{
struct smb2_request *req;
-
req = smb2_request_init(transport, SMB2_OP_NEGPROT, 0x26);
if (req == NULL) return NULL;
/*
check if a range in the reply body is out of bounds
*/
-BOOL smb2_oob(struct smb2_request *req, const uint8_t *ptr, uint_t size)
+BOOL smb2_oob_in(struct smb2_request *req, const uint8_t *ptr, uint_t size)
{
/* be careful with wraparound! */
if (ptr < req->in.body ||
return False;
}
+/*
+ check if a range in the outgoing body is out of bounds
+*/
+BOOL smb2_oob_out(struct smb2_request *req, const uint8_t *ptr, uint_t size)
+{
+ /* be careful with wraparound! */
+ if (ptr < req->out.body ||
+ ptr >= req->out.body + req->out.body_size ||
+ size > req->out.body_size ||
+ ptr + size > req->out.body + req->out.body_size) {
+ return True;
+ }
+ return False;
+}
+
/*
pull a data blob from the body of a reply
*/
DATA_BLOB smb2_pull_blob(struct smb2_request *req, uint8_t *ptr, uint_t size)
{
- if (smb2_oob(req, ptr, size)) {
+ if (smb2_oob_in(req, ptr, size)) {
return data_blob(NULL, 0);
}
return data_blob_talloc(req, ptr, size);
}
+/*
+ pull a ofs/length/blob triple into a data blob
+ the ptr points to the start of the offset/length pair
+*/
+NTSTATUS smb2_pull_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB *blob)
+{
+ uint16_t ofs, size;
+ if (smb2_oob_in(req, ptr, 4)) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+ ofs = SVAL(ptr, 0);
+ size = SVAL(ptr, 2);
+ if (smb2_oob_in(req, req->in.hdr + ofs, size)) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+ *blob = data_blob_talloc(req, req->in.hdr+ofs, size);
+ NT_STATUS_HAVE_NO_MEMORY(blob->data);
+ return NT_STATUS_OK;
+}
+
+/*
+ push a ofs/length/blob triple into a data blob
+ the ptr points to the start of the offset/length pair
+
+ NOTE: assumes blob goes immediately after the offset/length pair. Needs
+ to be generalised
+*/
+NTSTATUS smb2_push_ofs_blob(struct smb2_request *req, uint8_t *ptr, DATA_BLOB blob)
+{
+ if (smb2_oob_out(req, ptr, 4+blob.length)) {
+ return NT_STATUS_BUFFER_TOO_SMALL;
+ }
+ SSVAL(ptr, 0, 4 + (ptr - req->out.hdr));
+ SSVAL(ptr, 2, blob.length);
+ memcpy(ptr+4, blob.data, blob.length);
+ return NT_STATUS_OK;
+}
struct smb2_session_setup *io)
{
struct smb2_request *req;
+ NTSTATUS status;
req = smb2_request_init(session->transport, SMB2_OP_SESSSETUP,
0x10 + io->in.secblob.length);
if (req == NULL) return NULL;
+ SBVAL(req->out.hdr, SMB2_HDR_UID, session->uid);
SIVAL(req->out.body, 0x00, io->in.unknown1);
SIVAL(req->out.body, 0x04, io->in.unknown2);
SIVAL(req->out.body, 0x08, io->in.unknown3);
- SSVAL(req->out.body, 0x0C, io->in.unknown4);
- SSVAL(req->out.body, 0x0E, io->in.secblob.length);
- memcpy(req->out.body+0x10, io->in.secblob.data, io->in.secblob.length);
+
+ status = smb2_push_ofs_blob(req, req->out.body+0x0C, io->in.secblob);
+ if (!NT_STATUS_IS_OK(status)) {
+ talloc_free(req);
+ return NULL;
+ }
smb2_transport_send(req);
NTSTATUS smb2_session_setup_recv(struct smb2_request *req, TALLOC_CTX *mem_ctx,
struct smb2_session_setup *io)
{
- uint16_t blobsize;
+ NTSTATUS status;
if (!smb2_request_receive(req) ||
- smb2_request_is_error(req)) {
+ (smb2_request_is_error(req) &&
+ !NT_STATUS_EQUAL(req->status, NT_STATUS_MORE_PROCESSING_REQUIRED))) {
return smb2_request_destroy(req);
}
return NT_STATUS_BUFFER_TOO_SMALL;
}
- io->out.unknown1 = IVAL(req->in.body, 0x00);
- io->out.unknown2 = SVAL(req->in.body, 0x04);
- blobsize = SVAL(req->in.body, 0x06);
- io->out.secblob = smb2_pull_blob(req, req->in.body+0x08, blobsize);
+ io->out.unknown1 = IVAL(req->in.body, 0x00);
+ io->out.uid = BVAL(req->in.hdr, SMB2_HDR_UID);
+
+ status = smb2_pull_ofs_blob(req, req->in.body+0x04, &io->out.secblob);
+ if (!NT_STATUS_IS_OK(status)) {
+ smb2_request_destroy(req);
+ return status;
+ }
talloc_steal(mem_ctx, io->out.secblob.data);
return smb2_request_destroy(req);
struct smb2_session {
struct smb2_transport *transport;
struct gensec_security *gensec;
+ uint64_t uid;
};
struct smb2_request_buffer {
#define SMB2_HDR_SEQNUM 0x18
#define SMB2_HDR_PID 0x20
#define SMB2_HDR_TID 0x24
-#define SMB2_HDR_UID 0x28
-#define SMB2_HDR_UID2 0x2c /* whats this? */
+#define SMB2_HDR_UID 0x28 /* 64 bit */
#define SMB2_HDR_SIG 0x30 /* guess ... */
#define SMB2_HDR_BODY 0x40
uint32_t unknown1; /* 0x11 */
uint32_t unknown2; /* 0xF */
uint32_t unknown3; /* 0x00 */
- uint16_t unknown4; /* 0x50 */
- /* uint16_t secblob size here */
+ /* uint16_t secblob ofs/size here */
DATA_BLOB secblob;
} in;
struct {
uint32_t unknown1; /* 0x09 */
- uint16_t unknown2; /* 0x48 */
- /* uint16_t secblob size here */
+ /* uint16_t secblob ofs/size here */
DATA_BLOB secblob;
+ uint64_t uid; /* returned in header */
} out;
};
req->in.ptr = req->in.body;
req->status = NT_STATUS(IVAL(hdr, SMB2_HDR_STATUS));
- dump_data(0, req->in.body, req->in.body_size);
+ DEBUG(2, ("SMB2 RECV seqnum=0x%llx\n", req->seqnum));
+ dump_data(2, req->in.body, req->in.body_size);
/* if this request has an async handler then call that to
notify that the reply has been received. This might destroy
DLIST_REMOVE(transport->pending_recv, req);
req->state = SMB2_REQUEST_ERROR;
}
- dump_data(0, blob.data, blob.length);
+ dump_data(2, blob.data, blob.length);
data_blob_free(&blob);
return NT_STATUS_UNSUCCESSFUL;
}
_smb_setlen(req->out.buffer, req->out.size - NBT_HDR_SIZE);
+ DEBUG(2, ("SMB2 send seqnum=0x%llx\n", req->seqnum));
+ dump_data(2, req->out.body, req->out.body_size);
+
/* check if the transport is dead */
if (req->transport->socket->sock == NULL) {
req->state = SMB2_REQUEST_ERROR;
printf("current_time = %s\n", nt_time_string(mem_ctx, io.out.current_time));
printf("boot_time = %s\n", nt_time_string(mem_ctx, io.out.boot_time));
+ transport->negotiate.secblob = io.out.secblob;
+
return transport;
}
struct smb2_session_setup io;
NTSTATUS status;
TALLOC_CTX *tmp_ctx = talloc_new(transport);
+ DATA_BLOB secblob;
ZERO_STRUCT(io);
io.in.unknown1 = 0x11;
io.in.unknown2 = 0xF;
io.in.unknown3 = 0x00;
- io.in.unknown4 = 0x50;
session = smb2_session_init(transport, transport, True);
return NULL;
}
- status = gensec_update(session->gensec, tmp_ctx,
- session->transport->negotiate.secblob,
- &io.in.secblob);
- if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
- !NT_STATUS_IS_OK(status)) {
- DEBUG(1, ("Failed initial gensec_update : %s\n", nt_errstr(status)));
- return NULL;
- }
+ secblob = session->transport->negotiate.secblob;
+
+ do {
+ NTSTATUS status1;
+
+ status1 = gensec_update(session->gensec, tmp_ctx, secblob, &io.in.secblob);
+ if (!NT_STATUS_EQUAL(status1, NT_STATUS_MORE_PROCESSING_REQUIRED) &&
+ !NT_STATUS_IS_OK(status1)) {
+ DEBUG(1, ("Failed initial gensec_update : %s\n",
+ nt_errstr(status1)));
+ status = status1;
+ break;
+ }
+
+ status = smb2_session_setup(session, tmp_ctx, &io);
+ secblob = io.out.secblob;
+
+ session->uid = io.out.uid;
+
+ if (NT_STATUS_IS_OK(status) &&
+ NT_STATUS_EQUAL(status1, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ status = gensec_update(session->gensec, tmp_ctx, secblob,
+ &io.in.secblob);
+ }
+ } while (NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED));
- status = smb2_session_setup(session, tmp_ctx, &io);
if (!NT_STATUS_IS_OK(status)) {
printf("session setup failed - %s\n", nt_errstr(status));
return NULL;
}
+ printf("Session setup gave UID 0x%llx\n", session->uid);
+
return session;
}