last_printer_reload_time = t;
2073                 }
2074         }
2075 }
2076
2077 static void smbd_server_connection_write_handler(struct smbd_server_connection *conn)
2078 {
2079         /* TODO: make write nonblocking */
2080 }
2081
2082 static void smbd_server_connection_read_handler(struct smbd_server_connection *conn)
2083 {
2084         uint8_t *inbuf = NULL;
2085         size_t inbuf_len = 0;
2086         size_t unread_bytes = 0;
2087         bool encrypted = false;
2088         TALLOC_CTX *mem_ctx = talloc_tos();
2089         NTSTATUS status;
2090         uint32_t seqnum;
2091
2092         /* TODO: make this completely nonblocking */
2093
2094         status = receive_smb_talloc(mem_ctx, smbd_server_fd(),
2095                                     (char **)(void *)&inbuf,
2096                                     0, /* timeout */
2097                                     &unread_bytes,
2098                                     &encrypted,
2099                                     &inbuf_len, &seqnum);
2100         if (NT_STATUS_EQUAL(status, NT_STATUS_RETRY)) {
2101                 goto process;
2102         }
2103         if (NT_STATUS_IS_ERR(status)) {
2104                 exit_server_cleanly("failed to receive smb request");
2105         }
2106         if (!NT_STATUS_IS_OK(status)) {
2107                 return;
2108         }
2109
2110 process:
2111         process_smb(conn, inbuf, inbuf_len, unread_bytes,
2112                     seqnum, encrypted, NULL);
2113 }
2114
2115 static void smbd_server_connection_handler(struct event_context *ev,
2116                                            struct fd_event *fde,
2117                                            uint16_t flags,
2118                                            void *private_data)
2119 {
2120         struct smbd_server_connection *conn = talloc_get_type(private_data,
2121                                               struct smbd_server_connection);
2122
2123         if (flags & EVENT_FD_WRITE) {
2124                 smbd_server_connection_write_handler(conn);
2125         } else if (flags & EVENT_FD_READ) {
2126                 smbd_server_connection_read_handler(conn);
2127         }
2128 }
2129
2130
2131 /****************************************************************************
2132 received when we should release a specific IP
2133 ****************************************************************************/
2134 static void release_ip(const char *ip, void *priv)
2135 {
2136         char addr[INET6_ADDRSTRLEN];
2137         char *p = addr;
2138
2139         client_socket_addr(get_client_fd(),addr,sizeof(addr));
2140
2141         if (strncmp("::ffff:", addr, 7) == 0) {
2142                 p = addr + 7;
2143         }
2144
2145         if ((strcmp(p, ip) == 0) || ((p != addr) && strcmp(addr, ip) == 0)) {
2146                 /* we can't afford to do a clean exit - that involves
2147                    database writes, which would potentially mean we
2148                    are still running after the failover has finished -
2149                    we have to get rid of this process ID straight
2150                    away */
2151                 DEBUG(0,("Got release IP message for our IP %s - exiting immediately\n",
2152                         ip));
2153                 /* note we must exit with non-zero status so the unclean handler gets
2154                    called in the parent, so that the brl database is tickled */
2155                 _exit(1);
2156         }
2157 }
2158
2159 static void msg_release_ip(struct messaging_context *msg_ctx, void *private_data,
2160                            uint32_t msg_type, struct server_id server_id, DATA_BLOB *data)
2161 {
2162         release_ip((char *)data->data, NULL);
2163 }
2164
2165 #ifdef CLUSTER_SUPPORT
2166 static int client_get_tcp_info(struct sockaddr_storage *server,
2167                                struct sockaddr_storage *client)
2168 {
2169         socklen_t length;
2170         if (server_fd == -1) {
2171                 return -1;
2172         }
2173         length = sizeof(*server);
2174         if (getsockname(server_fd, (struct sockaddr *)server, &length) != 0) {
2175                 return -1;
2176         }
2177         length = sizeof(*client);
2178         if (getpeername(server_fd, (struct sockaddr *)client, &length) != 0) {
2179                 return -1;
2180         }
2181         return 0;
2182 }
2183 #endif
2184
2185 /*
2186  * Send keepalive packets to our client
2187  */
2188 static bool keepalive_fn(const struct timeval *now, void *private_data)
2189 {
2190         if (!send_keepalive(smbd_server_fd())) {
2191                 DEBUG( 2, ( "Keepalive failed - exiting.\n" ) );
2192                 return False;
2193         }
2194         return True;
2195 }
2196
2197 /*
2198  * Do the recurring check if we're idle
2199  */
2200 static bool deadtime_fn(const struct timeval *now, void *private_data)
2201 {
2202         struct smbd_server_connection *sconn = smbd_server_conn;
2203         if ((conn_num_open(sconn) == 0)
2204             || (conn_idle_all(sconn, now->tv_sec))) {
2205                 DEBUG( 2, ( "Closing idle connection\n" ) );
2206                 messaging_send(smbd_messaging_context(), procid_self(),
2207                                MSG_SHUTDOWN, &data_blob_null);
2208                 return False;
2209         }
2210
2211         return True;
2212 }
2213
2214 /*
2215  * Do the recurring log file and smb.conf reload checks.
2216  */
2217
2218 static bool housekeeping_fn(const struct timeval *now, void *private_data)
2219 {
2220         change_to_root_user();
2221
2222         /* update printer queue caches if necessary */
2223         update_monitored_printq_cache();
2224
2225         /* check if we need to reload services */
2226         check_reload(time(NULL));
2227
2228         /* Change machine password if neccessary. */
2229         attempt_machine_password_change();
2230
2231         /*
2232          * Force a log file check.
2233          */
2234         force_check_log_size();
2235         check_log_size();
2236         return true;
2237 }
2238
2239 /****************************************************************************
2240  Process commands from the client
2241 ****************************************************************************/
2242
2243 void smbd_process(void)
2244 {
2245         TALLOC_CTX *frame = talloc_stackframe();
2246         char remaddr[INET6_ADDRSTRLEN];
2247
2248         if (lp_maxprotocol() == PROTOCOL_SMB2 &&
2249             lp_security() != SEC_SHARE) {
2250                 smbd_server_conn->allow_smb2 = true;
2251         }
2252
2253         /* Ensure child is set to blocking mode */
2254         set_blocking(smbd_server_fd(),True);
2255
2256         set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
2257         set_socket_options(smbd_server_fd(), lp_socket_options());
2258
2259         /* this is needed so that we get decent entries
2260            in smbstatus for port 445 connects */
2261         set_remote_machine_name(get_peer_addr(smbd_server_fd(),
2262                                               remaddr,
2263                                               sizeof(remaddr)),
2264                                               false);
2265         reload_services(true);
2266
2267         /*
2268          * Before the first packet, check the global hosts allow/ hosts deny
2269          * parameters before doing any parsing of packets passed to us by the
2270          * client. This prevents attacks on our parsing code from hosts not in
2271          * the hosts allow list.
2272          */
2273
2274         if (!check_access(smbd_server_fd(), lp_hostsallow(-1),
2275                           lp_hostsdeny(-1))) {
2276                 char addr[INET6_ADDRSTRLEN];
2277
2278                 /*
2279                  * send a negative session response "not listening on calling
2280                  * name"
2281                  */
2282                 unsigned char buf[5] = {0x83, 0, 0, 1, 0x81};
2283                 DEBUG( 1, ("Connection denied from %s\n",
2284                            client_addr(get_client_fd(),addr,sizeof(addr)) ) );
2285                 (void)srv_send_smb(smbd_server_fd(),(char *)buf, false,
2286                                    0, false, NULL);
2287                 exit_server_cleanly("connection denied");
2288         }
2289
2290         static_init_rpc;
2291
2292         init_modules();
2293
2294         smb_perfcount_init();
2295
2296         if (!init_account_policy()) {
2297                 exit_server("Could not open account policy tdb.\n");
2298         }
2299
2300         if (*lp_rootdir()) {
2301                 if (chroot(lp_rootdir()) != 0) {
2302                         DEBUG(0,("Failed to change root to %s\n", lp_rootdir()));
2303                         exit_server("Failed to chroot()");
2304                 }
2305                 if (chdir("/") == -1) {
2306                         DEBUG(0,("Failed to chdir to / on chroot to %s\n", lp_rootdir()));
2307                         exit_server("Failed to chroot()");
2308                 }
2309                 DEBUG(0,("Changed root to %s\n", lp_rootdir()));
2310         }
2311
2312         if (!srv_init_signing(smbd_server_conn)) {
2313                 exit_server("Failed to init smb_signing");
2314         }
2315
2316         /* Setup oplocks */
2317         if (!init_oplocks(smbd_messaging_context()))
2318                 exit_server("Failed to init oplocks");
2319
2320         /* Setup aio signal handler. */
2321         initialize_async_io_handler();
2322
2323         /* register our message handlers */
2324         messaging_register(smbd_messaging_context(), NULL,
2325                            MSG_SMB_FORCE_TDIS, msg_force_tdis);
2326         messaging_register(smbd_messaging_context(), NULL,
2327                            MSG_SMB_RELEASE_IP, msg_release_ip);
2328         messaging_register(smbd_messaging_context(), NULL,
2329                            MSG_SMB_CLOSE_FILE, msg_close_file);
2330
2331         /*
2332          * Use the default MSG_DEBUG handler to avoid rebroadcasting
2333          * MSGs to all child processes
2334          */
2335         messaging_deregister(smbd_messaging_context(),
2336                              MSG_DEBUG, NULL);
2337         messaging_register(smbd_messaging_context(), NULL,
2338                            MSG_DEBUG, debug_message);
2339
2340         if ((lp_keepalive() != 0)
2341             && !(event_add_idle(smbd_event_context(), NULL,
2342                                 timeval_set(lp_keepalive(), 0),
2343                                 "keepalive", keepalive_fn,
2344                                 NULL))) {
2345                 DEBUG(0, ("Could not add keepalive event\n"));
2346                 exit(1);
2347         }
2348
2349         if (!(event_add_idle(smbd_event_context(), NULL,
2350                              timeval_set(IDLE_CLOSED_TIMEOUT, 0),
2351                              "deadtime", deadtime_fn, NULL))) {
2352                 DEBUG(0, ("Could not add deadtime event\n"));
2353                 exit(1);
2354         }
2355
2356         if (!(event_add_idle(smbd_event_context(), NULL,
2357                              timeval_set(SMBD_SELECT_TIMEOUT, 0),
2358                              "housekeeping", housekeeping_fn, NULL))) {
2359                 DEBUG(0, ("Could not add housekeeping event\n"));
2360                 exit(1);
2361         }
2362
2363 #ifdef CLUSTER_SUPPORT
2364
2365         if (lp_clustering()) {
2366                 /*
2367                  * We need to tell ctdb about our client's TCP
2368                  * connection, so that for failover ctdbd can send
2369                  * tickle acks, triggering a reconnection by the
2370                  * client.
2371                  */
2372
2373                 struct sockaddr_storage srv, clnt;
2374
2375                 if (client_get_tcp_info(&srv, &clnt) == 0) {
2376
2377                         NTSTATUS status;
2378
2379                         status = ctdbd_register_ips(
2380                                 messaging_ctdbd_connection(),
2381                                 &srv, &clnt, release_ip, NULL);
2382
2383                         if (!NT_STATUS_IS_OK(status)) {
2384                                 DEBUG(0, ("ctdbd_register_ips failed: %s\n",
2385                                           nt_errstr(status)));
2386                         }
2387                 } else
2388                 {
2389                         DEBUG(0,("Unable to get tcp info for "
2390                                  "CTDB_CONTROL_TCP_CLIENT: %s\n",
2391                                  strerror(errno)));
2392                 }
2393         }
2394
2395 #endif
2396
2397         smbd_server_conn->nbt.got_session = false;
2398
2399         smbd_server_conn->smb1.negprot.max_recv = MIN(lp_maxxmit(),BUFFER_SIZE);
2400
2401         smbd_server_conn->smb1.sessions.done_sesssetup = false;
2402         smbd_server_conn->smb1.sessions.max_send = BUFFER_SIZE;
2403         smbd_server_conn->smb1.sessions.last_session_tag = UID_FIELD_INVALID;
2404         /* users from session setup */
2405         smbd_server_conn->smb1.sessions.session_userlist = NULL;
2406         /* workgroup from session setup. */
2407         smbd_server_conn->smb1.sessions.session_workgroup = NULL;
2408         /* this holds info on user ids that are already validated for this VC */
2409         smbd_server_conn->smb1.sessions.validated_users = NULL;
2410         smbd_server_conn->smb1.sessions.next_vuid = VUID_OFFSET;
2411         smbd_server_conn->smb1.sessions.num_validated_vuids = 0;
2412 #ifdef HAVE_NETGROUP
2413         smbd_server_conn->smb1.sessions.my_yp_domain = NULL;
2414 #endif
2415
2416         conn_init(smbd_server_conn);
2417         if (!init_dptrs(smbd_server_conn)) {
2418                 exit_server("init_dptrs() failed");
2419         }
2420
2421         smbd_server_conn->smb1.fde = event_add_fd(smbd_event_context(),
2422                                                   smbd_server_conn,
2423                                                   smbd_server_fd(),
2424                                                   EVENT_FD_READ,
2425                                                   smbd_server_connection_handler,
2426                                                   smbd_server_conn);
2427         if (!smbd_server_conn->smb1.fde) {
2428                 exit_server("failed to create smbd_server_connection fde");
2429         }
2430
2431         TALLOC_FREE(frame);
2432
2433         while (True) {
2434                 NTSTATUS status;
2435
2436                 frame = talloc_stackframe_pool(8192);
2437
2438                 errno = 0;
2439
2440                 status = smbd_server_connection_loop_once(smbd_server_conn);
2441                 if (!NT_STATUS_EQUAL(status, NT_STATUS_RETRY) &&
2442                     !NT_STATUS_IS_OK(status)) {
2443                         DEBUG(3, ("smbd_server_connection_loop_once failed: %s,"
2444                                   " exiting\n", nt_errstr(status)));
2445                         break;
2446                 }
2447
2448                 TALLOC_FREE(frame);
2449         }
2450
2451         exit_server_cleanly(NULL);
2452 }
2453
2454 bool req_is_in_chain(struct smb_request *req)
2455 {
2456         if (req->vwv != (uint16_t *)(req->inbuf+smb_vwv)) {
2457                 /*
2458                  * We're right now handling a subsequent request, so we must
2459                  * be in a chain
2460                  */
2461                 return true;
2462         }
2463
2464         if (!is_andx_req(req->cmd)) {
2465                 return false;
2466         }
2467
2468         if (req->wct < 2) {
2469                 /*
2470                  * Okay, an illegal request, but definitely not chained :-)
2471                  */
2472                 return false;
2473         }
2474
2475         return (CVAL(req->vwv+0, 0) != 0xFF);
2476 }