#include "includes.h"
+#undef DBGC_CLASS
+#define DBGC_CLASS DBGC_RPC_SRV
+
#define PIPE "\\PIPE\\"
#define PIPELEN strlen(PIPE)
static smb_np_struct *chain_p;
static int pipes_open;
-#ifndef MAX_OPEN_PIPES
-#define MAX_OPEN_PIPES 2048
+/*
+ * Sometimes I can't decide if I hate Windows printer driver
+ * writers more than I hate the Windows spooler service driver
+ * writers. This gets around a combination of bugs in the spooler
+ * and the HP 8500 PCL driver that causes a spooler spin. JRA.
+ *
+ * bumped up from 20 -> 64 after viewing traffic from WordPerfect
+ * 2002 running on NT 4.- SP6
+ * bumped up from 64 -> 256 after viewing traffic from con2prt
+ * for lots of printers on a WinNT 4.x SP6 box.
+ */
+
+#ifndef MAX_OPEN_SPOOLSS_PIPES
+#define MAX_OPEN_SPOOLSS_PIPES 256
#endif
+static int current_spoolss_pipes_open;
static smb_np_struct *Pipes;
static pipes_struct *InternalPipes;
/****************************************************************************
Reset pipe chain handle number.
****************************************************************************/
+
void reset_chain_p(void)
{
chain_p = NULL;
int i;
smb_np_struct *p, *p_it;
static int next_pipe;
+ BOOL is_spoolss_pipe = False;
DEBUG(4,("Open pipe requested %s (pipes_open=%d)\n",
pipe_name, pipes_open));
-
+ if (strstr(pipe_name, "spoolss"))
+ is_spoolss_pipe = True;
+
+ if (is_spoolss_pipe && current_spoolss_pipes_open >= MAX_OPEN_SPOOLSS_PIPES) {
+ DEBUG(10,("open_rpc_pipe_p: spooler bug workaround. Denying open on pipe %s\n",
+ pipe_name ));
+ return NULL;
+ }
+
/* not repeating pipe numbers makes it easier to track things in
log files and prevents client bugs where pipe numbers are reused
over connection restarts */
p = (smb_np_struct *)malloc(sizeof(*p));
- if (!p)
- {
+ if (!p) {
DEBUG(0,("ERROR! no memory for pipes_struct!\n"));
return NULL;
}
p->np_state = p->namedpipe_create(pipe_name, conn, vuid);
if (p->np_state == NULL) {
-
DEBUG(0,("open_rpc_pipe_p: make_internal_rpc_pipe_p failed.\n"));
SAFE_FREE(p);
return NULL;
}
-
DLIST_ADD(Pipes, p);
/*
}
/****************************************************************************
- * make an internal namedpipes structure
+ Make an internal namedpipes structure
****************************************************************************/
static void *make_internal_rpc_pipe_p(char *pipe_name,
ZERO_STRUCTP(p);
- if ((p->mem_ctx = talloc_init()) == NULL) {
+ if ((p->mem_ctx = talloc_init("pipe %s %p", pipe_name, p)) == NULL) {
DEBUG(0,("open_rpc_pipe_p: talloc_init failed.\n"));
SAFE_FREE(p);
return NULL;
DLIST_ADD(InternalPipes, p);
p->conn = conn;
+
+ /* Ensure the connection isn't idled whilst this pipe is open. */
+ p->conn->num_files_open++;
+
p->vuid = vuid;
p->ntlmssp_chal_flags = 0;
p->pipe_user.uid = (uid_t)-1;
p->pipe_user.gid = (gid_t)-1;
- /* Store the session key */
+ /* Store the session key and NT_TOKEN */
if (vuser) {
- memcpy(p->session_key, vuser->session_key, sizeof(p->session_key));
+ p->session_key = data_blob(vuser->session_key.data, vuser->session_key.length);
+ p->pipe_user.nt_user_token = dup_nt_token(vuser->nt_user_token);
}
/*
void free_pipe_context(pipes_struct *p)
{
if (p->mem_ctx) {
- DEBUG(3,("free_pipe_context: destroying talloc pool of size %u\n", talloc_pool_size(p->mem_ctx) ));
+ DEBUG(3,("free_pipe_context: destroying talloc pool of size %lu\n", (unsigned long)talloc_pool_size(p->mem_ctx) ));
talloc_destroy_pool(p->mem_ctx);
} else {
- p->mem_ctx = talloc_init();
+ p->mem_ctx = talloc_init("pipe %s %p", p->name, p);
if (p->mem_ctx == NULL)
p->fault_state = True;
}
* Authentication _was_ requested and it already failed.
*/
- DEBUG(0,("process_request_pdu: RPC request received on pipe %s where \
-authentication failed. Denying the request.\n", p->name));
+ DEBUG(0,("process_request_pdu: RPC request received on pipe %s "
+ "where authentication failed. Denying the request.\n",
+ p->name));
set_incoming_fault(p);
- return False;
- }
+ return False;
+ }
+
+ if (p->netsec_auth_validated && !api_pipe_netsec_process(p, rpc_in_p)) {
+ DEBUG(0,("process_request_pdu: failed to do schannel processing.\n"));
+ set_incoming_fault(p);
+ return False;
+ }
/*
* Check the data length doesn't go over the 15Mb limit.
* Append the data portion into the buffer and return.
*/
- {
- char *data_from = prs_data_p(rpc_in_p) + prs_offset(rpc_in_p);
-
- if(!prs_append_data(&p->in_data.data, data_from, data_len)) {
- DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
- (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
- set_incoming_fault(p);
- return False;
- }
-
+ if(!prs_append_some_prs_data(&p->in_data.data, rpc_in_p, prs_offset(rpc_in_p), data_len)) {
+ DEBUG(0,("process_request_pdu: Unable to append data size %u to parse buffer of size %u.\n",
+ (unsigned int)data_len, (unsigned int)prs_data_size(&p->in_data.data) ));
+ set_incoming_fault(p);
+ return False;
}
if(p->hdr.flags & RPC_FLG_LAST) {
ZERO_STRUCTP(p);
SAFE_FREE(p);
-
+
return True;
}
if (p->mem_ctx)
talloc_destroy(p->mem_ctx);
+
+ free_pipe_rpc_context( p->contexts );
/* Free the handles database. */
close_policy_by_pipe(p);
DLIST_REMOVE(InternalPipes, p);
+ p->conn->num_files_open--;
+
ZERO_STRUCTP(p);
SAFE_FREE(p);
git.samba.org / jra / samba / .git / blobdiff